Posts

Despite Pete Hegseth, Signal is Good

Why you should use Signal (But maybe ditch Whatsapp?)

Pete Hegseth is Bad at His Job

The Secretary of Defense and Fox Host Pete Hegseth keeps using Signal to talk about war plans with people he’s not supposed to be talking with at his day job. He also gets caught, because he’s bad at security as well as his job. Hegseth uses his personal phone for Department of Defence business, including killing a lot Yemenis.

What Hegseth was supposed to use instead of his consumer cell phone is a SCIF, or Sensitive Compartmented Information Facility. I’ve been in one. I was emphatically invited to leave my phone at the door. There were large men making this point to me, and I took it to heart. A SCIF is secure, but it is as much about control and legal obligations as it is about security, and rightfully so. Secure communications for a national government don’t just require security, they require accountability, integrity, and a durable record. After its classification period, that information belongs to all Americans. Historical accountability is something we’ve decided matters, and encoded into our laws.

On a technical level I wouldn’t be shocked if SCIFs use some of the same technology that’s in Signal to secure communications. It’s good stuff! But SCIFs are SCIFs, and consumer cell phones are cell phones. Your phone is not designed for government records retention, or hardened against specific nation-state threats. But modern, up-to-date phones have very good security, more hardened then most of the government systems that have ever existed. And it’s right there! In your phone without you having to do anything to get it! (Except apply new software updates when they turn up.)

So despite the fact that Hegseth’s phone would be one of the more targeted in the world, and Hegseth himself is an idiot, his phone isn’t necessarily compromised. It might be, but it’s hard to be sure. It’s quite hard to hack a modern phone, especially if the person using the phone updates it every time there’s an update released, and doesn’t click on things they don’t know are OK. There are fancy attacks, called Zero-Click Attacks, that don’t require any user interaction, but they’re hard to build and expensive.

At any given moment, you don’t know whether someone had a working attack against an up-to-date iPhone or Android until it’s discovered and patched. But mostly, the average user doesn’t have to worry about trying to secure their phone. You already secure your phone when you update it. The hackers aren’t in a race with you, or even Pete Hegseth, they’re in a race with large and well-funded security and design teams at Google and Apple — and those people are very good at their jobs. This is why the nerds (like me) always tell you to update software as soon as possible; these updates often patch security holes you never knew were there.

You’re more likely to download a vulnerability in something like Candy Crush, weird social media apps, or random productivity tools you’re tying out. But the folks at Google and Apple have your back there, too. They’ve put every app into its own software-based “container,” and don’t let apps directly interact with the core functions of your phone, or the other apps on it. Hackers try to break out of these containers, but again, it’s not easy. Even if they get a foothold in one, they might know a lot about how good you are at subway surfing, but not much else.

It’s hard out here for a phone hacker.

Sometimes the hackers hit pay dirt, and find some flaw in phone software that lets them take over the phone from the air, with no user interaction — that zero-Ccick attack. This is very scary, but also very precious for the hackers. Unless there’s a very good reason, no one is going to risk burning that bug on you. If an attack like that is found, it will be top priority for those big smart security teams at Google and Apple. There will be long nights. There will also be an update that fixes it; apply updates as soon as you see them. Once a vulnerability is patched, the malware companies have to go back to the drawing board and look for another bug they can exploit to get their revenue stream back.

The high profile malware companies often sell their software, especially if they have a zero-click attack, to governments and corporations. They don’t want normal people using it, because the more it gets used, the faster they will be back at square one after Google and Apple take their toys away.

Nerd’s Delight

Signal LogoSignal is usually the favorite app your exhausting nerd friend keeps badgering you to download. It’s risen to even more prominence due to Pete Hegseth’s repeated idiocy. But this has caused doubt and confusion, because if you found out what Signal was from Hegseth’s leaks and blunders, it doesn’t look so good. Using Signal for DoD high level communications is not only illegal, it is stupid. Signal isn’t meant for government classified communications.

But it is meant for you, and it’s very good at what it does.

