No thanks
That is all.
Facebook has responded to governments' criticism of cryptography by giving the world an open source encrypted group chat tool. It's hardly likely to endear the ad-farm to people like FBI Director Christopher Wray, who yesterday told an international infosec conference it was “ridiculous” that the Feds have seized nearly 8,000 …
Except that the source code has been released to the public, so it can be inspected for flaws. If Facebook has slipped some nasty code into the public domain, people will be able to tell. Bitching about Facebook employees originating the code is therefore both pointless and counter-productive.
Perhaps I should elaborate before I get deservedly downvoted into oblivion..
I do believe that it is great for ANY company to open source their software.
Especially if that software enables users to communicate over a (supposedly) secure, encrytped way.
I am a staunch supporter of open source software especially any software that helps with security and/or privacy.
But trust is earned not given.
Zuck and Co. are well known for collecting as much personal, private information from as many people as possible and aggragating all that data into graphs and selling it or even giving it away freely to anyone with a FB developer account.
Facebook has the technology, money and manpower to create powerful software that could help keep communications secure but it goes 180 degrees from what their current format is all about.
So pardon me when I have an knee jerk reaction to any software that is supposed to be private and secure with the Facebook name attached.
Then why publish it open-source on Github? Any backdoor Facebook would want to include would have to be included in that code, wouldn't it, meaning they could be found out and pretty easily, too?
Not that I like Facebook, mind you, but in this case we're talking about an Enemy of My Enemy situation. Facebook hates The Man as much as you do.
Then why publish it open-source on Github? Any backdoor Facebook would want to include would have to be included in that code, wouldn't it, meaning they could be found out and pretty easily, too?
Needle, haystack.
You're right of course, except that "pretty easily" might be the rose-tinted specs speaking (how long could a needle lurk undetected)? I'd put more faith in Facebook's motivations: namely the kudos of giving the world something useful vs the very obvious likelihood of reputational damage from even the hardest-to-find needle in there.
Shellshock and Heartbleed (not to mention meltdown) are bugs. And they're historic, from an era when security simply wasn't a concern the way it is today (we all know Unix shells are full of bizarre idiosyncracies). That's fundamentally different to a deliberate backdoor which some commentards here seem to see.
Bottom line: no-one was looking for shellshock. Contrast, lots of people will be looking hard for backdoors in an app promoting itself as offering cryptographic security.
This post has been deleted by its author
Then why publish it open-source on Github? Any backdoor Facebook would want to include would have to be included in that code, wouldn't it, meaning they could be found out and pretty easily, too?
1 - origin and motives. As it's Facebook, suspect by default given how they make their money.
2 - who is going to review it?
3 - why do we need this? Plenty of alternatives.
4 - ever heard of the Obfuscated C contest?
5 - is that really all the functionality? What about downloading address books in full? Has that been fixed?
Anyway, that's just a short list to start with. I'm sure others will add many more.
A lot of the modern tech companies make extensive use of open source and participate actively in projects including making their own stuff available. The logic behind this seems largely to be a continuation of IBM's EWS (employee written software) rules: if you can't sell it then you might as well give it away. You get peer review and possibly investment in the project from others. For free. It's also cheap but targeted advertising for companies looking for developers.
ART looks at first glance to be a proof of concept implementation of something that Facebook itself is not yet using in either WhatsApp or Facebook Messenger, ie. it wants peer review of the technology because secure, serverless group chat is hard.
Sorry but this is like the otherwise faultless sports car the Mythbusters buried (?) a few pig carcasses in then dug up and attempted to clean up and sell - it might all be level in theory, but the stench of the attached brand is just so nauseating I'd never touch this in a billion years, no matter how many times it gets confirmed as completely legit. Also, Greeks and gifts. No. Fuck off, Facebook.
The government love the encrypted group chat provided by Facebook. All they need is to compromise one member and voila - the whole group is compromised.
For an example of how people tried to use encrypted group chat and how the government went to leverage it against them see the analysis of the recent Turkish coup. It was on el reg somewhere, too lazy to search.
So did you read the article at all, where it discussed how this group chat was different from the other group chats (including the ones currently offered by facebook) in that this algorithm has Post Compromise Security?
Guess the urge to come directly to the comments and shout obscenities was just too great.
Post Compromise Security?
Post Compromise Security is useless if you do not know that a member has been compromised and it is the adversary listening to the chat instead. That is one lesson from the Turkish putch analysis - governments actually LOVE group chats instead of various person-to-person relay methods. All it takes is one application of a rubber hose for them to get in and sit and listen for a sufficient amount of time to pick up everyone.
Nothing new in this too - no insurgency or resistance with "large distribution" channels has ever succeeded. There is a reason why WW2 resistance always used the principle of cells and deliberate fragmentation. It is easier to detect compromise and cut-off a compromised branch than in a flat large distribution group.
Anything is useless if one of the people you are talking to turns out to be the enemy (whether they started out as the enemy or became the enemy after application of RH). That does not mean that you should just give up: it's still possible to reduce the problems, even if they can't be made to vanish completely.
What seems ridiculous to me is that the Feds have seized 8000 phones and have no other clue as to the culpability of the suspects.
Do your job : gather suspicions, follow the suspects, inquire about their lives, and THEN swoop in with reasonable cause and gather all the rest.
If you have nothing but the phones to go on, you're not doing your job and you have no right to complain about it.
No backdoor access for the lazy.
@Richard1:
Hints:
Cat videos become the social equivalent of child porn
Climate Change becomes the new Nazi Manifesto
The concept of one citizen one vote becomes the equivalent of a panel van with Free Candy painted on the side.
You fail to see that you suffer from the privilege of at least moderate freedom, relative wealth, and some individuality. For the moment.
But.... But... The "I" stands for Investigation, not Intelligence.
On the other hand, as others have noted, the FBI seems to be sat on 8000 phones with no other evidence of the "perp's" guilt. So maybe they shouldn't have that last letter either, given they don't seem to be doing any actual investigating
"due to flaws in both Signal and WhatsApp...it’s theoretically possible for strangers to add themselves to an encrypted group chat"
from Matthew Green's blog: https://blog.cryptographyengineering.com/2018/01/10/attack-of-the-week-group-messaging-in-whatsapp-and-signal/