FBXL Social

This is just one of the many tweets that are flooding Twitter these days praising Telegram and discouraging users from using Signal with stupid NSA and FBI conspiracy theories.

Under no scenario should you have Telegram installed on your phone. It's basically the Hulk Hogan of E2EE apps.

@campuscodi @AnnaAnthro

I've never understood anybody using but shouldn't we be concerned that also isn't decentralized?

Other people are now seeing the same Twitter spam.

Many of these spammy accounts are post Feb 2022 accounts, suggesting a Russian nexus.

Why?

@Hyolobrika

which part?

Why should we be concerned that Signal isn't decentralised?
I like the fediverse being decentralised because everyone doesn't have to play by the same rules. But it's different for Signal because it's not a public forum. They basically allow everything there that isn't spam or illegal IIRC. And it's end to end encrypted so they can't see anything anyway.
Do you mean so that there isn't one organization that has access to everyone's metadata? That makes sense actually now I come to think of it.

@Hyolobrika @wjmaggos

Problem with Signal and just about every other e2ee chat app out there is that they're just a trojan horse to geolocate you via your cellphone #. That's why they don't allow VOIP #'s to sign up and insist on you having a smartphone with Android/iOS. That way they can also track your social network in real time based on geolocation and which account talks to which. They don't need the content of conversations when everything else they want to know about you can be obtained via side-channels.

Geolocate you via your IP address? Because I've never noticed that being very good.

>insist on you having a smartphone with Android/iOS
Yeah, I found their smartphone focus really annoying too. I tried using the desktop app but it never worked properly and even if it did, you still have to link it to your smartphone. Which is just unnecessary.

>don't allow VOIP #'s to signup
Really? That's interesting. The charitable interpretation is that that's to defend against spam, but who knows?
Does this mean that those companies where you can rent a number to receive verification codes don't work as well?

Oh. Geolocate you via your cellphone *number*. I didn't notice the "#".

I mean, I mainly talk to family using Signal. So I doubt they'd find that metadata particularly valuable.

@Hyolobrika @wjmaggos

No. Your cellphone number. When your cellphone is turned on it sends/receives signals to triangulate the closest cell tower. Then it associates that with the Subscriber ID your cellphone company assigned you, and the Equipment (ie. hardware) ID that was assigned by the manufacturer of your phone. Based on that they can track your location in real time 24/7/365 for as long as you've owned a cellphone. This automatically gives up your entire social network and by implication your political opinions, etc, etc, etc. All of which gets fed into algorithms to subtly manipulate your worldview according to whatever is most convenient to the agenda of the powers that be. This is happening on a global scale with basically no one in the modern world exempt from its effects.

@Hyolobrika @wjmaggos

No one cares about you individually as a person. You're just part of a herd of cattle that they use AI algorithms to manipulate and prod around from field to field based on what they want in a given instance.

> When your cellphone is turned on it sends/receives signals to triangulate the closest cell tower. Based on that they can track your location in real time 24/7/365 for as long as you’ve owned a cellphone.

I know that. That’s why I don’t have a SIM card in my phone anymore. I removed it some time after signing in to Signal with it. But what does that have to do with Signal?

> This automatically gives up your entire social network and by implication your political opinions

Because if you’re hanging out with people then you share political opinions with them? That’s not necessarily true.

> All of which gets fed into algorithms to subtly manipulate your worldview according to whatever is most convenient to the agenda of the powers that be. This is happening on a global scale with basically no one in the modern world exempt from its effects.

Any evidence for this?

How does that work exactly?

@Hyolobrika @wjmaggos

> I don’t have a SIM card in my phone anymore. I removed it some time after signing in to Signal with it. But what does that have to do with Signal?

Depends on your phone. It will still transmit an IMEI even if there's no associated IMSI. But if you've used it with an IMSI and the location correlates, they can pretty much assume the IMEI corresponds to the same person. Opsec only takes one screw up to be useless.

> Because if you’re hanging out with people then you share political opinions with them? That’s not necessarily true.

Statistically it is. It's like quantum physics. Works on the law of averages, and is therefore powerfully predictive even if it doesn't mirror the objective reality directly.

> Any evidence for this?

Cambridge Analytica for one, though that's just the tip of the iceberg.

https://archive.org/details/the.great.hack.2019.nf.webdl.dd5.1.x264ntgreducido

@Hyolobrika @wjmaggos

The other thing to bear in mind is that the same device you use for Signal or other e2ee comms (ie. your cellphone), you probably also use to listen to music, browse websites, SMS text, etc, etc, etc. All those other side-channels leak useful information about you and your opinions.

https://www.nytimes.com/2019/07/23/health/data-privacy-protection.html
https://www.nature.com/articles/s41467-019-10933-3

None of the privacy settings you use to control the apps on your phone have any effect on the underlying operating system nor the level of access it provides to the manufacturer (ie. Google, Apple, etc). Plus there's the trunk based intercept/mirroring capability that is built-in to basically every telco on earth and which the telcos themselves must accept under NDA in order to be allowed to operate whatsoever. You can buy some of the early versions of hardware (eg. Catalyst 6500 switch) used for this off ebay if you want. Bear in mind SigInt is as old as telegraph equipment, and the internet was originally a military network (ARPANET). It's not a new thing. Just gotten more and more sophisticated.

https://web.archive.org/web/20210323123603/https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/lawful/intercept/book/65LIch1.html
https://www.ebay.com/b/cisco-6500-switch/bn_7024899897

This has been an open secret for as long as I've been in tech (ie. 1990's) and based on what I've heard from folks before me, long before that too. Snowden wasn't saying anything revolutionary as far as anyone working in the industry was concerned. We'd been talking about that stuff for ages, but were treated like tinfoil hat conspiracy theorists until he came along.

https://www.eff.org/deeplinks/2015/09/eff-filings-show-phone-companies-participation-nsa-spying-no-state-secret

@toiletpaper @Hyolobrika @wjmaggos I'll add the usual dose of nightmare rectangle/modern web.

