ReportWire

Tag: signal

  • The WIRED Guide to Digital Opsec for Teens

    Expand your mind, man. Opsec is really all about time travel—taking small, protective steps now before you have a disaster on your hands later. If you’re not on auto-delete, then an explosive, emotional text exchange with the person you’re currently dating—or, ahem, photos you sent to each other—will hang around forever. It’s normal for things to change and for relationships of all types to come and go. You may trust someone and be close to them now but grow apart in a year or two.

    If you imagine an even more extreme scenario where you’re being investigated by the police, they could obtain warrants to search your digital accounts or devices. People have to go to great lengths to maintain their opsec if they’re trying to hide activity from law enforcement. To be clear, this guide is definitely not encouraging you to do crimes. Don’t do crimes! The goal is just to understand the value of keeping basic opsec principles in mind, because if some of your digital information is revealed haphazardly or out of context, it could, theoretically, appear incriminating.

    You probably intuitively understand a lot of this. (Don’t give your password to friends, duh.) So this guide is going to largely skip the obvious and emphasize more subtle, unintended consequences of failing to practice good opsec.

    Memorable Opsec Fails

    “Signalgate,” 2025: US officials discussed war plans in a group chat on the mainstream, secure messaging app Signal. Then they accidentally added a journalist to the chat. Subsequently, US defense secretary Pete Hegseth famously (embarrassingly) messaged the chat, “we are currently clean on OPSEC.” At least some members of the chat were also potentially using a modified, insecure version of Signal. All extremely not clean on opsec.

    Gmail Drafts Exposed, 2012: Then-CIA director David Petraeus and his paramour shared a Gmail account to hide their communications by leaving them for each other to see as draft messages. Kind of ingenious given that this was before most texting or messaging apps offered timed disappearing/ephemeral messages, but the FBI figured out the strategy.

    Identities

    Opsec is all about compartmentalizing, and that’s the hardest part. Failure to compartmentalize is often how criminals get caught or how information that was meant to stay secret gets exposed. Think of your online life like rooms in a house. Each room has a separate key. If someone breaks into one room, they can grab everything there, but you don’t want them to be able to run wild beyond that room.

    You can have multiple identities online and compartmentalize the activities of each, but it takes forethought to maintain the separation. There’s the real you who uses your main Gmail or Apple ID for personal and family stuff and social accounts where you use your real name, plus school and maybe work. Another compartment is your school email and school file storage. Then there’s your more adaptable, online personas who may have semi-anonymous handles, like jnd03 for Jane Doe. Friends know that these accounts are yours and classmates can probably guess them. Finally, there may be a pseudonymous you: alt accounts with no obvious link to real you—like Jane Doe using the handles “_aksdi0_0” or “peter_mayfield01.”

    Rules of Separation

    You have accounts under your real name, but you probably also need pseudonymous accounts. Tight compartmentalization will prevent people from doxing your pseudonymous accounts. But that’s easier said than done.

    Obviously, don’t recycle usernames across platforms. If JaneD03 is your Instagram handle, don’t use it or a similar name for your anonymous Reddit account. Don’t even reuse passwords—but especially don’t reuse passwords between real and pseudonymous accounts. To prevent a compromised pseudonymous account from revealing your name, don’t use your main email address; instead, use a unique, pseudonymous one. Gmail “dot tricks” (jane.doe@, j.ane.doe@) don’t count, because they all equally reveal your master account.

    JP Aumasson, Lily Hay Newman

  • Signal extends backup feature to iOS users

    Fortunately, we live in a time when most information can be recovered from another device or the cloud. Now, iPhone users can add another app to that list. Signal has announced that secure backups are now available for iOS devices. It follows a similar launch for Android devices in early September. The company shared the news on X and linked to the previous Android blog post for all additional information.

    At the time, Signal noted that secure backups would be an opt-in feature and available in Android users’ latest beta release. The company stated this was to test the feature on a smaller scale before it came to iOS and desktop — so clearly something worked.

