Whatsapp: Facebook's ability to decrypt messages is a "limitation," not a "defect"

Facebook spokespeople and cryptographers say that Facebook's decision to implement Open Whisper Systems' end-to-end cryptographic messaging protocol in such a way as to allow Facebook to decrypt them later without the user's knowledge reflects a "limitation" -- a compromise that allows users to continue conversations as they move from device to device -- and not a "defect." Read the rest

A critical flaw (possibly a deliberate backdoor) allows for decryption of Whatsapp messages -- UPDATED

Update: Be sure to read the followup discussion, which explains Facebook's point of view, that this is a deliberate compromise, and not a defect, that makes the app more usable for a wide variety of users, while putting them to little additional risk (namely, that Facebook might change its mind; or be forced to spy on its users; or suffer a security breach or internal rogue employee).

When Facebook implemented Open Whisper Systems' end-to-end encrypted messaging protocol for Whatsapp, they introduced a critical flaw that exposes more than a billion users to stealthy decryption of their private messages: in Facebook's implementation, the company can force Whatsapp installations to silently generate new cryptographic keys (without any way for the user to know about this unless a deep settings checkbox had been ticked), which gives the company the ability to decrypt user messages, including messages that have already been sent in the past.. Read the rest

Thailand's military-appointed Assembly unanimously passes an internet law combining the world's worst laws

On Dec 15, an amendment to Thailand's 2007 Computer Crime Act passed its National Legislative Assembly -- a body appointed by the country's military after the 2014 coup -- unanimously, and in 180 days, the country will have a new internet law that represents a grab bag of the worst provisions of the worst internet laws in the world, bits of the UK's Snooper's Charter, America's Computer Fraud and Abuse Act, and the dregs of many other failed laws. Read the rest

Free audiobook of Car Wars, my self-driving car/crypto back-door apocalypse story

Last month, Melbourne's Deakin University published Car Wars, a short story I wrote to inspire thinking and discussion about the engineering ethics questions in self-driving car design, moving beyond the trite and largely irrelevant trolley problem. Read the rest

Trump's policies on net neutrality, free speech, press freedom, surveillance, encryption and cybersecurity

Three posts from the Electronic Frontier Foundation dispassionately recount the on-the-record policies of Trump and his advisors on issues that matter to a free, fair and open internet: net neutrality; surveillance, encryption and cybersecurity; free speech and freedom of the press. Read the rest

Bruce Schneier's four-year plan for the Trump years

1. Fight the fights (against more government and commercial surveillance; backdoors, government hacking); 2. Prepare for those fights (push companies to delete those logs; remind everyone that security and privacy can peacefully co-exist); 3. Lay the groundword for a better future (figure out non-surveillance internet business models, privacy-respecting law enforcement, and limits on corporate surveillance); 4. Continue to solve the actual problems (cybercrime, cyber-espionage, cyberwar, the Internet of Things, algorithmic decision making, foreign interference in our elections). Read the rest

Xiaomi phones are pre-backdoored; your apps can be silently overwritten

Thijs Broenink audited the AnalyticsCore.apk app that ships pre-installed on all Xiaomi phones (Xiaomi has their own Android fork with a different set of preinstalled apps) and discovered that the app, which seemingly serves no useful purpose, allows the manufacturer to silently install other code on your phone, with unlimited privileges and access. Read the rest

DoJ report: less than a quarter of one percent of wiretaps encounter any crypto

Despite all the scare talk from the FBI and the US intelligence services about terrorists "going dark" and using encrypted communications to talk with one another, the reality is that criminals are using crypto less than ever, according to the DoJ's own numbers. Read the rest

Russian bill mandates backdoors in all communications apps

A pending "anti-terrorism" bill in the Duma would require all apps to contain backdoors to allow the secret police to spy on the country's messaging, in order to prevent teenagers from being "brainwashed" to "murder police officers." Read the rest

UK Parliament votes in Snoopers Charter, now it goes to the House of Lords

The Members of Parliament voted in favour of the far-ranging, massively invasive spying bill after the Tories agreed to minor improvements, like dropping the requirement for mandatory crypto backdoors if they would be infeasible or expensive to implement. Read the rest

Canadian government records censored with Scotch tape, paper

A Paris based Associated Press correspondent was flabbergasted to receive a freedom of information request from the Public Health Agency of Canada that had been censored with scotch tape and paper. “I’ve never seen someone use an arts and crafts method in order to hide information from me,” he told the Star.

Tom Henheffer, executive director of Canadian Journalists for Free Expression, has never heard of any redactions being made with tape and paper.

“This is the weirdest thing I’ve ever seen,” he said. “It must’ve been someone’s first day.”

Read the rest

Ron Wyden vows to filibuster anti-cryptography bill

Senators Richard Burr [R-NC] and Dianne Feinstein [D-CA] finally introduced their long-rumored anti-crypto bill, which will ban US companies from making products with working cryptography, mandating that US-made products have some way to decrypt information without the user's permission. Read the rest

The UK government's voice-over-IP standard is designed to be backdoored

GCHQ, the UK's spy agency, designed a security protocol for voice-calling called MIKEY-SAKKE and announced that they'll only certify VoIP systems as secure if they use MIKEY-SAKKE, and it's being marketed as "government-grade security." Read the rest

Apple engineers quietly discuss refusing to create the FBI's backdoor

If you're one of the few engineers at Apple qualified to code up the backdoor that the FBI is seeking in its court order, and if your employer loses its case, and if you think you have a solemn duty as a security engineer to only produce code that makes users more secure, not less, what do you do? Read the rest

Redaction fail: U.S. government admits it went after Lavabit looking for Snowden

Ladar Levison shut down his secure email service Lavabit in 2013, when the Feds served a warrant and gag-order on him, seeking to get him to backdoor his service to let them snoop on someone. Everyone since then has known that the target of the order was Edward Snowden, but Levison faced jail time if he ever admitted it out loud, under the terms of the gag-order. Read the rest

Hack-attacks with stolen certs tell you the future of FBI vs Apple

Since 2014, Suckfly, a hacker group apparently based in Chengdu, China, has used at least 9 signing certs to make their malware indistinguishable from official updates from the vendor. Read the rest

French Parliament votes to imprison tech execs for refusal to decrypt

Amendment 90 to France's penal reform bill provides for five year prison sentences and €350,000 fines for companies that refuse to accede to law enforcement demands to decrypt devices. Read the rest

More posts