WEBVTT

00:00.000 --> 00:23.740
What's up, everyone? So today, we're talking about what Signal just rolled out, which was their new secure backup feature, and everyone's kind of celebrating it like they've revolutionized privacy protection or something, and they're actually rolling it out as like an opt-in feature, basically, and it's an encrypted backup archive.

00:23.740 --> 00:36.820
And the free tier basically gets you all your texts plus the last 45 days of media with the paid tier that's like $1.99 or something per month.

00:37.020 --> 00:44.500
That gets you the full text, you know, plus older media up to like 100 gigabytes.

00:44.500 --> 00:55.100
And the first phase is Android beta only, and they're building a kind of centralized repository of user communications.

00:57.940 --> 01:08.380
Mull that over for a moment, like think about that solitary statement, like does that actually sound like a good idea to you?

01:08.380 --> 01:16.960
Now, before I go on, like the tangent, because that's bound to happen here, I love and I use Signal.

01:17.400 --> 01:25.220
And, you know, I have for years, I say years, that's what I mean. I'm not some like, you know, Signal hater.

01:25.740 --> 01:31.520
I also think that Moxie Marlin Spike is kind of a total badass.

01:31.520 --> 01:43.280
And if you know much about him, then you know he in fact very much is when he publishes paper that basically demonstrated SSL strip back, I don't know.

01:43.440 --> 01:49.000
I think he was in 09, probably wrong, but you know, whatever. Like, I was really amazed by that.

01:49.160 --> 01:57.360
I totally did not capture tons of unencrypted usernames and passwords with it back in the day.

01:57.480 --> 01:59.020
That's not a thing that actually happened.

01:59.020 --> 02:05.500
Now, I have another YouTube channel called all hacking cons, which is not monetized and it never will be.

02:05.980 --> 02:19.140
It's just a kind of a pet project that I set up to try to bring education around cybersecurity and information security by putting out other people's talks that are way more intelligent than me.

02:19.340 --> 02:20.540
He definitely qualifies.

02:20.540 --> 02:26.700
But basically, it's an archive of something like 20,000 plus videos currently.

02:27.760 --> 02:31.680
And in it, you know, you'll find his talks, they exist there.

02:31.980 --> 02:37.960
This backup system kind of stores your conversations on signal servers.

02:38.400 --> 02:46.900
And they say it's protected by like the 64 character recovery key that gets generated locally and stays locally according to them.

02:46.900 --> 02:54.300
Signal says that it never actually receives this key and that they can recover it if it gets lost.

02:54.940 --> 03:04.200
And signal claims that the stored backups are directly linked to your actual signal account or your payment records.

03:04.480 --> 03:13.520
And they use zero knowledge, you know, addressing similar to what they have in your with signal groups, metadata protections, basically.

03:13.520 --> 03:17.020
This brings the question, can you back up locally?

03:17.420 --> 03:20.020
And the answer to that is no, you cannot back up locally.

03:20.760 --> 03:26.320
But don't worry, they swear they can't actually access your data without this key.

03:26.660 --> 03:29.680
So that brings up another question.

03:30.140 --> 03:34.700
Should we actually just blindly trust them with this information?

03:34.700 --> 03:47.780
And I think this backup feature all in all is pretty much the point, which I'm going to push back on in regards to a few things here.

03:48.560 --> 03:56.420
And first, let's start with the absolute most basic kind of rudimentary thing that we can.

03:56.420 --> 04:05.480
And that's, you know, who actually made the announcement and pushed for this or made the announcement.

04:05.680 --> 04:11.660
I can't really say that he pushed for it because I don't have access to their internal communications.

04:12.100 --> 04:17.540
They claim to his users who pushed for this, which I have no doubt people said, hey, I want to be able to back up my data.

04:17.820 --> 04:18.800
That makes sense.

04:19.280 --> 04:22.980
Probably those people were assuming that it would be locally implemented first.

04:23.780 --> 04:24.060
Side issue.

04:24.060 --> 04:28.900
If we go back to the basics, the basics are who made the announcement post?

04:29.540 --> 04:31.760
And it came from Jim O'Leary.

04:33.160 --> 04:34.620
You know Jim, right?

04:35.260 --> 04:35.460
Right?

04:35.920 --> 04:36.520
You know Jim.

04:37.160 --> 04:41.600
Comment below if you know Jim or if you don't know Jim.

