- cross-posted to:
- news
- cross-posted to:
- news
You must log in or register to comment.
I use a one time pad with all of my contacts. I ask them to eat or burn each page when they are used up.
until the republicans ban them so they can find queer kids and pregnant people getting healthcare and people reading books
All that happens under Dems, too. Stop giving them a pass.
Y’all keep hitting that downvote button. I’d like to know how many of you are ok with fascism when it’s a Dem at the helm.
Yup. The Apple-FBI encryption dispute started under Obama, as did the Snowden leak.
Neither party is particularly pro-encryption, because governments in general see encryption by the public a hurdle for their operations (i.e. you don’t need encryption if you have nothing to hide).
Encryption isn’t a partisan issue, and my understanding is that both major parties suck about equally on this issue.
It’s a wonder they’re not also trying to outlaw printing presses at this point. They openly believe that we are not entitled to private conversations.
Printing press is okay. One-time-code books are tantamount to treason!
The Snowden leaks came out when Obama was president. Obama was the one who said, “The only people who don’t want to disclose the truth are people with something to hide”. The republicans and democrats are the same fucking people.
Only if you look at it in the most general, limited, pov. Are they the same people on corporate greed? Not all, but mostly yes. Are they the same people on encryption? Yes. Are they the same on human rights? Absolutely fucking not. If the only thing important for you is encryption, voting isn’t going to change the government’s policy decisions. However, if things other than encryption and corporate greed are important, then voting for a Republican is voting against your interests. History is filled with people who can’t see past their own fucking biases and look out for the greater interest… So you have a lot of historical company.
As if most of the legal provisions for widespread surveillance were not done under Clinton administration.
On January 20th: The cyberattack is coming from inside the house!
Dumbfuck and his cronies now have access to PRISM and ECHELON. Again.
Question for more tech savvy people: should I be worried about wiping old data, and if so for which apps? Just messaging apps, or also email and social media? Or can I just use the encrypted apps moving forward?
the safest perspective to have is this -
every single thing you send online is going to be there forever. “the cloud” is someone’s server and constitutes online. even end to end encryption isn’t necessarily going to save you.
for example iCloud backup is encrypted. but Apple in the past has kept a copy of your encryption key on your iCloud. why? because consumers who choose to encrypt and lose their passwords are gonna freak out when all their data is effectively gone forever.
so when FBI comes a’knocking to Apple with a subpoena… once they get access to that encryption key it doesn’t matter if you have the strongest encryption in the world
my advice
never ever ever write something online that you do not want everybody in the world seeing.
to put on my tin foil hat, i believe government probably has access to methods that break modern encryptions. in theory with quantum computers it shouldn’t be difficult
I’d imagine operating a quantum computer for blanket surveillance is cost-prohibitive, but yea, if you’ve given them reason to look at you just assume they have the means to break your encryption.
just wanted to add that deleting an app will not result in deletion of your data stored in the cloud (e.g. your emails)
Wiping old stuff won’t hurt, but they might not actually delete it.
The US Govt 5 years ago: e2e encryption is for terrorists. The govt should have backdoors.
The US Govt now: Oh fuck, our back door got breached, everyone quick use e2e encryption asap!
Different parts of the government. Both existed then and now. There has for a long time been a substantial portion of the government, especially defense and intelligence, that rely on encrypted comms and storage.
FBI has definitely always been anti-encryption
I have never understood why electronic communications are not protected as physical mail
Because physical mail can be easily opened with a warrant. Encryption can be nigh impossible to break. The idea of a vault that cannot be opened no matter how hard you try is something that scares law makers.
Lobbying as well as developmental issues I would assume. I’m no real developer just yet but I’d imagine creating robust security protocols is time-consuming and thinking of every possible vulnerability is not entirely worth it.
The Australian government tried to straight up ban encryption some years ago.
I laughed so much at that. Encryption is literally just long complicated numbers combined with other long complicated numbers using mathematical formulae. You can’t ban maths.
If I remember correctly, there’s also a law in Australia where they can force tech companies to introduce backdoors in their systems and encryption algorithms, and the company must not tell anyone about it. AFAIK they haven’t tried to actually use that power yet, but it made the (already relatively stagnant) tech market in Australia even worse. Working in tech is the main reason I left Australia for the USA - there’s just so many more opportunities and significantly higher paying jobs for software developers in Silicon Valley.
You can’t ban maths.
tell me about it; it tried that against my teacher in middle school
I laughed so much at that. Encryption is literally just long complicated numbers combined with other long complicated numbers using mathematical formulae. You can’t ban maths.
Now laugh at banning chemistry and physics (guns and explosives and narcotics). Take a laugh at banning murder too - how do you ban every action leading to someone’s death?
and the company must not tell anyone about it
Any “must not tell” law is crap. Unless you signed some NDA knowing full well what it is about.