Signal is two things: First, an app for Android and iPhone (with a handy desktop client) which encrypts chats and phone calls. That’s the Signal app you see on your phone. second, the other part is the Signal Protocol, Signal’s system of scrambling communications so that people outside of the chat can’t see or hear anything inside the chat.

Signal Protocol, the encryption system Signal uses, is a technology called a Double Ratchet. It is an amazing approach that is pretty much unbreakable in a practical sense. The very short version of how that encryption works is this: Your computer finds a special number on a curve (think of the pretty graphs in trig class) and combines this number with another number the other person has, from a different spot on another curve. These numbers are used to encrypt the messages in a way that only you both can see them. (This number generation is done by your phone and servers on the net in the background of your chat, and you never have to see any of it.) You each use the numbers from picked out these curves to encrypt a message that only the other person can read. Picking out the number from the curve is easy, but guessing it from the outside is functionally impossible. Any attempt to figure out the points on the curve you used is very hard and tiring — meaning it takes the computer a lot of energy to try. In computers, very hard always translates to expensive and slow. The extra trick in Signal’s double ratchet is a mechanism for taking that already hard number to guess and “ratcheting” it to new hard numbers – with every single message. Every Hi, Whatup, and heart emoji get this powerful encryption. Even if someone was using super computers to break into your chat (and they aren’t) every time they broke the encryption, they’d just get that message, and be back at square one.

That’s expensive, frustrating hard work, and your chats aren’t worth the bother.

The Strongest Link, Weakened?

Messenger also uses the Signal protocol

Whatsapp adopted Signal Protocol in 2014, granting encrypted privacy and safety to over a billion people.

Signal is secure. Whatsapp and Facebook Messenger use Signal protocol too, and are also secure, for now… but Meta has made some decisions that complicate things. In a rush to add AI to everything whether you want it or not, Meta has added AI to its Signal Protocol-secured chat rooms. This doesn’t break the Signal Protocol, that works fine. But to have AI in chats means that by definition, there’s another participant listening in your chat. If there wasn’t, it couldn’t reply with AI things. If you’re not comfortable with this, it might be time to ditch Whatsapp and Facebook Messenger for Signal.

I’m personally not comfortable with it, in part because as far as I can tell, there’s nothing technically or legally stopping law enforcement from demanding access to that listening function in any chat room. It may only give the police access to parts of the conversation, but I’d like the chance to defend my data myself if it comes to it. I don’t want to have it picked up from a third party without so much as notice to me.

Meta is in the the room with you, like it or not. Is it recording all your chats somewhere? I doubt it. It’s a bad idea that would make too much trouble for Meta if it got out. But I can’t know for sure. I know there’s no listener in Signal, because the protocol makes hiding a listener functionally impossible. (To be clear, Meta isn’t hiding it, they’re advertising it. But it’s still a listener.)

Encryption for All

Make no mistake, that Whatsapp and Facebook Messenger use Signal’s protocol is wonderful news. It means that, without having to know anything about internet or computer security, one day there was an update, and billions of users got to rely on some of the best encryption ever designed, without even knowing it. This is important both for keeping people safe online, and for making society better, as activists, small businesses, families, and everyone with and internet connection can talk freely and safely to their people and their communities. It doesn’t stop ill-intentioned people from doing bad and deceptive things like lie, cheat, and steal, but it makes it harder for them to enlist the computers into their schemes.

The problem with Pete Hegseth using Signal is two-fold: He has to retain records legally, and ratcheting encryption is intentionally ephemeral. Signal is the worst way to retain records, beyond perhaps toilet paper and sharpie. The second problem is that if he does have a vulnerable app on his phone, or there’s a general vulnerability the teams at Apple and Google haven’t found yet, someone could be listening into what his phone is doing. Maybe even through his Candy Crush Saga, a fun game you will never find in a SCIF, no matter how much you wish you could.

SCIFs are kind of boring. No phones, the windows are weird (to defeat directional mics) and in my case, I had to have security escort me to the bathroom. I imagine that’s why an exciting guy like Hegseth doesn’t use them. But he is not only putting people in danger with his shenanigans, he’s also robbing the American people of a record that is, by law, our right to have. And it’s looking like an era of American history in which we want to be preserving evidence.

