Welcome to Your Password Sucks, the Daily Dot newsletter that answers all your internet security-related questions.
Today, we’ll discuss how to use Signal’s group chat feature without exposing your private information the way President Donald Trump’s advisors did.
If you’re at all interested in online security, and even if you aren’t, you undoubtedly heard about the Trump admin’s Signal chat fiasco.
The other week, Jeffrey Goldberg, the editor-in-chief of the Atlantic, was accidentally added to a Signal group chat where everyone from Secretary of Defense Pete Hegseth to Vice President JD Vance discussed an impending attack on Yemen’s Houthi rebels.
Long story short, the administration responded to the unprecedented blunder by simultaneously confirming and denying it, before ultimately concluding that it wasn’t a big deal.
In reality, the information shared in the chat would have been classified, making the accidental inclusion of an outside party a major security disaster. So what could the administration have done to avoid such an issue?
For starters, they should not have used Signal. Yes, Signal is the gold standard for end-to-end encrypted communications, so don’t buy the claims that it’s vulnerable.
How to avoid the Trump administration’s Signal mistakes
But Signal is designed to protect your messages from being intercepted while they travel from your phone to a recipient. If your phone gets hacked, a very likely possibility for the people in that chat group, then the decrypted chats stored on your phone will be available to the attackers. And if you add someone to a group who isn’t supposed to be there, encryption won’t help you either.
But the administration could have done one thing to avoid this mess: Use compartmentalization, which involves dividing information and access into distinct segments to minimize the risk of unauthorized disclosure.
Reporting suggests that some members of the group were using both their personal phones and work phones to access the chat. By doing so, they made their attack surface even larger. Had members of the group used separate Signal accounts, one for discussing business with other administration officials, another for communicating with journalists, and another for personal use, this never would have happened.
Granted, setting up multiple Signal accounts or using multiple devices isn’t always practical or fun (believe me, I know). And as we stated before, they shouldn’t have been using a commercial phone app to chat about war plans regardless.
To be fair, there are phones that will let you run multiple profiles and Signal accounts at once, all with different usernames and phone numbers. But that’s a discussion for another day (feel free to ask if you’d like to learn more in a future column!).
But in this scenario, relying on the same phone you use to gossip with friends to discuss classified kinetic action by the most powerful military in world history isn’t smart.
Another Signal feature
One other feature worth mentioning, although it may not have helped in this case, is safety numbers: codes that are unique to each of your Signal conversations.
On Signal, if you tap a user’s profile picture in your inbox, you should see an option that says “View safety number.” When you tap it, you’ll see a QR code with 12 rows of five-digit numbers below it.
Essentially, you want to confirm with the recipient that the collection of numbers on their screen matches what’s shown on yours. The easiest way to do this is in person by scanning the QR code on your recipient's phone.
And if you can’t do it in person, have the person send you a copy-and-pasted version of their safety number, or a screenshot, from an account that you know they control.
Once you both confirm that you’re seeing the same codes, you and the recipient will have a “Verified” check mark badge under your names in your conversation. If you or the person changes your phone number or begins messaging from a new device, you’ll get an alert that their safety number has changed. If that happens, you’ll want to confirm it’s them and re-verify the new safety numbers.
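As an added illustration (not code from the Daily Dot or from Signal itself), here is how the 60-digit safety number is built under the open-source libsignal numeric-fingerprint scheme as I understand it: each side’s identity key and stable identifier are hashed with SHA-512 5,200 times, the first 30 bytes of the result become six five-digit groups, and the two halves are joined in sorted order so both phones display the same twelve groups. The identity keys and identifiers below are constructed sample values, not real Signal material.

```python
import hashlib

FINGERPRINT_VERSION = 0   # version prefix used by libsignal's numeric fingerprint
ITERATIONS = 5200         # hash rounds; makes forging a chosen prefix expensive
CHUNK_MODULUS = 100000    # each 5-byte slice is reduced to a five-digit group


def _fingerprint(identity_key: bytes, stable_id: bytes, iterations: int = ITERATIONS) -> bytes:
    """Iterated SHA-512 over version || identity key || stable identifier.

    Every round re-appends the identity key, so a new key (new device or
    re-registration) changes every digit of the resulting safety number.
    """
    h = FINGERPRINT_VERSION.to_bytes(2, "big") + identity_key + stable_id
    for _ in range(iterations):
        h = hashlib.sha512(h + identity_key).digest()
    return h


def _display_half(fp: bytes) -> str:
    """First 30 bytes of the digest -> six five-digit groups (30 digits)."""
    return "".join(
        f"{int.from_bytes(fp[i:i + 5], 'big') % CHUNK_MODULUS:05d}"
        for i in range(0, 30, 5)
    )


def safety_number(my_key: bytes, my_id: bytes, their_key: bytes, their_id: bytes) -> str:
    """60-digit safety number. Both parties get the same string because the
    two 30-digit halves are concatenated in lexicographic order."""
    mine = _display_half(_fingerprint(my_key, my_id))
    theirs = _display_half(_fingerprint(their_key, their_id))
    return mine + theirs if mine <= theirs else theirs + mine


def format_for_display(number: str) -> str:
    """Twelve five-digit groups, the way the app shows them under the QR code."""
    return " ".join(number[i:i + 5] for i in range(0, 60, 5))


# Constructed sample inputs: 33-byte serialized public keys (0x05 type prefix
# followed by 32 key bytes) and phone numbers standing in for stable identifiers.
ALICE_KEY = bytes([0x05]) + bytes(range(1, 33))
BOB_KEY = bytes([0x05]) + bytes(range(33, 65))
ALICE_ID = b"+14155550100"
BOB_ID = b"+14155550199"

if __name__ == "__main__":
    print(format_for_display(safety_number(ALICE_KEY, ALICE_ID, BOB_KEY, BOB_ID)))
```

Because the number is symmetric, comparing it on both phones (or scanning the QR code) is enough to confirm that neither side is talking to a substituted identity key; a changed number after a device switch is exactly the alert described above.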
Had Trump’s advisors practiced compartmentalization, the journalist wouldn’t have been in the chat. And by verifying everyone’s safety numbers, they would have seen, had they checked, whether everyone in the chat was legit.
While it remains to be seen whether the Trump administration will step up its operational security practices, hopefully these tips help someone out there.
The post How to avoid the Signal mistakes the Trump administration made appeared first on The Daily Dot.