Corporate surveillance, digital tracking, big data & privacy
https://media.ccc.de/v/33c3-8414-corporate_surveillance_digital_tracking_big_data_privacy
http://cdn.chiefmartec.com/wp-content/uploads/2016/03/marketing_technology_landscape_2016_3000px.jpg

Replicant: software freedom on mobile devices
https://tube.raccoon.quest/watch?v=XIEXPLdM8rQ

The surreptitious assault on privacy, security, and freedom
https://media.libreplanet.org/mgoblin_media/media_entries/1529/144_7_gerwith.webm

Security Analysis of Estonia's Internet Voting System
https://media.ccc.de/v/31c3_-_6344_-_en_-_saal_1_-_201412281400_-_security_analysis_of_estonia_s_internet_voting_system_-_j_alex_halderman

DEF CON 21 - Karl Koscher and Eric Butler - The Secret Life of SIM Cards
https://tube.raccoon.quest/watch?v=_-nxemBCcmU

Data collection, psychographic profiling, and their impact on politics
https://www.youtube.com/watch?v=HUm9hV9KPy0

The Power of Big Data and Psychographics
https://www.youtube.com/watch?v=n8Dd5aVXLCc

@mangeurdenuage @Hyolobrika @wjmaggos

Glad you pointed out the voting machines too. That's another angle that's been an issue from day one. I remember about 10-15 years ago the city of Toronto put out an RFP for electronic vote tabulators and spent a good chunk of money to have a 3rd party security firm audit all the candidates. The auditor came back and said "none of the above" and gave a ranked list of the worst in order. Toronto city council chose the worst of the entire list (ie. most easily hackable) because it was based out of the city (Dominion). Same company that provides most of the vote tabulators in the USA and across Canada now. Nothing has changed about the security of their systems. They just sweep it under the rug every time (which is often) that an issue is pointed out.

@toiletpaper @Hyolobrika @wjmaggos Any electronic voting is a farce. The issue is always the people who count the votes.

@mangeurdenuage @Hyolobrika @wjmaggos

Yeah. That's true too. There's a lot of ballot stuffing going on apparently, even when it's all done manually. But with those machines, in a lot of cases they have internet connections running exposed services allowing the manufacturer to push software updates. Defcon reported a few years ago that it took one 11-year-old girl around 15 minutes to modify the voting record on one of those machines in their vote hacking village. She'd never even seen one of the machines before in her life and had extremely minimal prior instruction from the folks organising the event. Here's a synopsis. Not just one case of this either. To say nothing of real world applications.

https://nypost.com/2018/08/13/kid-hackers-prove-how-easy-it-is-to-change-election-results/

@toiletpaper @Hyolobrika @wjmaggos
>But with those machines, in a lot of cases they have internet connections running exposed services allowing the manufacturer to push software updates.
I'm aware.

> Depends on your phone. It will still transmit an IMEI even if there’s no associated IMSI.

I use a Pixel 6a with GrapheneOS and Airplane Mode always on. Am I safe?

But if that's true, then that's the case regardless of whether you use Signal or not.

And trusting the manufacturer and OS vendor is something you have to do with any computer, whether it's a phone or a desktop or a laptop or something else entirely, including whatever you're using to write your posts.

@Hyolobrika @wjmaggos

> I use a Pixel 6a with GrapheneOS and Airplane Mode always on. Am I safe?

The operating system doesn't matter in terms of cell tower triangulation. By design they all have to triangulate to locate the closest tower for the phone to work whatsoever. Just about every phone out there will connect to cell towers regardless of having a SIM or not, because it's required to provide 911 service. So no. More than likely not. Airplane mode depends. I don't know about those phones. But if you want to be sure your phone is not sending telemetry when not in use, either buy or make a Faraday cage/case.

To make one, the way I have done it is to get some cardboard and make a case that surrounds your phone completely on all sides. Then wrap with 3 or more layers of aluminium foil so that the entire case is covered by metal with a complete seal when closed. Then tape over it with duct tape. You can test it by placing the phone in with it turned on, and try receiving a call. If it doesn't ring, then it's working. If it does ring, keep adding layers of aluminium foil until it doesn't.

@Hyolobrika @wjmaggos

> that's the case regardless of whether you use Signal or not. And trusting the manufacturer and OS vendor is something you have to do with any computer, whether it's a phone or a desktop or a laptop or something else.

Yes. That's absolutely true. There's no bulletproof solution. The best you can do is make it harder for the attacker to do it by creating more hoops for them to jump through. Personally the only point of information that I am really concerned about protecting is my location. I don't talk to too many people online that I know in person, so that measure alone protects against correlating the bulk of my social network. But the fact is, a state actor likely wouldn't have much problem in the end anyway. It would just be a matter of time.

If you want to get an idea of the worst case scenario, check out this documentary series from back when the Canadian Broadcasting Corporation actually occasionally did real journalism.

https://youtu.be/uWe3kt435y4
https://youtu.be/Dj8QL9FiKiw
https://youtu.be/TckBaynmpTs

The program under discussion was unlikely to have been discontinued, but instead just renamed. That's how they operate. Nor is it likely to be exclusively a Canadian thing. With Facebook and Google and so forth receiving the bulk of their seed funding from In-Q-Tel (a CIA VC firm) for precisely the purpose of profiling the *entire* population with this kind of result in mind, plus AI now, it's pretty much a fait accompli. All that's needed is a shift in political climate of the leadership, or some "national emergency" and they pull the lever. Then it's game over for the likes of anyone with a differing opinion.