
How Russia Works on Intercepting Messaging Apps - adamnemecek
https://www.bellingcat.com/news/2016/04/30/russia-telegram-hack/
======
dendory
It's all fine and good to point out how insecure SMS is, and various ways that
2-factor auth may have been improved, but I think the bottom line is that when
your adversary is the government, police and telecom provider working
together, the means you use to protect yourself are irrelevant, if they really
want to bring you down, they will. The solution is in democratization and
lobbying for proper laws to be passed.

~~~
snitko
The solution is to make it extremely difficult/costly for them. It is never
democratization and lobbying, because for a person to see any kind of change
in the direction he wishes, it may take years. And even then it's just asking
your masters for permission. Technology gives us a quick way to bypass
government, make it irrelevant.

~~~
e12e
> Technology gives us a quick way to bypass government, make it irrelevant.

If you actually could do that, it's very likely that said technology would be
illegal. Just as it illegal pretty much everywhere to own your own tanks and
fighter bombers.

Just because you ignore politics, doesn't mean politics ignores you. And puts
you in indefinite detention, or execute you.

~~~
snitko
Perhaps temporarily, yes. You can outlaw cryptography, but the more
governments resist it, the faster it will take over.

~~~
e12e
Take over what?

------
mtamizi
It's one thing to rely on phone numbers for authentication, it's yet another
to store the messages. The same scenario on WhatsApp would have given the
attacker access to the account but not the message history, which is
presumably what they were after.

------
pigscantfly
It's interesting that the Russian state relies on these multi-party procedures
(security service contacts telco to cut off service to initiate attack) rather
than unilateral interception, which as the author says, might not only be
simpler but also less detectable.

~~~
nxzero
Just because the teleco said something happened doesn't mean that's what
happened. Lot of other ways even an average attacker could due this if they
had the resources to do it, and unlikely that a service provider would tell a
customer what happen; they could be the attacker testing the systems.

------
Amir6
This shows the absurd ignorance of many people (including security experts and
even Snowden himself!) on using messaging apps that are based on phone number.
As stated many times, there are limited number of phone numbers possible for
every country, so even if the database only consists of some sort of hash
value instead of the number itself, the system is vulnerable to identity theft
and user identification. Practically in any country governments have a
database of people's phone number (correlated to their social security
numbers, banking info used to pay the bills, street addresses and even
IMEI,MAC address of the devices they used or bought for that account). I wish
someone could tell me why an app like Telegram or even Signal (which both make
many claims on their encryption capabilities and are endorsed by activists)
are based on such fundamental security flaw!

------
nxzero
Even E2E apps like Signal use a device's number to setup an account; meaning
as of a month ago, at least for the app, the device number was required to
created an account.

Maybe this isn't an issue, but seems odd to me.

~~~
retox
I can confirm, Signal will not go through initial run without access to your
IMEI, even for an existing account.

~~~
Amir6
How is this a good thing for privacy?

~~~
nxzero
What would be a better solution, why, and what if any trade offs might exists
between the options? Do you use the app or code?

------
e12e
It seems unlikely that the Russian intelligence services would be _forced_ to
this in such an obvious manner. But it might have been done in such an obvious
way to act as a deterrent: like a van parked outside a dissidents house: We
are watching you, and want you to know that we are watching you?

~~~
SXX
> We are watching you, and want you to know that we are watching you?

This. People they watching doesn't represent any real danger to regime as
otherwise they would easily put them in prison for no reason. So in that case
intelligence only goal is to make activists life as hard as possible and force
them to leave the country or stop being activist.

They periodically confiscate their personal phones / computers during searches
in their property and offices. People smart enough to use crypto and it's not
that easy to get control over accounts on services that are not hosted in
Russia.

------
chinathrow
Lesson No 1: Don't tie your messaging account to your cell number.

E.g. Threema allows that.

~~~
rotw
What about Signal?

------
weitzj
It would be nice to have a distributed 2 factor authentication using something
like bitcoin or ipfs.com

~~~
nxzero
Bitchains would leak a massive amount of metadata.

------
kabouseng
There is a couple of points I disagree with this article.

First off two factor authentication and resetting your account use sms's for
recovery not so much to get access to your social graph and thereby "growth
hacking", but because proving someone's identity you don't know personally
digitally is a hard unsolved problem (pgp key ceremonies and web of trust
certainly didn't solve it).

Second, saying you should use end to end encryption doesn't prevent someone
from resetting your account and getting access, so it is not some sort of
silver bullet. It does however prevent an attacker from reading your past
messages, but after getting access they will be able to read all your current
messages on multi device services.

------
finishingmove
I love reading gray on gray. No, really, the web needs more of this. Let's
also make sure the font is readable only on retina displays.

~~~
usaphp
Maybe it's your monitor's issue, it looks very readable on mine.

~~~
stordoff
It's readable fine on mine as well, but the screenshot in the article (black
text on white) is much more pleasant to read.

------
mlvljr
Из пальца высосано :)

Cheers from the place

------
guilhas
A guy working for NATO thinks that Russia...