Any kind of “national secret disclosure” punishment when you didn’t sign anything to get that national secret is the same.
It’s an order given to a free person, not a voluntarily taken obligation.
That said, you can’t fight force with words.
Real encrypted apps, …or just the ones their own government can use to spy on them?
Use something where the client is open source.
In the voice of Nelson Muntz: “Nobody spies on our citizens but us!”
The reporter mentioned signal, though the gov spokespeople didn’t seem to recommend any specific app
It’s probably also good practice to assume that not all encrypted apps are created equal, too. Google’s RCS messaging, for example, says “end-to-end encrypted”, which sounds like it would be a direct and equal competitor to something like Signal. But Google regularly makes money off of your personal data. It does not behoove a company like Google to protect your data.
Start assuming every corporation is evil. At worst you lose some time getting educated on options.
If its not Open Source and Audited yearly, its compromised. Your best option for secure comms is Signal and Matrix.
End-to-end encryption matters if your device isn’t actively trying to sabotage your privacy.
If you run Android, Google is guilty of that.
If you run Windows in a non-enterprise environment Microsoft is guilty of that.
If you run iOS or MacOS, Apple is (very likely) guilty of that.
End to end is end to end. Its either “the devices sign the messages with keys that never leave the the device so no 3rd party can ever compromise them” or it’s not.
Signal is a more trustworthy org, but google isn’t going to fuck around with this service to make money. They make their money off you by keeping you in the google ecosystem and data harvesting elsewhere.
end to end is meaningless when the app scans your content and does whatever with it
Note that it doesn’t mean metadata is encrypted. They may not know what you sent, but they may very well know you message your mum twice a day and who your close friends are that you message often, that kinda stuff. There’s a good bit you can do with metadata about messages combined with the data they gather through other services.
They do encrypt it and they likely dont send the messages unencrypted.
Likely what’s happening is they’re extracting keywords to determine what you’re talking about (namely what products you might buy) on the device itself, and then uploading those categories (again, encrypted) up to their servers for storing and selling.
This doesn’t invalidate their claim of e2ee and still lets them profit off of your data. If you want to avoid this, only install apps with open source clients.
E2EE means a 3rd party cant extract anything in the messages at all, by definition.
If they are doing the above, it’s not E2EE, and they are liable for massive legal damages.
End to end matters, who has the key; you or the provider. And Google could still read your messages before they are encrypted.
You have the key, not the provider. They are explicit about this in the implementation.
They can only read the messages before encryption if they are backdooring all android phones in an act of global sabotage. Pretty high consequences for soke low stakes data.
End to end could still - especially with a company like Google - include data collection on the device. They could even “end to end” encrypt sending it to Google in the side channel. If you want to be generous, they would perform the aggregation in-device and don’t track the content verbatim, but the point stands: e2e is no guarantee of privacy. You have to also trust that the app itself isn’t recording metrics, and I absolutely do not trust Google to not do this.
They make so of their big money from profiling and ads. No way they’re not going to collect analytics. Heck, if you use the stock keyboard, that’s collecting analytics about the texts you’re typing into Signal, much less Google’s RCS.
Signal doesn’t harvest, use, sell meta data, Google may do that.
E2E encryption doesn’t protect from that.
Signal is orders of magnitude more trustworthy than Google in that regard.google isn’t going to fuck around with this service to make money
Your honor, I would like to submit Exhibit A, Google Chrome “Enhanced Privacy”.
Google will absolutely fuck with anything that makes them money.
This. Distrust in corporations is healthy regardless of what they claim.
Dont trust. Verify. Definitely dont touch it if its closed source
Thats a different tech. End to end is cut and dry how it works. If you do anything to data mine it, it’s not end to end anymore.
Only the users involved in end to end can access the data in that chat. Everyone else sees encrypted data, i.e noise. If there are any backdoors or any methods to pull data out, you can’t bill it as end to end.
You are suggesting that “end-to-end” is some kind of legally codified phrase. It just isn’t. If Google were to steal data from a system claiming to be end-to-end encrypted, no one would be surprised.
I think your point is: if that were the case, the messages wouldn’t have been end-to-end encrypted, by definition. Which is fine. I’m saying we shouldn’t trust a giant corporation making money off of selling personal data that it actually is end-to-end encrypted.
By the same token, don’t trust Microsoft when they say Windows is secure.
Its a specific, technical phrase that means one thing only, and yes, googles RCS meets that standard:
https://support.google.com/messages/answer/10262381?hl=en
How end-to-end encryption works
When you use the Google Messages app to send end-to-end encrypted messages, all chats, including their text and any files or media, are encrypted as the data travels between devices. Encryption converts data into scrambled text. The unreadable text can only be decoded with a secret key.
