WhatsHerBucketU.S. officials urge Americans to use encrypted apps amid unprecedented cyberattack
A_A“The hacking campaign, nicknamed Salt Typhoon by Microsoft, is one of the largest intelligence compromises in U.S. history, and not yet fully remediated. Officials in a press call Tuesday (2024-12-3) refused to set a timetable for declaring the country’s telecommunications systems free of interlopers. Officials had previously told NBC News that China hacked AT&T, Verizon and Lumen Technologies to spy on customers.”
ImgonnatrythisThanks I thought from reading this maybe Salt Typhoon was the codename for the next version of windows.
RiskableNo, that’s Salty AI
Sounds bad I guess, but the USA has been spying on us for a long time now. Is the bad part that it’s China?
TropicalDingdongBets on this being directly related to back doors that US spy agencies demand be installed?
treadfulSo, bet won?
When a whole nation’s communications are intercepted by another entity, yes, the bad part is that it’s another nation. Especially an adversarial one.
This is not about individuals’ personal privacy. It’s about things that happen at a much larger scale. For example, leverage for political influence, or leaking of sensitive info that sometimes finds its way into unsecured channels. Mass surveillance is powerful.
Yes. Wars happen. Even corrupt politicians are nicer when their control base is inside the country.
Like Signal?
Or alternatively, Molly
I read Molly is forked from Signal. Can I message Signal users from Molly, or do all parties need Molly?
Molly connects to Signal’s servers, so you can chat with your Signal contacts seamlessly.
JackFrostNColaFrom my experience parties are always better with Molly
Yes, like Signal!
Which does not only use end-to-end encryption for communication, but protects meta data as well:
Signal also uses our metadata encryption technology to protect intimate information about who is communicating with whom—we don’t know who is sending you messages, and we don’t have access to your address book or profile information. We believe that the inability to monetize encrypted data is one of the reasons that strong end-to-end encryption technology has not been widely deployed across the commercial tech industry.
Source: signal.org/blog/signal-is-expensive/
I haven’t verified that claim investigatingthe source code, but I’m positive others have.
Privacy is Priceless, but Signal is Expensive
Signal is the world’s most widely used truly private messaging app, and our cryptographic technologies provide extra layers of privacy beyond the Signal app itself. Since launching in 2013, the Signal Protocol—our end-to-end encryption technology—has become the de facto standard for private commu...
jagged_circleNo, BPs are a risk. Better to avoid apps that require phone numbers
Guess that confirms that E2EE is effective against these backdoors.
We’ve long had NSA slides that showed e2ee solutions as “disastrous” to their visibility.
FBI: Here’s some communications security tips from the Sureños: tell someone you’ll meet them and leave your phone in a nightstand
OldManBOMBINJust stop using your electronic devices. Not like they don’t all have monitors built in already anyway. Every connected device could be sending screenshots home and we’d never know. I mean, I guess you could use something like Wireshark to monitor your home network, but something tells me nowadays there are ways around even that. I’m not a certified network tech or even a script kiddie, but I don’t trust my tech as far as my dog can throw it. I just try to secure through obfuscation as much as possible. Everyone thinks I have carbon monoxide poisoning, but it’s a small price to pay for peace of mind - even a small one.
There’s really no law against using geofencing, just laws allowing admissability. Have a 2nd phone without a SIM and use it at hotspots for encrypted stuff, leave the main one at home if you’re feeling fat and sassy
I’m just saying that, unless you built the device you’re using, and you know what every component does, and you know what it’s doing when, and you know it wasn’t manufactured by a foreign state-owned manufacturer with a penchant for putting spy chips in their devices, then you can’t truly trust anything you do on it, encrypted or not. It doesn’t really matter if the software is being encrypted by backdoored hardware.
Yeah, we’re in agreement, but also, if any device can be traced back to you in any way (ie: cell phone bill), it’s 100% sus, regardless of what you have installed or what preventative measures you’ve taken. If you ping some towers there’s a non-zero chance someone notices, and you’d be better off not having some easily-tracked signature behind it.
It’s basically just an addendum, leave all personal devices at home when doing anything remotely sketchy, or for the sake of privacy, but a burner phone off ebay with no sim in airplane mode is about as hard to track as anything
Oh yeah for sure. Gang gang.
