@sbug I remember, you already explained that.
I was thinking about making a proto of #E2EE with #ActivityPub and while it was conceptually not so difficult, real problems started about risk models (XSS, evil extensions, other attacks replacing builtin APIs like window.crypto to intercept locally generated keys, and so on.
But I was not able to sort out some important aspects, and later I thought that creating yet another new/incompatible software is bad idea.
🚨 It's NOT "For The Children".
🏦 💸 Greed Appears To Fuel Ashton Kutcher's Thorn: Client-Side Scanning For Profit From Corporate Interests Using NGO Fronts
➝ 🔓 ❌ TransUnion Denies #Breach After Hacker Publishes Allegedly Stolen Data
➝ 🔓 ⚖️ Hackers breached International Criminal Court’s systems last week
➝ 🔓 🤖 #Microsoft #AI researchers accidentally exposed terabytes of internal sensitive data
➝ 🦠 💸 #BlackCat #ransomware hits #Azure Storage with #Sphynx encryptor
➝ 🇮🇷 🇮🇱 Iranian Nation-State Actor OilRig Targets Israeli Organizations
➝ 🇮🇳 #India's biggest tech centers named as #cybercrime hotspots
➝ 🇫🇮 💊 Finnish Authorities Dismantle Notorious #PIILOPUOTI Dark Web Drug Marketplace
➝ 🇨🇦 🇷🇺 Canadian Government Targeted With #DDoS Attacks by Pro-#Russia Group
➝ 🇨🇳 🇺🇸 #China Accuses U.S. of Decade-Long #Cyberespionage Campaign Against #Huawei Servers
➝ 🇺🇸 🇨🇳 China's Malicious Cyber Activity Informing War Preparations, #Pentagon Says
➝ 🇨🇳 🦠 New #SprySOCKS Linux #malware used in cyber espionage attacks
➝ 🇬🇧 🔐 UK Minister Warns #Meta Over End-to-End Encryption
➝ 🇺🇸 🇷🇺 One of the #FBI’s most wanted hackers is trolling the U.S. government
➝ 🦠 🥸 Fake #WinRAR proof-of-concept exploit drops #VenomRAT malware
➝ 🦠 📈 #P2PInfect botnet activity surges 600x with stealthier malware variants
➝ 🦠 📡 Hackers backdoor #telecom providers with new HTTPSnoop malware
➝ 🦠 🐝 #Bumblebee malware returns in new attacks abusing #WebDAV folders
➝ 🔐 #GitHub launches #passkey support into general availability
➝ ☑️ 🐧 Free Download Manager releases script to check for #Linux malware
➝ 💬 🔐 #Signal adds quantum-resistant encryption to its #E2EE messaging protocol
➝ 🍏 🔐 #iOS 17 includes these new security and #privacy features
➝ 🩹 High-Severity Flaws Uncovered in #Atlassian Products and ISC BIND Server
➝ 🩹 😡 Incomplete disclosures by #Apple and #Google create “huge blindspot” for 0-day hunters
➝ 🍏 🩹 Apple emergency updates fix 3 new zero-days exploited in attacks
➝ 🩹 #TrendMicro fixes #endpoint protection zero-day used in attacks
➝ 🩹 #Fortinet Patches High-Severity #Vulnerabilities in FortiOS, FortiProxy, FortiWeb Products
➝ 🔓 Nearly 12,000 #Juniper #Firewalls Found Vulnerable to Recently Disclosed RCE Vulnerability
📚 This week's recommended reading is: "Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It" by Marc Goodman
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
@sbug Oops... I was not aware with your sponsoring effort...
The veilid protocol described as mobile-centric thing and it sorta makes me sad as desktop-centric user.
Every time I read any page on requirements for #E2EE (risk models) I fear that it is not doable to make "really safe" E2EE solution, and going offline and no-tech/low-tech is single way to go.
This is really about basic stuff, like avoiding MITM and other common attacks, and keeping shared secrets in sync properly or safely store .
@sbug May be instead spreading effort to yet another new software, it is better to help improve and sponsor development of existing solution?
