1/ In case you don't have the context to understand this manifesto, let me explain it to you. https://signal.org/blog/cellebrite-vulnerabilities/
Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app's perspective

Cellebrite makes software to automate physically extracting and indexing data from mobile devices. They exist within the grey – where enterprise branding joins together with the larcenous to be...

https://signal.org/blog/cellebrite-vulnerabilities/
2/ Cellebrite is a product designed for law enforcement to forensically scan Androids and iPhones. Recently, they announced that they've added the ability to forensically scan the Signal app.
3/ Signal, as you'll recall, is the famous end-to-end encrypted app -- meaning that nobody in between the ends can intercept your data, not the FBI, not the NSA, and not even Signal itself.
4/ But "end-to-end" still means vulnerability on the ends, so that if someone can get your (unlocked) phone and analyze the contents, they can get stuff, like saved messages in Signal.
5/ Signal allows automatic expiration (and removal) of old messages that partially mitigates this threat, but it's still a threat. There's no technical defense that Signal can provide against this threat.
6/ BUT THE BEST DEFENSE IS OFFENSE.

(This is the tl;dr of this thread)
7/ The source of most vulnerabilities is the interface between the data pulled in from the outside untrusted world and parsed internally by code. The more types of data a program handles, the larger it's expose to hacks, it's "attack surface".
8/ Since Cellebrite must parse lots of different data formats, it has the largest attack surface of almost anything. It means you can pull data on your phone that, when Cellebrite opens, will hack Cellebrite.
9/ Thus Moxie's manifesto: if Cellebrite continues to try to hack Signal data, Signal will continue to hack Cellebrite.

This is an interesting threat because if Cellebrite is easily hacked, it's data is no longer reliable in court cases.
10/ In other words, when they come for you (and they will), get your phone, and use the Cellebrite evidence against you in a court of law, your defense can call into question the evidence because the Cellebrite data may be altered from a hack.
11/ Thus, Signal promises to keep putting hacked files inside it's data to corrupt Cellebrite. This kinda threatens Cellebrite into backing off.
12/ While this sounds fun, it's actually counter productive. It's just free quality assurance for Cellebrite. They just need to install Signal on their phone, get the latest bug that's been found, and ship an update.
13/ Instead, the actual defense is to publish such a vuln every couple months pointing out that Cellebrite can never be trusted in any court case.
14/ The overall message is "don't fuck with hackers".
(FYI: Use Signal and use Tor -- unless your life depends upon it. In which case, educate yourself on the threats against you and don't listen to simple one sentence advice on the subject and make your own educated decisions).
You can follow @ErrataRob.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled:
There are a lot of misconceptions about the Turkish diaspora in Germany. Since i just finished writing an essay about this topic I thought it's time to give other people
Read more
Las mejores calculadoras online en 2020A thread http://totumat.com/2020/11/26/las-mejores-calculadoras-online-en-2020/ Cuando se estudian asignaturas que requieren de cálculos complicados, nada mejor que contar con una buena calculadora.
Read more
Mitigating #ClimateChange is as much about taking up new techs as about leaving others behindMost studies focus on #coal's global downfall but another #energy tech decline is loomingRead my new
Read more