Do what the Germans did in ww1 when they knew their diplomatic code was broken but couldn’t change it. They put the important stuff in plain sight and treated it like junk mail and encoded the boring stuff.
That’s what I’m sayin. Or if nothing else just fill the airwaves with garbage.
Some Universal Friend(s)You & others might be interested in this:
…cmu.edu/…/field-stripping-a-weapons-system-build…
and maybe this:
en.wikipedia.org/wiki/Intel_Management_Engine
…cmu.edu/…/field-stripping-a-weapons-system-build…
and maybe this:
en.wikipedia.org/wiki/Intel_Management_Engine
Thank you!
Oh gee, forcing companies to leave backdoors for the government might compromise security, everyone. Who'd have thunk it? 🤦
They knew, they were putting backdoors when they needed them.
Now the new administration will take half of the blame in public opinion (that’s how this works) and also half of the profits, so they won’t investigate too strictly those who’ve done such things.
But also words don’t cost anything. They can afford do say the obvious after the deed has been done.
The US gov should provide us with their own encryption app to protect us and just have a backdoor only they can access so they can keep an eye on any baddies!
#Igotnothingtohide
#amiright
#muricafuckyeah
Poe’s law?
Coles law
End-to-end encryption is indispensable. Our legislators (no matter where we live) need to be made to understand this next time they try to outlaw it.
Boomer Humor Doomergod“So it’s like a filter on the tubes?” - Our legislators
“you wouldn’t put a dump truck full of movies on a snowy road without chains on the tires would you?”
I’m a cryptographer in Florida, and now I’m more confused
Ew.
Think of it like this:
- no encryption - sending a postcard
- client to sever encryption - dropping off the postcard at the post office instead of the mailbox
- end to end encryption - security envelope in the mailbox
- read receipts - registered mail
Hopefully you’re less wrong now Mr/Mrs legislator.
“I didn’t have my pills today. Can you explain that to my staffer? They’ll make a note of it.”
Hey you guys remember that big AT&T breach recently?
Everybodies aunt at thanksgiving:
“I should be fine. I only trust the facebook with my information. Oh, did I tell you? We have 33 more cousins we didn’t know about. I found out on 23andme.com. All of them want to borrow money.”
BluetreefrogInterpretation - the NSA can now crack all common encryption methods, so let’s disadvantage our adversaries at no real cost to us.
LofenyyI vaguely recall Bruce Schneier saying that there is good evidence that the NSA cannot crack certain encryption methods. At the time, RSA was on the list. Maybe common methods mean roll-your-own corporate encryption, but it’s my understanding that GNUpg and similar software are safe.
Well, GPG doesn’t have PFS, but its a good starting point to say hello and then upgrade to some better encrypted messaging app
circuitfarmerIt’s probably also good practice to assume that not all encrypted apps are created equal, too. Google’s RCS messaging, for example, says “end-to-end encrypted”, which sounds like it would be a direct and equal competitor to something like Signal. But Google regularly makes money off of your personal data. It does not behoove a company like Google to protect your data.
Start assuming every corporation is evil. At worst you lose some time getting educated on options.
End to end is end to end. Its either “the devices sign the messages with keys that never leave the the device so no 3rd party can ever compromise them” or it’s not.
Signal is a more trustworthy org, but google isn’t going to fuck around with this service to make money. They make their money off you by keeping you in the google ecosystem and data harvesting elsewhere.
google isn’t going to fuck around with this service to make money
Your honor, I would like to submit Exhibit A, Google Chrome “Enhanced Privacy”.
How To Turn Off Google’s “Privacy Sandbox” Ad Tracking—and Why You Should
Google has rolled out "Privacy Sandbox," a Chrome feature first announced back in 2019 that, among other things, exchanges third-party cookies—the most common form of tracking technology—for what the company is now calling "Topics." Topics is a response to pushback against Google’s proposed...
Thats a different tech. End to end is cut and dry how it works. If you do anything to data mine it, it’s not end to end anymore.