I asking it because I had an urge to make own #e2ee solution but seeing how even #Matrix project struggle to keep self sustainable, due to lack of funding, I feel that creating new solution is mistake as it will create yet another tech split among users & communities.
Helping existing project especially matters even more with possible time constrains.
So many years in the making and still so much problem with Matrix.
"Unable to decrypt" when chatting using E2EE, missing media, unconsistency in rooms between servers, slow joining big rooms, etc.
I would love to see another decentralized alternative.
Something using veilid maybe.
And hopfully before Chat Control becomes law.
Good for Signal! If a willfully misguided government regulation fundamentally breaks your product in a way that compromises user safety, it doesn’t make much sense to continue offering it in the affected market. #E2EE #ForeverCryptoWars #CryptoMeansCryptography
Meredith Whittaker Reaffirms That Signal Would Leave UK If Forced By Privacy Bill - Slashdot https://it.slashdot.org/story/23/09/22/1913215/meredith-whittaker-reaffirms-that-signal-would-leave-uk-if-forced-by-privacy-bill
I looked into #Usenet and found it to be a very expensive and convoluted way of #FileSharing. It has some pros, sure, but overall it seems to be worse than #Torrenting. I hope one day someone designs something that is like torrenting but #E2EE and no port forwarding. Looking at you #GnuNet.
@asei_sano @aruiz #Fact: #Bitcoin :bitcoin: just like #Ethereum are indefensible and both #EnvoirmentalCrimes and can only be meaningfully used for Capital Flight by rich oligarchs that don't have easier tools for #MoneyLaundering!
* which necessitates self-custody of keys.
The official web cryptography features are so limited, and "professional" risks models for web app is so scary, that if you want to create some #e2ee application, that according to these models, essentially, web is not suitable for this kind of apps.
"Isobel Hadley-Kamptz: Chatcontrol är galenskap – att Sverige stöder massövervakningen är en skandal"
🇪🇺 😑 🇸🇪
@anthony This tendency is so scary that I tried to see where it goes about #e2ee and come to conclusion that next step is some law will be enforced (or with informal pressure from LE agencies) that will force all OSes and platforms first centralize all encryption stuff to be done via gov-approved chips which will do all encryption/decription using keys saved in hardware container and either will send all keys to gov or send copy of data to gov. Other encryption will be outlawed then.
“While the UK government has admitted it’s not possible to safely scan all of our private messages, it has granted Ofcom the powers to force tech companies to do so in the future.”
🗣 @JamesBaker, ORG Campaigns Manager.
I'm not usually the activist type by any measure of the word, but the Online Safety Bill, whether enforceable or not (hint: It's not), is a terrible idea and a massive invasion of privacy. Many vulnerable people depend on End-to-End Encryption for their safety. As it stands, this bill is achieving the opposite of what it was meant to do. There are undoubtedly better ways to address this issue.
Jak już piszę o komunikatorach z #E2EE (szyfrowanie) to Signala nie będę opisywał bo jest w każdym sklepie z apkami i wystarczy kliknąć by mieć.
1. Każda osoba na #PolSocial ma konto na matrix. Wystarczy pobrać apkę Element, wskazać serwer pol.social i „Logowanie z Pol.social” czyli nawet konta nie trzeba zakładać i wpisywać user / password.
Osoby przeglądarkowe mogą wejść na https://Chat.pol.social i tak samo.
Dodaliśmy Wam matrix bo DM / Priv na #Mastodon jest słaby.
Serwery matrix się federują jak fedi. Nieważne gdzie masz konto, rozmawiasz z każdym na matrix.
A fajne „pokoje” do rozmów, taki nowoczesny irc, to dodatkowy plus.
Gorąco polecam nie dać się podsłuchiwać 🕵️
USA: „Czaty na Facebooku dostarczone przez firmę Meta doprowadziły kobietę do przyznania się do zarzutów związanych z aborcją / Oficer śledczy doręczył nakaz firmie Meta, która dostarczyła niezaszyfrowane sesje czatu pokazujące kobietę i jej córkę omawiające pigułki aborcyjne.”