The Online Lives of Others

If you’ve never seen the movie The Lives of Others, go watch it. It’s great, and annoyingly relevant right now.

There is another threat coming from the EU and UK that rears its head every few years, and probably from the US soon enough as well. Many governments and law enforcement agencies want, have wanted for years, a scheme digital rights advocates call Chat Control. Law enforcement would have a back door into everyone’s encryption, usually a listener, like the Meta AI, but much worse. It would bug all chats — a spook in every phone. The excuse is always CSAM, or Child Sexual Abuse Material, but the proposal is always the same – to strip every person of privacy and the technical means to protect it, in the name of protecting children. This ignores a lot of of issues that I won’t go into here, but suffice to say the argument is as dishonest as it is ineffectual.

It’s an ongoing fight pitting children against a right of privacy and personal integrity, and it always will be an ongoing fight, because it would give the police and governments nearly limitless power to spy on the entire populous all the time.

Total digital surveillance is simply not a feasible way to run a society. It is the police state the East German Stasi dreamed of having. It must be resisted for human decency and flourishing. Let’s give the totalitarian desire for a spy in every phone no oxygen, it has no decency, no matter who it claims to be protecting.

Even if you never do anything that could be of interest to governments or law enforcement, using encryption creates more freedom for all. If only “criminals” or “enemies” use Signal, then using Signal becomes a red flag. If everyone uses Signal (or Signal protocol in Whatsapp/Messenger), then it’s normal. You get the measure of protection it provides from scammers and hackers, and you help people fighting criminals and resisting tyranny, all over the world. This is one of the reasons adding Signal protocol to the Meta systems was such a great moment in the history of the net. A good portion of humanity gained a real measure of privacy that day.

If activists and people “with something to hide” are the only people using encryption like Signal, it’s grounds for suspicion. But if everyone is using it, the journalists and activists who need it for political reasons don’t stand out. The battered partners and endangered kids can find it and use it safely to get help. And everyone is safer from scams and hacking attacks — because what you do and say has some of the best protection we’ve every conceived of as a society, even if it’s just your shopping list.

 

Correction: A previous version of this article included a description of Diffie–Hellman key exchange in the explanation of how Signal’s encryption works. Signal changed from Diffie–Hellman to Elliptic Curve Cryptography, which is much more efficient, in 2023. I regret the error. 

Share this entry

I Did Nazi Crustpunk Bar Fail, Redux [UPDATE-1]

[NB: Check the byline, thanks. Updates to appear at bottom of post. /~Rayne]

Because you people will NOT stop whining about the bird-logoed crustpunk Nazi bar sinking even further below the waterline, I am putting up a dedicated post for that subject.

RULE NUMBER ONE: Nothing but Twitter and social media related comments allowed in this thread.

RULE NUMBER TWO: Do NOT take your comments about Twitter and other social media platforms to other threads.

RULE NUMBER THREE: See the first two rules, and don’t expect this site to have any power to do anything to change the crustpunk Nazi bar or other similarly centralized social media failures like Reddit and that scofflaw Meta (home of Facebook, Instagram, and WhatsApp).

~ ~ ~

UPDATE-1 — 8:30 P.M. ET —

Here’s a rough tick-tock leading to today’s huge uptick in new Mastodon account sign-ups —

Wednesday, May 24 — Ron DeSantis’ live campaign launch via Twitter Spaces was an utter disaster; DeSantis’ supporters try desperately to put a positive spin on it.

Thursday, May 25 — Twitter’s chief engineer resigned.

Friday, May 26 — Apparently Twitter had not paid the software company which provided service for live video feeds used in Twitter Spaces.

Sunday, June 11 — Engadget reports there may be problems ahead for Twitter:

More platform instability could be in Twitter’s near future. In 2018, Twitter signed a $1 billion contract with Google to host some of its services on the company’s Google Cloud servers. Platformer reports Twitter recently refused to pay the search giant ahead of the contract’s June 30th renewal date. Twitter is reportedly rushing to move as many services off of Google’s infrastructure before the contract expires, but the effort is “running behind schedule,” putting some tools, including Smyte, a platform the company acquired in 2018 to bolster its moderation capabilities, in danger of going offline.