    The end-to-end encrypted backup offers no-cost storage of a user’s text messages and up to 45 days of media. Keeping older media costs $2 per month — Signal’s first paid offering. “The reason we’re doing this is simple: media requires a lot of storage, and storing and transferring large amounts of data is expensive,” Signal said at the time. “As a nonprofit that refuses to collect or sell your data, Signal needs to cover those costs differently than other tech organizations that offer similar products but support themselves by selling ads and monetizing data.”

    Anyone who opts in will have their messages backed up each day. The secure backups use a 64-character recovery key that is available exclusively on a user’s device. It’s required to access the backup and Signal is unable to recover it.

    Sarah Fielding

  • New Text to 911 service allows you to reach help without cell reception. Here’s how it works

    Have you ever been in or traveling through an area where there is no or low traditional cell service and thought, “What if I had an emergency and needed to call 911?”

    Now, because of a well-known cell service provider’s connection to a popular network of satellites, there’s a solution when you have an emergency and are off the grid and out of reach of a terrestrial cell tower’s signal.

    The service is called Text to 911, and its availability is all thanks to T-Mobile’s new T-Satellite with Starlink, a service that, according to a recent release from the mobile carrier, was rolled out in July and connects compatible phones to an array of Starlink satellites orbiting the Earth.

    But if you’re not a T-Mobile customer, don’t fret. You don’t need to be a subscriber of the provider to use Text to 911.

    The service is available to anyone in the U.S. who has a compatible, satellite-capable iPhone or Android phone, and is designed to work anywhere in the 500,000 square miles of the U.S. not reached by traditional cell towers.

    That means even customers of providers like AT&T and Verizon can sign up for Text to 911.

    How to sign up for and use Text to 911

    While the service is free to use, non-T-Mobile customers are required to sign up in advance to use Text to 911. That can be done on the company’s website. The company said T-Mobile customers can add the service under “Manage Data & Add-Ons” in their account or in T-Life.

    You don’t need to take any special action to use Text to 911. The mobile provider says that all you need is a view of the sky, and that using the service is just like sending a normal text message. All you need to do is enter a message on your phone’s native messaging app and enter 911 in the number field. From there, all you’ll need to do is hit “send.”

    While some areas around the U.S. already have the ability to text 911, this new service allows users to do so even when they can’t get reception from a traditional cell tower. If that’s the case, Text to 911 finds you a signal from a satellite up in space.

    The company said it “was a no-brainer” to make Text to 911 available and free for any person who enrolls and has a compatible phone.

    “There’s a good chance you’ve had that moment in your life at some point. Badly rolled ankle deep into a backcountry hike. Stuck in a tree well while skiing. Flat tire on a backcountry road. Or a million other situations that require access to emergency services in a place without cell service. It’s an absolutely terrifying feeling that we don’t want anyone to have ever again,” Mike Katz, president of marketing, strategy and products for T-Mobile, said in announcing the availability of Text to 911 on Nov. 5.

  • Signal President Spars With Elon Musk Over Trust in Private Messengers

    On Monday, a major outage at Amazon Web Services affected a large number of websites and apps, including end-to-end encrypted messenger Signal. In response, X Executive Chairman and Chief Technical Officer Elon Musk claimed that he no longer trusts Signal. “I don’t trust Signal anymore,” Musk stated, plainly.

    To be clear, the centralized infrastructure upon which Signal relies does not necessarily put encrypted communications made via Signal at risk, as Signal does not hold the keys to the encrypted data held in that infrastructure.

    Signal President Meredith Whittaker responded to Musk’s post on X, noting, “Signal is trusted by the security and hacker community, and hundreds of millions of others, BECAUSE they can examine it, and because on examination, it has shown to be robust, private, and secure–for over a decade.”

    In recent months, Musk has been promoting the use of X Chat as a method of secure, encrypted communications between its users. However, security experts have noted that any encrypted messaging app should be open source if it is to be trusted with secure communications, in addition to other concerns. After all, how is someone supposed to know what the app is actually doing if they cannot look at the code?

    X themselves label X Chat, which is intended to eventually replace the traditional direct messaging system, as beta software on their platform. There were reports in 2018 that X (then known as Twitter) was testing end-to-end encryption; however, the feature did not get an official support announcement until 2023. X has also said they plan to eventually make it easier to verify that their chat features are as safe and secure as they claim.

