• Optional@lemmy.world
    8 days ago

    Signal faces scrutiny following a series of phishing-based account hijackings. As previously reported, attackers impersonated Signal support staff to trick users into revealing registration codes and PINs, enabling them to re-register accounts on devices under their control. Signal clarified that its infrastructure and encryption were not compromised, attributing the incidents entirely to social engineering.

    I got scammed therefore Signal insecure. Got it.

    • IratePirate@feddit.org
      8 days ago

      It was mostly German conservative figures falling for the phishing attack, and it’s mostly German conservatives demanding this right now. So they’re responding in a characteristically conservative fashion: zero self-awareness, zero competence in the matter, but righteousness cranked all the way up to eleven.

    • EntropyPure@lemmy.world
      8 days ago

      A lot of journalists got that wrong in initial reporting. But as an IT administrator you can see where they are coming from with their switch to another platform.

      Signal is end-user software, and a very good one at that. But it is no enterprise-grade software. It lacks the management and policies needed for such user groups, which Wire seems to provide. Things like a mobile number as primary account handle spell ease and a low entrance hurdle for end users, and a security problem for administrations.

      The fractured nature of the IT in German politics is probably still keeping the attack surface alive. As outlined here by heise:

      https://www.heise.de/en/background/Signal-attacks-Political-reality-bites-the-IT-admin-11279251.html

      • Jason2357@lemmy.ca
        8 days ago

        Politicians and bureaucrats shouldn’t be using it anyway. They should be using something centrally auditable. I have Signal, but I talk to my colleagues in Teams for a reason. I could actually get in some trouble for using a secure back channel that cannot be FOI’d.

  • woelkchen@lemmy.world
    8 days ago

    Wire is still around? Tried it literally 10 years ago and didn’t like it at all.

  • nroth@lemmy.world
    8 days ago

    How does being email-based instead of phone-number-based meaningfully help security? I would understand something like non-federated Matrix, where only approved users have accounts on your instance. Less phishing at the cost of convenience.

    • luciferofastora@feddit.org
      8 days ago

      They have no clue what is safe or dangerous or reasonable or stupid. For a few decades now, the Internet has been “Neuland” to them, that is, unexplored country. These geriatric chucklefucks couldn’t be arsed to seriously and systematically explore it if you held a gun to their head.

      (I don’t advocate holding guns to their head, for the record. It wouldn’t solve the systematic issue underpinning their incompetence. It would also give them advance warning.)