by md_ 1840 days ago
> Plus, managing DIY security is more complicated than just running Signal on an encrypted phone. Same concerns regarding supply chain interdiction, remote code execution, and other security vulnerabilities on the operating system running Signal.

Yes, but specifically to supply chain security, as this attack shows, the most affordable option to secure your supply chain is to ensure your devices and downloads cannot be uniquely targeted.

Buying a stock iPhone in cash and downloading Signal from the App Store is a far better approach than buying a "drug dealer phone."

I do think this attack, as you imply, simply highlights how hard it is for even motivated consumers in the market to make actually secure choices, which in turn is why the market underemphasizes real security improvements.

1 comments

Well put, and I agree that right now the most effective thing would probably be to buy a stock iPhone, from a random source, in cash, etc.

That said, one huge caveat: any stock, internet-connected phone is always one law away from being rendered completely transparent to law enforcement with legal jurisdiction over the place of sale.

In the US, for example, Congress could write a law that forces a back door.

The back door doesn’t even have to be to the encryption keys or algorithm, but could be a simple screen capture interface that can be remotely triggered with a warrant.

This exact law exists in Australia, the "Assistance & Access Act". That these laws exist in Australia is also a reason why there is a lot of co-operation between US and Australian law enforcement. I am not sure how, but it gives the US an ability to do things they can't do on their own shore. The US often works on other countries, like Bucharest in the An0m case, to work around their own laws.
https://www.homeaffairs.gov.au/about-us/our-portfolios/natio...

At least there’s this:

> The Assistance and Access Act contains an express prohibition against building or implementing any weakness or vulnerability in software or physical devices that would jeopardise the security of innocent users. This is found in section 317ZG of the Act which also makes clear that any assistance that makes a system's encryption or authentication less effective for general users is strictly prohibited. This same section prohibits the construction of new decryption capabilities and rules out any requirements that would prevent a company from patching existing security flaws in their systems.

That legislation also has Technical Assistance Requests (TAR), where a company isn't compelled but can choose to comply. As they are not trying to compel, they have few safeguards in being issued and fewer limitations on what can be requested.

https://www.zdnet.com/article/whats-actually-in-australias-e...