    Jack Dorsey, who originally co-founded X as Twitter and led the company for years, was open to this move towards end-to-end encryption during his time as CEO. More recently, Dorsey “vibe coded” a geographically-focused messaging app called Bitchat over a weekend.

    Bitchat gained notoriety during the recent overthrow of the Nepalese government due to the app’s mesh networking features that allow it to function in localized areas without internet access. An app with similar features, known as FireChat, was used during the Hong Kong protests all the way back in 2014.

    Of course, Signal is not perfect either and has received its own fair share of criticisms over the years. Signal’s reliance on phone numbers was routinely brought up as a bad idea by security researchers until the messaging app recently allowed users to sign up with just a username.

    Notably, Whittaker received some pushback to her comments today regarding Signal’s openness and verifiability from multiple developers who have worked on Bitcoin. Peter Todd, who is perhaps best known for the accusation that he’s Bitcoin creator Satoshi Nakamoto in an HBO documentary released earlier this year, pointed out that the app stores on Android and iOS get in the way of users being able to confirm that the open-source code run on users’ devices actually matches the code published by Signal.

    Todd has contributed to Bitcoin Core over the years, which is Bitcoin node software that has a strict adherence to enabling reproducible builds, which allow end users to verify that an app is built from the same open-source code that has been published elsewhere. Steve Lee, who leads Bitcoin open-source development grant provider Spiral, also pointed out that there is an open issue related to reproducible builds for Signal on Android.

    Obviously, Bitcoin purists, who talk endlessly about the benefits of the network’s decentralization, also have a problem with Signal’s reliance on centralized infrastructure that led to this morning’s downtime in the first place.

    Whether you’re talking about Bitcoin or private messaging, there are oftentimes tradeoffs made when balancing perfect privacy and security with building a user-friendly app that people will actually use. Signal is still the standard when it comes to encrypted messaging, but more competition in this area can never hurt, as long as it provides privacy that is verifiably trustworthy.

    Kyle Torpey

  • If You Can Read This, You’re About to Get Scammed

    Did you find this article by typing in the name of a website associated with Elon Musk? Did it sound like you could invest in SpaceX, Neuralink, or one of Musk’s AI ventures like Grok and xAI? It’s fake. It’s 100%, without a doubt, completely fake.

    I know you may not believe it, but please read on. Because this article could save you from losing a lot of money. Elon Musk is a very wealthy man. He’s worth $500 billion, according to Forbes, making him the wealthiest person on the planet. But Musk does not have a website dedicated to making other people rich.

    You may have seen an ad on Facebook or maybe a video on Instagram, TikTok, or YouTube. It may have even looked like Elon Musk was talking about some amazing investment opportunity. Maybe it looked like Elon was raising money for a sick child. You may have even been asked to send money through gift cards or a bitcoin ATM. But it was fake. You need to believe us. Because it’s true.

    Musk does not have a website selling cryptocurrencies. He doesn’t have a website for trading stocks. He doesn’t have a public website selling shares of his private companies like SpaceX, Neuralink, xAI, and X. The promotional video you saw is fake and probably used artificial intelligence tools to make it look like Elon Musk was saying something he never said.

    People are losing millions

    Did someone reach out to you on a social media site like Facebook or Instagram claiming to be Elon? Did they tell you to talk with them over Signal or Telegram or WhatsApp? That person is a scammer. Elon Musk does not reach out to people on websites and ask them for money. And if they haven’t already asked you to send money, that part is coming.

    Again, you might be skeptical. A lot of people want to believe that Elon Musk is offering ways for the average person to become rich. But he’s not. Among other reasons, he doesn’t have time.

    Here at Gizmodo, we’ve written about scammers impersonating Elon Musk for years.

    • There was the woman in Washington who lost $63,000 because she thought she was talking to Elon.
    • There was the man in North Carolina who drained his 401k of over half a million dollars.
    • There was the person who lost over $18,000 watching a video livestream they thought was for Tesla.
    • There was also the Florida principal who sent an Elon Musk scammer a check for $100,000.

