OK, here is some additional info about the TeleMessage thing found by somebody on Bluesky:
- The hard-coded credentials are used to encrypt the collected logs.
- They seem to be "encrypted" in a passworded archive (ZIP?). Not sure; I'm not familiar with Kotlin.
- They are uploaded to a PostgreSQL database on a server in Israel.
- The database is accessed by subscriber e-mail and PIN.
- The site has been purged, which probably means that at least until the app is updated, the US government communications via Signal are no longer logged, as required by law.
I still wouldn't call this a "backdoor" but definitely poor security practices:
- Hard-coded credentials, duh.
- ZIP legacy encryption is vulnerable to known-plaintext attacks.
- Storing sensitive info on a server in a foreign country is bad - not because you can't trust the company but because you have no control of its security. What if an employee runs an info stealer and the admin password to the database gets leaked? The US government has a secure cloud, why not use that?
Link to my conversation with the person who found this:
https://bsky.app/profile/vure.bsky.social/post/3loe5irieck22
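
Added example, not part of the original post or of the app's code: if the collected logs are indeed ZIP archives, a check like this reports which encryption scheme each entry uses, since the known-plaintext weakness mentioned above applies to the legacy PKWARE cipher (ZipCrypto) and not to WinZip AES entries. The sample archive, the entry name `app.log` and the helper `constructed_sample` are constructed for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001          # general-purpose flag bit 0: entry is encrypted
STRONG_ENCRYPTION = 0x0040  # bit 6: PKWARE strong encryption
AES_METHOD = 99             # WinZip AE-x marker in the compression-method field


def classify(info):
    """Name the encryption scheme recorded for one ZipInfo entry."""
    if not info.flag_bits & ENCRYPTED:
        return "none"
    if info.compress_type == AES_METHOD:
        return "winzip-aes"
    if info.flag_bits & STRONG_ENCRYPTION:
        return "pkware-strong"
    return "legacy-zipcrypto"  # traditional cipher: the known-plaintext case


def audit(archive):
    """Map entry name -> scheme. Reads only the central directory, no password needed."""
    with zipfile.ZipFile(archive) as zf:
        return {info.filename: classify(info) for info in zf.infolist()}


def constructed_sample(flags=0, method=None):
    """Constructed test data: a one-entry in-memory archive whose central
    directory header is patched so the entry is *labelled* as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app.log", b"constructed log line\n")
    raw = bytearray(buf.getvalue())
    cd = raw.find(b"PK\x01\x02")  # central directory file header signature
    old_flags, old_method = struct.unpack_from("<HH", raw, cd + 8)
    struct.pack_into("<HH", raw, cd + 8, old_flags | flags,
                     old_method if method is None else method)
    return io.BytesIO(raw)


if __name__ == "__main__":
    for label, sample in [("plain", constructed_sample()),
                          ("legacy", constructed_sample(ENCRYPTED)),
                          ("aes", constructed_sample(ENCRYPTED, AES_METHOD))]:
        print(label, audit(sample))
```

`audit()` also accepts a file path, so it can be pointed at an archive pulled from a device or a build pipeline to flag any entry still using the legacy cipher.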