Jae's Blog

If you haven’t been keeping up with the news lately, after the whole Signal fiasco, it appeared that USA government officials are using some fork called “Telemessage”.

That app claims to offer backup solutions for popular messengers including Signal, to comply with government directives. Funnily enough, their website got completely wiped, a large change from what it was a few months ago.

Putting aside all the issues that using a Signal fork exposes you to, it appears that despite their marketing, they could access plaintext messages.

Even better, according to 404 Media, the entire thing is now under investigation thanks to their reporting on the matter.

Edit: a senator asked for an investigation, my bad.

If you’re interested, I’ve archived the source code of both the Android and iOS apps on my GitLab instance (tho those aren’t rare):

• https://g.j4.lc/backups/TM-SGNL-iOS
• https://g.j4.lc/backups/TM-SGNL-Android

Overall, it’s quite fun to look at this from the outside, but also a bit worrying.

And remember, if you switch to Signal, use the official version and don’t add random journalists to your convos.

Previously, I’ve shared about EUVD, the European Vulnerability Database.

Turns out in the wake of the whole CVE debacle, a bunch of other initiatives were also announced!

• OWASP’s unified framework, this one aims to be a bit more decentralized from what I’ve seen in the article
• GCVE (Global CVE Allocation System), this one as well seems to be a bit more decentralized than before

As more alternatives pile up, this paints a good outlook for the future, shall CVE go definitely down the drain.

I’ve recently discovered that the EU has their own vulnerability database: EUVD.

As noted by the message on top of the page:

This website is currently in its beta phase. We appreciate your collaboration in reporting any inaccurate or incomplete information via the link below “Provide feedback”.

The site is still in a really early stage, but hopefully it gains a bit more traction as the future of other vulnerability databases is uncertain (for instance, with CVE almost dying abruptly due to a contract ending).

As of now, there also are no feeds (RSS more particularly) to watch this database, so hopefully this will be added soon.