
If you are a client for Signal, rubber-hose cryptanalysis is a much bigger issue.

Here is the story of what happened to Doubi (SSR developer). He was very well aware of anonymity risks, and he evaded police for years on end. China literally tried to geolocate him by turning off the internet in entire cities, but to no result — he caught on to that, and started randomising his release timing, and avoiding releasing "hotfixes". So, the entire Chinese police and MSS had been looking for him for 4-5 years.

What happened? A few months before his arrest, he registered a Twitter handle with a throwaway SIM card. Those are usually sold by "grannies" in Chinese 2nd-tier cities who peddle things like fake tax receipts, anonymous train tickets and such.

China either hacked Twitter, or had somebody bribed there, and they got the number. They then tracked down the granny who sold him the SIM card, and went on checking every person door to door in that small town. Then, they found him.

He got 5 years in prison, and 4 years of laogai (gulag).

That's super interesting, thanks for sharing! Would you mind posting a link or two about the story of Doubi? I can't find much and would love to dig into this story.

Basically Twitter got pwned big time, and now denies it because GDPR will ruin them if a breach is proven.

Here is what Doubi's online followers figured:

State security got all phone numbers used for Twitter phone verification up to May 2019 and possibly till July.

Twitter haphazardly closed the breach in complete secrecy.

The API hole explanation is excluded, as people with 100% private accs got police visits.

People with foreign SIM cards also got into trouble. So the explanation that China compromised Twitter's SMS providers is also excluded, as it's improbable that they did it in 4+ countries.

The 2016 breach is also out of the question.

The only explanation is that they got hold of a big piece of their user DB, or, worse, they have an active infiltrator in Twitter, or Twitter voluntarily cooperated.



Pardon my ignorance but I'm unable to find much about this story... and the links you posted are hard to piece together with this narrative.

Not even doubting it, just wondering if there's more of a source that's laid out (work/timeline/etc)? It's supremely interesting and should probably be more well known if it's not already.

Most of what I know was found by people on Doubi's forum, which has now gone down. There is nearly nothing about that in English besides stating the fact that he is gone now, that he got a term, and that his Twitter was the most likely source of his ID leak, as deduced from public records about his case.

Early accounts explored the possibility of Chinese police exploiting an SMS gateway, and password reset abuse, but it has since been confirmed that even users who lived for years in the West got deanonymised, and their relatives got harassed. MSS/police having a fresh Twitter user DB is the most probable explanation at this point.

But, in this story - had he used Signal - if the police arrested anyone in contact with him, any one of those would be able to turn over his phone number? Which would be linked to the SIM card in his phone?

Am I missing something? Or am I misinterpreting your story? You're saying that sign-up bound to a SIM card is bad for Twitter and bad (worse) for Signal?

Yes, see, he went as far as buying an anonymous SIM in China, which are sold at an extreme premium by black market dealers, and still got tracked down.
