I doubt how useful it would be as an attack. As a single point of info it tells you next to nothing. As part of a composition of other indicators it would be the weak link in the chain, probably just causing noise for the not unlikely scenario where the person you're targeting is using a VPN.

If it was any less specific we'd be talking about a deanonymization attack that outs whether or not a target is still on Earth.



Oh, this attack would be a useful tool for e.g., identifying whistleblowers that travel a lot (e.g., in academia, military). If you know their Signal ID, you could send them images from time to time and then compare their coarse locations with travel information for a number of suspects.


I believe they'd have to accept the chat request before any images would be loaded?

Looking at the app options it seems to be possible to disable media auto-download entirely; there are tickboxes for Images/Audio/Video/Documents via Mobile Data/Wi-Fi/Roaming.


Yes, I agree. This attack won't work on competent / paranoid people. What I had in mind when writing the comment: a whistleblower who wants to inform the press about illegal practices in their company and installed Signal to communicate anonymously with journalists. Somehow, a detective working for the company got their Signal ID and contacted them, impersonating a journalist.


> not unlikely scenario where the person you're targeting is using a VPN

Do you think a large proportion of Signal users also use VPNs? I'd expect it would be a higher proportion than the general population but still only a small minority.


> Do you think a large proportion of Signal users also use VPNs?

It is feasible to consider that interesting Signal users mostly use a VPN as an extra protection layer.


Being 'interesting' doesn't make you more likely to understand VPNs and opsec. I expect it makes you more likely to try, but there's a good chance of doing it ineffectively.


I disagree, it does significantly increase the likeliness. Like having cancer makes you significantly more likely to know a lot of medical facts about cancer.

If you fear for your life you are much more likely to have spent time researching how to protect yourself digitally.


Fair point. But there are a lot of educational resources for whistleblowers and others. OPSEC is crucial nowadays.


There's a lot of nonsense too. In another HN thread, someone was explaining to me that email is more secure than Signal, and desktops more secure than phones - and they had a link to someone's blog to prove it.

That's a HN reader. For the non-technical, it is a minefield.



