posted by martyb on Sunday April 22 2018, @04:29PM
from the You-say-good-bye-and-I-say-Allo-Allo-Allo dept.

Google is 'pausing investment' in Allo

If you've been using Google's messaging app, Allo, it's probably a good time to start thinking about switching to something else. The app isn't getting dropped in a Google-style "Spring Cleaning," but development on the app is being "paused." Specifically, the new head of the communications group at Google, Anil Sabharwal, has made the decision to "pause investment" in Allo and move that team over to focus on Android Messages.

As we explain in our exclusive feature, the move is necessary because Google is going all in on Rich Communication Services, or RCS. The service will be branded "Chat" once carriers launch it, and Google wants to apply as many resources as possible to make sure that this time, finally, Android has a successful messaging app.

Amnesty International has criticized the move:

Responding to Google's launch of a new messaging service for Android phones, Amnesty International's Technology and Human Rights researcher Joe Westby said:

"With its baffling decision to launch a messaging service without end-to-end encryption, Google has shown utter contempt for the privacy of Android users and handed a precious gift to cybercriminals and government spies alike, allowing them easy access to the content of Android users' communications.

"Following the revelations by CIA whistleblower Edward Snowden, end-to-end encryption has become recognized as an essential safeguard for protecting people's privacy when using messaging apps. With this new Chat service, Google shows a staggering failure to respect the human rights of its customers.

"Not only does this shockingly retrograde step leave Google lagging behind its closest competitors - Apple's iMessage and Facebook's WhatsApp both have end-to-end encryption in place by default - it is also a step backwards from the company's previous attempts at online messaging. Google's own app Allo has an option for end-to-end encryption but the company says it will no longer invest in it."


  • (Score: 3, Interesting) by Anonymous Coward on Sunday April 22 2018, @06:26PM (15 children)

    by Anonymous Coward on Sunday April 22 2018, @06:26PM (#670422)

    a friend of mine tried to get me to install signal.

    it requires a phone with active valid number with a harvestable contact list, to run it on a desktop. it won't run on a desktop without syncing to that phone you can prove is yours.

    fuck that

    encrypted isn't secure when your goal is privacy. signal doesn't need to know who's on my contact list, and their helpful benefit of finding out who in it has signal.. what if I don't want those people to know because I intend to contact one or two people specifically? nope. wizards know best, and the lack of privacy is security.

    eventually, we installed an xmpp compatible server and ssl encryption on the client/server connection. but it was a private cert and so the friends that don't understand how any of it works were more afraid of the scary "this wasn't a cert from someone else's computer we approve of!" than the EULA of the signal program.

    i don't know how to get people to understand how much it costs to get things for free and how much effort it takes to undo the damage of effortless.

  • (Score: -1, Troll) by Anonymous Coward on Sunday April 22 2018, @06:38PM

    by Anonymous Coward on Sunday April 22 2018, @06:38PM (#670428)

    Your friends wouldn't be so scared if there were a happy little app for helping them maintain a proper web of trust, but nobody has ever seemed to get that to work.

    I blame GNU, which tends to take simple ideas, elevate minutiae, and then submerge the whole thing in obscure ideology. GnuPG is an example; I suppose it doesn't help that it has received funding from the government in Germany, a place where people are known for their complicated over-engineering.

    Is the problem really that hard? Or is there a formidable foe arrayed against a workable solution?

  • (Score: 5, Informative) by frojack on Sunday April 22 2018, @07:18PM (2 children)

    by frojack (1554) on Sunday April 22 2018, @07:18PM (#670449) Journal

    it requires a phone with active valid number with a harvestable contact list, to run it on a desktop. it won't run on a desktop without syncing to that phone you can prove is yours.

    Half true.

    Full truth here: https://support.signal.org/hc/en-us/articles/115005045728-Does-Signal-send-my-number-to-my-contacts- [signal.org]
    No names are harvested. No numbers are retained.

    There are many ways to use signal without giving out your actual phone number. All of them a bit tricky.
    https://theintercept.com/2017/09/28/signal-tutorial-second-phone-number/ [theintercept.com]

    Signal devs have mentioned that they may be coming up with an alternate number option. [reddit.com] The problem here is one of making that number unique and letting others know what it is. That would make using signal without an actual phone much easier, and make it easier to set up the desktop client.

