"... concerns that miscreants and hackers will find and exploit these Feds-only backdoors to spy on victims."
No concerns that the Feds will misuse the backdoors to spy on victims?
It's time for another rapid roundup of computer security news beyond what we've already reported. US prosecutors want Facebook Messenger crypto cracked Uncle Sam is demanding Facebook alter its Messenger software so that American g-men can easily snoop on suspected criminals, it is claimed. The social network is said to be …
Not just the bad guys and victims, but anyone, including CongressCritters, administration officials... might as well get the goods on those who control the purse strings of their budget.
Gotta love their belief that a backdoor isn't crackable by miscreants. Or maybe they know that and just don't care?
Once it is public knowledge that Messenger is readable by the US Government, part of its reason for existence goes away and it hits the Facebook share price.
At one end of the scale you have photocopiers controlled by KGB agents (mind you in some companies in this country they used to be controlled by MI5 cleared women). At the other end you have uncrackable encryption available to everybody, thus facilitating all kinds of crime.
As I see it the problem is that nobody has really sat down and thought about where in the middle the optimum solution lies, and nobody ever will because of special interests and lobbying.
A third factor is that nobody has shown for sure (1) that uncrackable encryption that can be read only by the "good guys" and never by the "bad guys" actually exists or can be created, and (2) how we identify with 100% certainty which are the good guys and which are the bad guys so the bad guys can NEVER get in.
> A third factor is that nobody has shown for sure (1) that uncrackable encryption that can be read only by the "good guys" and never by the "bad guys" actually exists or can be created
"nobody has shown for sure"? It's a prima facie impossibility, unless and until you have provably-correct mechanical detection of intent.[1][2] I'd say it's pretty clearly sure that you can't have "encryption that can be read only by the 'good guys'". No one who has any shred of a clue seriously believes that's possible.
[1] And even that has failure modes which will be unacceptable to many users, such as a "good guy" unwittingly using a compromised system, or operating under instructions from a corrupt superior.
[2] Also - and this ought to be obvious - since human judges can't agree on what constitutes good action, they're not going to agree on an algorithmic proxy for it. We're still debating the moral valences of actions that took place millennia ago. There are reasons these are unsettled questions; we have entire academic disciplines and huge bodies of literature dedicated to the meta-problem of why there's no universal ethics.
They'll have more than enough info on a particular phone if they do that
Quite sure they can tap the endpoints (phones) with the assistance of the network provisioners (i.e. telcos) **SINCE THOSE LAWS ALREADY EXIST**, and could track the conversations before they were encrypted. The issue here is that... well... finding these bodies on the street, or finding out what their real cell numbers are, requires that the FBI, ICE, Border Patrol, Local Cops, CIA, NSA, and NASA all talk nice to one another and do this thing that is so ultra new, cutting edge and outrageously exotic called COOPERATING, instead of DICK WAVING.
> sensitive profile info including email addresses, dates of birth, gender, and geolocation were taken
Could somebody be so kind as to explain why a "video editing site" needs date of birth, gender and geolocation? All right, date of birth might be required to prove one is not a minor - although a simple yes/no question would be enough (you can lie just as easily for both). Now gender is definitely nothing of their concern, and so is geolocation of the user. (IMHO, but then I'm old school.)
> gender is definitely nothing of their concern
Sure it is - it's demographic userbase information for marketing. "Looks like our users are 97% male. Target venues with predominantly male users for upgrade advertising, and female-predominant ones for ads aimed at new users."
True, it's not a technical concern. But that doesn't mean there's no reason for the organization to solicit that information.
You might not like it. I might not like it. We might both feel they could damn well do without it. But there's a reason for it.
So let me get this straight, the only messages "leaked" are "strangers' private messages", but they are all "promotional and mass-mailed messages from Twitch's marketing partners". Riiiight. Something not quite adding up here, that story is leaving my spider sense all twitchy.
"notify all users who had their messages accidentally shared, and give them a full copy of the messages at issue." Ah, the marketing partners will get a bucket load of their own adverts thrown back in their faces. So it's not all bad.
They can force back doors as much as they like, but that’s not going to suddenly uninvent cryptography. Miscreants will just find new platforms or implement their own platforms using the same technology, whilst everyone else can be readily spied upon for no reason, but then that’s obviously their intention, I guess.
We've got end-to-end encryption now on messaging systems because various Governments proved that they couldn't help themselves by breaching the privacy of everyone to snoop on a few miscreants. If the Govt gets what they want, who's to say that the determined crims or terrorists won't just fall back to older forms of encryption such as one-time pads, steganography etc. American prison gangs seem to be able to communicate at will between inside & outside the jails using old-fashioned ciphers & other techniques. Rather than SIGINT, perhaps the governments should invest more in HUMINT.
"Those with Pixel devices should already have the update – for everyone else, it will be up to your device vendor and carrier, where appropriate."
For everyone else, just avoid using those features / doing whatever it is that's now exploited until you buy a new phone. I've used Android since release and unless / until Google makes it a requirement or makes it so the base Android can be updated directly by them, it will always be a problem. I like that this is the route they are kind of heading down, but it's never going to be soon enough.
This is exactly why myself and several ex-techies I know of my generation have finally bowed down and bought iPhones.
The hardware generally has enough 'poke' for me for about 4 years, so I need security patches delivered for that period, not just until the next handset is released.
Well, that's too too bad so sad, as I can make up an HTML5 web app that runs in ANY web browser while you are on ANY major social media site that gives FULLY ENCRYPTED peer-to-peer SMS, multi-party text messaging and even realtime audio and VIDEO communications which uses Triple-CAAST (768 bit), Lattice, Invariate AND other SHOR'S resistant anti-quantum encryption algorithms to give basically impenetrable digital communications to EVERYONE FOR ABSOLUTELY FREE !!!! And since I am NOT in the USA and in no way bound to THEIR legal system, I can tell them to GO STUFF IT UP THEIR PFERD ARSES... Hmmm.... I should have that finished within two weeks AND it will work on Windows, Android, Linux and MACOS/iOS!
Since I've ALREADY designed and coded all the components and they are ready to go LIKE RIGHT NOW on all the world's major OS'es, I just need a decent user interface which will take less than two weeks to do !!!
THERE! I just stuffed your spy prods up your keester.. Go Suck an Egg !!!!!!!