Encryption Privacy Security

Signal's New PIN Feature Worries Cybersecurity Experts (vice.com) 45

Lorenzo Franceschi-Bicchierai, writing for Vice: Ever since NSA leaker Edward Snowden said "use Signal, use Tor," the end-to-end encrypted chat app has been a favorite of people who care about privacy and need a chat and calling app that is hard to spy on. One of the reasons security experts recommended Signal is because the app's developers collected -- and thus retained -- almost no information about its users. This means that, if subpoenaed by law enforcement, Signal would have essentially nothing to turn over. Signal demonstrated this in 2016, when it was subpoenaed by a court in Virginia. But a newly added feature that allows users to recover certain data, such as contacts, profile information, settings, and blocked users, has led some high-profile security experts to criticize the app's developers and threaten to stop using it.

Signal will store that data on servers the company owns, protected by a PIN that the app initially asked users to add and then required them to set. The purpose of using a PIN is, in the near future, to allow Signal users to be identified by a username, as opposed to their phone number, as Signal founder Moxie Marlinspike explained on Twitter (as we've written before, this is a laudable goal; tying Signal to a phone number has its own privacy and security implications). But this also means that unlike in the past, Signal now retains certain user data, something that many cybersecurity and cryptography experts see as too dangerous. Matthew Green, a cryptographer and computer science professor at Johns Hopkins University, said that this was "the wrong decision," and that forcing users to create a PIN and use this feature would force him to stop using the app.

  • by PPH ( 736903 ) on Friday July 10, 2020 @04:44PM (#60284742)

    ... Signal has been pwned by the TLAs.

    A contacts list, profile and blac^H^H^H^Hblock list are things that a user can choose to store locally. Or not at all, in the event their phone is compromised.

    Look for an empty canary cage on Marlinspike's curb come next week's trash pickup day.

    • Yeah, someone got them by the short and curly. Goddamnit.

    • by Anonymous Coward

      I have to agree. There is no rational explanation for the PIN feature other than that they are being forced by the TLAs to collect and retain more information, protecting it only with a 4-digit PIN that can be brute-forced in milliseconds.

      I stopped using Signal the instant this PIN thing came out because there really is no other reason for them to have done it other than to comply with secret court orders from the intelligence courts.

      • ... there really is no other reason for them to have done it other than to comply with secret court orders from the intelligence courts.

        No other reason? How about the one on their blog post [signal.org] announcing the feature?

        Signal has been adding usability features for a while now (message reactions, device transfer, GIF search, etc.). This is just another thing that people (though not everyone) want. If the purpose is to get more people to adopt e2e encrypted messaging, sometimes that means convenience features, even if you think they're dumb.

        • There's no reason to make it *mandatory*. They should make it opt-in all they want. They're forcing this on every user, which calls their motives into question if not destroys the premise that they have your best interests closest to their hearts.
        • This is just another thing that people (though not everyone) want.

          It doesn't seem to be something that anyone wants, I know a lot of Signal users and every single one of them hates this stupid change. It's something that Signal developers want, and now they're forcing everyone else to use it, whether they want it or not.

          Maybe the Signal folks are trying to make themselves attractive to Microsoft for a buyout, showing that they understand Microsoft's way of forcing unwanted things on users.

    • by AmiMoJo ( 196126 )

      For years now the Signal app has required an absolutely ridiculous number of permissions. They come up with daft features to excuse wanting them, but the reality is that if that app did have a backdoor it already had complete access to your phone too.

      Then Android changed the way permissions work and suddenly they need to "backup" your data to their server with a PIN that they know most people will set to 1234.

      Signal has always been dodgy and we need something better that doesn't try to take over your phone.

        • Not just that but it's gone from an app that does one thing well, encrypted messaging, to a massive bloated piece of crap that still only does one thing, encrypted messaging, but now takes 165MB to do it. And they seem to roll out updates every few days which do nothing apart from making me wonder why they need to constantly update it. WTF are they packing into this bloated monstrosity?
  • Already Old News (Score:5, Informative)

    by divide overflow ( 599608 ) on Friday July 10, 2020 @04:46PM (#60284752)
    Two days ago Moxie posted this message on Twitter [twitter.com], replying to @matthew_d_green:

    Moxie Marlinspike (@moxie): Based on the feedback we've gotten about PINs, we're working on shipping an option to disable PINs for advanced users who are alright with losing their Signal contacts on reinstall.

    • by PPH ( 736903 ) on Friday July 10, 2020 @04:54PM (#60284782)

      advanced users who are alright with losing their Signal contacts on reinstall.

      How about export to and import from CSV file on their local system? Like every two-bit e-mail client I've ever worked with. Nothing needs to be lost.

      • by Lije Baley ( 88936 ) on Friday July 10, 2020 @04:59PM (#60284798)

        Damn kids today don't even know what a local file system is!

        • kids today don't even know what a local file system is!

          Local file systems are simply caching-assisting options for the cloud, where all data is naturally stored. Why, it's almost as if you have something to hide!

      • advanced users who are alright with losing their Signal contacts on reinstall.

        How about export to and import from CSV file on their local system? Like every two-bit e-mail client I've ever worked with. Nothing needs to be lost.

        The kiddies are into JSON now ...

      • Re: (Score:3, Informative)

        They're opposed to that too. Moxie Marlinspike is something of a "my way or the highway" popu-dev. They stopped the ability to make backups of your messages that you can actually read yourself, and they closed all feature requests for it.

        I like having a copy of all my chat messages with certain friends, but in Signal you have to use some third party hack to decrypt the backup file and liberate the messages.
      • by egyas ( 1364223 )

        I wish I hadn't used all my mod points already, so that I could upvote this VERY SIMPLE suggestion to solve the supposed issue. Many times the simple solution is the best one, and tech companies always forget that in their desire to re-invent the wheel. :)

    • Their work making it so that you can store something "in the cloud" but still have an enforceable way to limit the number of attempts at a PIN is quite nice.

      But I question the need for that... They say that they want to provide a way to recover your "social graph", i.e. your contact database. However, very few people only want to store their social graph on a single device in the first place, and your social graph is also effectively stored in the social graphs of all of your contacts. These are two oth

      • All good points. Moxie doesn't have all the answers, so if you have some good ideas I'd encourage you to send them to Moxie and his small team of developers. They *want* to improve the app. It has already improved quite a bit since I first tried it and I'd like to see the best ideas adopted into sparkling new code.
        • Yeah, I should probably try to help instead of just talking. I think they should have just been more up front about what they are actually trying to do. Really they are trying to resurrect easily human-memorable and human-enterable secrets as an authentication method by making retry limits enforceable outside of a hardware level. That is way more far-reaching than enabling non phone number based addressing or even storing just contact information in the cloud.
  • Signal lost me when they removed the application lock screen and just said, and I quote, "just use the android lock screen". Well sorry there, pork chop, but I have several hundred virtual machines that I have to deal with and passwords sometimes get passed around in your messaging app. I would like to segregate that from the rest of my phone. That's when I knew the end was near. I'm all for a fork that can support multiple servers (user configurable, of course). Or, pretty much any new direction at th

    • Re:Saw it coming (Score:5, Insightful)

      by TheReaperD ( 937405 ) on Friday July 10, 2020 @06:00PM (#60284904)

      It sounds like their management is moving away from the security conscious community, which as much as this fact makes us sad, we're a niche community and instead trying to go for the mass market, where the money is. The problem is that there's no way to make both the security community and the mass market happy. The mass market wants convenience and damn security for getting in the way of that. They don't want passwords and encryption, they want shoddy thumbprint scans or taking pictures of their face. They don't want their contact information in an encrypted enclave that they have to manage, they want their data 'in the cloud' (not that they have any idea what that actually means), always available waiting for them. It's frustrating for those of us that know what governments and corporations do with our data as we watch the sheep willingly going to get sheared and slaughtered by their shepherds.

      • It sounds like their management is moving away from the security conscious community, which as much as this fact makes us sad, we're a niche community and instead trying to go for the mass market, where the money is.

        HUH? Really?

        Signal is a non-profit organization. It says so right at the bottom of their home page!

        Free for Everyone

        Signal is an independent nonprofit. We're not tied to any major tech companies, and we can never be acquired by one either. Development is supported by grants and donations from people like you.

        © 2013–2020 Signal, a 501c3 nonprofit.

        • by ceoyoyo ( 59147 )

          So? Non-profit means you're not allowed to make a profit. In other words, you have to spend all the money you take in.

          • No that is not what it means, non-profit just means that you cannot pay out your profits to shareholders or owners, aka the profits generated stays in the organization.
            • by ceoyoyo ( 59147 )

              I'm not really interested in arguing the semantics of what "profit" is. My point stands. Notably, you certainly can give money to whomever you want, it just has to be in the form of a salary or fee rather than a dividend.

              • It was not semantics, you specifically wrote "you have to spend all the money you take in" which is not true, non-profits can stockpile all the money they want.
            • You can still pay the CEO millions of dollars as long as you prove that for-profit companies in the same industry pay their CEOs millions of dollars and you can prove that the company has the millions to spare. See where this is going?

    • by Bengie ( 1121981 )
      I love optional additional locks for security related apps on my phone. I would love even more to use my NFC fido2 security key + pin.
  • I quit Signal purely because of the PIN. They were obsessed with it, it had to be entered so often just to use text SMS, seemed to be at least every day that they wanted to be sure it was me sending. Who needs that when you just want to quickly reply to a message?

    • by Bengie ( 1121981 )
      It prompts you in exponentially decreasing frequency unless you get it wrong. I haven't been prompted for a few months now. And you really shouldn't use it for SMS because it will attempt to send a signal message if the person has signal, and sometimes you need an SMS, like when there's no data access. I've heard stories of people receiving their signal messages days later because they were roaming with no data.
      • Or not getting their signal messages because they got a new phone with a new number and thought just reinstalling Signal was enough.

        Or someone else getting the messages because they inherited the recycled number and installed signal. That would (maybe) be on the sender for ignoring the safety number changed message.

        Or someone else getting the messages because they inherited the recycled number that was never used for signal and installed signal for the first time and the app noticed and switched to signal m

        • Also good points, and just really says the reasons why we're even talking about it. It was awfully convenient to not even have to create an account and just use the phone number. Which means it was always going to lead this way...

          I wish Freedom Box was still a thing. But what we need, is an easy to use personal cloud. You could say, use a sample of your contacts to confirm it's you (phone call, in person, etc. it's up to whatever you all setup), But even then, that's also highly exploitable. Security is har

  • Password manager (Score:5, Informative)

    by Bengie ( 1121981 ) on Friday July 10, 2020 @06:51PM (#60285024)
    I generated a 20-char random password for the "pin". It must be at least 4 chars, but can be arbitrarily longer and supports any chars. The other benefit of the new PIN feature is that if someone SIM-jacks you, they can't use their newly acquired Signal phone number for a week.
  • When a contact you have joins Signal, you get a notification of this.

    That's 100% a violation of the concept of OPSEC. If I join Signal and you have me as a contact it's NONE OF YOUR BUSINESS and a VIOLATION of my OPSEC to "inform" you of what software and services I'm using.

    Sorry, I really do like Signal, but that was already strike one -- and a big strike.
    This new thing -- requiring a PIN (not a password!) -- and uploading stuff to the cloud -- another big strike.

    SIGNAL, take note. One more strike and yo

  • by Bengie ( 1121981 )
    At least they stretch it with Argon2. Takes about 2 seconds on my Intel i5. Even a 2000 core GPU has only a few GiB of memory, and the random memory access would decimate any remaining potential. At most 256 of these 16MiB state Argon2 hashers could run concurrently. Even a 64 core CPU is only going to be doing ~32 guesses a second. And that's being generous because of the random memory access plus heavy bandwidth. While this won't prevent a 4 char PIN from being broken, you can make it as long as you want
    • Re: KDF (Score:4, Interesting)

      by mr.morbo ( 6346556 ) on Friday July 10, 2020 @08:26PM (#60285224)

      The beauty of this kind of analysis is that computers get faster and cryptanalysis finds shortcuts given time.

      32 guesses a second might be 64 in 6 months because the GPU got faster. It might be 128 in a few more because boffins found a way to shave a single bit off the execution time. It might be 512 next year because some wily programmer managed to hand-optimize the implementation for a particular GPU. And 2048 the year after when it's built into custom silicon by some TLA who's been archiving Signal data since the feature was added.

      Look at 1024-bit DH. It took a while but boffins shaved it down far enough while computers got faster enough and then it was possible to pre-compute all possible combinations for a few hundred dollars of AWS compute time.

      Don't underestimate the determination of a well funded adversary when the protection contains a treasure trove of information.

      • by Bengie ( 1121981 )
        I fully agree, but I would like to add a bit more info about Argon2 in particular. Argon2 is meant to make GPU and ASIC acceleration virtually impossible. The large state, which is completely configurable (I have systems using Argon2 with a concurrency of more than 4 and a state of 16GiB+), and the random memory access pretty much break any computational scaling. The memory access latency with modern high end DDR4 (10ns) is worse than PC133 SDRAM (~7.5ns) from 24 years ago. Bandwidth is much higher and concu
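The two threads above (the one about an enforceable server-side limit on PIN attempts, and the one about Argon2 stretching on the client) describe two halves of one design, and a small model makes the interaction clear. The Python below is an added example written for this page, not Signal's code or its real protocol: it substitutes the standard library's scrypt (also memory-hard) for Argon2 with deliberately tiny parameters so it runs in about a second, uses made-up HMAC labels and a 10-guess budget, and models the enclave as an in-memory class. The structure it demonstrates is the split of the recovery key into a PIN-derived part and a random server-held share (here called c2) that the server deletes when the guess budget is exhausted. With that split, an online guesser is cut off after ten tries, while a 4-digit PIN still falls to offline search in a few dozen guesses once the server-side record has leaked, which is why the stretching cost and PIN length still matter.

```python
"""Model of a PIN-protected cloud recovery scheme with a server-enforced guess
limit. Added example for this page; not Signal's code or its real parameters."""
import hashlib
import hmac
import secrets

# Memory-hard stretching. Signal uses Argon2; this example substitutes stdlib
# scrypt with deliberately small parameters (1 MiB, ~1 ms) so it runs quickly.
# Demo values only, chosen for speed rather than security.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 10, 8, 1
MAX_TRIES = 10  # assumed enclave guess budget before it wipes the record


def stretch_pin(pin: str, salt: bytes) -> bytes:
    """Stretch the low-entropy PIN into a 32-byte key with a memory-hard KDF."""
    return hashlib.scrypt(pin.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, maxmem=32 * 1024 * 1024, dklen=32)


def split_keys(stretched: bytes):
    """Derive an authentication key (sent to the server) and a client share c1.
    The "auth" / "c1" labels are illustrative, not a real protocol's."""
    auth_key = hmac.new(stretched, b"auth", hashlib.sha256).digest()
    c1 = hmac.new(stretched, b"c1", hashlib.sha256).digest()
    return auth_key, c1


def master_key(stretched: bytes, c1: bytes, c2: bytes) -> bytes:
    """The recovery master key needs both the PIN and the server-held c2."""
    return hmac.new(stretched, c1 + c2, hashlib.sha256).digest()


class RecoveryServer:
    """Stand-in for the enclave: holds c2 behind auth_key and a guess counter."""

    def __init__(self, max_tries: int = MAX_TRIES):
        self.max_tries = max_tries
        self.records = {}  # user -> [auth_key, c2, tries_left]

    def backup(self, user: str, auth_key: bytes, c2: bytes) -> None:
        self.records[user] = [auth_key, c2, self.max_tries]

    def restore(self, user: str, auth_key: bytes):
        rec = self.records.get(user)
        if rec is None:
            return None
        if hmac.compare_digest(rec[0], auth_key):
            rec[2] = self.max_tries  # a correct PIN resets the budget
            return rec[1]
        rec[2] -= 1
        if rec[2] == 0:
            del self.records[user]  # budget exhausted: c2 is gone for good
        return None

    def has_record(self, user: str) -> bool:
        return user in self.records


def enroll(server: RecoveryServer, user: str, pin: str, salt: bytes) -> bytes:
    """Client side of backup: stretch the PIN, park a fresh c2 on the server."""
    stretched = stretch_pin(pin, salt)
    auth_key, c1 = split_keys(stretched)
    c2 = secrets.token_bytes(32)
    server.backup(user, auth_key, c2)
    return master_key(stretched, c1, c2)


def recover(server: RecoveryServer, user: str, pin: str, salt: bytes):
    """Client side of restore: returns the master key, or None on a wrong PIN."""
    stretched = stretch_pin(pin, salt)
    auth_key, c1 = split_keys(stretched)
    c2 = server.restore(user, auth_key)
    return None if c2 is None else master_key(stretched, c1, c2)


def online_guess(server, user, salt, candidates):
    """Attacker guessing through the server: every wrong guess burns budget."""
    for pin in candidates:
        if recover(server, user, pin, salt) is not None:
            return pin
        if not server.has_record(user):
            return None  # the enclave wiped c2; the attacker is locked out
    return None


def offline_bruteforce(leaked_auth_key: bytes, salt: bytes, digits: int = 4):
    """If the server-side record leaks, only the KDF cost and the PIN space
    stand in the way. Returns (pin, attempts) for an all-digit PIN space."""
    for attempt, n in enumerate(range(10 ** digits), start=1):
        pin = f"{n:0{digits}d}"
        auth_key, _ = split_keys(stretch_pin(pin, salt))
        if hmac.compare_digest(auth_key, leaked_auth_key):
            return pin, attempt
    return None, 10 ** digits


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample input
    server = RecoveryServer()
    enroll(server, "alice", "0042", salt)
    print("online guessing found:", online_guess(server, "alice", salt,
                                                  [f"{i:04d}" for i in range(100)]))
    print("record survives:", server.has_record("alice"))
    victim = RecoveryServer()
    enroll(victim, "bob", "0042", salt)
    print("offline search:", offline_bruteforce(victim.records["bob"][0], salt))
```

Raising `digits` (or using the 20-character random PIN mentioned in this thread) is what turns the offline search from dozens of KDF calls into an infeasible one; raising the scrypt parameters toward real Argon2 settings only multiplies the per-guess cost, which is the trade-off the GPU and ASIC discussion above is about.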
  • During WW2 a thing called signals analysis and traffic analysis grew up. The Germans loved to switch off power grid by grid, and when the transmission stopped, they had a fair idea of the grid to target. We know telcos are cooperating, so with a bit of variable latency you can finger likely suspects such as journalists. It is true onion is wrecking certain assumptions. With certain 5G, you can hop over strategic delay lines - thus hostility to certain 5G makers that do not have programmable latency delays.
