sudneo

joined 3 months ago
[–] sudneo@lemm.ee 1 points 3 days ago

I am not proposing anything actually, I am implying that this change won't modify the threat model in any substantial way. Your comment implied that it kind of did, requiring root access - which is a slightly different tm, not so much on single user machines.

So my point is that "The data is safe until your user password is safe" is a very tiny change compared to "your data is safe until your device is safe". There are tons of ways to get the password once you have local access, and what I strongly disagree with is that it requires more work or risk. A fake sudo prompt requires a 10-line bash script since you control the shell configuration, for example. And you don't even need to phish, you can simply create a SUID shell and use "sudo chmod +s shell" in any local configuration or script where the user runs a sudo command, and you are root, or you dump the keyring, etc. Likewise, 99.9% of users don't run integrity monitoring tools, or monitor and restrict egress access, so these attacks simply won't be noticed.

So what I am saying is that encrypted storage is better than plaintext storage for the key, but if this requires substantial energy from the devs that could have been put into work that substantially improved the security posture, it is a net negative in terms of security (I don't know if it is the case), and that nobody after this change should feel secure about their Signal data in case their device is compromised.

[–] sudneo@lemm.ee 3 points 3 days ago (2 children)

You don't need root (dump memory). You need the user password or to control the binary. Both of them are relatively easy if you have user access. For example, change an ENV variable to point to a patched binary first, spoof the password prompt, and then continue execution as the normal binary does.

[–] sudneo@lemm.ee 5 points 3 days ago

I am saying that based on the existing risks, effort should be put on the most relevant ones for the threat model you intend to assume.

In fact the "fix" that they are providing is not changing much, simply because on single-user machines there is borderline no difference between compromising your user (i.e., physical access, you installing malware unknowingly etc.) and compromising the whole box (with root/admin access).

On Windows it's not going to have any impact at all (due to how this API is implemented), on Linux/Mac it adds a little complexity to the exploit. Once your user is compromised, your password (which is what protects the keychain) is going to be compromised very easily via internal phishing (i.e., a fake graphical prompt, a fake sudo prompt etc.) or other techniques. Sometimes it might not be necessary at all. For example, if you run signal-desktop yourself and you own the binary, an attacker with local privileges can simply patch/modify/replace the binary. So then you need other controls, like signing the binary and configuring accepted keys (this is possible and somewhat common on Mac), or something that anyway uses external trust (root user, remote server, etc.).

So my point is: if their threat model assumed that if your client device was compromised, your data was not protected, it doesn't make much sense to reduce the risk of this happening by 10/20%, and focus on other work that might be more impactful.

[–] sudneo@lemm.ee 1 points 3 days ago (1 children)

Privacy is not anonymity though. Privacy simply means that private data is not disclosed to or used by parties, and for purposes, that the data owner doesn't explicitly allow. Often not collecting data is a way to ensure no misuse (and no compromise, hence security), but it's not necessarily always the case.

[–] sudneo@lemm.ee 3 points 3 days ago (2 children)

A security company should prioritize investments (i.e., development time) depending on a threat model and risk management, not based on what random people think.

[–] sudneo@lemm.ee 1 points 4 days ago (1 children)

Only in written language though, as the schwa can't really be pronounced. I guess the way is to simply use both verbally ("tutti e tutte"), even though it's not really necessary as "tutti" already includes - well - everyone (incl. non-binary people).

[–] sudneo@lemm.ee 4 points 5 days ago* (last edited 5 days ago)

Sure, but my point is:

  • there is no point to overcharge with moral meaning what is a linguistic process (well understood I would add) that happened over centuries. This particular phenomenon has to do with the optimization of the language (neutral in Latin had relatively few nouns for objects) and the loss of consonants at the end of the word (like -m) that were often not pronounced anyway in the spoken language already - so again simplification. It has to do with a moral stance no more than other linguistic phenomena that caused mutations in consonants etc.
  • changing the language is the responsibility of the speakers, not of English-speakers who, in addition to having language hegemony, pretend to change other languages they don't speak, mirroring English's quirks and working mechanisms.

In fact, what I mentioned above (about * and the schwa) are processes that exist among speakers to address what some perceive as a problem in the language. However this is something that for obvious reasons only applies to written language as both of them are not pronounceable.

Different languages also have a different prescriptive vs descriptive balance, hence changes happen differently.

You simply can't transport English "solutions" to problems (i.e., neutral words) to Spanish (or Italian), because neutral for this language is the same as masculine. However, for speakers, gender is not perceived in the same way it is perceived in English. It is completely obvious (I can speak for Italian, but given the similarity I am sure the same applies to Spanish) that both "umani" (humans) and "persone" (people) include everyone, even if the first is a masculine word and the second is a feminine word, grammatically speaking. Nobody thinks of the gender of the word as the gender of the concept, because that's not how the language works. When you want to do that, you add context that makes it semantically obvious. This is apparently how English works instead, because gender has basically no other function, so you get things like the one in the screenshot, which doesn't make any sense.

[–] sudneo@lemm.ee 8 points 5 days ago (14 children)

Similar issue in Italian. Neutral gender in Latin consolidated into the male gender. It is what it is. There are some English-speakers who have a really hard time understanding that different languages work in different ways, somehow.

That said, there are discussions about using both articles or more weird stuff like "*" or even the Ə character to replace the ending, which most people are not used to yet, though.

[–] sudneo@lemm.ee 5 points 1 week ago (2 children)

I am a security professional. I personally couldn't care less about making the distinction, as both are very generic terms that are used very liberally in the industry.

So I don't see any reason not to call this hacking. This was not an intended feature. It was a gap, which has been used to perform things that the application writer did not intend (not in this form). It fits the definition of hacking as far as I can tell. In any case, this is not an academic discussion, it is a security advisory or an article that talks about it.

[–] sudneo@lemm.ee 9 points 1 week ago (10 children)

Lack of rate limiting is a code vulnerability if we are talking about an API endpoint.

Not that discussion makes any sense at all...

Also, "not securing" doesn't mean much. Security is not a boolean. They probably have some controls, but they still have a gap in the lack of rate limiting.

[–] sudneo@lemm.ee -3 points 1 week ago* (last edited 1 week ago)

Would you consider a man in a park playing with little girls a predator? No you wouldn't, because that can be both a predator and a sweet grandpa (and many other things). A man having a relationship (you are saying hitting on, you don't know) with a young girl is not necessarily a predator. Mind you, it can be! But the age alone doesn't tell us that. It's not nuance questioning, it's accepting that human experience is different and people are different and yes, it's possible that a very young person has a very good relationship with someone much older. If I saw two people in public, it's not the first thing I would think, but that's due to my prejudices.

Also I don't care what two people say on a forum. The comment got 4 upvotes, so even the temperature check here shows me that it's clear I am not defending predators (which I would find abhorrent). Neither you nor anybody else has elaborated on why a middle-aged person in a relationship with a 20yo is necessarily (emphasis on necessarily) a predator. So I take it for what it is: a cultural item which is based on mostly prejudices and traditions. Mind you, I have it as well. This whole disgust is the first thing that came to my mind too. I just realized that it's based on nothing more than my gut feeling.

Edit: since I grew tired of having to receive severe accusations by people who refuse to engage in good faith in a discussion, potentially questioning their own moral values, I will do you a favor and block you as well. Cheers.

[–] sudneo@lemm.ee -1 points 1 week ago (2 children)

What a useful point! Thanks for the comment
