undefined | Better HN

0 pointsmd_4y ago0 comments

> Plus, managing DIY security is more complicated than just running Signal on an encrypted phone. Same concerns regarding supply chain interdiction, remote code execution, and other security vulnerabilities on the operating system running Signal.

Yes, but specifically to supply chain security, as this attack shows, the most affordable option to secure your supply chain is to ensure your devices and downloads cannot be uniquely targeted.

Buying a stock iPhone in cash and downloading Signal from the App Store is a far better approach than buying a "drug dealer phone."

I do think this attack, as you imply, simply highlights how hard it is for even motivated consumers in the market to make actually secure choices, which in turn is why the market underemphasizes real security improvements.

0 comments

9wzYQbTYsAIc4y ago

Well put, and I agree that right now the most effective thing would probably be to buy a stock iPhone, from a random source, in cash, etc.

That said, one huge caveat: any stock, internet-connected phone is always one law away from being rendered completely transparent to law enforcement with legal jurisdiction over the place of sale.

In the US, for example, Congress could write a law that forces a back door.

The back door doesn’t even have to be to the encryption keys or algorithm, but could be a simple screen capture interface that can be remotely triggered with a warrant.

mianos4y ago

This exact law exists in Australia, the "Assistance & Access Act". That these laws exist in Australia is also a reason why there is a lot of co-operation between US and Australian law enforcement. I am not sure how but it gives the US an ability to do things they can't do on their own shore. The US often works on other countries, like Bucharest in the An0m case to work around their own laws.

9wzYQbTYsAIc4y ago

https://www.homeaffairs.gov.au/about-us/our-portfolios/natio...

At least there’s this:

> The Assistance and Access Act contains an express prohibition against building or implementing any weakness or vulnerability in software or physical devices that would jeopardise the security of innocent users. This is found in section 317ZG of the Act which also makes clear that any assistance that makes a system's encryption or authentication less effective for general users is strictly prohibited. This same section prohibits the construction of new decryption capabilities and rules out any requirements that would prevent a company from patching existing security flaws in their systems.

1 more reply

j / k navigate · click thread line to collapse

0 pointsmd_4y ago0 comments

Yes, but specifically to supply chain security, as this attack shows, the most affordable option to secure your supply chain is to ensure your devices and downloads cannot be uniquely targeted.

Buying a stock iPhone in cash and downloading Signal from the App Store is a far better approach than buying a "drug dealer phone."

0 comments

9wzYQbTYsAIc4y ago

Well put, and I agree that right now the most effective thing would probably be to buy a stock iPhone, from a random source, in cash, etc.

That said, one huge caveat: any stock, internet-connected phone is always one law away from being rendered completely transparent to law enforcement with legal jurisdiction over the place of sale.

In the US, for example, Congress could write a law that forces a back door.

The back door doesn’t even have to be to the encryption keys or algorithm, but could be a simple screen capture interface that can be remotely triggered with a warrant.

mianos4y ago

9wzYQbTYsAIc4y ago

https://www.homeaffairs.gov.au/about-us/our-portfolios/natio...

At least there’s this:

1 more reply

j / k navigate · click thread line to collapse