Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Tuesday October 04 2016, @07:44PM   Printer-friendly
from the but-I'd-have-to-shoot-you dept.

The company whose message-scrambling software is being adopted across Silicon Valley has had a first legal test of its commitment to privacy.

Open Whisper Systems—whose Signal app pioneered the end-to-end encryption technique now used by a swathe of messaging services—was subpoenaed for information about one of its users earlier this year, according to legal correspondence released Tuesday.

The American Civil Liberties Union, which represented Open Whisper Systems, says the company didn't produce the user's name, address, call logs or other details requested by the government.

"That's not because Signal chose not to provide logs of information," ACLU lawyer Brett Kaufman said in a telephone interview. "It's just that it couldn't." Created by anarchist yachtsman Moxie Marlinspike and a crew of surf-happy developers, Signal has evolved from a niche app used by dissidents and protest leaders into the foundation stone for the encryption of huge tranches of the world's communications data.

http://phys.org/news/2016-10-subpoena-privacy-encrypted-messaging-app.html

[More Details At]: New Documents Reveal Government Effort to Impose Secrecy on Encryption Company

[Also Covered By]:
The Washington Post
ABC News

[Legal Correspondence]: Legal correspondence released by the ACLU:


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 4, Insightful) by melikamp on Tuesday October 04 2016, @08:26PM

    by melikamp (1886) on Tuesday October 04 2016, @08:26PM (#410288) Journal

    Open Whisper Systems makes the following claim:

    Stay Private - We cannot read your messages, and no one else can either. Everything is always end-to-end encrypted and painstakingly engineered in order to keep your communication safe.

    This is a lie. OWS cannot read the messages, so much is true, and the software they write may well be secure when used correctly. But OWS only works on compromised operating systems/platforms. OWS endorses and recommends Apple App Store and Google Play Store, which require spyware to work, and distribute malware on behalf of their clients. OWS must be aware that everything their users type and/or receive is available or can be made available (trivially) to any privileged app via lifting input & output. By extension, here is an incomplete list of parties with full on-demand access to all communications carried by OWS software installed on a commercial spy-phone: phone manufacturer, wireless adapter manufacturer, battery controller manufacturer, wireless network provider, Google/Apple or both, some business affiliates of the above, and the law enforcement agencies around the globe (via exclusive bug reports at least). Since OWS cannot possibly be ignorant of these facts, what they do to their users amounts to lying and selling them out to all of the parties mentioned above, and also Twitter, if you visit their website with javascript enabled. Even the desktop version of Signal, still in beta, is designed to work with Chrome, a closed source app which contains spyware.

    In response to comments like "well, what is the alternative? No software at all for cell phone users?", here are some very simple steps OWS could have taken, but haven't, and probably won't, since it would interfere with their business model. First, educate the users: tell them what I just said, and stop falsely claiming that "Everything is always end-to-end encrypted and painstakingly engineered", because it is not, specifically because OWS itself locks its user into compromised platforms. Second, provide an option of a free and secure alternative for GNU/Linux desktop, free all the way down to the iron. These steps must be taken by any user-centric security solution provider before it can claim good faith or indeed competency. As it stands, OWS does not even have a public discussion forum where these concerns can be raised of a constructive criticism be leveled. What they are doing is exploiting the "privacy dollar" (see Bill Hicks), while showing blatant disregard to their own users' privacy.

    Starting Score:    1  point
    Moderation   +2  
       Insightful=2, Informative=1, Overrated=1, Total=4
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   4  
  • (Score: 0) by Anonymous Coward on Tuesday October 04 2016, @08:43PM

    by Anonymous Coward on Tuesday October 04 2016, @08:43PM (#410303)

    We have to insist on 100% free software (not merely "open source"), not software that refuses to respect the user's freedoms. Otherwise, we cannot even hope to achieve reasonable levels of security and privacy.

  • (Score: 5, Informative) by opinionated_science on Tuesday October 04 2016, @08:52PM

    by opinionated_science (4031) on Tuesday October 04 2016, @08:52PM (#410311)

    yeah , but you can build it from source (I did) and it doesn't differ from the play store.

    Granted maybe android has a built in keylogger - but signal allows a separate pass code for the app.