Słuchajcie, pisanie na FB, TT czy G. to jak pisanie w komputerze min. Ziobry. Występują do BigTech o dane i dostają. Używajcie tylko komunikatorów z szyfrowaniem end to end #E2EE
Statystyki nie kłamią. Bigtechy mają oficjalne strony z info o przekazanych rządom danym.
The Home Office launching a PR campaign against Facebook for rolling out end-to-end encryption a day after the Online Safety Act passed is pretty surreally weird.
I used to think one of the arguments against end-to-end encryption -- that e2ee helps child abusers avoid detection -- contained a grain of truth, but Suella Braverman reciting that argument on the Today programme on BBC Radio 4 and in today's Guardian, convinces me the argument is probably specious.
I'd like to take this opportunity to thank the Home Secretary for being so consistently unreasonable.
This is why you don't trust anything beyond your endpoint.
#E2EE for everything!
The fight to defend our digital rights in the UK has only just begun.
Powers in the Online Safety Bill, and how they are exercised, will have huge consequences for our rights to privacy and freedom of expression.
Join ORG today as we ready for the fight ahead.
Perhaps the biggest failing with the Online Safety Bill (UK) is the lack of detail in how these extraordinary powers will be implemented.
It throws the ball over to Ofcom to sort this mess.
We call on the regulator to work with cyber experts, tech companies and civil society to reduce the harms to our fundamental rights.
The #OnlineSafetyBill (UK) is an overblown legislative mess.
Powers to scan private messages remain, despite it being impossible to achieve without blowing a hole in our security.
"While the UK government has admitted it’s not possible to safely scan all of our private messages, it has just granted Ofcom the powers to force tech companies to do so in the future. These are powers more suited to an authoritarian regime not a democracy." – @JamesBaker for ORG.
⚠️ The Online Safety Bill has been passed in the UK Parliament. ⚠️
The threat it poses to our right to privacy and freedom of expression will soon become law.
It'll make us less secure, including the children and young people that the law is supposed to protect.
Find out more here ⤵️
The #e2ee is not a spell that can transform anything into forest full of rainbow unicorns.
It is a feature that when implemented properly, really to full its strength, comes with some limitations.
Because in this case your decryption keys never touch servers, at least in its plain (unencrypted/wrapped form).
It assumes that if you lose access to all your devices where you signed in, and forget your password or its equivalent, you lose access to all data you previously uploaded to the servers.
The more I immerse myself into cryptography and all that #e2ee the deeper my these 2 feels:
* the #fediverse will never get #e2ee for mentioned-only messages (it is more proper name for these messages that are sent to only mentioned only, as these messages essentially are not private.
* i should follow for "don't" and "never try to implement this" advice that emanates from all these #e2ee and #cryptography related articles I see. Especially using browser built-in WebCrypto API's.
Password hashing is standard practice. It protects people's passwords from hackers, governments, and rogue employees.
But we don't typically protect people's data the same way; hackers could theoretically get access to your Dropbox files, a rogue Google employee could read your Gmail messages, Meta could hand over your messages to law enforcement.
Why isn't end-to-end encryption considered standard industry practice? Why is my password better protected than my data?
In case you needed more reasons not to trust #Telegram, here's something to worry about:
Telegram claims they've never given away phone number and IP addresses. *This is an outright lie*.
Not only is there a report from last year showing they handed over data to the German police, but it was yesterday confirmed by a Freedom of Information request that the Dutch police was handed user data as well.
Don't use Telegram.
@thepracticaldev Thought-provoking for sure. Something like that happens across all software ecosystems, proprietary, open-source, free software..
It happens with all purposed ecosystems, e. g. social media, office apps, chats, messengers, etc.
E. g. if someone creates some "new revolutionary [product category]", it essentially just increase useless split. We already have TOO MUCH of non-interoperable software everywhere, i guess.
That is why I abandoned idea of creating a #E2ee messaging app.
Ja äh nun... so simpel ist es nicht und Messenger mit E2EE (Ende-Zu-Ende-Verschlüsselung) sind nicht perse mit allen Daten anonym & sicher beim Anbieter 🤷♂️
»WhatsApp wird für Telegram, Signal & Co geöffnet«
Reminder that #Telegram is not secure communication. Most chats aren't end-to-end-encrypted to begin with, and even those that are use a strange custom-built algorithm rather than actual cryptographically sound algorithm such as the double-ratchet.