The secret key is a number that’s:
Created on your device and the device you message. It exists only on these two devices.
Not shared with Google, anyone else, or other devices.
Generated again for each message.
Deleted from the sender’s device when the encrypted message is created, and deleted from the receiver’s device when the message is decrypted.
Neither Google or other third parties can read end-to-end encrypted messages because they don’t have the key.
They have more technical information here if you want to deep dive about the literal implementation.
You shouldn’t trust any corporation, but needless FUD detracts from their actual issues.
You are missing my point.
I don’t deny the definition of E2EE. What I question is whether or not RCS does in fact meet the standard.
You provided a link from Google itself as verification. That is… not useful.
Has there been an independent audit on RCS? Why or why not?
Not that I can find. Can you post Signals most recent independent audit?
Many of these orgs don’t post public audits like this. Its not common, even for the open source players like Signal.
What we do have is a megacorp stating its technical implementation extremely explicitly for a well defined security protocol, for a service meant to directly compete with iMessage. If they are violating that, it opens them up to huge legal liability and reputational harm. Neither of these is worth data mining this specific service.
They can just claim archived or deleted messages don’t qualify for end to end encryption in their privacy policy or something equally vague. If they invent their own program they can invent the loophole on how the data is processed
Or the content is encrypted, but the metadata isn’t, so they can market to you based on who you talk to and what they buy, etc.
Provided they have an open API and don’t ban alternative clients, one can make something kinda similar to TOR in this system, taking from the service provider the identities and channels between them.
Meaning messages routed through a few hops over different users.
Sadly for all these services to have open APIs, there needs to be force applied. And you can’t force someone far stronger than you and with the state on their side.
This part is likely, but not what we are talking about. Who you know and how you interact with them is separate from the fact that the content of the messages is not decryptable by anyone but the participants, by design. There is no “quasi” end to end. Its an either/or situation.
The messages are signed by cryptographic keys on the users phones that never leave the device. They are not decryptable in any way by google or anyone else. Thats the very nature of E2EE.
How end-to-end encryption works
When you use the Google Messages app to send end-to-end encrypted messages, all chats, including their text and any files or media, are encrypted as the data travels between devices. Encryption converts data into scrambled text. The unreadable text can only be decoded with a secret key.
The secret key is a number that’s:
Created on your device and the device you message. It exists only on these two devices.
Not shared with Google, anyone else, or other devices.
Generated again for each message.
Deleted from the sender’s device when the encrypted message is created, and deleted from the receiver’s device when the message is decrypted.
Neither Google or other third parties can read end-to-end encrypted messages because they don’t have the key.
They cant fuck with it, at all, by design. That’s the whole point. Even if they created “archived” messages to datamine, all they would have is the noise.
Exactly. We know corporations regularly use marketing and doublespeak to avoid the fact that they operate for their interests and their interests alone. Again, the interests of corporations are not altruistic, regardless of the imahe they may want to support.
Why should we trust them to “innovate” without independent audit?
It could be end to end encrypted and safe on the network, but if Google is in charge of the device, what’s to say they’re not reading the message after it’s unencrypted? To be fair this would compromise signal or any other app on Android as well
That’s a different threat model that verges on “most astonishing corporate espinoage in human history and greatest threat to corporate personhood” possible for Google. It would require thousands if not tens of thousands of Google employees coordinating in utter secrecy to commit an unheard of crime that would be punishable by death in many circumstances.
If they have backdoored all android phones and are actively exploting them in nefarious ways not explained in their various TOS, then they are exposing themselves to ungodly amounts of legal and regulatory risks.
I expect no board of directors wants a trillion dollars of company worth to evaporate overnight, and would likely not be okay backdooring literally billions of phones from just a fiduciary standpoint.
How do spyware services used by nation-state customers, like Pegasus, work?
They use backdoors in commonly used platforms on an industrial scale.
Maybe some of them are vulnerabilities due to honest mistakes, the problem is - the majority of vulnerabilities due to honest mistakes also carry denial of service risks in widespread usage. Which means they get found quickly enough.
It would require thousands if not tens of thousands of Google semployees coordinating in utter secrecy
This is usually used for things like the Moon Landing, where so many folks worked for NASA to make it entirely impossible that the landing was faked.
But it doesn’t really apply here. We know for example that NSA backdoors exist in Windows. Were those a concerted effort by MS employees? Does everyone working on the project have access to every part of the code?
It just isn’t how development works at this scale.
This is usually used for things like the Moon Landing, where so many folks worked for NASA to make it entirely impossible that the landing was faked.
I think it’s also confirmed by radio transmissions from the Moon received in real time right then by USSR and other countries.