Thursday, June 29 — Some folks observe difficult sporadically with accessing Twitter links.

The New York Times reported new Twitter CEO Linda Yaccarino ordered Google to be paid after she spoke with the head of Google’s Cloud division.

Friday, June 30 — Persons attempting to access any Twitter page are unable to do so unless they are a logged-in registered user.

Elon Musk later confirmed access has been deliberately cut off for all outside users, claiming Twitter is being scraped aggressively.

There is a lot of speculation the service is degrading because Twitter didn’t pay Google, but NYT’s report suggested otherwise.

Saturday, July 1 — Twitter users note Twitter is down. Musk also tweets that users will be rate limited on the amount of tweets they can read each day.

Before the widespread outage, observers noted Twitter had been DDoS-ing itself:

Twitter and Mastodon user Sheldon Chang offered more detail:

Sheldon Chang 🇺🇸 @[email protected]
This is hilarious. It appears that Twitter is DDOSing itself.

The Twitter home feed’s been down for most of this morning. Even though nothing loads, the Twitter website never stops trying and trying.

In the first video, notice the error message that I’m being rate limited. Then notice the jiggling scrollbar on the right.

The second video shows why it’s jiggling. Twitter is firing off about 10 requests a second to itself to try and fetch content that never arrives because Elon’s latest genius innovation is to block people from being able to read Twitter without logging in.

This likely created some hellish conditions that the engineers never envisioned and so we get this comedy of errors resulting in the most epic of self-owns, the self-DDOS.

Unbelievable. It’s amateur hour.

#TwitterDown #MastodonMigration #DDOS #TwitterFail #SelfDDOS

Jul 01, 2023, 11:03 · Edited Jul 01, 13:02

You can see the videos he shared at the link above.

Techdirt’s Mike Masnick offered his opinion about the rate limiting:

I don’t have words for this clusterfuck except to say I expected this level of fail and worse to come, even with a new CEO on board. Good luck, Yaccarino. I hope you got a guaranteed payout.

~ ~ ~

Meanwhile, at Mastodon:

Mastodon Users @[email protected]

12,916,975 accounts
+4,614 in the last hour
+34,484 in the last day
+108,119 in the last week

[Graphic alt text: Four time-based charts

Upper blue area: Number of Mastodon users
Upper cyan area: Hourly increases of number of users
Lower orange area: Number of active instances
Lower yellow area: Thousand toots per hour

For current figures please read the text of this post]
Jul 01, 2023, 19:00

~ ~ ~

If there is more news in the next 12-24 hours about Twitter, I will update this post.

Share this entry

Wednesday: Time Travel

In this roundup: A short film about a mother’s time travel adventure, the Internet of Stupid Things, and more.

Read more

Share this entry

Monday Morning: Feeling Rather Mussorgsky

It’s not even 7:00 a.m. here as I start to write this post, and the day is already frantic — like Mussorgsky’s Night on Bald Mountain. I don’t expect a placid ending to the first day of this week, either.

Strap in, lock and load.

Volkswagen on a roll — downhill, fast

  • A former employee who worked at the Michigan-based Volkswagen Group of America’s data processing center filed suit for wrongful termination. The employee lost their job after warning against data deletion after the U.S. Department of Justice ordered VW to halt normal data deletion processes to preserve potential evidence. Michigan is an at-will state, meaning employees can be fired for any reason at any time if they do not have a contract. However, employers may not fire workers in retaliation for refusing to do illegal acts or for reporting violations of health and safety code. Not a sketchy situation at all…this case might be an opportunity for discovery.
  • VW cutting jobs back home in Germany, with administrative roles taking the biggest hit. At the same time, VW says it intends to hire more software and technology personnel as it shifts away from traditional automotive technology. Huh — not a move I would expect when VW clearly hasn’t a handle on electronic vehicle technology.
  • Car sales are up 6.3 percent in the EU, but VW-brand car sales are off 4 percent. Ford and GM’s Opel picked up what VW lost in terms of sales.

