• hello_hello [comrade/them]@hexbear.net
    ↑57 ↓1 · edited · 6 days ago

    What they’ll do is arrest someone on bogus charges and then get their phone (legally via a plea or illegally whatever works). Since signal links your account with a phone number they can cross reference the contacts sync with the signal profiles and work their way up that way.

    Best thing to mitigate this is to use a communications app that doesn’t link to any personal details like SimpleX or GNU Jami, that way if one person gets booked then the entire network can be more resilient.

    Signal is an upgrade from SMS but the phone number linking makes it impossible to create disposable identities. Signal is what you use outside of organizing talking to colleagues and family because WhatsApp is a slop mess and it’s fairly well known that you have an easier chance on getting people on board.

    • MarmiteLover123 [comrade/them, any]@hexbear.net
      ↑23 · 6 days ago

      The signal chats have been already leaked publicly by right wing infiltrators, so I don’t think there’s much that can be done now. All the data is already out there, the FBI don’t even need to seize phones to get a start on the investigation.

          • hellinkilla [they/them, they/them]@hexbear.net
            ↑17 · 6 days ago

            Yo I hope that’s been posted somewhere else more prominent.

            I have been undercover inside the groups for days.

            Looks like he’s doing better than the regular FBI.

            Sounds like they are doing an OK job of organization and security given the constraints. Signal is the main issue here but comparable info could likely be obtained with an IMSI catcher.

            • Speaker [e/em/eir]@hexbear.net
              ↑22 · 6 days ago

              It’s the blending of communication channels and operational channels. My local groups had this problem until we developed better practices.

              Comms channel is only for rapid response, who-what-where, to get people on the scene documenting everything, informing victims of their rights, and impeding police fuckery. This is considered “public”, in that the bar for entry is quite low and the worst that an infiltrator would find out is “hey, cops, in about 10 minutes you’re gonna have a bunch of cameras on you”, a fact that they’d know soon enough anyway.

              People love to chat, so there’s a chatter channel. Nothing important goes on here, and things are strictly moderated. The closest thing to operationally relevant information is stuff like “hey, I’m trying to organize X, react if you’re interested”. Again, worst case an infiltrator knows some vague information about planned actions.

              All the resulting planning happens in person or in very tightly vetted invite-only threads. It is possible for infiltrators to get into these, but it requires establishing a lot of trust that’s just not gonna happen for a random lurker. For anything remotely serious, at most there’s a handful of core organizers updating each other. A lot can be done with 3-5 people without endangering the operation of the whole group, so you keep the scale small until you need bodies. Once you do, you break the action into disparate areas of responsibility and recruit through whisper networks and trusted individuals. These groups do not coordinate directly. If you lose an organizer, you jettison channels and either adapt the plan or start over. It’s easy to cut the head off of a snake, so you gotta be a hydra.

              And I’m talking a not very large city with an incredibly overbearing police presence. If this isn’t going on 100 times over in Minneapolis (and everywhere else), they’ll roll up everyone they can identify on “conspiring” or “obstruction” or RICO or similar nonsense charges and hang them up in court/prison until people are so scared/exhausted that they give up or buy into some “emotional” outburst about how we all just need to put a 👍 on a message about doing a little domestic txrrxism to “take back our city”.

              I do not think mostly anybody should be planning “dangerous” actions (mainly due to lack of opsec and experience), but the writing is on the wall: whether you want to move the needle or just keep yourself safe, you need a cell, a gang, a cadre, not a big tent. Let a thousand gangs bloom. 🌺

  • darkcalling [comrade/them, she/her]@hexbear.net
    ↑31 ↓2 · 6 days ago

    Spy agencies typically used small cells to avoid one compromise destroying the whole network. Organizers should copy this with big broad directions from the top, broad basic cooperation across the group but specifics as much as possible localized to small in-person cells of less than 10 people who all know and trust each other (e.g. not randoms who claim to be interested in the cause who contact you online but people known to others in the group so if some known reactionary who was posting Trump memes all last year wants to join you say no).

