Then I would ask "don't raise your hands, but when dealing with your kids, have any of you ever acted in a way that wasn't captured on camera?"
I don't mean beating or physical abuse or anything that horrible, and everyone knew it. Combine young tired kids with a cranky, tired adult, and it's almost guaranteed that the adult will have had at least one rage meltdown.
They probably only yelled and ranted. But they probably looked like a monster doing it.
How quickly would such an image or film go viral? And how condemned would the person be?
We are all foibly humans, we all have moments that we regret or that fill us with shame. And we're all glad they weren't recorded for posterity.
Privacy isn't about protecting your best face, your public face. It's about protecting all of your faces, all of your moods, your knowledge, your relationships, etc.
We have free speech, but do we have freedom from judgementalism? Until we do, we all need privacy.
A less biological, more modern concern is that a potentially super-intelligent actor (e.g. an ML team dedicated to finding human weakness and exploiting it, like marketing depts do) could find out things about me that even I didn't know and use it against me.
In the modern world complete paranoia and distrust is the only strategy with guaranteed success which respects our drive to survive. Mass-manipulation of elections is a symptom of the disease.
I’d be shocked if most people would be ok with public disclosure of every inconsiderate, off-color, or poorly worded joke you’ve ever made in private. That’s leaving aside things like intimate conversations with a spouse/SO, etc.
That said, I wouldn’t be using a service like this to get there, but I do value the ability to use a privacy-focused messaging app in my day-to-day life.
How do you want your doctor to tell you that you've got gonorrhea: in a private conversation in their office, or by shouting it at you in the waiting room?
They're a bit thin on the details of exactly who those critics are, which makes that statement inadmissible other than for us to draw the inference that the critics are law enforcement agencies - or worse still, governments.
Don't get me wrong, I'm not condoning the misuse of encrypted messaging, only pointing out the convenient straw man that's been erected here to manipulate readers' emotions in order to short-circuit their ability to think critically about what's ACTUALLY been done by the authorities.
I'd not at all be surprised if they had a disproportionately large number of criminals among their users. There are plenty of non-criminal uses for which you need highly secure messaging, but far fewer for which you need 30 second deletion, a panic mode, and to hide the fact that you have a secure messaging app.
These activities are very high risk, very low reward. Almost all repeat offenders are caught. In fact of the hundreds of robbers that passed through our doors, only one wasn't convicted. The penalties when caught are large.
In my experience, planning and doing something that would make life easier this time tomorrow isn't something they do, or they wouldn't be robbing a store today. If they are a king pin importing drugs the time span might expand to a year or two, but nonetheless the calculation they will be in jail after that and have lost all their gains plus some hasn't been made, or perhaps just not appreciated.
These people aren't the sort of people who spend €2100 worrying about tomorrow. It's possible the people who do spend that sort of money aren't any nicer, but they are smart enough not to be criminals.
(I agree with your assessment, of course. Just curious what your personal stance is.)
OTOH, I do not take it as axiomatic that if I use a medium to coordinate commission of a crime, it's a misuse of that medium. There are plenty of crimes that are not only perfectly fine to commit, it may even be immoral to not commit them.
Up there with [cash is used for bad things, so we should ban cash](https://www.businessinsider.com.au/why-cash-should-be-illega...)
Calling the users "criminals" makes it harder to defend them at first glance because the first reaction is "you're defending criminals". And attaching a number to this, even an impossible to support statistic, is meant to make the statement more believable, everyone likes nice, round numbers.
Of course they hope nobody raises the not so obvious points. Even taking that statement at face value (which you definitely should not), what about the other 10% non-criminals whose privacy was violated without any reasonable cause? Where else are they using the excuse that a 90% success rate is acceptable? If 90% is enough to paint everyone with the same brush, when 90% of users are not criminals why aren't the other 10% also treated as innocent?
In reality just about 100% of "critics" saying this are law enforcement agencies or governments who will violate your rights or break the law in a heartbeat if it means getting their way.
I mean, isn't it fairly legitimate for law enforcement agencies or governments to criticize software which facilitates crime, or stops those agencies from stopping it?
People always reflexively dismiss this argument, but crime is a real issue.
Also, LEA and govts routinely abuse their powers in the name of fighting "crime" or "terrorism" or whatever is the newest thing they can scare people with. It is only reasonable to assume malintent in their propaganda.
I wonder if the press knows what it's talking about.
Fun, unrelated story: apparently some of the intelligence operations managed to get their hands on the laptop of a target while it was at some maintenance store to get the screen replaced. They managed to install a physical keylogger inside it with its own radio, but hooked up to the laptop's power supply. This is the kind of shenanigans you have to be aware of and defend against when you run a service like Sky ECC. The slightest slip up and you are doomed.
But is it just me, or do police techniques such as gaining physical access to criminals, flipping them to informers, close surveillance, etc. continue to be very efficient even in the face of quite good technology?
Not open source: check
Not federated (so they can force you to update the client): check
Integrates with carrier value add: check (SIM crap)
Integrates with OS vendor value add: check
Flashy website with third party requests to google.com: check
Yeah this looks like crap to me.
Does "not federated" mean not using a jailbroken phone?
Or is it related to how the app is installed?
Or the underlying infrastructure relying on a central server instead of distributed?
Encryption is really hard, and one mistake can unravel all of your efforts. I doubt that a boutique shop like Sky ECC's owners had the resources to secure it as well as they claimed.
"Sky ECC platform remains secure and our authorized devices have not been hacked.
There have been recent news articles that claim Sky ECC has been hacked and is involved in criminal activity. This information is not accurate. We have looked into these claims and discovered that a small group of individuals illegally created and distributed an unauthorized version of Sky ECC which they modified and side-loaded onto unsecure devices. Security features that come standard with the Sky ECC phones were eliminated in these bogus devices. ..." [0]
Have you read those bizarre fake facts like "it is illegal to eat oranges in your bathtub in California"? If you haven't, I am sure you have broken myriad weird laws like that and are, in fact, a criminal! :-)
Not sure why they said they cracked this app, because now they lost a source of intelligence.
Most of these hacks are the equivalent of hacking signal and backdooring the software
This shit is hard especially when LE is determined, but criminal syndicates aren’t dumb and hire a lot of smart people
That is, do a bunch of crap that will immediately make you stand out to any modern (by which I mean, total) surveillance agency. The syndicates' problem isn't stupidity but immodesty – typical of organized crime. They thought they were, not smart, but the smartest, and that made it easy for other criminals to sell them garbage security products.
There was a case where a company was selling a "PGP phone" where it turned out that, to save having to bother the customer with key generation on the phone, they were doing it on the servers[1]. So the police grabbed the servers with all the private keys and there were a lot of sad customers.
To do end to end encryption in a way that works, there is a minimum level of understanding required. These "secure" phones are really a type of scam that preys on the not sufficiently informed.
[1] https://securityaffairs.co/wordpress/57036/cyber-crime/black...
The conviction prevented him from running for office (he was the favorite in the polls). Yesterday the ex-president got his political rights back and will probably be a candidate in 2022 to try to defeat Bolsonaro.
Everything due to the hacker (And the journalist Glenn Greenwald of Snowden fame)
I think you mean "the belief that non-E2E encrypted messaging apps are actually E2E-encrypted messaging apps" is a goldmine. Ditto TFA.
Real E2E systems aren't invulnerable: there are certainly hacks that target endpoint devices. But it's astonishing to me how many people end up using centralized, non-E2E apps when secure ones are available.
The US is just simply centuries ahead of everyone else.
Take for example Ex Parte. The concept of ex-parte does not exist in Brazil, or in the vast majority of the world.
Case in point: Ecuador. Lawyer Donziger took on monster Texaco/Chevron and got a huge 10B judgement against them for environmental destruction. Now he's sitting in a US jail for doing something perfectly legal in the tiny Andean nation.
Donziger looks like a crook according to your provided reference.
The judge may have been compromised but there are also cases where Brazilian judges retaliated against WhatsApp when it failed to deliver decrypted messages:
https://theintercept.com/2016/05/02/whatsapp-used-by-100-mil...
https://greenwald.substack.com/p/brazils-high-court-invalida...
> Sky ECC promised a 5 million USD (€4.2 million) prize on its website, which is currently down, to anyone who could crack its encryption.
> It is not yet clear if Belgian authorities plan to claim the reward.
Confusing the KEX with the encryption itself (“521-ECC encryption”) does not inspire much confidence.
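Two comments above make related points: the "PGP phone" whose private keys were generated, and therefore seized, on the operator's servers, and the marketing habit of calling a key exchange "the encryption". The Go program below is an added example written for this page. It is not Sky ECC's, the PGP-phone vendor's, or any other project's code, and it says nothing about how Sky ECC actually worked. It models a handset that generates its own P-521 key and uploads only the public half, runs an ECDH key exchange with a peer, derives an AES-256-GCM key from the shared secret, and only then encrypts; a `Seized` function shows what an image of the server yields under each design. All names (`Server`, `Device`, `Seal`, `Open`, `Seized`, `ProvisionOnServer`), the salt and info strings in the key derivation, and the user names are assumptions made up for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Server is the operator's infrastructure, i.e. what police image when they seize it. A sound
// design stores only public keys; Escrow records what server-side key generation leaves behind.
type Server struct {
	Public map[string][]byte           // user -> P-521 public key (uncompressed point)
	Escrow map[string]*ecdh.PrivateKey // filled only by ProvisionOnServer
}

func NewServer() *Server { return &Server{map[string][]byte{}, map[string]*ecdh.PrivateKey{}} }

// Device is a handset; its private key is generated on it and never uploaded.
type Device struct{ priv *ecdh.PrivateKey }

// NewDevice is the sound design: the key is made on the handset, only the public half goes up.
func NewDevice(name string, s *Server) (*Device, error) {
	priv, err := ecdh.P521().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.Public[name] = priv.PublicKey().Bytes()
	return &Device{priv: priv}, nil
}

// ProvisionOnServer reproduces the "PGP phone" failure: the operator generates the customer's
// key "for convenience" and keeps the private half on the server.
func (s *Server) ProvisionOnServer(name string) (*Device, error) {
	d, err := NewDevice(name, s)
	if err == nil {
		s.Escrow[name] = d.priv
	}
	return d, err
}

// Shared is the key exchange: ECDH on P-521 with a peer whose public key the server published.
// It yields a 66-byte secret, not ciphertext; encryption is the separate step in Seal. An
// unknown peer has no stored bytes, which NewPublicKey rejects as an invalid key.
func (d *Device) Shared(s *Server, peer string) ([]byte, error) {
	pub, err := ecdh.P521().NewPublicKey(s.Public[peer])
	if err != nil {
		return nil, errors.New("no usable public key for " + peer + ": " + err.Error())
	}
	return d.priv.ECDH(pub)
}

// gcmFor derives a 32-byte AES key from the raw ECDH output with a minimal HKDF-SHA256
// (extract, then one expand block) and returns AES-256-GCM. Both ends compute the same key.
func gcmFor(shared []byte) cipher.AEAD {
	extract := hmac.New(sha256.New, []byte("example-salt"))
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("example-message-key\x01"))
	block, _ := aes.NewCipher(expand.Sum(nil)) // a 32-byte key selects AES-256; cannot fail
	g, _ := cipher.NewGCM(block)               // cannot fail for an AES block
	return g
}

// Seal is the actual encryption step; the random nonce is prepended to the ciphertext.
func Seal(shared, plaintext []byte) ([]byte, error) {
	g := gcmFor(shared)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Open checks the GCM tag and decrypts; a tampered ciphertext is rejected with an error.
func Open(shared, ct []byte) ([]byte, error) {
	g := gcmFor(shared)
	n := g.NonceSize()
	if len(ct) < n {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:n], ct[n:], nil)
}

// Seized is what investigators get from an image of the server: the message to `to` is
// readable only if the server escrowed that user's private key.
func Seized(s *Server, from, to string, ct []byte) ([]byte, error) {
	priv, ok := s.Escrow[to]
	if !ok {
		return nil, errors.New("server holds only public keys: nothing to decrypt with")
	}
	shared, err := (&Device{priv: priv}).Shared(s, from)
	if err != nil {
		return nil, err
	}
	return Open(shared, ct)
}
```

The split is the point: `Shared` ends with a secret that reads no message by itself, and only `Seal` produces ciphertext, so "521-bit ECC" describes the exchange, not what protects the bytes on the wire. `Seized` fails for users created with `NewDevice`, because the server image holds nothing but public keys, and succeeds for a user created with `ProvisionOnServer`, which is the PGP-phone outcome. A production design would also bind the derived key to both parties' public keys and a transcript, and would not reuse one static key per user for every message.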
If I worked for the government and I wanted to break into an app, I'd simply send a letter to the app store saying "Yeah you have to post this app update that contains code written by government hackers to leak the keys / messages of (investigation targets | everyone). If you don't, your executives / employees will (be sent to jail | be kidnapped by black ops forces, shot, and buried in an unmarked grave). Ditto if you tell anyone about this letter."
There is no need for the "if" qualifier. How about this:
You pass a law that says the government can compel any software company to assist them in any way they deem fit. For example they might demand Apple assist them by modifying their iPhone keyboard so it sent all the keys tapped together with the app they sent those keys to (e.g., the keystrokes sent to Signal). The law could also demand Apple provide access to any device they target by auto-installing the new keyboard app via auto updates. For good measure, the law could carry an automatic gag order, preventing any disclosure of these requests for Assistance and Access.
The country that actually passed such a law is Australia. It's called the "Assistance and Access Bill 2018". [0]
So there you go, it's already been done. There is no need to speculate about what might happen - it's already happened.
[0] https://www.aph.gov.au/Parliamentary_Business/Bills_Legislat...
It was fairly common to see on Android dev forums people posting “I’ve lost my signing key, what do I do?”, to be told they gotta upload under a different package name and hope their existing users would migrate over to the “new app”.
Now these days Google offer to hold your signing keys for you (because if you lose your keys you lose the ability to update the app), and if you want to use Google’s App Bundle ability you have to opt in (because Google repackage your app for different device types automatically), but you are still free to hold the keys yourself and sign your builds without Google taking a peek at them. Opting into App Bundles for an existing app requires you to upload your existing signing key, so Google can sign on your behalf and devices with your existing app will accept the updates Google’s bundle process produces.
Now of course Google could push some updates to Android as a whole and make a back door to bypass app signature checking, but that would be opening holes on a lot of devices, most of which won’t actually be your target. And if we are going to go down the road of backdooring OSes to allow apps from unknown keys, might as well just back door the OS and skip the process of creating a fake update for that one app.
Now if the app is using Google’s App Bundle feature, it would be possible. But if you were creating a “secure messaging app” why would you hand the keys to the kingdom to anyone else? Just write some extra build scripts, compile the different builds your self and keep those security brownie points.
(sourced from https://hn.algolia.com/?q=encrochat )
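As an added illustration of the signing-key rule the comment above relies on (a simplified model written for this page, not Android's, Google Play's or any app's actual code): the first install of a package name pins the fingerprint of the key that signed it, and every later update under that name must verify under the same key and carry a higher version. A build signed with any other key is rejected, which is exactly why a lost key forces a new package name. The package names, the `Installed`/`Sign` helpers and the digest layout are assumptions; real APK signing uses the v1/v2/v3 signature schemes with their own formats and, in v3, an explicit key-rotation lineage, none of which this toy reproduces.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"strconv"
)

// Package is a toy APK: identity, version, contents, the signer's public key and a signature.
type Package struct {
	Name      string
	Version   int
	Payload   []byte
	SignerPub []byte // PKIX DER of the developer's public key, shipped inside the package
	Sig       []byte // ECDSA (ASN.1) over SHA-256(Name | Version | Payload)
}

// digest binds name, version and contents so none of them can be swapped under a valid Sig.
func (p *Package) digest() []byte {
	h := sha256.New()
	h.Write([]byte(p.Name + "\x00" + strconv.Itoa(p.Version) + "\x00"))
	h.Write(p.Payload)
	return h.Sum(nil)
}

// Sign builds a package and signs it with the developer's key.
func Sign(name string, version int, payload []byte, key *ecdsa.PrivateKey) (*Package, error) {
	pub, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return nil, err
	}
	p := &Package{Name: name, Version: version, Payload: payload, SignerPub: pub}
	sig, err := ecdsa.SignASN1(rand.Reader, key, p.digest())
	if err != nil {
		return nil, err
	}
	p.Sig = sig
	return p, nil
}

// Installed pins, per package name, the fingerprint of the key that signed the first install.
type Installed struct {
	signer  map[string][32]byte
	version map[string]int
}

func NewInstalled() *Installed {
	return &Installed{signer: map[string][32]byte{}, version: map[string]int{}}
}

// Install accepts a package only if its signature verifies under the embedded key and, for a
// name that is already installed, that key is the pinned one and the version goes up.
func (in *Installed) Install(p *Package) error {
	pubAny, err := x509.ParsePKIXPublicKey(p.SignerPub)
	if err != nil {
		return err
	}
	pub, ok := pubAny.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unsupported signer key type")
	}
	if !ecdsa.VerifyASN1(pub, p.digest(), p.Sig) {
		return errors.New("signature does not verify: package altered or signed with another key")
	}
	fp := sha256.Sum256(p.SignerPub)
	if pinned, seen := in.signer[p.Name]; seen {
		if pinned != fp {
			return errors.New("signer mismatch: update not signed by the installed app's key")
		}
		if p.Version <= in.version[p.Name] {
			return errors.New("version does not increase")
		}
	}
	in.signer[p.Name] = fp
	in.version[p.Name] = p.Version
	return nil
}

func main() {
	dev, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	replacement, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // "I lost my signing key"
	in := NewInstalled()
	v1, _ := Sign("com.example.messenger", 1, []byte("build 1"), dev)
	v2, _ := Sign("com.example.messenger", 2, []byte("build 2"), replacement)
	fmt.Println("v1 with original key:", in.Install(v1))
	fmt.Println("v2 with replacement key:", in.Install(v2))
}
```

The check is on the key, not on who uploads: whoever holds the pinned private key, the developer or a service holding it on their behalf, can produce an update every installed copy accepts, and nobody else can without changing what the device enforces.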
> But critics say more than 90% of its customers are criminals.
How do the critics know? This appears to be an attack on privacy. The implied idea is that personal communication for all should be published at least to law enforcement so law enforcement can do a better job of finding the baddies.
If you build an anti-witch-hunt app, most of your clients will be witches.
You assume just because the feature exists the clientele are using it.
Besides which, stop marginalizing the 5 civil libertarians you insensitive clod.
(The Aphorism goes: Make a country where witch hunts are illegal, then the population will be 5 civil minded libertarians and a million witches).
Of course nobody wants to discuss that the 5 civil minded libertarians might have a point, and the unsaid snicker that reverberates in the ensuing silence is that if you make something easier, you select for it, therefore one should not make undesirable things easier. Therefore the implication is left that the one being persuaded is too dim to realize the consequences of their decision.
This goes completely out the window when one takes into account that there may be a legitimate, though unpleasant need to tolerate the existence of something unpleasant due to the greater damage that could result from doing something drastic.
Fun and hilarity only continue to escalate from here. The wise would be well advised to simply move on.
Turn off all cloudy functions; hell, maybe use some kind of enterprise MDM to enforce policies on your subordinates.
I haven’t used OTR in a long time now, so not sure if that’s still a good choice, but it’s quite versatile and easy to set up.
Edit: OTR doesn’t seem to be recommended anymore, OMEMO seems to be the modern alternative https://en.wikipedia.org/wiki/OMEMO
OMEMO seems tied to XMPP.
I expect if the series lasts long enough they'll work the storyline up to manufacture.
-------------
Sky ECC platform remains secure and our authorized devices have not been hacked.
There have been recent news articles that claim Sky ECC has been hacked and is involved in criminal activity. This information is not accurate. We have looked into these claims and discovered that a small group of individuals illegally created and distributed an unauthorized version of Sky ECC which they modified and side-loaded onto unsecure devices. Security features that come standard with the Sky ECC phones were eliminated in these bogus devices.
Sky ECC considers these actions as malicious and we are taking legal action against these individuals for defamation and fraud.
We have also blocked these users from our system and enhanced security to prevent reoccurrence of this issue. The implementation of these enhancements temporarily interrupted our Sky ECC service which has now been re-established.
We continue to stand by our position and our product. We strongly support that people have the fundamental right to privacy. With the extensive and broadly documented rise worldwide of corporate espionage, cybercrime and malicious data breaches, systems like SKY ECC are the foundation of the effective functioning for many industries including legal professionals, public health providers and vaccine supply chains, celebrities, manufacturers and many more.
We believe that the individual right to privacy is paramount for those who are acting within the law and we do not condone the use of our product for criminal activity. We also have our Terms of Service that every user must adhere to and, provided that they do, our company will work feverishly to protect their rights with the world's most secure platform.
------------
Thoughts?
For the EncroChat takedown they didn't crack the encryption. They instead flipped an employee who cooperated in the installation of a remote access Trojan on all the phones. Are they actually claiming they did something different here?
Surely disclosing that will just have driven the same users to other apps and they’ll have to start from scratch (and presumably get lucky again in the future)?
>Surely disclosing that will just have driven the same users to other apps and they’ll have to start from scratch
From the sounds of it this app had already been cracked when the EncroChat bust was announced, allowing them to scoop up all the users who tried to just move to the next alternative. I imagine trust in the "secure communications for criminals" ecosystem will be low for a while.
Police did a similar thing with darknet markets, they secretly took control of the second largest (Hansa) and then publicly announced the bust of the largest (Alphabay). They ran it for a month, collecting all the information (and money) they could (even pulling tricks like deleting all the images so drug vendors might accidentally reupload ones with EXIF data) before shutting it down. All the better to erode trust in the entire ecosystem.
> It is not yet clear if Belgian authorities plan to claim the reward
This tongue-in-cheek comment made me chuckle.
Anyway, Hail hydra. Another one will take its place soon enough.
I'd have used one-time pads in conjunction with Enigma.