    Thinking about this, multi-passcode access is probably a good thing, when the $GOVT can force your finger onto the reader....

    • (Score: 2) by melikamp on Tuesday October 04 2016, @08:58PM

      by melikamp (1886) on Tuesday October 04 2016, @08:58PM (#410317) Journal
      Like I said, the software seems benign and useful, but the way it's marketed is deceptive, and the way it's deployed renders it ineffective.
      • (Score: 4, Insightful) by opinionated_science on Tuesday October 04 2016, @09:20PM

        by opinionated_science (4031) on Tuesday October 04 2016, @09:20PM (#410333)

        deceptive? You have the source? Does what it says?

        Be specific - how is it deceptive? Surely you understand that every single piece of hardware is plausibly backdoored - the only way to prevent that is software.

        Grant, we cannot be sure there isn't a hardwire keylogger that has been include because of $NSL

        • (Score: 2) by melikamp on Tuesday October 04 2016, @09:29PM

          by melikamp (1886) on Tuesday October 04 2016, @09:29PM (#410342) Journal
          I get as specific as I can in the first post.
        • (Score: 0) by Anonymous Coward on Wednesday October 05 2016, @06:24PM

          by Anonymous Coward on Wednesday October 05 2016, @06:24PM (#410753)

          he said the marketing was deceptive, you jackass. the appropriate response to his post is "thank you for the info".

      • (Score: 3, Insightful) by Anonymous Coward on Tuesday October 04 2016, @10:34PM

        by Anonymous Coward on Tuesday October 04 2016, @10:34PM (#410381)

        By your standards nothing is safe.
        What they are claiming can be legitimate, that their software is locked down and doesn't leak info by design. To claim that the hardware or OS it runs on IS compromised in such a way as to render this software ineffective HAS NOT BEEN PROVEN. Onus is on you, especially since you insist alternative OSes such as Linux have no weakness that are exploited, another claim that HAS NOT BEEN PROVEN.

        • (Score: 1, Interesting) by Anonymous Coward on Wednesday October 05 2016, @09:27AM

          by Anonymous Coward on Wednesday October 05 2016, @09:27AM (#410536)

          To claim that the hardware or OS it runs on IS compromised in such a way as to render this software ineffective HAS NOT BEEN PROVEN.

          Many modern CPUs have microcode that you can't even inspect. There's plenty of proprietary firmware. Many operating systems come loaded with proprietary software or are themselves proprietary software, which means the computer essentially has many black boxes that prevent you and/or others from even having a reasonable chance of understanding it.

          In an age where the government conducts mass surveillance on the populace and exploits every bug possible and even tries to insert backdoors into existing software, saying that many operating systems or even hardware might be compromised is hardly unreasonable, and this is especially true when you have operating systems which are proprietary software or rely on proprietary software.

          especially since you insist alternative OSes such as Linux have no weakness that are exploited

          That's not the claim. We must not accept software that does not respect our freedoms, or we have no real control over it. With Free Software, you can inspect the code yourself, hire someone you trust, organize a group to inspect the code, or any number of other things; you have options that you don't have with proprietary software and are not dependent upon a specific company or developer, even if you do not always make use of those options. Having the freedom to inspect the code is necessary if you want to have any confidence whatsoever in the security of the software; black boxes do not inspire confidence. Free Software is not immune to exploits or backdoors, but the additional freedoms it grants users do help to prevent those things, even if it doesn't prevent 100% of them.

          It's amazing how we live in a society filled with computers, and yet there are still people who don't seem to care that many of those computers are simply incomprehensible to us. How can that possibly be acceptable?

        • (Score: 0) by Anonymous Coward on Wednesday October 05 2016, @06:39PM

          by Anonymous Coward on Wednesday October 05 2016, @06:39PM (#410757)

          another fine example of the whining people do when you bring up inconvenient truths. they attack the messenger and defend their masters. as aldous huxley said in the interview at berkely before he croaked, "people can be made to quite enjoy their servitude" or some such shit. the OP was simply pointing out that it is dishonest of OWS to fail to mention the full/actual security situation when advertising their products. It's irresponsible and callous to not tell people that may need secure comm for their safety and that may not be security aware/IT people that "oh, btw if you run our shit on any of the available platforms you may still be screwed b/c they are not secure". That should be obvious to anyone who pays attention to security/privacy matters, as it was to me when i first looked at this stuff a few years ago but i guess if you're one of these dipshits who installs closed source "security" software on your closed source OS and thinks you're secure you're too ignorant to even talk to.