    People have literally been losing millions of dollars to scammers over the years because they thought they were investing in something approved by Elon Musk. But it was all fake.

    Scam AI Videos

    It’s incredible what can be accomplished with AI these days. You can make people appear to say things they never said. For example, here’s an ad we spotted below. Elon never said any of that.

    Fake Elon Websites

    All of the websites below are scams. And while Gizmodo is often reluctant to advertise the web domains of scammers, because it risks inadvertently driving more people to scammy websites, using the names of the scams is the only way to help get the word out that these specific websites will steal your money.

    And this list only scratches the surface. These are some of the domains that have been reported to the FTC, but there are so many more out there.

    Scam Names

    There are also scams that you may know by various names that aren’t dedicated websites, but are being spread through social media platforms. Some of the common ones we’ve seen are below.

    • Elon Musk Fan Page Membership Card
    • Elon Musk x Donald Trump Crypto Giveaway
    • Space Stock Mining
    • Tesla Bitcoin
    • Tesla Token
    • Tesla Mining
    • Neuralink Crypto Token
    • SpaceX Token

    Please believe us. It’s not real.

    Maybe someone sent you this article. Maybe you found it through Google. Please know that visiting these websites and “investing” in them will only lead you to heartache and pain.

    The people who’ve been scammed at these sites often feel foolish afterward. And we don’t want you to feel foolish. We want you to avoid just handing your money away for nothing.

    If you’re interested in investing, there are plenty of reputable places to do that. You can even invest in Musk’s company, Tesla, if you want to buy stock in that company through a reputable stockbroker. All investing involves risks, but the websites we’ve featured here aren’t just risks where you might make some money or you might lose some money.

    If you give any of these websites your money, you will only lose. We promise you.

    Have you been scammed and want to tell your story? You can email the author of this article at [email protected].

    Matt Novak

  • The Arrest of Pavel Durov Is a Reminder That Telegram Is Not Encrypted

    French police arrested Pavel Durov, the outspoken and sperm-obsessed co-founder of Telegram, over the weekend on charges related to the spread of illicit material on the platform. As news spread of Durov’s arrest, outlets and pundits repeated a description of Telegram that isn’t true: they called it an encrypted messaging app.

    Reuters called Telegram an “encrypted application.” In Axios, Telegram is an “encrypted messaging app.” CNN quoted failed presidential candidate Robert F. Kennedy Jr.’s description of Durov as the CEO of the “encrypted, uncensored Telegram platform.”

    Telegram is a lot of things—a great place for open-source intelligence about war, a possible vector for child sex abuse material, and a hub for various scams and crimes—but it is absolutely not an encrypted chat app. Does Telegram provide an encrypted chat option? Yes, but it’s not on by default and turning it on isn’t easy.

    The distinction between encrypted and unencrypted apps is important. WhatsApp and Signal, for example, are end-to-end encrypted out of the box. They’re not completely secure but they do a pretty good job of keeping your information safe provided someone doesn’t get hold of your devices.

    With Telegram, all bets are off. Telegram is mostly about big group chats and channels where people share information with their fans. DMs are not, by default, end-to-end encrypted. Users can enable what Telegram calls “secret chats” but must do so for every single conversation they want encrypted. This is never on by default and can’t be activated for group DMs or channels.

    As Johns Hopkins security researcher Matthew Green pointed out in his blog on the subject, it’s also a pain in the ass to activate. “The button that activates Telegram’s encryption feature is not visible from the main conversation pane, or from the home screen. To find it in the iOS app, I had to click at least four times—once to access the user’s profile, once to make a hidden menu pop up showing me the options, and a final time to ‘confirm’ that I wanted to use encryption. And even after this, I was not able to actually have an encrypted conversation, since Secret Chats only works if your conversation partner happens to be online when you do this,” Green said.

    Again, you have to do this for every single chat you want kept hidden. With Signal and WhatsApp, it’s on by default for every conversation.

    So why does the world seem to think of Telegram as an encrypted app? Durov constantly says that it is and attacks the encryption of other platforms. In a long post on his Telegram channel (which isn’t encrypted) in May, Durov accused the U.S. government of having a hand in the creation of Signal’s encryption systems.

