It's a clever construction, but I still feel it is too clever to be comfortable with. The code you run is signed by Intel, and you have a chain of trust stemming from a key held by Intel. Edit: from skimming the previous HN discussion, it seems that SGX relies upon Intel's remote attestation service. (Only half kidding: My favorite paranoid theory is that most security tech is thoroughly backdoored, and most of the 30000-40000 employees of NSA are actually doing parallel construction all day long for the data they get this way.) And most importantly, easier for me to verify. It's not perfect, but I would consider it good enough. I would probably just concatenate the phone numbers with the user's numbers, throw in some hard to guess salt like the Dow Jones index, and hash it with bcrypt. Those who want to read the full research can check the research entitled "All the Numbers are US: Large-Scale Abuse of Contact Discovery in Mobile Messengers," which is available on PDF.

According to The Independent, a WhatsApp spokesperson said privacy policy changes were "common in the industry" and that users have enough time to review them, plus it's designed to "offer integrations across the Facebook Company Products," including Messenger and Instagram.

Despite that, many are still unsure about the policy change and are planning to move to rival apps.

How does this ensure that the code on the server is running on the secure enclave, and not in an emulation? Or that the whole attestation is not emulated? How do we know that the team who built the SGX does not work closely with the NSA? Meanwhile, the researchers also found that Telegram's contact discovery service can expose some sensitive information even of owners of phones whose numbers were not registered in the app. (The only way around this is to sign up with a secondary phone number, which people will see instead.)
Like other modern chat applications, Signal asks for access to your iPhone or Android phone’s. In other words, your Signal address is your phone number. What's more, 40% of Signal users are also WhatsApp users and each of them has the same profile picture on both messaging apps.

Attackers can track such data and build accurate models over time that they can use to gain an advantage against the victims. You cannot use Signal without revealing your phone number to the people you contact. Through the data they gathered, the team also found some rather worrisome behavior from users.

For example, very few of the users change the app's default privacy setting, which isn't private at all, and 50% of WhatsApp users across the country have a public profile picture, with 90% more with a public "About" text. Find the first signal source Find the second signal source Survive and extract.

Private Contact Discovery Service (Beta)

The private contact discovery micro-service allows clients to discover which of their contacts are registered users, but does not reveal their contacts to the service operator or any party that may have compromised the service.

Extensive Research Shows Behaviors

For the research, the team queried 100% of all the US mobile phone numbers for Signal and 10% for WhatsApp, allowing them to gather the metadata that these messaging apps commonly acquire from their users, such as their profile pictures, status text, and the last time they were online. Signal - Part 1 is a Quest in Escape from Tarkov.

The team of researchers says that this certain process is what threatens the privacy of billions of messaging app users.

As part of the investigation, they were able to perform crawling attacks on WhatsApp, Signal, and Telegram without using that many resources, meaning hackers can do the same.
You may notice that when you install such apps, they ask permission to access your address book, which they then upload to their servers through the process known as mobile contact discovery. Based on the research, these apps can do so via their discovery service features, which allow the messaging app to find possible contacts through your phone's local address book, as is apparent in apps like WhatsApp, Signal, and Telegram.