Asking oranges from Apple

  • USDOJ hint-hints with little subtlety it will demand Apple’s source code. By subtlety, I mean a footnote shaped like a cudgel in its response to #AppleVsFBI:

    The FBI cannot itself modify the software on Farook’s iPhone without access to the source code and Apple’s private electronic signature.

    The government did not seek to compel Apple to turn those over because it believed such a request would be less palatable to Apple. If Apple would prefer that course, however, that may provide an alternative that requires less labour by Apple programmers.

    You can read Marcy’s take on the USDOJ’s Lavabit gambit for more.

  • The mega-sized tech companies who support Apple are now doubling down on encryption. Couldn’t see that coming, huh?
  • Some speculate WhatsApp as a communications technology may be the next focus of law enforcement in wake of #AppleVsFBI.
  • John Oliver does a Deep Dive into #AppleVsFBI — amusing take, but Oliver and his writing team have far too simplistic a take on this case. It’s not just that FBI wants a ‘master key,’ or that the FBI relies on All Writs to make its demand on Apple. It’s about forcing a company to create something entirely new, and something that’s not intrinsically part of its product.

Another energy industry executive dead
Josh Comstock, CEO of C&J Energy Services in Houston, Texas, died unexpectedly on Friday. He passed away in his sleep at age 46. Comstock was a supporter of NHRA drag racing. His company, which provided hydraulic fracturing (fracking) services, lost considerable value over the last year with the sharp drop in oil prices and field development.

Oil dudes are under a lot of stress these days.

And it being a Monday, so are we. Relax when you can, gang. I’m clocking out.

Share this entry

Wednesday Morning: All the Range from Sublime to Silly

We start with the sublime, welcoming astronaut Scott Kelly back to earth after nearly a year in space — 340 days all told. Wouldn’t you like to know how these first hours and days will feel to Kelly as he regains his earth legs?

And then we have the silly…

Apple’s General Counsel Sewell and FBI Director Comey appeared before House Judiciary Committee
You’d think a Congressional hearing about FBI’s demand to crack open Apple iPhone would be far from silly, but yesterday’s hearing on Apple iPhone encryption…Jim Comey likened the iPhone 5C’s passcode protection to “a guard dog,” told Apple its business model wasn’t public safety, fretted about “warrant-proof spaces” and indulged in a thought exercise by wondering what would happen if Apple engineers were kidnapped and forced to write code.

What. The. Feck.

I think I’ll read about this hearing in French news outlets as it somehow sounds more rational: iPhone verrouillé: le patron du FBI sur le gril face au Congrès américain (iPhone locked: FBI boss grilled by US Congress – Le Monde). Other kickers in Comey’s testimony: an admission that a “mistake was made” (oh, the tell-tale passive voice here) in handling the San Bernardino shooter’s phone, the implication that the NSA couldn’t (wouldn’t?) backdoor the iPhone in question, and that obtaining the code demanded from Apple would set precedent applicable to other cases.

Predictably, Apple’s Bruce Sewell explained that “Building that software tool would not affect just one iPhone. It would weaken the security for all of them.” In other words, FBI’s demand that Apple writes new code to crack the iPhone 5C’s locking mechanism is a direct threat to Apple’s business model, based on secure electronic devices.

Catch the video of the entire hearing on C-SPAN.

Facebook’s Latin American VP arrested after resisting release of WhatsApp data
Here’s another legal precedent, set in another country, where a government made incorrect assumptions about technology. Brazilian law enforcement and courts believed WhatsApp stored data it maintains it doesn’t have, forcing the issue by arresting a Facebook executive though WhatsApp is a separate legal entity in Brazil. Imagine what could happen in Brazil if law enforcement wanted an Apple iPhone 5C unlocked. The executive will be released today, according to recent reports. The underlying case involved the use of WhatsApp messaging by drug traffickers.