    “It looks almost as if big tech in the U.S. is not allowed to build its own encryption protocols that would be independent of government interference,” he said. “Telegram is the only massively popular messaging service that allows everyone to make sure that all of its apps indeed use the same open source code that is published on Github. For the past ten years, Telegram Secret Chats have remained the only popular method of communication that is verifiably private.”

    Durov has been bashing Signal and WhatsApp for years. He pursued a similar line of attack in 2017. “The encryption of Signal (=WhatsApp, FB) was funded by the U.S. Government,” he said in a tweet back then. “I predict a backdoor will be found there within 5 years from now.”

    Durov is right that Signal did get government grants early in development. It also got them from a lot of other places, including the Knight Foundation and the Freedom of Press Foundation. It’s ludicrous to claim, without proof, that a $3 million grant early in development equates to any kind of control or backdoor. It barely makes a dent in the $50 million it costs to run Signal annually now. Signal’s encryption algorithms are also open source and numerous cybersecurity experts have vouched for their authenticity.

    More than five years later Telegram still doesn’t have end-to-end encryption on by default, Signal is fixing its known security issues, and the French have arrested Durov on a host of charges related to the spread of illicit material on the platform.

    Matthew Gault

  • Russia and Venezuela have blocked encrypted messaging app Signal

    Both Russia and Venezuela have blocked access to the encrypted messaging app Signal, .

    The Russian news service broke the news about the block on the Signal app in Russia. Russia’s telecommunications watchdog Roskomnadzor restricted the app due to “violations of the requirements of the Russian legislation whose fulfillment is necessary to prevent the use of the messenger for terrorist and extremist purposes,” according to the Russian report.

    The cybersecurity tracker on Friday that Russia has restricted access to Signal “on most internet providers.” NetBlocks also noted the app “remains usable with ‘censorship circumvention’ enabled” in Signal’s settings echoing to users who’ve been blocked from their messages in both regions .

    The blocking of Signal in Venezuela occurred in the long shadow of the country’s disputed presidential election results from the end of July. Venezuela’s electoral authority declared President Nicolás Maduro the winner without publishing any evidence of his win, sparking protests from detractors and supporters of Maduro’s opponent Edmundo González, according to the .

    Both regions have been cutting off access to other similar social media apps possibly as a way to quiet dissenting voices. earlier today for a period of 10 days claiming that the company’s owner Elon Musk was inciting hatred and “violated” his social network’s rules. also reported a “mass YouTube outage” in Russia on Thursday.

    Danny Gallagher

  • Pelosi sends signal to Biden: ‘Time is running short’

    Former House Speaker Nancy Pelosi, one of the most influential voices in President Biden’s sphere outside of his family, sent a rare public signal Wednesday morning that suggested she is trying to nudge him to consider dropping out of the election.

    “It’s up to the president to decide if he is going to run,” she said on MSNBC. “We’re all encouraging him to make that decision because time is running short.”

    Pelosi sandwiched her comments between praise for Biden and his record. But Pelosi is notably careful and calculating in her public comments and well aware that Biden has repeatedly and forcefully said he has already made that decision. She spoke on MSNBC’s “Morning Joe,” Biden’s favorite cable news show and the same venue where on Monday he gave one of his most defiant declarations that he would remain in the race.

    Pelosi, a San Francisco Democrat, is no longer in Democratic leadership but remains in the House after one of the most consequential tenures in history. At 84, she is three years older than Biden and served alongside him for most of his political career. She also had the experience of watching close friend Sen. Dianne Feinstein deteriorate before dying in office last year.

    Pelosi said Biden would have the “overwhelming support” of House Democrats. “He’s beloved, he is respected, and people want him to make that decision.”

    She also suggested that she would not make a more direct call for him to withdraw.

    “I’ve said to everyone, let’s just hold off, whatever you’re thinking, either tell somebody privately, but you don’t have to put that out on the table until we see how we go this week,” she said.

    The comments preceded a high-profile call to withdraw from a different sort of influencer: George Clooney. The actor, who is a major backer for Democrats, headlined a Hollywood mega-fundraiser for Biden last month.