Only the users involved in end to end can access the data in that chat. Everyone else sees encrypted data, i.e noise. If there are any backdoors or any methods to pull data out, you can’t bill it as end to end.
micballinThey can just claim archived or deleted messages don’t qualify for end to end encryption in their privacy policy or something equally vague. If they invent their own program they can invent the loophole on how the data is processed
Or the content is encrypted, but the metadata isn’t, so they can market to you based on who you talk to and what they buy, etc.
This part is likely, but not what we are talking about. Who you know and how you interact with them is separate from the fact that the content of the messages is not decryptable by anyone but the participants, by design. There is no “quasi” end to end. Its an either/or situation.
It doesn’t matter if the content is encrypted in transit if Google can access the content in the app after decryption. That doesn’t violate E2EE, and they could easily exfiltrate the data though Google Play Services, which is a hard requirement.
I don’t trust them until the app is FOSS, doesn’t rely on Google Play Services, and is independently verified to not send data or metadata to their servers. Until then, I won’t use it.
Provided they have an open API and don’t ban alternative clients, one can make something kinda similar to TOR in this system, taking from the service provider the identities and channels between them.
Meaning messages routed through a few hops over different users.
Sadly for all these services to have open APIs, there needs to be force applied. And you can’t force someone far stronger than you and with the state on their side.
The messages are signed by cryptographic keys on the users phones that never leave the device. They are not decryptable in any way by google or anyone else. Thats the very nature of E2EE.
How end-to-end encryption works
When you use the Google Messages app to send end-to-end encrypted messages, all chats, including their text and any files or media, are encrypted as the data travels between devices. Encryption converts data into scrambled text. The unreadable text can only be decoded with a secret key.
The secret key is a number that’s:
Created on your device and the device you message. It exists only on these two devices.
Not shared with Google, anyone else, or other devices.
Generated again for each message.
Deleted from the sender’s device when the encrypted message is created, and deleted from the receiver’s device when the message is decrypted.
Neither Google or other third parties can read end-to-end encrypted messages because they don’t have the key.
They cant fuck with it, at all, by design. That’s the whole point. Even if they created “archived” messages to datamine, all they would have is the noise.
Exactly. We know corporations regularly use marketing and doublespeak to avoid the fact that they operate for their interests and their interests alone. Again, the interests of corporations are not altruistic, regardless of the imahe they may want to support.
Why should we trust them to “innovate” without independent audit?
You are suggesting that “end-to-end” is some kind of legally codified phrase. It just isn’t. If Google were to steal data from a system claiming to be end-to-end encrypted, no one would be surprised.
I think your point is: if that were the case, the messages wouldn’t have been end-to-end encrypted, by definition. Which is fine. I’m saying we shouldn’t trust a giant corporation making money off of selling personal data that it actually is end-to-end encrypted.
By the same token, don’t trust Microsoft when they say Windows is secure.
Its a specific, technical phrase that means one thing only, and yes, googles RCS meets that standard:
support.google.com/messages/answer/10262381?hl=en
How end-to-end encryption works
When you use the Google Messages app to send end-to-end encrypted messages, all chats, including their text and any files or media, are encrypted as the data travels between devices. Encryption converts data into scrambled text. The unreadable text can only be decoded with a secret key.
The secret key is a number that’s:
Created on your device and the device you message. It exists only on these two devices.
Not shared with Google, anyone else, or other devices.
Generated again for each message.
Deleted from the sender’s device when the encrypted message is created, and deleted from the receiver’s device when the message is decrypted.
Neither Google or other third parties can read end-to-end encrypted messages because they don’t have the key.
They have more technical information here if you want to deep dive about the literal implementation.
You shouldn’t trust any corporation, but needless FUD detracts from their actual issues.
You are missing my point.
I don’t deny the definition of E2EE. What I question is whether or not RCS does in fact meet the standard.
You provided a link from Google itself as verification. That is… not useful.
Has there been an independent audit on RCS? Why or why not?
Not that I can find. Can you post Signals most recent independent audit?
Many of these orgs don’t post public audits like this. Its not common, even for the open source players like Signal.
What we do have is a megacorp stating its technical implementation extremely explicitly for a well defined security protocol, for a service meant to directly compete with iMessage. If they are violating that, it opens them up to huge legal liability and reputational harm. Neither of these is worth data mining this specific service.
I’m not suggesting that Signal is any better. I’m supporting absolute distrust until such information is available.