Ok but no one is arguing Windows is encrypted. Google is specifically stating, in a way that could get them sued for shitloads of money, that their messaging protocol is E2EE. They have explicitly described how it is E2EE. Google can be a bad company while still doing this thing within the bounds we all understand. For example, just because the chat can’t be backdoored doesn’t mean the device can’t be.
Telegram has its supposedly E2EE protocol which isn’t used by most of Telegram users, but also there have been a few questionable traits found in it.
Google is trusted a bit more than Pavel Durov, but it can well do a similar thing.
And yes, Android is a much larger heap of hay where they can hide a needle.
Of course our app is end-to-end encrypted! The ends being your device and our server, that is.
That’s literally what zoom said early in the pandemic.
Then all the business world gave them truck loads of money, the industry called them out on it, and they hired teams of cryptographers to build an actual e2ee system
It’s end to end to end encrypted!
You may be right for that particular instance, but I’d still argue caution is safer.
Oh gee, forcing companies to leave backdoors for the government might compromise security, everyone. Who’d have thunk it? 🤦
They knew, they were putting backdoors when they needed them.
Now the new administration will take half of the blame in public opinion (that’s how this works) and also half of the profits, so they won’t investigate too strictly those who’ve done such things.
But also words don’t cost anything. They can afford to say the obvious after the deed has been done.
Everybodies aunt at thanksgiving:
“I should be fine. I only trust the facebook with my information. Oh, did I tell you? We have 33 more cousins we didn’t know about. I found out on 23andme.com. All of them want to borrow money.”
Like Signal?
No, BPs are a risk. Better to avoid apps that require phone numbers
Yes, like Signal!
Which does not only use end-to-end encryption for communication, but protects meta data as well:Signal also uses our metadata encryption technology to protect intimate information about who is communicating with whom—we don’t know who is sending you messages, and we don’t have access to your address book or profile information. We believe that the inability to monetize encrypted data is one of the reasons that strong end-to-end encryption technology has not been widely deployed across the commercial tech industry.
Source: https://signal.org/blog/signal-is-expensive/
I haven’t verified that claim investigating the source code, but I’m positive others have.
Or alternatively, Molly
I read Molly is forked from Signal. Can I message Signal users from Molly, or do all parties need Molly?
Molly connects to Signal’s servers, so you can chat with your Signal contacts seamlessly.
End-to-end encryption is indispensable. Our legislators (no matter where we live) need to be made to understand this next time they try to outlaw it.
“So it’s like a filter on the tubes?” - Our legislators
“you wouldn’t put a dump truck full of movies on a snowy road without chains on the tires would you?”
I’m a cryptographer in Florida, and now I’m more confused
Sounds bad I guess, but the USA has been spying on us for a long time now. Is the bad part that it’s China?
Yes. Wars happen. Even corrupt politicians are nicer when their control base is inside the country.
When a whole nation’s communications are intercepted by another entity, yes, the bad part is that it’s another nation. Especially an adversarial one.
This is not about individuals’ personal privacy. It’s about things that happen at a much larger scale. For example, leverage for political influence, or leaking of sensitive info that sometimes finds its way into unsecured channels. Mass surveillance is powerful.
Bets on this being directly related to back doors that US spy agencies demand be installed?
RTFA
The third has been systems that telecommunications companies use in compliance with the Commission on Accreditation for Law Enforcement Agencies (CALEA), which allows law enforcement and intelligence agencies with court orders to track individuals’ communications. CALEA systems can include classified court orders from the Foreign Intelligence Surveillance Court, which processes some U.S. intelligence court orders.
So, bet won?
Wouldn’t surprise me. “We’re doing this to be helpful to you!” is actually moustached disney villain behavior.
^ similar to the prisoners with cats gimmick. “look how nice we’re being to our prisoners” is actually “stop yelling at your bunkmate or we’ll take away your cat”
Hear me out, maybe we should update pots and sms to have optional end-to-end encryption for modern implementations as well…Optional as backwards compatible and clearly shown as unencrypted when used that way to be clear.
Att won’t make money off that unless they offer it as a paid service. No reason to give that away for free and the other cell carriers can just pay off (bribe with campaign contributions) legislators to understand encryption is “too costly to implement at such a scale”
What i read [and corrected] from the article :
“The hacking
campaign[group], nicknamed [ by Microsoft ] Salt Typhoonby Microsoft,
[ this actual campaign of attacks ] is one of the largest intelligence compromises in U.S. history, and not yet fully remediated. Officials in a press call Tuesday [ 2024-12-3 ] refused to set a timetable for declaring the country’s telecommunications systems free of interlopers. Officials had previously told NBC News that China hacked AT&T, Verizon and Lumen Technologies to spy on customers.”Thanks I thought from reading this maybe Salt Typhoon was the codename for the next version of windows.
No, that’s Salty AI
Hey you guys remember that big AT&T breach recently?
