6 March 2024: Signal usernames that aren’t

“I have gone to therapy about this specific issue—on tying your identity and self worth to your work”. These aren’t my words, but those of 404 Media’s Joseph Cox, one of my favorite tech journalists. They hit home hard though, so I decided not to apologize for taking a one week break from this newsletter as I was sick and perhaps slightly overworked.

Thank you for reading this newsletter. If someone forwarded this newsletter to you, that is very kind of them and don't forget to thank them for it. You can subscribe here to receive future newsletters directly into your inbox. Feedback and suggestions are always welcome!

For Spanish readers, I'm happy to let you know that I uploaded Diego Morabito's Spanish translation of the three most recent newsletters.

Martijn
martijn@lapsedordinary.net
@martijngrooten.37

Signal usernames that aren’t

It has been the talk in digital security circles all week: Signal introduced usernames. It is a much requested feature, with many security and privacy advantages, including being able to use Signal for work without sharing your phone number with your coworkers.

Signal’s implementation of usernames is a bit unusual though, which may be a bit confusing at first. The TL;DR version is that usernames aren’t really usernames, but more like business cards to your Signal account.

So let’s have a look at how these usernames that aren’t usernames work.

Before the introduction of usernames, every Signal account was linked to a phone number. You needed your phone number for two things: to set up Signal on a phone that used that number and to share with other people who wanted to contact you.

Beyond that, phone numbers didn’t play a role at Signal. They weren’t used for the routing of the messages between two Signal users and they weren’t used for the encryption of the Signal messages. Under the hood, Signal works with accounts. The phone number was just some address label that was put on each account.

Of course, you could always see your correspondents’ phone numbers by clicking on their profile. But if they had wanted to, Signal could have just said: hey, you two have established a connection, there’s no need to see each other’s phone numbers any more. Because for the purpose of a continued conversation, there wasn’t such a need.

Signal could also have decided that to let people contact you, you didn’t need to share your phone number, but instead could give them a unique username you had chosen, that Signal internally linked to your account.

Well, Signal has just done these two things.

You still need a phone number to set up Signal, but now you can choose a username that you can use next to, or instead of, your phone number as a way for people to contact you. And that username isn’t visible to your contacts in your chats, while if you want to you can set it so that your contacts don’t see your phone number either.

Two important things about these usernames are that they all end in a dot followed by at least two digits (which I guess prevents a race for cool usernames) and that they are ephemeral: you can change your username at any moment, or even stop using one altogether. Your current contacts won’t notice.

You can share your username with others, on your social media account, in a conference presentation or in a newsletter (I’m martijngrooten.37, hi!).

Do keep in mind that they are ephemeral which means that some time after you stop using a particular username, someone else can start using that username. It won’t affect existing conversations (remember, your contacts don’t see your username), but could lead to new people trying to reach you ending up messaging an impersonator.

So if you decide to use usernames (which you don’t have to, the current phone number-based Signal still works fine!), do make up your mind on how you will use them. Either share them publicly, in which case you should really avoid changing them. Or share them very selectively, in which case you can change them at will.

So aside from your favorite two-digit number having changed, why would you want to change your username? Well, Signal is quite upfront about the fact that it could be subpoenaed and share which phone number belongs to an actively used username. If that is at all a concern to you, changing your username regularly keeps your phone number more hidden. 

I deliberately say more hidden, as there may be subtle unforeseen ways in which your phone number does leak. If keeping your phone number private is a matter of life or death, I wouldn’t recommend using it on Signal. But for many people, this makes a big difference to their privacy.

And thus I am with Martin Shelton of the Freedom of the Press Foundation who in an updated guide recommends journalists set up a username on Signal and use that instead of their phone number.

Finally, it’s good to note that you cannot use the ability to hide your phone number to anonymously message existing contacts: the messages will show up in the existing chat. And from an anti-harassment point of view, that’s probably a good thing.

What else?

Security companies Sekoia and Recorded Future published domain names linked to the Predator spyware. Unlike the more infamous Pegasus, which uses zero-day and zero-click exploits, Predator uses one-click exploits. This means a target needs to click a link to get infected. And to make the target more likely to click a link, Predator’s operators often register domain names that look like a popular site in the target’s country. 
For example, the domain mmegi[.]co very much looks like mmegi[.]bw, a popular news website in Botswana. This (together with a number of other lookalike domains) provides strong evidence that Predator has been used to target Botswana, something that hitherto hadn’t been known.
After the publication of the domains, Predator’s operators took them all down, which at least temporarily disrupted their operations. (Update: it turns out a lot of the infrastructure is still up.)
Also significant in that context are the sanctions announced this week by the US government against two people and five entities linked to the spyware for targeting journalists and civil society US citizens.
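
A defender-side check for the lookalike pattern described above, as an added example that is not part of the original newsletter: it compares observed domains against a site you want to protect and flags those that reuse its name under another suffix or differ from it by one character. Apart from the mmegi pair quoted above, the sample domains are constructed, and treating the first label of the protected domain as its "brand" is a simplifying assumption.

```python
def normalise(domain: str) -> str:
    """Lower-case, turn defanged '[.]' back into '.', drop a trailing dot."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def classify(observed: str, protected: str) -> str:
    """Return 'legitimate', 'same-label', 'near-miss' or 'unrelated'."""
    obs, prot = normalise(observed), normalise(protected)
    if obs == prot or obs.endswith("." + prot):
        return "legitimate"          # the site itself or one of its subdomains
    brand = prot.split(".")[0]       # assumption: protected is 'brand.suffix'
    labels = obs.split(".")
    if brand in labels:
        return "same-label"          # same name, different suffix or parent
    if any(edit_distance(label, brand) == 1 for label in labels):
        return "near-miss"           # one character away from the name
    return "unrelated"

def review(observed, protected):
    """Map each suspicious observed domain to (protected domain, verdict)."""
    flagged = {}
    for obs in observed:
        for prot in protected:
            verdict = classify(obs, prot)
            if verdict in ("same-label", "near-miss"):
                flagged[obs] = (prot, verdict)
    return flagged

PROTECTED = ["mmegi[.]bw"]           # the real site named in the newsletter
OBSERVED = [                         # first entry from the newsletter,
    "mmegi[.]co",                    # the rest constructed for illustration
    "news.mmegi.bw", "mmeqi.example", "unrelated.example",
]

if __name__ == "__main__":
    for domain, (prot, verdict) in review(OBSERVED, PROTECTED).items():
        print(f"{domain}: {verdict} for {prot}")
```

A one-character threshold produces false positives for short names, so the output is a review queue rather than a blocklist.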

Predator developer Intellexa isn’t the only spyware operator having a hard time. Variston, a lesser known Barcelona company developing spyware, is in serious trouble and may even be shutting down altogether. This comes shortly after Google’s Threat Analysis Group found the company’s spyware being used to target iPhone users in Indonesia.

There’s a saying in security that “you shouldn’t roll your own cryptography” and just like that, you needn’t worry about the cryptographic choices of your messaging apps. But it’s nice to know that Apple has added a post-quantum protocol to its iMessage service.
You may have heard that cryptography tends to rely on computers’ inability to solve certain mathematical problems within a reasonable amount of time, because it would take them millions of years to try all possibilities. Quantum computers, of which only very basic versions have been built, will be able to solve these problems by pretty much trying all possibilities at once and would thus be able to break existing cryptography. And therefore, rather than waiting until full quantum computers are built, it is a good idea to add new quantum-resistant cryptography protocols. Apple just did that for iMessage and Signal, since you asked, has done that too (albeit using a slightly different implementation).

Those trying their hands at malware analysis may want to read Tomas Nieponice’s analysis of a PyRation malware sample. The intern at the Stratosphere lab wrote an easy to access (and, should you like, easy to follow too) overview of the workings of a malicious Python script packaged as a Windows executable.

Speaking of malware, a common technique for malware to infect computers is called DLL hijacking. It has for example been used by the Chinese government-linked actor ‘Mustang Panda’ to target NGOs in Myanmar. Security company Palo Alto wrote an easy to read introduction to this technique.

I don’t need to tell you about the importance of multi-factor authentication, but for reference, Duo Security wrote a three-part series on how various types of MFA stand up to different kinds of cyber attacks. I found the table in the second part quite helpful for some quick threat modeling.

Sucuri, whose easy to read blog posts on website security I have previously praised, has written a useful guide on how websites running WordPress tend to get hacked. 

In non-security news

A book I read: one reason I love reading fiction is to learn about other people’s lives. This, apparently, includes the lives of astronauts, six of whom are the subject of Samantha Harvey’s novel Orbital. I have a weak spot for short, largely plotless novels about people and their interactions and the fact that these people are in a small capsule circling 250 miles above the earth’s surface added to the book’s poetry.

A song I liked: if I’ve ever had a music crush it was on Kimya Dawson, once one half of the Moldy Peaches and currently a solo artist, activist and all around cool person. I recently discovered At The Seams (Bandcamp, YouTube), a simple acoustic song she wrote a short decade ago about the Black Lives Matter movement in the US, that feels every bit as relevant today.