    That and not using something that requires phone numbers which leads to network mapping and graphs which is what the NSA and CIA targeting have always cared about more than message content. Signal is compromised by US intelligence in the sense at least that it gives them maps of who is talking to who and associates them with real numbers they can connect to real identities thanks to phone company cooperation. Message content may be safe from broad collection but infiltration is still a problem. Not any good off the shelf solutions that don’t require hosting something or several somethings unfortunately that I’m aware of that aren’t equally suspicious as signal.

    • Forbo@lemmy.ml
      ↑10 · 5 days ago

      Bullshit. All they can see is if a phone number is registered to a Signal account. They get no visibility of social graphs. They publish the subpoena requests they are forced to comply with. Unless you have evidence proving otherwise, please retract your disinformation.

      https://signal.org/bigbrother/

      • plinky [he/him]@hexbear.net
        ↑9 · edited · 5 days ago

        What exactly does an outbound Signal message look like to an ISP? If it’s a burst to a central server with a known IP, social metadata is absolutely trivial to extract; if it’s peer2peer (which seems exceedingly unlikely with phones constantly swapping IP), only then do you have to do time correlation attacks, and it’s likely non-trivial to solve and easy to obfuscate. (P2P meshes also dodge direct inference of social connectivity, but I don’t think Signal functions that way.)

        Not that they would compromise a keyboard-encryption backdoor, if it exists, over something so trivial, but one shouldn’t just trust something on the say-so.

        • Forbo@lemmy.ml
          ↑4 · edited · 5 days ago

          https://signal.org/blog/sealed-sender/

          The original claim was about phone numbers disclosing social graphs, but now we’re getting into network traffic analysis for a global passive adversary and a compromised device?

          If you’re worried about traffic analysis use a mixnet like Nym. If you don’t trust your device, then get a device you trust.

          • plinky [he/him]@hexbear.net
            ↑2 · edited · 4 days ago

            No, it’s two claims: in front of the Signal servers and on your ISP’s side sits an NSA sniffing device (likelihood 99%), which can trivially reconstruct the social graph without specifically designed obfuscations on the server side (something like Nym, exactly, but for the Signal servers themselves, with random delays and obfuscatory traffic).

            The second claim is that all messages being encrypted doesn’t exclude the possibility of a keyboard input -> app internals middleman backdoor; likelihood of it existing unknown (hi, NSA), with a Pegasus infection 100% at least.

            Basically, you are fucked with a state adversary, and shouldn’t use a phone for anything not serving to appear normal, and while Signal can provide the necessary tools to message each other, you should assume it to be transparent and appearing in some court if things go wrong. (But crucially transparent to a very advanced adversary, not a bumblefuck from local police, so it’s not a call to rely on messages which are so trivial to intercept with SIM card duplication for 1k-5k bucks, and unencrypted for traffic interception.)

  • Chana [none/use name]@hexbear.net
    ↑31 · 6 days ago

    While Signal has substantial problems, to my knowledge this “tracking” has always been non-technical. It is having access to someone’s unlocked phone and therefore being able to see the messages on it. Most apps will have this kind of weakness, even high quality open source security ones, and most of the security weakness is social: don’t put things in a chat that would be bad news if it was screenshotted or leaked by a disgruntled or careless member. Infiltration is also possible but pissy babies and incompetence are more common. Don’t even put anything spicy on any chat unless it can be a one-way untraceable blast or something. Rely on irl face to face organizing as much as possible. It’s better anyways 99% of the time.

    • Jabril [none/use name]@hexbear.net
      ↑30 · edited · 6 days ago

      They invited the feds into their group chat. If you’ve ever been involved with any “big tent” organizing work, you know it doesn’t take much to get access to all the chats and files.

        • Chana [none/use name]@hexbear.net
          ↑8 · 6 days ago

          There is a way to avoid this: don’t use big signal group chats for any of these things. Use irl meetings, use one-way blasts, talk to people, put up posters. Large signal chats are usually pointless anyways, it ends up being full of pointless yammering by the least helpful people.