    But you know that any SERVICE that can send messages to you has to have you registered in some way. Even XMPP has to know how to route your connection in order to send your encrypted messages. Pick an xmpp server in some foreign place (beyond the reach of a warrant), one that advertises that they don't even keep connection logs. Get a free cert from Let's Encrypt for your own server (a Raspberry Pi ought to work for this). But even that will need an IP address.

    At least with signal, once your contact and you both get signal running, there is no logging that actual calls or messages even took place, let alone what was said.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 0) by Anonymous Coward on Sunday April 22 2018, @08:17PM

      by Anonymous Coward on Sunday April 22 2018, @08:17PM (#670464)

      Of course, all of these discussions end up at the same place: A working Web of Trust, where endpoints are identified with public keys.

    • (Score: 0) by Anonymous Coward on Monday April 23 2018, @07:22PM

      by Anonymous Coward on Monday April 23 2018, @07:22PM (#670842)

      The whole "we have to identify you to get you your stuff" is bullshit. Service could be fully centralized, semi-centralized, or totally decentralized mesh/blockchain whatever and trivially allow users to find messages meant for them without identifying or being tracked.

  • (Score: 0, Redundant) by Ethanol-fueled on Sunday April 22 2018, @08:19PM (2 children)

    by Ethanol-fueled (2792) on Sunday April 22 2018, @08:19PM (#670465) Homepage

    Android Studio is your friend, buddy. You can bullshit any goddamn thing you like if you set it up properly, although that's a lot more of a hassle than just putting up with signal's bullshit.

    • (Score: 0) by Anonymous Coward on Sunday April 22 2018, @11:18PM (1 child)

      by Anonymous Coward on Sunday April 22 2018, @11:18PM (#670517)

      Please quit posting stupid.

      • (Score: 0) by Anonymous Coward on Monday April 23 2018, @11:32AM

        by Anonymous Coward on Monday April 23 2018, @11:32AM (#670686)

        Fine - we'll stop posting you. And, please don't open the letter we dropped into the mailbox yesterday.

  • (Score: 0, Redundant) by Anonymous Coward on Sunday April 22 2018, @10:17PM (7 children)

    by Anonymous Coward on Sunday April 22 2018, @10:17PM (#670505)

    Your friends wouldn't be so scared if there were a happy little app for helping them maintain a proper web of trust, but nobody has ever seemed to get that to work.

    I blame GNU, which tends to take simple ideas, elevate minutiae, and then submerge the whole thing in obscure ideology. GnuPG is an example; I suppose it doesn't help that it has received funding from the government in Germany, a place where people are known for their complicated over-engineering.

    Is the problem really that hard? Or is there a formidable foe arrayed against a workable solution?

    • (Score: 3, Insightful) by stormwyrm on Monday April 23 2018, @03:26AM (4 children)

      by stormwyrm (717) on Monday April 23 2018, @03:26AM (#670593) Journal

      Yes, the problem is really that hard. There is no formidable foe arrayed against a workable solution because the web of trust alternative you are proposing to replace the current system of centralised CAs is not really more workable or even more secure. The big problem here is that effective security has to be usable, and the web of trust that you so extol is a usability nightmare for ordinary people who are not really interested in and don't really care overmuch about security, not even when it leads to them being hacked. It basically winds up at the end to just asking the user whether or not to trust the keys presented by some random website, a question which they would in general be unable to answer properly. It would wind up looking from the user perspective like those annoying UAC prompts of Windows Vista: every new site would pop up some kind of cryptic prompt about trusting the keys the site is presenting. This is no more than passing the buck that stops at the CAs today to the end user. Great, it gives the power users who do know a thing or two about computer security something to crow about, but it doesn't help the rest of the world which needs the security even more. In fact it leaves these non-savvy users even more vulnerable to hacking than under the current system of centralised CAs. There are far more of these ordinary users out there, and if they are hacked, the effects of their hacking will not be limited to themselves alone.

      If you do have a better solution that solves the problem of website authentication any better than the known ones so far, the IETF and the W3C await your proposal.

      --
      Numquam ponenda est pluralitas sine necessitate.
      • (Score: 0) by Anonymous Coward on Monday April 23 2018, @05:14AM

        by Anonymous Coward on Monday April 23 2018, @05:14AM (#670627)

        Stop building the world for morons.

        It's time to cut them out, and move the bell curve up the axis.