04:41.880 --> 04:45.380
Now, I personally did not know Jim.

04:45.500 --> 04:46.760
I was not aware of Jim.

04:46.760 --> 04:52.980
And this led me to my next question, which is, you know, who the hell is Jim?

04:53.740 --> 05:01.900
And that led me to look into Jim was and, you know, well Jim is Signals Vice President of Engineering.

05:02.260 --> 05:03.660
And it's not a new position.

05:03.820 --> 05:05.260
He's been there since 2009.

05:05.700 --> 05:16.260
But then I started looking into it and here's what kind of makes his background particularly interesting when we are specifically talking about him.

05:16.260 --> 05:20.940
In the context of this specific post that he actually made.

05:21.460 --> 05:26.440
So Jim spent four years at Twitter from 2011 to 2015.

05:26.800 --> 05:30.080
If you know much about that time that might be concerning to you.

05:30.580 --> 05:31.420
What did Jim do?

05:31.600 --> 05:43.860
Well, he was building account anomaly detection systems, which is essentially behavioral surveillance to track and flag quote unquote unusual user activity.

05:43.860 --> 05:53.480
Seeing that though, you know, kind of as a, hey, that's kind of weird, you know, when I was doing OSINT.

05:54.440 --> 05:55.680
I kept going, right?

05:55.820 --> 05:59.460
So like, oh, maybe that's just like, you know, one off after Twitter.

06:00.500 --> 06:03.320
He didn't go directly to signal, right?

06:03.400 --> 06:10.920
Instead, he kind of meandered around after his time at Twitter, he went straight to Facebook from 2015 to 2019.

06:11.280 --> 06:12.100
What did he do there?

06:12.100 --> 06:22.940
Well, he managed security teams of up to 30 people with a multimillion dollar budget during Facebook's worst privacy scandals.

06:23.340 --> 06:28.520
At Facebook, Jim coordinated something called privacy IMOX.

06:28.840 --> 06:38.400
And I have absolutely zero clue if that's how it's pronounced or if it's supposed to be pronounced something like IMOC's.

06:38.400 --> 06:41.240
But I'm really not sure.

06:41.240 --> 06:44.140
I'm pretty much committed to IMOX at this point.

06:44.460 --> 06:47.060
So that's the term that I'm going to go with.

06:47.820 --> 06:55.800
That term, however, like, however you want to say it is something that stands for privacy incident response teams.

06:56.460 --> 07:08.680
Now, consider the nature and position and think back about, you know, what was actually going on at or around that time on Facebook.

07:11.990 --> 07:21.380
Do you know, like this guy, according to that timeframe, and I want to phrase it like that for different legal reasons.

07:22.800 --> 07:33.620
This was the guy that was literally managing Facebook's damage control teams during things like according to the timeframe, the whole Cambridge Analytica scandal.

07:33.620 --> 07:46.100
And this is, you know, during like congressional hearings about privacy violations and during the VPN spying operation that Apple basically banned from their store.

07:46.380 --> 08:00.780
Every major Facebook privacy breach from 15 to 19, then it would be logical to assume actually went through, you know, Jim's incident response teams,

08:00.780 --> 08:03.880
especially because that was their focus was privacy, right?

08:04.520 --> 08:12.140
So in case you didn't actually catch that, you know, term teams was absolutely plural.

08:12.580 --> 08:18.260
So let's kind of walk through this and I'll try to paint you a more fuller picture here.

08:18.700 --> 08:29.480
Jim wasn't just like some random, you know, low level or high level engineer like this guy legitimately controlled multimillion dollar surveillance budgets at Facebook.

08:29.480 --> 08:35.480
His job included something called MNA security, which stands for mergers and acquisitions,

08:35.880 --> 08:54.520
which means when Facebook wanted to buy WhatsApp or Instagram to eliminate competition, Jim would evaluate how to basically absorb these companies and their user data into Facebook's kind of panopticon of Facebook surveillance

08:54.520 --> 09:02.000
that is basically a massive machine that, you know, continually generates revenue off the backs of its users.

09:02.340 --> 09:18.740
When Facebook ended up buying WhatsApp for like 19 billion in 2014 and spending years integrating it, he was most likely the one that was there making sure that Facebook could properly surveil those two billion new users.

09:18.740 --> 09:25.420
And when they acquired Instagram to control things like photo sharing, it was the same thing.