  • (Score: 2, Insightful) by Anonymous Coward on Tuesday October 04 2016, @08:53PM

    by Anonymous Coward on Tuesday October 04 2016, @08:53PM (#410313)

    But every current hardware platform is compromised down to ring -3 or so (ring 0 was normally the max until system management mode, and then virtualization hardware became a thing. Now there are layers upon layers of privilege levels above your supposed operating system cpu, many of them running signed software you cannot audit, remove, reverse engineer, or replace.)

    At this point in time there are maybe a few dozen ARM SBCs which *MIGHT* be safe, since none of those signing features are enabled, or the hardware does not actually support 'hypervisor' ringlevels. Assuming that none of those have hardware level triggers injected into the design files by russian, chinese, american, british, or israeli intelligence services (all of whom have their fingers in ever major chip developer out there.)

    Electronics security is truly in a dark age, and unless we can bring it back into the fold through open design and auditing of chip fabrication techniques (a rare and often 'voodoo' field, even for engineers and scientists working in it on a daily basis, of whom there are possibly not enough for a 'from scratch' documented solution for whoever can assemble the required facilities and technology.)

    If we can however, we can tear wide the shutters the elites are attempting to pull over our eyes and regain control of electronics for the good of all. My faith in that opportunity happening and being taken is slim, much like a science fiction novel that ends with the protagonist realizing everything they did came to naught. But there is always hope, even if false.

    • (Score: 3, Insightful) by Arik on Tuesday October 04 2016, @09:15PM

      by Arik (4543) on Tuesday October 04 2016, @09:15PM (#410330) Journal
      Thinking about it, the guys at the NSA aren't dumb. They have to realize that all these compromised devices cannot be trusted - not even by them. They aren't the only ones that know and use these exploits, not by a long shot. So what do they use?

      I want to think that they have something roughly analogous to the the fictional 'Q' of the James Bond stories - a section of hardware geeks who can fabricate functional and secure systems that can masquerade as commercially available, compromised equivalents. The other possibility is that even our top operatives are relying on fundamentally insecure devices to do their work, with obvious potential for catastrophic consequences.

      --
      If laughter is the best medicine, who are the best doctors?
    • (Score: 3, Interesting) by melikamp on Tuesday October 04 2016, @09:16PM

      by melikamp (1886) on Tuesday October 04 2016, @09:16PM (#410331) Journal
      While the hardware powering most GNU/Linux and BSD systems is probably infected with malware, it is far from clear how much that affects the end user privacy or security. To take CPU as an example, the malicious logic would be visible to a reverse engineer, and would not be removable once found, which may act as a deterrent. It would also have to solve a rather difficult problem of loading enough very-low-level code into an unknown to an attacker OS, and having that code be functional enough to talk to the unknown network adapter and make a link to the mothership over the net, before any significant harm to user can be done. Spying on a commercial cell phone user, on the other hand, is not merely technically trivial and perfectly legal, but has been fully implemented by now, in all likelihood, so I don't see much of a contradiction in drawing a line here. As miniaturization continues and hardware becomes "smarter", we will have to tackle this problem with the same degree of urgency and scrutiny, but for now, I think, we would be consistent in pursuing software freedom without necessarily asking just as much from the hardware in the same breath.
      • (Score: 3, Insightful) by Arik on Tuesday October 04 2016, @09:54PM

        by Arik (4543) on Tuesday October 04 2016, @09:54PM (#410363) Journal
        "While the hardware powering most GNU/Linux and BSD systems is probably infected with malware, it is far from clear how much that affects the end user privacy or security."

        Exactly. It's almost certainly compromised and we don't know exactly how. And you act like this is reassuring?

        "Spying on a commercial cell phone user, on the other hand, is not merely technically trivial and perfectly legal, but has been fully implemented by now, in all likelihood, so I don't see much of a contradiction in drawing a line here."

