"Tool allows stealthy tracking of #Signal and #WhatsApp users through delivery receipts"
cyberinsider.com/tool-allows-s…
Another privacy vulnerability caused by the dependency on phone numbers.
In #ArcaneChat (and other #chatmail clients like #DeltaChat) you don't need a phone number (or any private data at all!) to register, so such attacks are simply impossible. Keep your family safe: join arcanechat.me
Tool allows stealthy tracking of Signal and WhatsApp users through delivery receipts
A new tool named Device Activity Tracker exposes a privacy flaw in WhatsApp and Signal that lets attackers covertly monitor user activity.
Alex Lekander (CyberInsider)
David Chisnall (*Now with 50% more sarcasm!*)
in reply to ArcaneChat • • •When you post something about a vulnerability in another messenger and completely misrepresent it, in a way that implies that you don’t understand the cause of it at all, it gives me no confidence in your system.
The root cause is nothing to do with phone numbers. It depends on two things:
If you actually wanted to convince people your system was better you would:
Email-based flows tend to not be vulnerable to this kind of attack because they do most of the processing on the server, so you’d only be able to probe the server. But you wouldn’t bother because email has so little metadata protection that you don’t need to bother with an attack like this. From what I know of DeltaChat’s group chat protocol, I suspect there is a way of triggering a similar attack by sending broadcast invalid messages and timing the error response. If you really wanted to convince people that your system is better, you’d show a security analysis that explains why I’m wrong, rather than just say ‘I don’t understand this attack but the researchers who published it didn’t bother trying to attack the protocol I use and so I’m sure it is secure!’ That is exactly the attitude to security that makes me distrust DeltaChat.
Oh and before anyone jumps in with anything about XMPP: this attack is completely trivial on XMPP. Send an invalid iq stanza to the client’s bare JID and time the response. And this is impossible to fix without redesigning the protocol because unknown iq stanzas must be forwarded to the client to enable future extension and clients must respond with errors.
ArcaneChat
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •
David Chisnall (*Now with 50% more sarcasm!*)
in reply to ArcaneChat • • •So there is no way for anyone to use a public identifier like an email address or similar to reach you?
What do you put on business cards or similar if you want people to contact you? An invite link?
ArcaneChat
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •#DeltaChat is for private chatting, so you normally don't put your link anywhere publicly. You could create a dedicated profile for public interactions though, which, unlike in Signal, is super easy to do, and you can have as many as you want.
And notice the use case I am talking about here is family chat, not business and public interactions; that is why I said "keep your family safe". I am talking about a family chat solution here.
David Chisnall (*Now with 50% more sarcasm!*)
in reply to ArcaneChat • • •Okay, so your use case for 'private chatting' excludes journalists publishing contact information for whistleblowers? It excludes union organisation? It excludes protest organisation?
I guess that's fine, but maybe don't claim to be operating in the same space as Signal then.
Then you need to learn about the concept of an anonymity set. If you have one mechanism for talking to your family and another different one for talking to your union rep, it's really easy for a passive adversary to track when you suddenly start using a different mechanism for high-value conversations.
Delta Chat (39c3)
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •@david_chisnall
What kind of passive adversary are you talking about here? Server, provider, global?
Identifying whether you are using this or that chat profile is not necessarily trivial, especially since the 2.33 releases which introduced multi-relay profiles. A single chat profile can jump between using different relays/hosts.
FWIW we share the recommendation of @arcanechat to split between a public profile (invite link published etc.) and private ones (no publishing).
ArcaneChat
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •> Okay, so your use case for 'private chatting' excludes journalists publishing contact information for whistleblowers? It excludes union organisation? It excludes protest organisation?
> I guess that's fine, but maybe don't claim to be operating in the same space as Signal then.
The ArcaneChat slogan is "private chats for the family". I don't get why you jump angrily into my thread to attack; I never said anything about "whistleblowers" whatsoever. Please, calm down 😅
ArcaneChat
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •@david_chisnall
> rather than just say ‘I don’t understand this attack but the researchers who published it didn’t bother trying to attack the protocol I use and so I’m sure it is secure!’ That is exactly the attitude to security that makes me distrust DeltaChat.
I don't understand why you seem so upset. #DeltaChat has received several REAL PROFESSIONAL INDEPENDENT security audits, all listed here: delta.chat/en/help#security-au…
Can you provide a similar list of REAL security audits for Signal?
Delta Chat: FAQ
delta.chat
David Chisnall (*Now with 50% more sarcasm!*)
in reply to ArcaneChat • • •Because you're spreading misinformation to score marketing points and spreading misinformation about secure messengers gets people killed.
So, none after this particular class of attack was discovered and therefore none that include this in the threat model?
Delta Chat: FAQ
delta.chat
l
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •The attack class is not really new though, for Signal "delivery receipts" it is known that they can be used to track when devices get online since at least 2018: anarc.at/blog/2018-07-27-signa…
It is also very similar to the "Silent SMS" problem.
Concerns with Signal receipt notifications
anarc.at
Delta Chat (39c3)
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •Prevent silent probing of device online status
link2xt (GitHub)
Mikalai
in reply to Delta Chat (39c3) • • •I like the QR code "Scan to chat with adb".
I just type "adb --help" in the terminal 👀
Mikalai
in reply to Delta Chat (39c3) • • •Delta(s). Your design, the separation of chatting logic from transport, is what will allow overcoming these observation and correlation constructions.
You can swap to a different transport, like ASMail from the 3NWeb set; it is web-style federation, reducing metadata on servers and correlations between servers.
And then clients and servers may sit on a mixnet, like Nym (say hi to them at 39c3).
l
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •support.delta.chat/t/careless-…
Careless Whisper on DeltaChat
Delta Chat
David Chisnall (*Now with 50% more sarcasm!*) reshared this.
l
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •@david_chisnall
Re XMPP:
> And this is impossible to fix without redesigning the protocol because unknown iq stanzas must be forwarded to the client to enable future extension and clients must respond with errors.
I guess the client can still pretend to fail to receive it? Just like responding with TCP RST or ICMP echo-response: technically yes, you MUST respond according to the spec, but in practice you can just firewall it away to slow down network scans.
David Chisnall (*Now with 50% more sarcasm!*)
in reply to l • • •@link2xt
Maybe, as long as you have a good allow list, because there are a bunch of extensions that do feature discovery by sending an iq stanza and handling an error as a ‘I don’t know what this feature even is’ response. You might be able to get away with ignoring them for people not in your roster, but that would probably break other things in subtle ways.
Pings are a bit different because the sender expects them to be dropped in some cases. XMPP is built around the idea that you have a mostly reliable network once you have connected and stanzas will either be buffered by a server and delivered eventually or delivered immediately, and that they will be delivered in order between two peers. Breaking that will have a bunch of knock-on effects that are hard to predict because it’s such an ingrained assumption in how every higher-level bit of the extended protocol is designed.
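As an added illustration of the allow-list policy David Chisnall and l discuss above (example code, not from anyone in the thread or from any XMPP library): a client-side decision function that answers unknown iq stanzas only for roster contacts and stays silent towards strangers, with feature discovery kept answerable as a switchable exception. The roster, the namespace sets and the sample stanzas are constructed for this example.

```python
# Added example: decide how a client reacts to an incoming XMPP iq stanza.
# RFC 6120 requires an error reply to every unrecognised iq; "drop" below is a
# deliberate deviation so that a non-contact cannot time a reply. The roster and
# namespace lists are constructed placeholders, not real configuration.
import xml.etree.ElementTree as ET

ROSTER = {"alice@example.org", "bob@example.org"}          # constructed

# Payload namespaces this hypothetical client implements.
HANDLED_NS = {
    "urn:xmpp:ping",
    "jabber:iq:version",
    "http://jabber.org/protocol/disco#info",
}
# Discovery is the namespace other clients probe to learn what we support.
DISCOVERY_NS = {"http://jabber.org/protocol/disco#info"}


def bare_jid(jid: str) -> str:
    """Strip the resource part: 'user@host/resource' -> 'user@host'."""
    return jid.split("/", 1)[0]


def split_tag(tag: str) -> tuple[str, str]:
    """ElementTree encodes '{namespace}local'; return (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def iq_policy(stanza_xml: str, answer_discovery_from_strangers: bool = True) -> str:
    """Return 'handle' (process), 'error' (reply with an error) or 'drop' (stay silent)."""
    iq = ET.fromstring(stanza_xml)
    if split_tag(iq.tag)[1] != "iq":
        return "drop"
    if iq.get("type") in ("result", "error"):
        return "handle"                      # replies to our own requests
    sender = bare_jid(iq.get("from", ""))
    child = next(iter(iq), None)
    ns = split_tag(child.tag)[0] if child is not None else ""
    if sender in ROSTER:
        # Contacts get spec-compliant behaviour, including error replies.
        return "handle" if ns in HANDLED_NS else "error"
    if ns in DISCOVERY_NS and answer_discovery_from_strangers:
        # Keeps feature discovery working, but the reply still confirms
        # the device is online: this is the residual probe the thread notes.
        return "handle"
    return "drop"                            # unknown sender: say nothing
```

Setting `answer_discovery_from_strangers=False` closes that residual probe at the cost of breaking discovery for people outside the roster, which is the trade-off described above.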