            • Chana [none/use name]@hexbear.net
              ↑10 · 6 days ago

              By having an organized structure where instructions are handed out by neighborhood captains to block captains, block captains to individuals, that sort of thing. I don’t want to reveal too much about how people do things in different areas, but I can tell you that these tactics are already in place in some cities and work *better* than the horizontalist group chat approach, although they are not mutually exclusive. If one person gets access to “the chat” without being vetted, their blast radius will most likely be contained to a block, as unvetted people don’t get to be neighborhood captains, etc etc.

              Nothing is perfect, so you use this containment and organizational structure to limit the impact and likelihood of failures.

              What we see with the big group chats etc is what happens when you are actually quite poorly organized, just taking your first stabs at it. It is what naturally happens when people don’t know what they are doing but organize organically, not understanding their threats or how to mitigate them, or cynically prioritizing any action at all over opsec because they do not have the capacity to organize properly. The latter basically sacrifices people for “the cause” and is more common than you might think.

              • hellinkilla [they/them, they/them]@hexbear.net
                ↑5 · 6 days ago

                Hmmm I notice they do have a role called “hyper local group messenger” perhaps that is like what you are describing. These screenshots are what he got after a few days of infiltration and he also mentions he was being followed around as a suspected ICE himself so presumably his cover was not very good and there could be more specific groups he didn’t get access to.

                They have some amount of regional sub organization:

                But you’re right if groups are reaching 1000 people it probably means things should be broken into smaller pieces.

                Do you really think being secretive about the org structure has any security benefit? Hopefully they do not rely on obscurity of structure as it’ll eventually be discovered by enemies, if not already.

                If your group has a better way than these MN people I hope it could be shared with them.

                • Chana [none/use name]@hexbear.net
                  ↑2 · 5 days ago

                  Yes, you should be secretive about org structure when the org is an active anti-fed tracking and disruption campaign (not even really an org). It isn’t hiding the structure of a communist org to its members, but rather the individuals who are part of the overall campaign. In reality, the people involved in the campaign are mostly not part of an org except in the most superficial of ways, doing assigned tasks, and cannot be expected to have either a political or tactical understanding to protect the wider group. Trainings are still essential, but this is not a cadre. You very strictly do not want all the “leaf” members of the org tree, community members, knowing the ins and outs of your org, let alone the active anti-fed campaign. They wouldn’t be able to do anything positive with it anyways. They can always talk to “nodes” a level up to increase their understanding and potential to become one themselves, a process that should have vetting.

                  Folks in Minneapolis are beginning to adopt better tactics over time, yes. They are more serious than in many other places.

                  To be clear, these organizing campaigns aren’t even just one org having a front org. They are a natural united front, made up of previously organized people and newly organized people, all figuring out how to work together with unified tactics. It is close to impossible to have a consistent cadre for something that is inherently ephemeral and so mixed. But it is a good development to have this greater level of hierarchical organization, as it will increasingly mean that this doesn’t need to be rebuilt every 2-3 years, it is no longer a temporary reaction, and we can think of it as part of an organization to join and build at any time.

          • SpookyBogMonster@lemmy.ml
            ↑3 · 5 days ago

            My understanding is that signal groups are pretty small. Like, block-by-block small.

            Sure, there might be a big one. But those small ones are where the nitty-gritty coordination is actually happening

        • Jabril [none/use name]@hexbear.net
          ↑5 · 6 days ago

          Yeah for the kind of spontaneous mass organizing they are doing, you are probably right. With relatively little effort, a well organized group could implement a system that makes it pretty preventable for anything important

    • bdonvr@thelemmy.club
      ↑26 · 6 days ago

      E2E encryption is great but it completely falls apart if an adversary gets ahold of one of the ends…

    • Abracadaniel [he/him]@hexbear.net
      ↑25 · 6 days ago

      Group chats are only as secure as their members, signal metadata (who’s messaging who) is not necessarily secure, and signal users are identifiable by their phone number.

  • Lussy [he/him, des/pair]@hexbear.net
    ↑13 · 6 days ago

    What the fuck is up with this dude’s brainworm? I give it 6 months tops before he’s fired and sent to some camp. Is he just trying to survive or is he really just beyond stupid and delusional?