        All such hardware is clearly deeply compromised, and not only by design, but also by incompetence in many cases.

        "As miniaturization continues and hardware becomes "smarter", we will have to tackle this problem with the same degree of urgency and scrutiny, but for now, I think, we would be consistent in pursuing software freedom without necessarily asking just as much from the hardware in the same breath."

        That sounds like a very myopic lesson to take from this.

        Free software is absolutely important, important enough even to preserve through a period of compromised hardware, but its promise requires trustable hardware to be fulfilled.

        --
        If laughter is the best medicine, who are the best doctors?
      • (Score: 2) by Anal Pumpernickel on Wednesday October 05 2016, @09:44AM

        by Anal Pumpernickel (776) on Wednesday October 05 2016, @09:44AM (#410539)

        Spying on a commercial cell phone user, on the other hand, is not merely technically trivial and perfectly legal,

        It's not perfectly legal. What are you even talking about?

  • (Score: 0) by Anonymous Coward on Tuesday October 04 2016, @09:22PM

    by Anonymous Coward on Tuesday October 04 2016, @09:22PM (#410339)

    While that is all true, the majority of encrypted data will be secure. Yes your phone can likely be backdoored, but do you really think every keystroke is logged and sent to servers? I would like to believe that only a targeted attack would have a chance of getting the OWS key.

    • (Score: 2, Interesting) by pTamok on Tuesday October 04 2016, @09:40PM

      by pTamok (3042) on Tuesday October 04 2016, @09:40PM (#410348)

      If the hardware is compromised, you don't need to log every keystroke. Just recognising the keys used in encrypted conversations and any passwords typed in is enough - they can then be surreptitiously transmitted to third parties who will already be logging the entire encrypted message in transit towards the recipient. With a copy of the keys and passwords and a copy of the encrypted message, it doesn't take much to have the plaintext.

  • (Score: 1, Touché) by Anonymous Coward on Tuesday October 04 2016, @09:46PM

    by Anonymous Coward on Tuesday October 04 2016, @09:46PM (#410356)

    You can't trust ANY software because they render to a screen. It is highly disingenuous of ANY provider of software to make ANY claims of security if their software renders images to a graphics screen because in principle there could be a spook looking over your shoulder. Unless they've taken care to prevent spooks from looking over your shoulder, THEY CAN'T MAKE ANY CLAIMS ABOUT SECURITY!

  • (Score: 0) by Anonymous Coward on Tuesday October 04 2016, @10:39PM

    by Anonymous Coward on Tuesday October 04 2016, @10:39PM (#410385)

    http://pdfernhout.net/why-encryption-use-is-problematical-when-advocating-for-social-change.html [pdfernhout.net]
    "Here is a partial list of all the ways a tool [using encryption] like Briar can fail when being used by activists engaged in controversial political actions. ..."

  • (Score: 2) by NotSanguine on Wednesday October 05 2016, @03:15AM

    by NotSanguine (285) <NotSanguineNO@SPAMSoylentNews.Org> on Wednesday October 05 2016, @03:15AM (#410485) Homepage Journal

    This is a lie. OWS cannot read the messages, so much is true, and the software they write may well be secure when used correctly. But OWS only works on compromised operating systems/platforms.

    That may well be true. However, it's really irrelevant. Your dystopian view isn't nearly bleak enough. Any communication is suspect. Full stop.

    If you want to keep a secret, don't tell anyone. As Benjamin Franklin is purported to have said, "Three can keep a secret, if two of them are dead."

    If your concern is secrecy/privacy, then keep your thoughts to yourself. If there's anyone you actually trust (big mistake), then have a conversation inside an enclosure that has shielding to block the entire range of EM radiation and is additionally shielded to block vibrations (sound).

    Otherwise, you're practically begging to be spied upon. Don't like it? Blame human nature and the laws of physics.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
    • (Score: 3, Funny) by melikamp on Wednesday October 05 2016, @03:45AM

      by melikamp (1886) on Wednesday October 05 2016, @03:45AM (#410489) Journal
      Oh no it's worse than that. Full information about everything you do propagates with the speed of light as light & gravity, and beyond that the quantum information is passed across wormholes in entangled particles instantly across the entire universe: all space and all time, even the "unobservable" part.