09:25.960 --> 09:32.800
His job was literally helping Facebook eliminate any kind of alternatives by absorbing them.

09:33.000 --> 09:34.580
Who actually cares about that?

09:35.040 --> 09:36.980
Well, like I said, it gets worse.

09:36.980 --> 09:50.980
Given the timeframe, he also most likely managed the security during Facebook's on of a privacy scandal, which related to a VPN, on of a VPN,

09:50.980 --> 10:06.700
which Facebook basically marketed as protecting users while secretly using it to spy on what apps teenagers were using, tracking competitors like Snapchat and TikTok at the same time.

10:07.340 --> 10:14.640
And when Apple ended up kicking the VPN off the App Store in 2018 for violating privacy rules,

10:15.380 --> 10:20.920
guess who's managing Facebook's privacy and security and compliance teams.

10:21.440 --> 10:30.260
Jim was, according to the timeline, he literally oversaw a fake privacy tool that was actually a surveillance weapon.

10:30.720 --> 10:34.680
Now, let's think hard about this, right?

10:35.560 --> 10:40.500
Does any of that actually sound familiar to you, right?

10:41.140 --> 10:44.760
A privacy tool that's actually surveillance.

10:46.160 --> 10:54.780
It's an interesting question because there's been quite a few of them, but now we see he's building signals secure backups.

10:54.780 --> 11:05.780
And again, this is a guy who spent eight years in total between Twitter and Facebook, the two companies that perfected behavioral surveillance,

11:06.740 --> 11:14.800
arguably, and data monetization before becoming Signals VP of Engineering in October of 2019.

11:15.200 --> 11:17.080
The timing is just absolutely incredible.

11:17.080 --> 11:22.960
He left Facebook right after Zuckerberg's whole privacy focused vision.

11:23.120 --> 11:32.260
Remember that whole deal that he had where he had this complete 180 and was really 180, but you know, you don't know what I'm talking about.

11:32.660 --> 11:42.840
It was this big announcement that was back in March of 2019, which just kind of kicked off this kind of insult to injury thing.

11:42.840 --> 11:57.000
And it was right after the FTC had a record $5 billion fine, right when Facebook was under the maximum amount of privacy scrutiny, basically.

11:57.000 --> 12:12.900
He went from building Twitter's anomaly detection systems to managing Facebook's privacy incident coverups and surveillance acquisitions to running signals engineering.

12:13.880 --> 12:23.560
And you know, the revolving door between surveillance capitalism and privacy organizations really couldn't be any more obvious to anyone paying attention.

12:23.560 --> 12:32.780
So, you know, that's kind of it. It's just it's crazy how there are such crazy parallels to actually uncover out there.

12:32.960 --> 12:39.160
Also, like when I said that said, I wasn't talking about Jim, like, it still gets worse.

12:39.520 --> 12:48.440
He also worked at Microsoft's Health Solutions Group, where he was the first security engineer for health of all where according to them,

12:48.440 --> 12:54.340
they were architecting from scratch how to centralize and store your medical records.

12:54.600 --> 12:57.620
And he built security for medical devices.

12:58.020 --> 13:10.480
Basically the code that runs in devices, monitoring your heartbeat, your blood sugar, you know, you're most like, you know, intimate health data is what he worked on.

13:10.480 --> 13:17.940
And he also found vulnerabilities in these systems after leaving Microsoft in 2011 and 2015.

13:19.620 --> 13:30.080
Meaning he either, you know, had backdoor knowledge or the systems were so broken that external reviews basically revealed flaws.

13:30.700 --> 13:37.020
Now, dude had monitoring users kind of down to a heartbeat, you know, right.

13:37.720 --> 13:41.640
So, look at the pattern that's across his entire career.

13:41.960 --> 13:52.200
At Microsoft from like 04 to 11, he basically built centralized health surveillance during the push for electronic medical records, right.

13:52.500 --> 14:04.420
And at Twitter from 2011 to 2015, he built behavioral anomaly detection during the hour spring when governments were, you know, clamoring

14:04.420 --> 14:07.380
and just desperate to track protesters.

14:08.120 --> 14:10.500
And thanks to the Twitter files, we know a lot about that.

14:10.740 --> 14:23.460
But at Facebook from 2015 to 2019, he managed privacy violations during the Cambridge Analytica GDPR and congressional investigations.

14:23.460 --> 14:35.240
Now, like every single position involved centralizing sensitive data during periods of maximum surveillance expansion.

