• gravity (5 upvotes, 4 years ago)

    Since the messages are fully public, be sure to avoid using them for applications that can send confidential information, like passwords, addresses, private phone numbers, or any other personal information.

    Is there any way around this? As this would seem to defeat the purpose. Using it as 2FA means all your 2FA codes get sent publicly. Using it as a temporary messenger means anybody can read those messages, etc.

    Also I would totally be ok with a spin-off of this if it could be secured (not publicly readable, as mentioned above) but also essentially act as a middleman for my real number. Of course this would mean the middleman service would need to know my number, creating a link to me, but it’s better than services knowing my number directly; instead they’d only know the middleman number, which would have little information besides the associated services attached to it. This would be great for stuff like 2FA because if it is disposable then you would get locked out of the account if you dispose of it. Also you could essentially just hand out the middleman number to everyone while protecting your original number; that’d be absolutely amazing.

    Whether this is possible or not, I don’t know. But this program is a step in the right direction. I think it reeeeally needs something to make it so all the messages aren’t publicly viewable though, as that massively limits use cases.

    • Upmasked (OP) (4 upvotes, 4 years ago)

      Thanks for bringing up some excellent points. I agree right now you wouldn’t want to use it for anything personal. I think something like a middleman service could be possible. We’ll look into it. Thanks again for the feedback, really appreciate it.

      • gravity (3 upvotes, 4 years ago)

        Thank you for the swift reply, definitely hope to see this considered. Either way, thank you for this project though. There is pretty much nothing relating to phone numbers that is FOSS as of right now that I am aware of, and I’m glad to see there are people looking into this as it would be hugely beneficial to users.

    • dirtfindr (3 upvotes, edited, 4 years ago)

      Is there any way around this? As this would seem to defeat the purpose. Using it as 2FA means all your 2FA codes get sent publicly. Using it as a temporary messenger means anybody can read those messages, etc.

      It’s a race condition. They send a verification code, you use it to verify your account immediately, and then the one-time-use code is no longer usable. The others who see the codes coming in have no simple way of knowing which account the code is for, so the code is useless to them. Even if someone knows the number you used and how to reach the service, they would also have to know when you’re going to receive the code and they would have to know your userid (and possibly pw).

      In short, a highly skilled adversary would have to be in your threat model. And if the adversary is so skilled that they’ve penetrated your system and rooted it, then you’re pwned anyway.

      People who use the kinds of services that need your phone number aren’t really committed to privacy as activists, but they care about their own privacy from a selfish standpoint. E.g. they’re willing to create a Google account and help a privacy abuser profit as long as they’re getting enough privacy for themselves (like not sharing their phone number).

      I used to use pinger numbers to create accounts but evolved past that realizing that I was still feeding the privacy abuser by dancing for them and using their service. So I simply walk when asked for a phone number. It’s really the best solution.

      Exceptionally, there are some situations where you already have an account (e.g. for your bank, school, or even Twitter), and out of the pure blue Twitter says “we think you’re a bot – for ‘your protection’ you must verify your phone number.” Then you’re trapped. Access to the profile you’ve built over the years is suddenly threatened, and your data is being held hostage until you surrender a phone number. In that case, the pinger number is quite useful… use it, download your data, and gtfo and don’t come back.

      • gravity (1 upvote, 4 years ago)

        This would only work with Signal’s 2FA though, no? Of course SMS-based 2FA is terrible, but for whatever reason there are still sites and services that use this scummy method and don’t offer OTP.