Signal was cheeky, but right

Mon, May 17, 2021

In her article "I Have a Lot to Say About Signal’s Cellebrite Hack", the extremely qualified Riana Pfefferkorn argues that Signal's blog post, "Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app's perspective", could have been a bit more serious and professional:

On the other hand, although this was serious work with a serious point to it, the unseriousness of Signal’s tone in the blog post and video hampered public understanding of the point they were making. You aren’t helping your cause when a reporter can’t tell which parts of your blog post are jokes and which parts are serious, or what you mean by your weird coy phrasing. This blog post was plainly written in order to impress and entertain other hackers and computer people. But other hackers aren’t the real target audience; it’s lawyers and judges and the law enforcement agencies that are Cellebrite’s customers. They tend to prefer clear communication, not jokes and references to 25-year-old cult films.

To be clear, Pfefferkorn is way more qualified to have an opinion on this than I am. Still, as I said in a Hacker News comment:

Eh, I can’t be bothered to care. Cellebrite hoards 0-days so they can use them to hack phones. They know about exploitable vulnerabilities but aren’t saying anything about them because they profit from insecurity. Thing is, just because Cellebrite knows about a thing doesn’t mean, say, China’s CCP or the Russian mafia or anyone else doesn’t also know about that thing. You and I are less safe just because Cellebrite wants to profit off of those vulnerabilities.

I just can’t work up the ability to sympathize with Cellebrite. The law may have something to say about Moxie’s writing, but in my opinion he has the clear ethical upper ground in this argument.

Pfefferkorn goes on to say:

But if Cellebrite machines stop working reliably, or the evidence obtained from them is hella sus and can’t be relied upon in court, then that safety valve — the ability for the cops to get courtroom-worthy evidence off phones notwithstanding strong encryption — gets plugged up. And closing the safety valve adds more pressure. It’ll become easier for law enforcement to make the case for why smartphone encryption needs to be backdoored.

That may be true, but I contend:

I also disagree with the notion that it’s good that Cellebrite exists because without them we’d have stronger anti-encryption laws. That’s hypothetical and all we know is what we have today. I’m not thrilled that someone is peeing on my basement carpet instead of peeing in my living room; I’d rather not have someone peeing on any of my rugs.

It's not that I disagree with Pfefferkorn on an intellectual or legal level. She's the expert. If our factual positions disagree, listen to her, not me. It's just that I don't care if Signal was crude in their anti-Cellebrite post. It brought a lot of attention to Cellebrite's awful ethical stance, and for that I'm grateful to Signal's CEO, Moxie Marlinspike.