USAO-EDNY subpoenaed Citigroup in FIFA bribery, corruption and money laundering allegations
In a financial filing, Citigroup advised it had been subpoenaed by the U.S. Attorney’s office. HSBC advised last week it had been contacted by U.S. law enforcement about its role. No word yet as to whether JPMorgan Chase and Bank of America have been likewise subpoenaed though they were used by FIFA officials. Amazing. We might see banksters perp-walked over a fútbol scandal before we see any prosecuted for events leading to the 2008 financial crisis.

Quick hits

I’m out of here, need to dig out after another winter storm dumped nearly a foot of the fluffy stuff yesterday. I’m open to volunteers, but I don’t expect many snow shovel-armed takers.

Share this entry

How the Government Uses Location Data from Mobile Apps

Screen shot 2015-11-19 at 9.24.26 AMThe other day I looked at an exchange between Ron Wyden and Jim Comey that took place in January 2014, as well as the response FBI gave Wyden afterwards. I want to return to the reason I was originally interested in the exchange: because it reveals that FBI, in addition to obtaining cell location data directly from a phone company or a Stingray, will sometimes get location data from a mobile app provider.

I asked Magistrate Judge Stephen Smith from Houston whether he had seen any such requests — he’s one of a group of magistrates who have pushed for more transparency on these issues. He explained he had had several hybrid pen/trap/2703(d) requests for location and other data targeting WhatsApp accounts. And he had one fugitive probation violation case where the government asked for the location data of those in contact with the fugitive’s Snapchat account, based on the logic that he might be hiding out with one of the people who had interacted with him on Snapchat. The providers would basically be asked to to turn over the cell site location information they had obtained from the users’ phone along with other metadata about those interactions. To be clear, this is not location data the app provider generates, it would be the location data the phone company generates, which the app accesses in the normal course of operation.

The point of getting location data like this is not to evade standards for a particular jurisdiction on CSLI. Smith explained, “The FBI apparently considers CSLI from smart phone apps the same as CSLI from the phone companies, so the same legal authorities apply to both, the only difference being that the ‘target device’ identifier is a WhatsApp/Snapchat account number instead of a phone number.” So in jurisdictions where you can get location data with an order, that’s what it takes, in jurisdictions where you need a probable cause warrant, that’s what it will take. The map above, which ACLU makes a great effort to keep up to date here, shows how jurisdictions differ on the standards for retrospective and prospective location information, which is what (as far as we know) will dictate what it would take to get, say, CSLI data tied to WhatsApp interactions.

Rather than serving as a way to get around legal standards, the reason to get CSLI from the app provider rather than the phone company that originally produces it is to get location data from both sides of a conversation, rather than just the target phone. That is, the app provides valuable context to the location data that you wouldn’t get just from the target’s cell location data.

The fact that the government is getting location data from mobile app providers — and the fact that they comply with the same standard for CSLI obtained from phones in any given jurisdiction — may help to explain a puzzle some have been pondering for the last week or so: why Facebook’s transparency report shows a big spike in wiretap warrants last year.

[T]he latest government requests report from Facebook revealed an unexpected and dramatic rise in real-time interceptions, or wiretaps. In the first six months of 2015, US law enforcement agencies sent Facebook 201 wiretap requests (referred to as “Title III” in the report) for 279 users or accounts. In all of 2014, on the other hand, Facebook only received 9 requests for 16 users or accounts.

Based on my understanding of what is required, this access of location data via WhatsApp should appear in several different categories of Facebook’s transparency report, including 2703(d), trap and trace, emergency request, and search warrant. That may include wiretap warrants, because this is, after all, prospective interception, and not just of the target, but also of the people with whom the target communicates. That may be why Facebook told Motherboard “we are not able to speculate about the types of legal process law enforcement chooses to serve,” because it really would vary from jurisdiction to jurisdiction and possibly even judge to judge.

In any case, we can be sure such requests are happening both on the criminal and the intelligence side, and perhaps most productively under PRISM (which could capture foreign to domestic communications at a much lower standard of review). Which, again, is why any legislation covering location data should cover the act of obtaining location data, whether via the phone company, a Stingray, or a mobile app provider.

Share this entry