Don't trust any company that sells "Swiss neutrality" in the name of security. Mitto AG is the 21st century Crypto AG, who sold secure phones to almost all countries, so that the Five Eyes can spy on diplomatic communications.
Phones in general are terrible for opsec. Even if you've flashed a Pixel with GrapheneOS[0] you can't reliably determine if you have malware on your device. They're totally opaque. So are computers in general: They're largely black boxes which we have no insight into and can't readily inspect what they're doing at any given moment. Also: Welcome to the Internet!
You know one time my computer was compromised I actually tried to clear the malware without reinstalling the OS. Like breaking out of a prison without outside help, just like sending commands trying to kill the virus beyond its capacity to hide itself, move around inside the computer, defend itself against my commands, extend and capture, all that.
Maybe it's possible.
The other thing is at some point code transitions into medicine. A friend was describing codebases of like 15000 lines, that they had tumors. And they won't go away just like that, you have to try to contain them from spreading, help them become benign, it's more like medicine at that point. Like you can't sequence every cell, you can't debug completely, you can't clear all malware. Just like in the body there's germs going around, there's lots of cells whose DNA gets modified over time due to radiation, all kinds of shit going on and you can't just debug them one by one.
The problem of course is that accepting such a backdoor presumes there is some benevolent institution that can be trusted to fairly regulate use of the backdoor.
The Russian shell company as a proof of involvement of Russian intelligence services puzzles me quite a bit. I thought this could be done remotely without the need of a local branch. It sounds more like it has been established there to sell these backdoored encryption products on their market. Or am I missing something?
I have never been under the impression that 2FA with telephone numbers was anything other than surveillance. Either by the company touting it as a security enhancement or by MITM.
And for the record don't think that apps that use the central messaging frameworks enforced by Google and Apple are doing anything different.
Every time I log in to my bank with Firefox or any device anywhere in the world, Google is told about it. In the real world this means that Google has to authorize my access to my bank.
The headline is editorializing beyond what’s supported by the article. That technology, SS7, wasn’t intended as a backdoor. It was about network management. As such, it may have been possible to gain access to it far easier than it would be to some intentional backdoor.
The vulnerabilities allegedly exploited in the article (in SS7) have nothing to do with encryption being backdoored.
It’s a bit of a weird conclusion to make…
Maybe they are saying that if the PSTN ran with strong encryption and authentication and that encryption wasn’t backdoored, this thing that is alleged to have happened wouldn’t have happened?
SS7 may or may not have been intentionally backdoored at the time, but its development also predates the invention of the RSA algorithm upon which all modern security is founded. A key-exchange system like RSA or its successors is really required to do end-to-end encryption, and some sort of CA system is necessary if you are going to have any hope of verifying that you are talking to the correct phone on the other end.