undefined | Better HN

0 pointsrodgerd4y ago0 comments

Signal is going to start attacking third-party tools once it's installed on your phone.

It's as though Theo decided that OpenSSH should respond to portscanners by trying to pwn the source systems.

0 comments

No, because that would be active retaliation.

More realistically it is like dropping a file on your private file server DONT_RUN_THIS_BLOWS_UP_YOUR_COMPUTER.exe. You never run it, but maybe somebody exploits your file server, gets all your files, and automatically runs them?

Oh well.

PeterisP4y ago

It really is like dropping a file on your private file server DONT_RUN_THIS_BLOWS_UP_YOUR_COMPUTER.exe - but contrary to your expectations, it's not "oh well", if you placed it there with the intent to trap someone who you expect to be looking at your computer, you may well be liable if their computer blows up, there's no significant difference from active retaliation - the consequences are there, the intent is there, the act is there, it's pretty much the same.

Of course, if some criminal exploits your file server, they are not likely to press charges, but if it triggers on law enforcement who have a warrant to scan your fileserver, that's a different issue.

You'd be just as liable as for physical boobytraps on your property, with pretty much the same reasoning.

salawat4y ago

The beauty though, is that law enforcement now can't even know before plugging in and scanning a device whether they'll actually be pwned.

They have to use the exploit to figure out if the phone can nuke that hardware's usability in the future or integrity of any locally stored, non-offsited data.

UNLESS Cellebrite can produce publically for a court of law proof that any potential exploit isn't a valid concern, which means spilling implementation details about how the device works.

Nobody can continue to shut up AND maintain the status quo. Either everyone clams, and Signal can sow reasonable doubt without challenge, crippling Cellebrite's value as a forensic tool. Or someone has to open up about the details of their tool, which, like it or not, will speak very loudly about the ways and methods behind these exploits.

The Checkmate is implied, and oh my, is it deafening.

chordalkeyboard4y ago

> if you placed it there with the intent to trap someone who you expect to be looking at your computer, you may well be liable if their computer blows up

Liable for what? You haven’t promised that the code is safe, and they chose to run it.

> there's no significant difference from active retaliation

There is a significant difference, in active retaliation you choose to attack someone elseks computer, with a trap file the attacker chooses to run files they have stolen from you. Big difference.

> You'd be just as liable as for physical boobytraps on your property, with pretty much the same reasoning.

The reasoning is different, lethal or injurious man traps are prohibited because you don’t respond to trespassing with lethal force and you don’t know who or what may trigger the trap. Man traps that lock the intruder in a room without injuring them are fine, and used in high security installations.

spoonjim4y ago

And why shouldn’t OpenSSH do that?

rodgerdOP4y ago

Because I have zero interest in running attack software.

j / k navigate · click thread line to collapse