Re: [liberationtech] Wicker: Déjà vu all over again

2014-06-11 Thread Jonathan Wilkes

On 06/10/2014 05:03 PM, Tom Ritter wrote:
I just want to jump in and mention again that it's entirely possible 
to pick apart applications written for Android, iPhone, Windows, Mac, 
etc and understand how they operate.  Going even deeper than just 
'what they store on disk' and 'what they send on the wire'.  It 
requires a little bit of technological know-how, but places one could 
look for that expertise are organizations' technologists, the computer 
security group at one's university, many of the people on this mailing 
list, groups like Citizen Lab, and just following tutorials online and 
learning it yourself.


You forgot to explicitly address the _ease_ of picking apart free 
software vs. proprietary apps.


I think the coffee break bug spotters on this list implicitly address 
the ease of picking apart free software when the source is publicly 
accessible.


I think you implicitly addressed the ease of picking apart proprietary 
apps by writing about possibilities instead of actually picking this one 
apart during a coffee break.


(Just to be clear-- I'm talking about picking apart what the software 
actually does, not picking apart what somebody claims it does.)


-Jonathan
--
Liberationtech is public & archives are searchable on Google. Violations of
list guidelines will get you moderated:
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change
to digest, or change password by emailing moderator at compa...@stanford.edu.


Re: [liberationtech] Wicker: Déjà vu all over again

2014-06-10 Thread Yosem Companys
Seems like a good idea.  I wonder what journalists on the list think
about it.  I know there are a number of Knight Fellows and other
journalists on the list, so I hope they chime in.

BTW, here is the press release received via Twitter in response to an
inquiry about Wickr's security:

https://www.mywickr.com/en/downloads/RSA_Security_Announcement.pdf

***Attention Security Geeks, This One is for You***

Wickr Releases Perfect Forward Secrecy, No Back Door Guarantee,
Transparency Report & Veracode Audit

RSA ® Innovation Sandbox Recognizes Wickr as a Top Security Innovator of 2013
Visit the Wickr Demo Booth on February 25th

By Dr. Robert Statica, Wickr Cofounder

February 25, 2013

Today is the opening of RSA ® Conference 2013, the largest security conference in the world. In honor of this event, we are making some announcements that only security geeks, like us, understand.

Wickr provides more advanced encryption technology than pricey alternatives

To kick things off, we changed our key encryption algorithm from RSA 4096 to ECDH 521. Isn’t that ironic?! This elliptical curve encryption algorithm enables us to offer perfect forward secrecy to mainstream consumers with faster performance. If Suite B specifications are good enough for NSA Top Secret information, then they are good enough for our family and friends. As a result of this change, Wickr provides the most advanced level of data and key encryption available on the market to date. Oh, by the way, Wickr is free.

We’d also like to point out that we have not tried to reinvent encryption. While we do have a patent-pending protocol for transport of the encrypted communication as well as ephemeral messages and media, this does not mean we are using patent-pending encryption. In fact, we use well-known encryption algorithms - AES 256, ECDH 521 and TLS. The receiver’s device is the only one to know the decryption key, which changes every message to prevent harvesting attempts. Our peer-to-peer data encryption/decryption does not rely on a centralized KDC (key distribution center) thus making secure communication easier than ever; even the non-technical can do it!

Backdoors are so last century

Additionally, the Wickr architecture eliminates back doors. We don’t use servers outside of the country because we don’t need to. Each message is encrypted, no matter what server it is sent through, rendering backdoors obsolete. By eliminating back doors, our architecture protects Article 12 of the Universal Human Rights Doctrine in the United Nations as well as the First Amendment to the Constitution of the United States. This mission is fundamental to Wickr and everything we do. Let’s be clear, open source code does not guarantee there are no back doors – it requires a good architecture and good intentions. This is our commitment to you.

Encrypted and self-destructing messages tell no tales

Today Wickr released its very first Transparency Report. The report shows we have had requests for information from law enforcement in 2013. It also shows we have absolutely nothing to provide in response to these requests because we don’t know who is communicating on our platform or what is being said. We do not store any personal identifiable information on our servers whatsoever. Our servers only see encrypted messages, and even those are deleted as soon as they are downloaded by the recipient. You can view the full report here.

Don’t believe us? It is too good to be true?

Rest assured, Wickr is the real deal. We’ve undergone a code audit from Veracode, the most respected secure coding experts in the world. Wickr’s app and server code scored a 100/100 after undergoing an extensive review conducted by Veracode professionals. You can verify the Veracode certified seal on our web site here.

No such thing as 100 percent secure – but we’ll keep trying

Wickr will never promise 100 percent perfect security solutions because we are security experts and understand that nothing can ever be 100 percent secure. We do, however, promise 100 percent commitment to becoming more secure, all the time. Security is an attitude we have built into Wickr from the ground up.

RSA ® Innovation Sandbox recognizes Wickr as a top security innovator

Wickr is proud to be recognized as one of the most innovative new companies at RSA this year. Visit us at the Wickr demo booth on February 25th at Moscone Hall E Room 134 from 1-5pm.

More about Wickr

Headquartered in San Francisco, Wickr is comprised of top security and privacy experts who strongly believe private communication is a universal human right that is extremely important to a free society. Today, this right is almost nonexistent. Companies like Apple, Facebook and Google offer messaging that is archived, easily traceable, controlled by the recipient and shared with strangers.

We have flipped this concept on its head and are giving the control back to you, the sender. After all, who doesn’t want control of the messages and media they

Re: [liberationtech] Wicker: Déjà vu all over again

2014-06-10 Thread Joshua Kopstein

On 6/9/2014 8:42 PM, Yosem Companys wrote:
 Wickr is back in the news in spectacular form:


http://www.inc.com/magazine/201407/ceo-of-wickr-leads-social-media-resistance-movement.html

 ...despite known security problems we've discussed on the list before:


https://mailman.stanford.edu/pipermail/liberationtech/2012-June/004239.html

 Seems as though we need better tactics to share with journalists our
 impressions about security.

 YC

Looking at the list of issues Nathan mentioned, I'm seeing that at least
some of them like PFS have been addressed since that posting (with the
glaring exception of Open Source, unfortunately). They've also received
an audit from Veracode since then IIRC.

Obviously I can't speak expertly on the crypto, but I think it should be
a positive thing that there's a push for ephemeral social
media/messaging with some semblance of security in mind (aka - not
Snapchat).

I've spoken with one of the creators several times and they've always
struck me as forthcoming and fairly determined to hammer out these
issues... eventually. A lot of people I talk to in the infosec community
also seem pretty enthusiastic about it. But yeah, would definitely love
to have some kind of catalog of concerns about this and other commercial
solutions - I get pitched on the latest magic email encryption
snakeoil regularly.
-- 
Joshua Kopstein
Cyberculture Journalist
PGP Key: http://is.gd/lHEXgs
https://joshk.contently.com



Re: [liberationtech] Wicker: Déjà vu all over again

2014-06-10 Thread Aymeric Vitte


On 10/06/2014 16:19, Joshua Kopstein wrote:

  I get pitched on the latest magic email encryption
snakeoil regularly.


That's not magic but the initial idea of Peersm was to exchange 
encrypted data anonymously inside browsers (so from any device, no 
installation) without any third party in the path being aware of what's 
going on, now the idea has been extended to pure multi-sources p2p for 
anonymous/encrypted download/streaming.


Currently the interface is not designed for chat but it would be easy to 
implement. Right now you can upload your message inside your browser, 
encrypt it and send the hash_name of the message and the encryption key 
to other people by whatever means you like, so they can download the 
message and decrypt it (painful to do? Not really, it's fast and it 
is worth it; I always take the same example, but personally I am quite 
upset each time someone is using a dropbox or snapstuff to send personal 
family photos). Of course that's a standalone app inside your browser 
and not a web site.


I don't see any cons from Nathan's list, except:

- the current phase is using our servers to relay the data, but they 
don't know what it is, where it's coming from or where it's going. The 
servers disappear with the target phase, where peers (browsers) are 
relaying the traffic.
- the code is not open source (except the initial node-Tor code on git) 
but might become so; anyway it's JavaScript code, so impossible to hide 
and easy to check.


I could add other pros I believe.

It's using the same encryption as Tor since it is based on the Tor 
protocol.


Regards

Aymeric

--
Peersm : http://www.peersm.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms



[liberationtech] Wicker: Déjà vu all over again

2014-06-10 Thread Yosem Companys
From: m d 2md...@gmail.com

The term open source was missing from the article. I'm curious if any of
the other projects mentioned are open source like Indie Box, other than
Diaspora.

The mention of NDAs by the Wickr founder makes it a non-starter. Their web
site doesn't have any download link for the source files, nor mention of
open source, but they do mention patent pending technology. How do they
expect anyone to trust closed source, proprietary technology to be secure?

[liberationtech] Wicker: Déjà vu all over again

2014-06-10 Thread Yosem Companys
From: Brian Behlendorf br...@behlendorf.com

You don't have to; trust, but verify.  Or trust those who *can* verify.
Microsoft, Google and Apple are at the top of the most trusted brands
lists and have been for years, so even in the light of the Snowden
revelations, most have tended to give them the benefit of the doubt and
keep using their proprietary software and services.  But those who don't,
and instead use self-hosted open source tools, are making a different trust
choice - they prefer to trust Linus Torvalds, the Linux community, Firefox
developers, Pidgin developers, Apache developers, and the broader developer
community, on a gut-level calculus that those parties are less likely to
intentionally corrupt their software, and are more likely to find
each other's (intentional or accidental) corruptions.  That calculus
integrates across all software, teams, and time, so even disasters like
Heartbleed aren't enough to change the result for most of us.  Speaking
personally, it only reinforced it, by watching not only how quickly the
disparate communities reacted and pushed solutions out, but how much it's
caused further inspection of OpenSSL and other underlying packages.

This calculus does have some bigger blind spots, though - I was never
comfortable with promoting TrueCrypt, a package written by intentionally
anonymous authors without any of the trappings of an open source project -
open revision control, open bug tracker, open discussion boards for
development.  I like being able to attach names to code - software is made
of people, not unlike Soylent Green.  Even though it's not really truly
Open Source licensed, I trust qmail, djbdns, and other packages written by
Dan J. Bernstein because he's a no-bullshit mathematician, scientist,
coder, and fighter for liberty (see Bernstein v. United States).

With proprietary solutions, including Wickr, the verify window is much
more narrow.  You can inspect what it sends over the wire or stores on
disk, but even that's pretty opaque.  Without that verify loop, you can
trust those who they've hired to do security audits.  You can also figure
out whether you trust Nico herself.  There are those of us on the advisory
board for Wickr (full disclosure) who are working with them to figure out
some way to broaden that trust+verify window.  We'll see what happens.

Brian

Re: [liberationtech] Wicker: Déjà vu all over again

2014-06-10 Thread Jillian C. York
I have to say: I'm not as uncomfortable with this article as I thought I'd
be.  I'm definitely uncomfortable with some of Wickr's promotional text
(military-grade encryption, leave no trace) but I felt that this
particular article addressed the NSA concerns and was fairly realistic
about what Wickr can and cannot do.

I've been playing around with Wickr and for normal concerns (like, a parent
looking at a kid's phone, or even me losing my phone), it's great!  I see
it more of a Snapchat competitor than a TextSecure competitor, but I really
think it will do well with a certain crowd.

Still, I'd much prefer it to be open-source.



-- 
We must not be afraid of dreaming the seemingly impossible if we want the
seemingly impossible to become a reality - *Vaclav Havel*

Re: [liberationtech] Wicker: Déjà vu all over again

2014-06-10 Thread Tom Ritter
I just want to jump in and mention again that it's entirely possible to
pick apart applications written for Android, iPhone, Windows, Mac, etc and
understand how they operate.  Going even deeper than just 'what they store
on disk' and 'what they send on the wire'.  It requires a little bit of
technological know-how, but places one could look for that expertise are
organizations' technologists, the computer security group at one's
university, many of the people on this mailing list, groups like Citizen
Lab, and just following tutorials online and learning it yourself.

The 'Trust but Verify' applies to open source, closed source, and that
window of 'open source but distributes binaries e.g. through the play
store'.

-tom


Re: [liberationtech] Wicker: Déjà vu all over again

2014-06-10 Thread Steve Weis
I'll echo Tom: It's relatively easy and a good learning exercise to pick
apart mobile apps and see what they're doing. On that note, here's some
source generated from the Wickr Android app class files using jd-gui:
http://saweis.net/files/wickr.src.zip

That doesn't include a native library that comes in the APK, which appears
to be used for the core crypto. In that library, I see an aes_encrypt
function that uses ECB mode and an aes_encrypt_improved that uses CTR. I
don't see any authentication for CTR mode. I also don't see a safe padding
mode used with RSA.


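Steve's finding above (ECB in one AES routine, unauthenticated CTR in the other) is the kind of thing a reviewer checks for, so here is an added example, not Wickr's code and not taken from the decompiled archive, written against Go's standard-library AES with a constructed key and plaintext: ECB exposes repeated plaintext blocks, unauthenticated CTR lets a flipped ciphertext bit pass through silently, and AES-GCM, the hardened form, rejects the same flip.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// ecbEncrypt encrypts each 16-byte block independently. Equal plaintext blocks
// give equal ciphertext blocks, so ECB leaks the plaintext's repetition.
func ecbEncrypt(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(pt)%aes.BlockSize != 0 {
		return nil, errors.New("ecb: bad key or plaintext not a multiple of 16 bytes")
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct, nil
}

// repeatedBlocks counts 16-byte ciphertext blocks that already occurred earlier
// in the message; any non-zero count under ECB is the leak a reviewer flags.
func repeatedBlocks(ct []byte) int {
	seen, n := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			n++
		}
		seen[b] = true
	}
	return n
}

// ctrXOR applies the AES-CTR keystream for iv to in. CTR decryption is the
// same XOR as encryption, which is exactly why it is malleable.
func ctrXOR(block cipher.Block, iv, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// ctrFlipUndetected models unauthenticated CTR (iv || ct on the wire): one bit
// flipped in transit flips the same plaintext bit and the receiver gets no
// error, because nothing binds the ciphertext to the key.
func ctrFlipUndetected(key, pt []byte) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return false, err
	}
	ct := ctrXOR(block, iv, pt)
	ct[0] ^= 0x01 // corruption on the wire
	got := ctrXOR(block, iv, ct)
	return got[0] == pt[0]^0x01 && bytes.Equal(got[1:], pt[1:]), nil
}

// gcmFlipDetected is the hardened form: AES-GCM is CTR plus an authentication
// tag, so the same single-bit flip makes Open fail instead of returning data.
func gcmFlipDetected(key, pt []byte) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return false, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh per message; never reuse with a key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return false, err
	}
	sealed := aead.Seal(nil, nonce, pt, nil)
	sealed[0] ^= 0x01 // same corruption as in the CTR case
	_, err = aead.Open(nil, nonce, sealed, nil)
	return err != nil, nil // true: tampering detected
}
```

Where an AEAD mode is not available, encrypt-then-MAC over iv||ciphertext with HMAC gives the same tamper detection that the plain CTR routine lacks.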

[liberationtech] Wicker: Déjà vu all over again

2014-06-09 Thread Yosem Companys
Wickr is back in the news in spectacular form:

http://www.inc.com/magazine/201407/ceo-of-wickr-leads-social-media-resistance-movement.html

...despite known security problems we've discussed on the list before:

https://mailman.stanford.edu/pipermail/liberationtech/2012-June/004239.html

Seems as though we need better tactics to share with journalists our
impressions about security.

YC


Re: [liberationtech] Wicker: Déjà vu all over again

2014-06-09 Thread Griffin Boyce
Hey Yosem!

A good experiment might be to send out releases of factual security info to
counteract the dubious press releases that all too often turn into dubious
articles.


Yosem Companys wrote:
Seems as though we need better tactics to share with journalists our
impressions about security.

-- 
Sent from my tracking device. Please excuse brevity and cat photos.


Re: [liberationtech] Wicker: Déjà vu all over again

2014-06-09 Thread Tony Arcieri
On Mon, Jun 9, 2014 at 10:41 PM, Griffin Boyce grif...@cryptolab.net
wrote:

 A good experiment might be to send out releases of factual security info
 to counteract the dubious press releases that all too often turn into
 dubious articles.


I think it'd be pretty interesting for the cryptographic community to
produce some sort of resource for reporters on what tools are good and bad
and for what reasons.

Press releases seem like an interesting idea too, especially if there were
a one-tool-at-a-time approach where a group of people could review and
comment on each tool individually.

This would generate the kind of news cycle the tech press loves.