14:35.640 --> 14:47.020
Jim launched Twitter's bug bounty program, which sounds really good, right, until you actually realize that a lot of times these programs serve to actually privatize vulnerability discovery

14:47.020 --> 14:57.180
and kind of keeps exploits quiet through financial incentives, which a lot of the time makes it so that you just spend money and they don't actually have the fixed stuff.

14:57.420 --> 15:06.000
So you're going to see it as going away versus kind of the immediate public disclosure that I'm more of a fan of.

15:08.000 --> 15:17.180
Which is like, yeah, we know like anyone who was on breach forums probably can be like, yeah, that makes sense.

15:17.520 --> 15:28.840
But at Facebook, he ran their bug bounty, you know, like with a multimillion dollar budget and again, these this huge team of people.

15:29.480 --> 15:35.500
And it's kind of the same playbook with this guy just different surveillance companies, right.

15:35.500 --> 15:45.860
He rewrote Twitter's production login systems that in turn was used to track every authentication event specifically for behavioral analysis.

15:46.340 --> 15:56.980
He managed Facebook's AVVR security for like their metaverse surveillance ambitions, which I'm sure were super creepy like mapping out houses and stuff.

15:56.980 --> 16:12.960
But now he's implementing signals backup authentication system using the same type of architectural principle, which is from, you know, what we see centralized management, right.

16:13.320 --> 16:20.080
Like if you notice in the actual blog post, there's no real concrete technical details.

16:20.080 --> 16:31.680
There's pretty much just, you know, a bunch of trust us bro kind of nonsense BS that links to impart their groups.

16:32.480 --> 16:33.640
That's pretty much it.

16:34.260 --> 16:44.680
You know, for a guy that's been entrenched in the anti privacy scene, by and large, that's kind of what he's a crusader of and so wrapped up in tech companies.

16:44.680 --> 16:51.100
You know, he sure wasn't very technical or descriptive for a VP of engineering.

16:52.000 --> 17:03.880
And again, like real quick, just before I move on, like, I just want to reiterate like I do you signal like, and that's why I'm making this video is because that's why it's an issue.

17:03.980 --> 17:13.460
We as the users, you know, should absolutely voice our opinions on what we believe is a problem or could be a problem or is an issue.

17:14.180 --> 17:17.980
And not only do I use it, but like I like it, I actively like it.

17:17.980 --> 17:27.560
It's something that like I do suggest, especially to, you know, the normies that are out there, because it's better than just plain text messaging.

17:27.880 --> 17:35.000
Obviously, and it's clean, it's got a nice UI, it's got great UX, like, you can just open it up and it's and you're fine with it.

17:35.000 --> 17:38.720
There's no real hard configuration or anything, right.

17:38.720 --> 17:40.040
It's on x amp, right.

17:40.360 --> 17:45.420
You know, something that's that's going to require multiple steps in parallel.

17:46.320 --> 17:52.720
And I think discussions and information like this should be things that we're having and it should be things that are readily available to the public.

17:52.820 --> 18:00.780
These are the kind of discussions that I think we should be having in regards to software companies, whether they're, you know, FOS or whatever.

18:00.780 --> 18:10.000
Like it's not just the code that, you know, we're running, but it's also the people that like are literally overseeing the code.

18:11.060 --> 18:22.040
That also matter in my opinion, in the equation that we look at when we look at these kind of things like and signal is, you know, not without its own issues, though.

18:22.160 --> 18:24.880
And that's, you know, something that we should also touch on, right.

18:24.880 --> 18:39.220
Like so, for example, their desktop database encryption key, right, stored in plain text since 2018, only fixing it later on in July of 2024, after there's a ton of public scrutiny.

18:39.720 --> 18:42.880
And I remember when this was happening, people like, Oh, are you going to make a video on it?

18:43.080 --> 18:45.160
I just I didn't because I had a ton of stuff going on.

18:45.160 --> 19:01.180
But, you know, basically signal at storage or encryption keys in plain text on desktop systems, which was a vulnerability that security researchers had been kind of screaming about for like six years or something.

19:01.660 --> 19:14.280
Like any malware with any kind of like basic file access permissions could absolutely grab these keys and decrypt your entire message history, really without breaking a sweat.

19:14.280 --> 19:29.460
And when confronted about this very issue, you know, the kind of gaping security hole that existed, signal support just kind of said that the database key was never intended to be secret.