      • (Score: 2) by Runaway1956 on Monday April 23 2018, @11:37AM (2 children)

        by Runaway1956 (2926) Subscriber Badge on Monday April 23 2018, @11:37AM (#670687) Journal

        How sure are you that there is no "formidable foe"?

        How many cool applications have been bought out, then subverted? Microsoft may have been the first, but they aren't the only ones to "Embrace, Extend, Extinguish". We had a conversation about Winamp not terribly long ago. Just about the best music player on the market, until a bunch of shitheads bought it, and tried to turn it into a marketing gimmick. And, that game has just gone on and on . . .

        More specific to secure communications, we actually do have a "formidable foe", which wears many masks, and goes by many names. Let's just call him Five Eyes.

        • (Score: 2) by stormwyrm on Monday April 23 2018, @12:49PM (1 child)

          by stormwyrm (717) on Monday April 23 2018, @12:49PM (#670711) Journal

          Do tell me then what alternative protocol has been ignored and marginalised by the Five Eyes in favour of the all too easily-exploitable centralised certification authorities that are the core of the public key infrastructure of today. Independent cryptographic researchers all around the world have agonised for a better solution to the problem of website authentication and haven't really come up with anything significantly better. The web of trust is decentralised, but it puts too big a burden on the end user for it to be usable or secure as I have argued, and I don't see it as being any harder for an opponent with the resources of the intelligence agencies of major nation-states to subvert than the current CA system. Certification authorities can be subverted and made to issue keys impersonating websites, but the system at least does not give an undue burden on the user, and as such it remains the dominant model for website authentication today. If there were a better solution available, I imagine some enterprising and resourceful minds might have already tried to build and use it today. But I don't yet see any serious alternatives.

          Yes, the Five Eyes are a formidable foe, but I don't see them as having interfered with cryptographic standards to marginalise alternatives to the centralised CA PKI system that we use today. If there were a practical alternative to the CA system that were more usable and more secure than either web of trust or CAs, we'd hear prominent cryptographers talking about it, and it would quickly gain traction in spite of the fact the intelligence and law enforcement agencies wouldn't like it. To posit that such an authentication protocol exists but knowledge of it is being suppressed by all cryptographers around the world (since they're all in the pay of the Five Eyes) is a preposterous conspiracy theory. It's on the level of the anti-vaccine conspiracy theory that posits that all medical scientists and professionals around the world (since they're all in the pay of Big Pharma) are suppressing knowledge of the deleterious effects of vaccines.

          --
          Numquam ponenda est pluralitas sine necessitate.
    • (Score: 3, Interesting) by TheRaven on Monday April 23 2018, @12:35PM

      by TheRaven (270) on Monday April 23 2018, @12:35PM (#670706) Journal

      I blame GNU

      I enjoy GNU bashing at least as much as the next guy, but GNU Ring [ring.cx] is one of the better attempts at building a distributed, secure, IM system.

      --
      sudo mod me up
    • (Score: 0) by Anonymous Coward on Monday April 23 2018, @05:20PM

      by Anonymous Coward on Monday April 23 2018, @05:20PM (#670808)

      the problem isn't "that" hard.
      we could replace all "real world" identifiers of a person with a unique number online.
      "real world" identifiers, are for example post address, name, sex, age, phone number (since most SIMs now are tied to all/some of previous), passport number, social security number, I.D. number etc.
      a person could choose "any" number of unique numbers and use them in certain domains, like some for friends, some for business, some for amazon, some for facebook, some for google etc. ... or just one.
      the point is that "you" are then a "throw-away" number that has no relation to any real world identifiers.

      ofc, from the perspective of having to sell advertisement, you can only profile this throw-away number and you don't get to profile a set of UNCHANGEABLE identifiers (ok, sure you can move to a new physical address)!

      for some on-line services, some of the real world identifiers are required to function, say shipping stuff to home address.

      for other stuff, advertisement is probably the best example, it MUST NOT be a requirement.

      of course, nobody likes law makers, but maybe it's time to help them a bit and so here is a suggestion that data breaches that involve real world identifiers should be fined heavy handed, since once lost, remain un-re-collectible, due to their very nature of being unchangeable.

      in the second case, people will just try and get a new throw-away number ...

      least, let's not forget, the source of this insane on-line tracking of real identity: FAME!
      people crave FAME, because it makes them (seem) important, thus a small constellation of people ADVERTISE themselves openly and as much as possible. this makes them seem important ... and the sheep follow!