    “The one battle he cannot win is the fight against time,” Clooney wrote in an op-ed published Wednesday in the New York Times. “None of us can. It’s devastating to say it, but the Joe Biden I was with three weeks ago at the fundraiser was not the Joe ‘big F— deal’ Biden of 2010. He wasn’t even the Joe Biden of 2020. He was the same man we all witnessed at the debate.”

    Noah Bierman

  • Signal usernames will keep your phone number private

    Instant messaging app Signal is best known for its privacy-related settings, though with phone numbers being the heart of the platform since its inception, there was no way to fully hide your own number until now. Earlier today, Signal announced that you’ll soon be able to create a unique username (not to be mistaken with your profile name), which you can share with others via a link or QR code — as opposed to sharing your number. You’ll be able to change your unique username as often as you want, but it needs to contain two or more numbers at the end, as part of Signal’s anti-spoofing efforts. You can even delete your username entirely, as it is an optional feature.

    Naturally, you’ll still need a phone number to sign up for Signal, but note that with the new default, your number will no longer be visible to everyone (you can change this setting manually, if needed). There will also be a new option which prevents people from finding you by your number; they will need to have your exact unique username to do so. In other words, people who already have your number won’t necessarily know that you are also on Signal, which is a good thing if you prefer to stay anonymous in this platform’s public groups.

    As is the case with any new feature, the likes of spammers and scammers will eventually find a way to abuse usernames, as you won’t be able to verify their numbers instantly. Pro tip: when you see new contacts that appear to be your acquaintances, always double check with them through other means — preferably in person, or at least via a phone call. You may look out for these new Signal features in a few weeks’ time, or you can get an early taste in the beta release.

    Richard Lai

  • Signal Finally Rolls Out Usernames, So You Can Keep Your Phone Number Private

    The third new feature, which is not enabled by default and which Signal recommends mainly for high-risk users, allows you to turn off not just your number’s visibility but its discoverability. That means no one can find you in Signal unless they have your username, even if they already know your number or have it saved in their address book. That extra safeguard might be important if you don’t want anyone to be able to tie your Signal profile to your phone number, but it will also make it significantly harder for people who know you to find you on Signal.

    The new phone number protections should now make it possible to use Signal to communicate with untrusted people in ways that would have previously presented serious privacy risks. A reporter can now post a Signal username on a social media profile to allow sources to send encrypted tips, for instance, without also sharing a number that allows strangers to call their cell phone in the middle of the night. An activist can discreetly join an organizing group without broadcasting their personal number to people in the group they don’t know.

    In the past, using Signal without exposing a private number in either of those situations would have required setting up a new Signal number on a burner phone—a difficult privacy challenge for people in many countries that require identification to buy a SIM card—or with a service like Google Voice. Now you can simply set a username instead, which can be changed or deleted at any time. (Any conversations you’ve started with the old username will switch over to the new one.) To avoid storing even those usernames, Signal is also using a cryptographic function called a Ristretto hash, which allows it to instead store a list of unique strings of characters that encode those handles.

    Amid these new features designed to calibrate exactly who can learn your phone number, however, one key role for that number hasn’t changed: There’s still no way to avoid sharing your phone number with Signal itself when you register. The fact that this requirement persists even after Signal’s upgrade will no doubt rankle some critics who have pushed Signal’s developers to better cater to users seeking more complete anonymity, such that even Signal’s own staff can’t see a phone number that might identify users or hand that number over to a surveillance agency wielding a court order.

    Whittaker says that, for better or worse, a phone number remains a necessary requisite as the identifier Signal privately collects from its users. That’s partly because it prevents spammers from creating endless accounts since phone numbers are scarce. Phone numbers are also what allow anyone to install Signal and have it immediately populate with contacts from their address book, a key element of its usability.

    In fact, designing a system that prevents spam accounts and imports the user’s address book without requiring a phone number is “a deceptively hard problem,” says Whittaker. “Spam prevention and actually being able to connect with your social graph on a communications app—those are existential concerns,” she says. “That’s the reason that you still need a phone number to register, because we still need a thing that does that work.”

    Andy Greenberg