🇬🇧 LEAK: The Spanish EU Presidency plans to line up a majority of EU governments for warrantless #ChatControl by the end of the month by paying lip service to #E2EE encryption.
If you want to have one last effort to persuade parliament not to make a huge mistake that would damage all our privacy, then contact your own MP asap before they vote in the commons later today. #onlinesafetybill #encryption #privacy #E2EE The amendment is published in this set of papers https://publications.parliament.uk/pa/bills/cbill/58-03/0362/amend/online_day_ccla_0912.pdf
Quiet - Private messaging. No servers.
Whether it's for an organization, a community, or a group chat with friends, Quiet lets you control all your data without running your own servers.
"Searching through email content in an end-to-end encrypted email provider is no easy feat. Because Skiff does not have access to any user emails, all search queries have to be performed client-side. To make this possible, we’ve developed innovative search indexing algorithms that work in the browser, in Skiff’s Windows and macOS apps, and in our iOS and Android native apps."
Einfach nur Ende-zu-Ende-Verschlüsselung (E2EE) bei Chats zu nutzen reicht nicht, wenn die Randdaten wie Nutzername, Verbindung, Datum & Zeit etc. doch noch ausgelesen werden und NUR der Inhalt verschlüsselt ist. Das macht @signalapp von Anfang an richtig obwohl eines der ersteren Chat-App dieser Art ist.
«Warum Ende-zu-Ende-Verschlüsselung für den Schutz unserer Chats so wichtig ist»
@JamesBaker I guess eventually this law against #e2ee will be adopted/signed, that will become a big cart blanche to all other governments to adopt same laws. It will end up that encryption routines at OS level will be forced to pre-scan the data, and it will be forbidden by laws to use other encryption code than embedded into OS, and usage of OS that does not include these state approved scanning into encryption/decryption routines, will be forbidden as well, even if it is an old version.
The government knows and has admitted it cannot scan messages without undermining or breaking encryption, but wants to pretend otherwise. It is playing us for fools. #onlinesafetybill #encryption #e2ee
It’s been a confusing week for those of us trying to understand what the UK Government is doing with its plans to break end-to-end encryption. This article by @jim and I tried to make sense of the omnishambles https://www.openrightsgroup.org/blog/omnishambles-over-encrypted-messages-continues/ #spyclause #e2ee #onlinesafetybill #privacy #encryption
Michelle Donelan, MP (with the Home Office in addition to DSIT) "said further work to develop the technology was needed but added that government-funded research had shown it was possible. This, incidentally is entirely untrue: their researchers were at pains to explain that the technology is unfit for purpose:"
@JamesBaker of @openrightsgroup writes "At the eleventh hour of the Online Safety Bill’s passage through Parliament, the Government has found itself claiming to have both conceded that it won’t do anything stupid and that it may well press ahead if it wants to. It is in a total mess over its proposals to break end-to-end encryption and scan our private messages.."
The currently relevant argument against government moves to ban #e2ee would be to discuss what can be done to actually protect children **offline** (aka on the body/direct experience level) because that is what counts in the end. Unfortunately, the discourse is framed in terms of technology and technical feasibility instead of actually discussing what helps children in the real world: more social work and more financial support, more trained personell for schools etc.
Basically the big problem of US, EU, UK legislation trying to kill #e2ee encryption has always been **synchornization**: if just one of these power blocks illegalizes #e2ee then there would be an exodus of tech companies. It's an innovation to rather legislate all the legal instruments for banning e2ee but say "we won't use them until needed and possible". Watch out for the EU and the US trying to modify their ongoing e2ee banning legislation similarly. I hope i am wrong about this.
The UK "not applying" the powers they ask to get is maybe worse compared to pushing through directly. Why?
Pushing through now would likely mean WA/Signal/iMessage pulling out of UK with a big public backlash. And then the equivalent EU "ChatControl" bill would have a hard time to pass. But now the UK can wait and sync with the EU, possibly the US, and then the threat of pulling out of UK is muted.
