Notices by Martin (mshelton@mastodon.social), page 2

You can always change the username later. It's important to know that the username is just for beginning a conversation, and not the same as the display name someone sees in the chat. More on all the Signal identifiers here: https://freedom.press/digisec/blog/signal-identifiers/

Okay, so you're using @signalapp for encrypted messaging. Cool. It's a good time to use usernames instead of a phone number to talk to people. That and lots more about how to make the most of Signal's security features in here: https://freedom.press/digisec/blog/locking-down-signal/

Signal's new "call links" feature has important implications:
- This makes it easier to start a call with other users (including strangers)
- You don't have to give away your identity to anyone in conversation
- Again, this all underscores the need for trusted networks, and vetting who is included

Signal now supports an option to send links to calls. This could be a very big deal, because you don't even need to join a group chat to join a call any more. https://signal.org/blog/call-links/

End-to-end encryption only helps if you are talking to people who you trust. The "ends" — the devices used by people in conversation — really need to be trustworthy. Keep those devices up to date, and take seriously the relationships you're going to include in these conversations.

I don't really have any words that can meet this moment. One small thing I can offer is digital security assistance to people at risk. Most of my experience is supporting journalists and media activists with security. If this in any way overlaps with your needs, reach out: https://mshelt.onl/contact.html

This interview with @mmasnick and Don McGowan, a former NCMEC board member, is eye opening. McGowan talks about the board's political alignment and connects this to its selective attention when it comes to its safety efforts. It's a pretty damning interview. https://www.techdirt.com/2024/08/08/the-many-reasons-why-ncmecs-board-is-failing-its-mission-from-a-ncmec-insider/

The AT&T breach underscores the importance of being mindful of call and text metadata — something Signal handles much better than traditional phone calls and texts. Unlike your telecom provider, Signal doesn't retain logs of your calls and texts on their servers. Your activities are stored on your device and with anyone you speak to. https://freedom.press/training/signal-beginners/

If you're a journalist who used AT&T between May 1-October 31, 2022, you're going to want to revisit your call and text history from that time and see which of your sources you were communicating with. These records have been improperly secured by AT&T. https://www.usatoday.com/story/tech/2024/07/12/att-data-breach-who-affected-what-to-do/74379292007/

I like how Elon's own community notes fact check him on @signalapp.

No one's going to respond more effectively than @Mer__edith, so if you want to learn more, just read Meredith's post: https://twitter.com/mer__edith/status/1787958712595784166

The founder behind @mozilla's data broker removal service… Apparently runs data broker sites?

"The data privacy company Onerep.com bills itself as a Virginia-based service for helping people remove their personal information from almost 200 people-search websites. However, an investigation into the history of onerep.com finds this company is operating out of Belarus and Cyprus, and that its founder has launched dozens of people-search services over the years." https://krebsonsecurity.com/2024/03/ceo-of-data-privacy-company-onerep-com-founded-dozens-of-people-search-firms/

In response to username changes, we've also made some small updates to our guide on setting up a secondary Signal account.
- We try to help people decide if this guide addresses their specific need for a secondary account, or if usernames are sufficient for their needs.
- We no longer recommend an iPod Touch because it has been discontinued, and we encourage people to use devices that have long-term security updates. https://freedom.press/training/secondary-signal-account/

- Updated our guide to locking down Signal in response to some of the new username and phone number privacy changes
- We also made some cosmetic changes because Signal's UX has changed somewhat. E.g., they updated the UI in safety number verification; removed disappearing messages and verification from the three-dot menu on Android

Check it out: https://freedom.press/training/locking-down-signal/

In response to Signal's username changes, we've updated our guide to sharing sensitive leaks with the press. https://freedom.press/news/sharing-sensitive-leaks-press/

Via @mmasnick: cybersecurity training and alleged "hack for hire" firm, Appin, has a history of attempting (sometimes successfully) to silence journalism about the firm with legal threats. It seems to be backfiring. https://www.techdirt.com/2024/02/01/sorry-appin-were-not-taking-down-our-article-about-your-attempts-to-silence-reporters/

Reminder: At @freedomofpress we wanted to stress test security keys, so we ran over a bunch of them… Among other things. https://freedom.press/training/blog/security-keys-meet-real-world/

Nice. @maxeddy at Wirecutter / @nytimes did a good writeup on recommended security keys. Spoiler: Yes, the top picks are USB Type-C and NFC-friendly YubiKeys. https://www.nytimes.com/wirecutter/reviews/best-security-keys/

"A fake version of the private messaging app Signal has found a way onto Google Play and appears to be linked to a Chinese spy operation, researchers claimed on Wednesday." https://www.forbes.com/sites/thomasbrewster/2023/08/30/malicious-signal-app-planted-on-google-play-by-china-linked-cyber-spies/

New topics-based behavioral ads in Chrome just dropped, and it's enabled by default.

If you use Chrome and want to disable new ad settings click the three-dot menu at the top right corner > Settings > Privacy and Security > Ad privacy.