@navi xD I read the other day that the Nokia N900 had such big capacitors they you could do a live battery swap
e-sydb
I toot everyday, mutual interactions welcome <3, I love cooking and tinkering, tell me about your special interests⚧️
In case you are having a bad day. How about you enjoy this A+ performance of someone playing the Celtic instrument "carnyx"?
what if we made wayland run in the init process already?
@plom Also Johan Sebastian Bass, not Bach :'D
Update: CN gore for the video (I only knew the music until now)
https://www.youtube.com/watch?v=Z3vgYg1pWVA
@leah when I was a kid and first started using Linux, I really was amazed I could copy the text from almost all GUI elements - it really felt that this is how it should be :'D but that's gone again (I guess with special screenreader devices one could extract a lot of UI texts)
@lnl That feature is implemented through
https://www.electronjs.org/docs/latest/api/safe-storage
which isn't documented by Signal at all; worse, Signal doesn't warn you when it's in "Basic" mode. In combination with depending on `safeStorage`, which is a spoiled implementation
Other issues with "when the key(s with password-store) is extracted" remain. An attacker shouldn't be able to run a second authenticated client in parallel without any visual indicator that this is happening (or why you aren't receiving messages).
@rugk > is not signal here
Sorry, but the real issue is Signal; it's bad that you can spawn a second client that takes over the other client's key material, silently blocking the main one from receiving messages. What you're trying to solve is an entirely different one - and I'm not only talking about Linux.
@fisk might even be partially solvable with more documentation, for example what to do/consequences if a computer was accessed by an untrusted party. I've had someone reaching out to me to help after a breakup before, it's really tough for less technical people to navigate those things.
@fisk yeah true - signed executables etc. are really missing.
I think I just wish it would make it obvious if someone is trying to run a second Signal instance with the same keys.
And of course I also find Signal's organization occasionally a bit hypocritical. On the one hand they are extremely critical towards others, but in parallel some of their security posture is definitely dangerous. Threats like "my ex partner had access to my computer and copied the `.config/Signal` folder" are valid
@fisk That would be nice. I've spawned one client and duplicated the contents of the Signal config folder.
Spawned a second client, then closed the first one.
The client that has started the earliest takes over control.
Now after like ~12 hours, starting the second one (closing the first one) has no previous messages, but is able to send/receive messages. (Interestingly with an error message).
Not sure when/how the double ratchet would take effect on newly sent messages.
@david_chisnall Thanks for taking time to create your write-up. I'm well aware of everything you're saying. If you check the thread, I've linked someone showcasing a POC for example Yubikey integration.
As I said, my criticism is that Signal's President, in my linked talk, is explaining that Microsoft Recall had exactly the same shortcoming as Signal Desktop (data basically easily extractable) - but Signal doesn't.
Protecting against key-duplication is nearly impossible, safeguards certainly are.
I've just replicated this exact scenario on a recent version of Signal Desktop on Linux.
Full write-up of the issue
https://cryptographycaffe.sandboxaq.com/posts/protecting-signal-desktop-keys/
Really enjoyed @Mer__edith and Udbhav Tiwari at #39C3
https://media.ccc.de/v/39c3-ai-agent-ai-spy
But @signalapp should please become resilient against scenarios outlined during the talk!
Currently malware can copy #signal `~/.config/Signal`. An attacker can run a second client; if the user goes offline, the attacker receives all messages - with no indicator that this is happening.
If both are online, there is no warning towards the user; worse, the user will receive no future messages.
@fluepke fun that this seems to be a recurring issue over the years :D
https://www.reddit.com/r/signal/comments/1im4nxi/mac_desktop_app_turning_on_mic/