"The continued existence of the powers [in the Online Safety Bill] means encryption-breaking surveillance could still be introduced in the future"
If the government accepts that they can't scan messages without wrecking privacy and security, why not just remove the spy clause from the Bill?
ORG, along with privacy activists, tech companies and security experts, have long warned that it isn't possible to scan messages that use end-to-end encryption without undermining privacy and security.
While this is a victory for all campaigners who've highlighted the dangers of the spy clause to be used for mass surveillance, the powers could still be used in the future.
✊ We continue to fight for the removal of the spy clause.
🚨 BREAKING: The UK government has confirmed it is rowing back on its plans to scan private messages.
They've finally back down with an announcement that Ofcom won't use powers in the spy clause contained in the Online Safety Bill until it's 'technically feasible' to do so.
They've conceded that no current technology exists that would protect privacy or avoid breaking encryption.
This statement from Apple is clear. Scanning private messages is "a slippery slope of unintended consequences".
The UK's parliamentarians need to listen to this before they pass the Online Safety Bill and put all of our privacy and security at risk.
Without end-to-end encryption "the UK becomes more vulnerable to attacks which can expose personal information and, especially in the case of LGBTQ+ youth, lead to non-consensual outings with potentially disastrous consequences."
Secure messaging provides essential security both within the UK and to people living in oppressive regimes in other countries.
The spy clause in the Online Safety Bill threatens the #lgbtq community.
@awaspnest Haha, glad you like it. (And thank you for the kind words.) :)
There’s more to do but the goal is to use it to enable people (including me) to build peer-to-peer Small Web sites.
Here’s a very simple example of what I mean:
"Private communication is a fundamental human right, and in the online world, the best tool we have to defend this right is end-to-end encryption."
Instead of blaming #E2EE encryption for all the evils in this world, and trying to dismantle it on a weekly basis, your government should pay its police forces to do what they're supposed to do: run investigations, get mandates, sneak into the channels used by criminals (and only those used by criminals), while leaving everybody else alone.
If your police forces are lazy, ineffective or don't even know where to start when it comes to investigating criminal rings, then you should find better people for that job rather than lowering the privacy bar for everyone else.
So far we have caught more drug traffickers by snooping into their Signal chats than by preaching for the end of E2EE for everyone else too.
Glad to hear Apple has killed its plans to implement privacy-destroying on-device scan and snitch into its devices (although it will make autocrats like Erdoğan unhappy to hear it because they likely had plans for it).
Here’s what I wrote about it at the time:
Remember that end-to-end encryption is moot if the ends are already compromised.
"We want child abuse and crime dealt with, but if the approach to communication is too draconian then freedom is lost and security weakened."
The cost of the 'haphazard and shambolic' #OnlineSafetyBill (UK) will be paid with our privacy and national security.
Client-side scanning remains in the Bill, despite warnings from experts and tech companies. Is the true intent of this legislation to be a trojan horse for mass surveillance?
This system should be an open standard, so that all existing contact book apps could implement it. Kinda like an updated version of CardDAV (https://en.wikipedia.org/wiki/CardDAV).
And ideally, all of that would be end-to-end encrypted, so that only your friends get to see your personal data. The host where you store your profile and your friends hosts should not be able to read your contact info!
The UK government plans have nothing to do with protecting our security. It's about allowing State intrusion into the lives of UK residents.
People and businesses need quick roll outs of security updates and end-to-end encryption for safety.
Meanwhile criminals and authoritarian governments want to exploit vulnerabilities for nefarious purposes.
The UK government is taking a side in hindering important security measures that isn't in the public interest.
"An operator of a messaging service wishing to introduce an advanced security feature would now have to first let the Home Office [UK] know in advance."
Secure IT systems prevent fraud in commercial transactions and protect our private lives from undue intrusions.
If the UK government were concerned about national security, they’d want to encourage (rather than delay) security updates or end to end encryption.
People in the UK may be left in the wilderness without secure messaging services, if the #OnlineSafetyBill retains its encryption busting clause.
Forcing platforms to comply with client-side scanning is state-mandated private surveillance of the kind that we see in authoritarian regimes. Platforms will leave rather than compromise #security and #privacy.