19:31.540 --> 19:42.640
And that was a big issue for me because the company that kind of markets itself as the gold standard of secure messaging, you know, admits their encryption keys,

19:42.640 --> 19:50.380
whatever meant to be secure. It's kind of an issue and it's kind of an oxymoron that I really did not like.

19:52.020 --> 20:02.640
Also, aside from all that, you should use simple x like I just want to inject that, you know, go Google it, look it up, start page it, whatever, you know, check it out.

20:02.640 --> 20:15.100
But the vulnerability sat there for six years, while signal collected donations from privacy conscious users who believed their messages were in fact protected.

20:15.460 --> 20:24.260
And this is exactly the kind of thing that blind trust ends up creating, which is why I'm always harping about don't trust verify.

20:24.740 --> 20:30.400
It's the if you get one thing out of this channel, get that from it, you know, don't trust anyone, including me.

20:30.400 --> 20:34.780
Don't trust me either, like, go look this stuff up and prove me wrong.

20:34.860 --> 20:35.940
I love to be proven wrong.

20:36.120 --> 20:39.060
Because at the end of the day, I learned something when that happened.

20:39.100 --> 20:40.000
So I have no issue with it.

20:40.860 --> 20:44.440
Anyways, signal did end up actually shipping the fix.

20:45.400 --> 20:59.680
Immediately following a, we'll call it like a high profile flare up on X that were, you know, basically revived the whole issue and set it on fire with propane.

21:00.120 --> 21:09.240
And it took kind of a billionaire to actually do so in order to get them off their asses to do something about this.

21:09.240 --> 21:23.080
And the signals president Meredith with a taker basically tried to gaslight everyone by claiming that if an attacker has device access that no app can protect your data.

21:23.740 --> 21:29.500
And I found a really kind of condescending and retarded.

21:29.500 --> 21:40.600
Like, it's kind of no different than claiming that viruses are bad or that the sun is bright or that snow is white.

21:41.160 --> 21:56.240
Like, like saying a random fact does not prove a separate point, like, you know, intentionally allowing a severe issue like this to go on for half a decade.

21:58.080 --> 22:13.680
And, you know, you've known about it this whole time and then citing some dumb ass hypothetical access to a hypothetical computer that a hypothetical attacker hypothetically has

22:15.660 --> 22:26.980
is just not a reasonable counter to a real problem that actually exists for millions of people on software that your company makes, right.

22:27.520 --> 22:39.060
And all the while the VP of engineering who should have fixed this years ago was busy implementing new features to centralize data into a subscription model.

22:39.060 --> 22:47.300
Instead of securing existing real world security issues, which I personally would rather see them do.

22:47.600 --> 22:58.200
I would rather see you make your software secure than give us centralized backups by, you know, Mr. Social Media.

22:58.980 --> 23:13.500
Like, and this goes beyond that too, because like we have like commercial forensics that can absolutely decrypt and parse signal databases from, you know, seized or unlocked devices

23:13.500 --> 23:21.440
by basically extracting keys from the iOS keychain and then opening the signal SQL light store.

23:21.440 --> 23:35.860
And that's, you know, also trying to true for other messengers, but basically that's post endpoint compromise, not a break of end to end encryption, which is completely different.

23:36.020 --> 23:47.700
But it shows how easily signals data becomes accessible once a device is in law enforcement hands, which the other side issue is why you should use Graphene OS.

23:47.700 --> 23:50.600
Look it up. And I should do a whole video on that too.

23:51.040 --> 23:59.000
Basically anyone who says that they dislike it, you know, I would do an OS and an investigation on that, because it probably a Fed.

23:59.400 --> 24:12.980
That's a side issue. Academic work has basically shown that, you know, full database media and log decryption on like devices that have been seized.

24:13.640 --> 24:20.920
Any type of, you know, phone really except for for what I've seen a lot of the Graphene OS devices.

24:21.060 --> 24:28.820
That's why I mentioned them earlier is possible via reverse engineering the apps actual crypto workflow.

24:29.580 --> 24:34.100
For example, celebrate announced that they cracked signal.

24:34.620 --> 24:39.080
They weren't actually breaking the was a very important distinction.

24:39.080 --> 24:47.620
Instead, they were kind of just simply copying the unprotected database files that signal leaves accessible.

24:48.500 --> 24:52.220
That's it. So it really wasn't like some amazing thing, but researchers from.