It doesn’t require them to have a compromised device. If they have Signal, or something similar, you just need to message them with an image attachment, then get to work checking where that image got cached.
No content blockers (lots have CDN bypass as a feature for this exact reason)
Any of these being different would not make this possible for a number of reasons. The author is talking about journalists and security minded people being at risk, but it’s hard to imagine anyone going above the defaults to protect would be at much risk if they didn’t take one or two of these steps as protection.
I assume from your comment you’re thinking “compromised device” to mean attacked, and those are synonymous. It’s just a phone with no protections.
Yes, which is a compromised device. A Windows machine without any antivirus or malware protection is a compromised device, for example.
Read the back half of this writeup and realize the target audience should be people with basic security steps taken. No journalist going out of their way to talk to whistleblowers is going to have a default settings phone, or any phone on them at all for that matter I would expect.
Windows machines have default antivirus. I would not expect disabling push notifications to be a basic security measure. Pretty much everyone has push notifications, including the target audience. A lot of them also don’t take a device-wide VPN because they expect only websites to track them.
It doesn’t require them to have a compromised device. If they have Signal, or something similar, you just need to message them with an image attachment, then get to work checking where that image got cached.
Not at all.
Any of these being different would not make this possible for a number of reasons. The author is talking about journalists and security minded people being at risk, but it’s hard to imagine anyone going above the defaults to protect would be at much risk if they didn’t take one or two of these steps as protection.
I assume from your comment you’re thinking “compromised device” to mean attacked, and those are synonymous. It’s just a phone with no protections.
That’s not a compromised device though, it’s a device with default settings.
Yes, which is a compromised device. A Windows machine without any antivirus or malware protection is a compromised device, for example.
Read the back half of this writeup and realize the target audience should be people with basic security steps taken. No journalist going out of their way to talk to whistleblowers is going to have a default settings phone, or any phone on them at all for that matter I would expect.
Windows machines have default antivirus. I would not expect disabling push notifications to be a basic security measure. Pretty much everyone has push notifications, including the target audience. A lot of them also don’t take a device-wide VPN because they expect only websites to track them.
The user profile picture is not an attachment.