Russia-aligned hackers are targeting Signal users with device-linking QR codes (arstechnica.com)
from solo@slrpnk.net to technology@lemmy.world on 20 Feb 08:22
https://slrpnk.net/post/18629710

Swapping QR codes in group invites and artillery targeting are latest ploys.

latenightnoir@lemmy.world on 20 Feb 08:38

Back to pen and paper it is! Start feeding the pigeons, everyone!

chaosCruiser@futurology.today on 20 Feb 09:23

Message in a bottle is the way to go.

If hackers don’t know where the bottle is floating, they can’t read the message. It’s also completely disconnected from the Internet, further enhancing the already robust security. This protocol also supports all encryption methods you can fit inside the bottle. There’s no central authority, no servers, no licenses, and no EULAs to accept without reading.

The only bottlenecks are bandwidth, packet loss, and the physical dimensions of the glass container.

Fantabread@lemm.ee on 20 Feb 10:25

And the actual neck of the bottle.

joshcodes@programming.dev on 20 Feb 10:41

Reliance on security by obscurity is unacceptable, except when the obscurity method is the ocean's entire fucking surface area.

AutistoMephisto@lemmy.world on 20 Feb 16:56

For the landlocked, may I recommend the Dead Drop Protocol? Leave the message in a place that everyone knows about, but only the intended recipients know a message is there to be read. Like the Message in a Bottle, it supports all encryption methods and is disconnected from the Internet.

There are a couple drawbacks, though. For one, unless you are watching the drop point, you have no way of knowing whether your message made it to the intended recipient or if it was intercepted. Vice versa, if you are the intended recipient of a dropped message, the only guarantee you have that the message is authentic is if the message uses a self-authenticating encryption method. Also, there is a potential that any drop point you use may be under surveillance, so make sure to not use the same drop point too often.

southsamurai@sh.itjust.works on 20 Feb 17:22

You forgot one bottleneck. The bottleneck.

einkorn@feddit.org on 20 Feb 09:49

Obligatory link to IPoAC

absGeekNZ@lemmy.nz on 20 Feb 10:00

With 1.5TB capacity micro sd cards available, a pigeon could probably deliver 12-18TB.

latenightnoir@lemmy.world on 20 Feb 11:08

This is the way.

Edit: can we also give 'em tiny cyberpunk shades and stuff?

TheHobbyist@lemmy.zip on 20 Feb 08:48

It seems Signal has already pushed out a fix for this, which was abusing the QR codes to actually link a device when it was presenting itself as a way to join a group.

Paywalled: wired.com/…/russia-signal-qr-code-phishing-attack…

uiiiq@lemm.ee on 20 Feb 10:04

notabot@lemm.ee on 20 Feb 10:39

What I find particularly concerning is that they were able to “hide javascript commands that link the victim’s phone to a new device” in the payload of a QR code. I can’t see any valid use for JavaScript in the group joining process, I would expect the code to just be a Signal URI with the relevant group ID, so is there some external JavaScript interface being exposed?