Getting hacked in just 20 minutes due to a basic misconfiguration is alarming!
But not surprising.
Not to mention TeleMessage violated the terms of the GPL. Signal is under GPL and I can’t find TeleMessage’s code anywhere.
Edit: it appears it is online somewhere, just not in a GitHub repo or anything.
https://micahflee.com/heres-the-source-code-for-the-unofficial-signal-app-used-by-trump-officials/
I’m pretty sure that the licence also requires that you link to the source code. You can’t just have it up “somewhere” and just expect people to find it.
Yep. Relevant sentence bolded by me below
6d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements.
“yeah my code is open source, it’s somewhere on this site I’m just not gonna tell you where it is.”
They sound staggeringly incompetent. And anyone who bought their software without any investigation into its quality also sounds staggeringly incompetent. Apparently there’s a lot of it going around.
Here’s a link to the original article (from the same author) on the platform you should actually subscribe to.
https://www.404media.co/the-signal-clone-the-trump-admin-uses-was-hacked/
Big 404 fan, but “original” is misleading. “First article on this topic” is more accurate. OP’s link is arguably more interesting.
You might enjoy the full blog post from the author:
works in almost exactly the same way as Signal, except that it also archives copies of all the messages passing through it, shattering all of its security guarantees.
Pretty sure Signal does that as well, which is not a security issue.
Signal uses end-to-end encryption (E2EE). The only copies of messages are on the sender’s and recipient’s devices.
Copies of messages are also known as archives.
Signal does not archive messages on the server side.
They weren’t talking about the server:
This app…works in almost exactly the same way as Signal, except that it also archives copies of all the messages passing through it, shattering all of its security guarantees.
Later in the article, it talks specifically about the server-side archives being stored in plain text. That’s why the hacker was able to access messages. This isn’t about the local copies on phones.
Yeah, I didn’t read past the misinformation.
Kinda seems like you’re the misinformation.