
      Apple partly halts Beeper’s iMessage app again, suggesting a long fight ahead

      news.movim.eu / ArsTechnica · Thursday, 14 December - 19:59 · 1 minute

    Image: The dream of everybody having blue bubbles, and epic photos of perfectly digestible meals, as proffered by Beeper. (credit: Beeper)

    A friend of mine had been using Beeper's iMessage-for-Android app, Beeper Mini, to keep up on group chats where she was the only Android user. It worked great until last Friday, when it didn't work at all.

    What stung her wasn't the return to being the Android interloper in the chats again. It wasn't the resulting lower-quality images, loss of encryption, and strange "Emphasized your message" reaction texts. It was losing messages during the outage and never being entirely certain they had been sent or received. There was a gathering on Saturday, and she had to double-check with a couple people about the details after showing up inadvertently early at the wrong spot.

    That kind of grievance is why, after Apple on Wednesday appeared to have blocked what Beeper described as "~5% of Beeper Mini users" from accessing iMessage, both co-founder Eric Migicovsky and the app told users they understood if people wanted out. The app had already suspended its plans to charge customers $1.99 per month following the first major outage. But this was more about "how ridiculously annoying this uncertainty is for our users," Migicovsky posted.



      Facebook Enables Messenger End-to-End Encryption by Default

      news.movim.eu / Schneier · Monday, 11 December - 04:14

    It’s happened. Details here, and tech details here (for messages in transit) and here (for messages in storage).

    Rollout to everyone will take months, but it’s a good day for both privacy and security.

    Slashdot thread.


      Meta begins rolling out end-to-end encryption across Messenger and Facebook

      news.movim.eu / TheGuardian · Thursday, 7 December - 03:16


    Under the changes, Meta will no longer have access to the contents of what users send or receive, unless a user reports a message

    Facebook’s parent company has begun rolling out end-to-end encryption across Messenger and Facebook, Meta announced on Thursday.

    The company’s vice-president for Messenger, Loredana Crisan, said the encryption was built on the Signal protocol and Meta’s own Labyrinth protocol.


      Beeper Mini for Android sends and receives iMessages, no Mac server required

      news.movim.eu / ArsTechnica · Tuesday, 5 December - 15:00

    Image: A Pixel 3, messaging a savvy iPhone owner, one with the kinds of concerns Beeper hopes to resolve for its customers. (credit: Kevin Purdy)

    In the past week, I have sent an iMessage to one friend from a command-line Python app and to another from a Pixel 3 Android phone.

    Sending an iMessage without an Apple device isn't entirely new, but this way of doing it is. I didn't hand over my Apple credentials or log in with my Apple ID on a Mac server on some far-away rack. I put my primary SIM card in the Pixel, I installed Beeper Mini, and it sent a text message to register my number with Apple. I never gave Beeper Mini my Apple ID.

    From then on, my iPhone-toting friends who sent messages to my Pixel 3 saw them as other-iPhone blue, not noticeably distracting green. We could all access the typing, delivered/read receipts, emoji reactions, and most other iPhone-to-iPhone message features. Even if I had no active Apple devices, it seems, I could have chosen to meet Apple users where they were and gain end-to-end encryption by doing so.



      The UK’s problematic Online Safety Act is now law

      news.movim.eu / ArsTechnica · Saturday, 28 October - 10:43 · 1 minute


    Jeremy Wright was the first of five UK ministers charged with pushing through the British government’s landmark legislation on regulating the Internet, the Online Safety Bill. The current UK government likes to brand its initiatives as “world-beating,” but for a brief period in 2019 that might have been right. Back then, three prime ministers ago, the bill—or at least the white paper that would form its basis—outlined an approach that recognized that social media platforms were already de facto arbiters of what was acceptable speech on large parts of the Internet, but that this was a responsibility they didn’t necessarily want and weren’t always capable of discharging. Tech companies were pilloried for things that they missed, but also, by free speech advocates, for those they took down. “There was a sort of emerging realization that self-regulation wasn’t going to be viable for very much longer,” Wright says. “And therefore, governments needed to be involved.”

    The bill set out to define a way to handle “legal but harmful” content—material that wasn’t explicitly against the law but which, individually or in aggregate, posed a risk, such as health care disinformation, posts encouraging suicide or eating disorders, or political disinformation with the potential to undermine democracy or create panic. The bill had its critics—notably, those who worried it gave Big Tech too much power. But it was widely praised as a thoughtful attempt to deal with a problem that was growing and evolving faster than politics and society were able to adapt. Of his 17 years in parliament, Wright says, “I’m not sure I’ve seen anything by way of potential legislation that’s had as broadly based a political consensus behind it.”



      The Signal Protocol used by 1+ billion people is getting a post-quantum makeover

      news.movim.eu / ArsTechnica · Wednesday, 20 September, 2023 - 13:59 · 1 minute


    The Signal Foundation, maker of the Signal Protocol that encrypts messages sent by more than a billion people, has rolled out an update designed to prepare for a very real prospect that’s never far from the thoughts of just about every security engineer on the planet: a quantum computer large enough to break the public-key cryptography that secures some of the most sensitive secrets today.

    The Signal Protocol is a key ingredient in the Signal, Google RCS, and WhatsApp messengers, which collectively have more than 1 billion users. It’s the engine that provides end-to-end encryption, meaning messages encrypted with the apps can be decrypted only by the recipients and no one else, including the platforms enabling the service. Until now, the Signal Protocol established the shared keys that protect messages and voice calls with X3DH, a key-agreement specification built on a form of cryptography known as Elliptic Curve Diffie-Hellman.

    A brief detour: WTF is ECDH?

    Often abbreviated as ECDH, Elliptic Curve Diffie-Hellman is a protocol in its own right. It combines two main building blocks. The first is the use of elliptic curves to form asymmetric key pairs, one per user. One key in the pair is public and can be handed to anyone; the corresponding private key is closely guarded by its owner. Note that in Diffie-Hellman the public key is not used to encrypt messages directly: each party combines its own private key with the other party’s public key, both arrive at the same shared secret, and that secret is fed to a key-derivation function to produce the symmetric keys that actually encrypt the traffic. Cryptography relying on a public-private key pair is known as asymmetric, or public-key, cryptography.
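    The key agreement described above, written out as an added example (this is not Signal’s code and does not come from the Ars article): X25519, the Elliptic Curve Diffie-Hellman function that X3DH builds on, implemented from RFC 7748 in plain Python and checked against the RFC’s own test vectors. It shows the point the paragraph glosses over: the public key never encrypts anything. Each side combines its private key with the other’s public key, both land on the same 32-byte shared secret, and a key-derivation function turns that into the symmetric key. The use of HKDF-SHA256, the info string, and the rejection of an all-zero shared secret are this example’s choices, not something the article specifies.

```python
"""X25519 Diffie-Hellman key agreement in pure Python (added example).

Follows the RFC 7748 construction: a Montgomery ladder over GF(2^255 - 19).
Educational only: the conditional swap branches on key bits, so this is
NOT constant-time. Production code should use a vetted library.
"""
import hashlib
import hmac

P = 2**255 - 19                          # field prime
A24 = 121665                             # (486662 - 2) / 4, ladder constant
BASEPOINT = (9).to_bytes(32, "little")   # u = 9, the standard generator


def _decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte private key as RFC 7748 requires, then read little-endian."""
    k = bytearray(k)
    k[0] &= 248      # clear the low 3 bits (cofactor clearing)
    k[31] &= 127     # clear the top bit
    k[31] |= 64      # set bit 254 so the ladder runs a fixed number of steps
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    """Read a 32-byte u-coordinate; the top bit is ignored by spec."""
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little") % P


def x25519(private_key: bytes, public_u: bytes) -> bytes:
    """Scalar multiplication k * u on Curve25519 (RFC 7748, section 5)."""
    k = _decode_scalar(private_key)
    x1 = _decode_u(public_u)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # branching swap: fine for illustration, a timing leak in practice
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    # Fermat inversion: z2^(p-2) == z2^-1 (mod p); a zero z2 yields the all-zero output
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private_key: bytes) -> bytes:
    """The value that is actually sent over the wire: k * basepoint."""
    return x25519(private_key, BASEPOINT)


def hkdf_sha256(shared_secret: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with an all-zero salt: turns raw DH output into a usable key."""
    prk = hmac.new(b"\x00" * 32, shared_secret, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def agree(my_private: bytes, their_public: bytes) -> bytes:
    """One side of the handshake: DH, then KDF. Both sides end with the same key."""
    shared = x25519(my_private, their_public)
    # A low-order (e.g. all-zero) public key forces an all-zero secret; refuse it.
    if shared == b"\x00" * 32:
        raise ValueError("low-order point: refusing to derive a key")
    return hkdf_sha256(shared, b"added-example session key")   # info string is an assumption


# Private keys from the RFC 7748 section 6.1 test vectors (not secret, obviously)
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")

if __name__ == "__main__":
    alice_pub, bob_pub = public_key(ALICE_PRIV), public_key(BOB_PRIV)
    # Only the public keys cross the wire; the derived key is never transmitted.
    assert agree(ALICE_PRIV, bob_pub) == agree(BOB_PRIV, alice_pub)
    print("shared secret:", x25519(ALICE_PRIV, bob_pub).hex())
```

    Running the file checks that Alice and Bob, each holding only their own private key and the other’s public key, derive the same session key. The raw DH output is never used as a key directly; it goes through HKDF first, which is also where a real handshake like X3DH would mix in the other shared secrets it computes.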



      Sky Targets Sky Go & Now TV Decryption Key Software as Piracy Wars Continue

      news.movim.eu / TorrentFreak · Thursday, 27 July, 2023 - 18:05 · 4 minutes

    Sky has fought piracy mechanisms of all kinds over the years. From set-top box modifications to viewing card tampering, blocking, even full PC-based emulation, the pay TV company has seen it all.

    Exploits that are relatively easy to pull off and work at scale are considered serious threats. Last month we reported on the sale of Sky encryption keys on platforms including Telegram. That type of thing has been going on for some time, but over the space of a few days, direct URLs to watch Sky content in the UK, Italy, and Germany, were posted online and inevitably began to spread.

    Free Decryption Key Extractors

    This week a related problem was observed by intelligence and investigations company Kopjra S.r.l. Working as a Sky anti-piracy partner in Italy, Kopjra sprang into action after spotting software uploaded to GitHub by a user who only signed up this month.

    The user account ‘TAJLNsScripts’ was created in early July and currently focuses on video platform-related tools. The first script causing concern at Sky was written in Python and claims to allow users to log in to Now TV via a terminal window, browse the platform’s content, and then obtain decryption keys for both VOD content and live TV.

    A second repository named ‘SkyGo-Drm-Solution’ offered a Python script with features broadly in line with the VOD capability of its Now TV-focused namesake. In order to function, the tool requires users to take an extra step using a specific cookie culled from Sky’s platform.

    While still a concern for Sky, the extra steps, and the question of what to do with the keys once obtained, are likely to put off most people from venturing further. For people with a rudimentary understanding of how these things work, though, nothing here is particularly difficult.

    The broad underlying concern is that these scripts and others like them exploit a fundamental weakness that a) can’t be easily fixed and b) goes way beyond Sky. It’s a fairly sensitive topic, to put it mildly.

    Kopjra’s Aggressively-Worded DMCA Takedown

    After identifying itself as representing Sky UK, Kopjra informed GitHub via a DMCA notice that the tools allow for the decryption of Sky content otherwise protected by Widevine DRM.

    “This activity is manifestly illicit, and it represents a violation of our Client’s exclusive intellectual property rights (COPYRIGHT) on the Asset, given that our Client has never authorized – neither intends to authorize – any of the Page/s displaying contents concerning the Asset,” the notice reads.

    “In consideration of the above, we formally invite you to immediately remove – within 24 hours of receipt of this letter – the above-mentioned Page/s, to disable access to users and cease any further publishing of any content concerning the Asset on the Page/s.”

    As the image above shows, the scripts in question were uploaded to GitHub roughly three weeks ago. The first and second repo were both created on July 8, approximately six minutes apart. Both had obvious topic tags and were very easy to find from the beginning.

    After being publicly exposed for a considerable time, removing the software was presented as an emergency matter, with Kopjra informing GitHub that anything short of immediate compliance would render the coding platform liable for losses.

    “We bring to your attention that, in case of failure to comply with the above requests, you will be deemed directly responsible for the persisting infringement of our Client’s intellectual property rights as well as for the consequent damages (both economic and non-economic) suffered and that can be suffered in the future,” the notice warned.

    GitHub Removes Software

    The DMCA takedown notice published by GitHub shows that the developer of the software was given an opportunity to make changes to their code, provided with advice on how to submit a counternotice, and directed towards GitHub-supplied legal resources.

    These steps are part of GitHub’s commitment to supporting developers following the attempted takedown of youtube-dl in 2020. The commitment doesn’t imply that GitHub endorses a developer’s work, but the company does believe that coders should have the freedom to tinker.

    What response was received by GitHub, if any, isn’t detailed in the notice, but the end result was both repositories being disabled along with several forks. The developer’s account was not suspended due to the takedown notice, but it now contains just three repos rather than the original five.


    For Sky and its anti-piracy partners, this represents just one of many takedowns filed already this month, mostly hoping to make sites and services much harder to find.

    Continuous DMCA Notices

    Sky has several anti-piracy partners and they are always kept busy tackling various threats. Takedown notices targeting pirate IPTV services, their sales portals in particular, are sent to Google on a regular basis. The strategy includes making numerous claims in respect of different types of infringement.

    For example, notices like these (1, 2) claim that infringing links to copyrighted content are provided by the sites in question, but very rarely are any links included in takedown notices. To avoid the notices being rejected, they carry additional claims that the sites display Sky’s logos without permission. Since that’s usually the case and is easily proven, these takedowns can be effective.

    Sky isn’t simply a broadcaster, though; it owns content too. That leads to takedown notices like this, which target sites that directly host movies and TV shows, or allow them to be streamed via their platforms.

    Like many similar companies, Sky has to deal with a persistent threat from piracy apps, usually in the form of Android APK files offered on various sites. They are tackled with notices like this, while platforms offering DRM keys are dealt with in broadly the same way.

    Image credit: Pixabay / TheDigitalArtist

    From: TF, for the latest news on copyright battles, piracy and more.


      Backdoor in TETRA Police Radios

      news.movim.eu / Schneier · Tuesday, 25 July, 2023 - 15:51 · 1 minute

    Seems that there is a deliberate backdoor in the twenty-year-old TErrestrial Trunked RAdio (TETRA) standard used by police forces around the world.

    The European Telecommunications Standards Institute (ETSI), an organization that standardizes technologies across the industry, first created TETRA in 1995. Since then, TETRA has been used in products, including radios, sold by Motorola, Airbus, and more. Crucially, TETRA is not open-source. Instead, it relies on what the researchers describe in their presentation slides as “secret, proprietary cryptography,” meaning it is typically difficult for outside experts to verify how secure the standard really is.

    The researchers said they worked around this limitation by purchasing a TETRA-powered radio from eBay. In order to then access the cryptographic component of the radio itself, Wetzels said the team found a vulnerability in an interface of the radio.

    […]

    Most interesting are the researchers’ findings of what they describe as the backdoor in TEA1. Ordinarily, radios using TEA1 used a key of 80 bits. But Wetzels said the team found a “secret reduction step” which dramatically lowers the amount of entropy the initial key offered. An attacker who followed this step would then be able to decrypt intercepted traffic with consumer-level hardware and a cheap software defined radio dongle.

    Looks like the encryption algorithm was intentionally weakened by intelligence agencies to facilitate easy eavesdropping.

    Specifically on the researchers’ claims of a backdoor in TEA1, Boyer added “At this time, we would like to point out that the research findings do not relate to any backdoors. The TETRA security standards have been specified together with national security agencies and are designed for and subject to export control regulations which determine the strength of the encryption.”

    And I would like to point out that that’s the very definition of a backdoor.

    Why aren’t we done with secret, proprietary cryptography? It’s just not a good idea.

    Details of the security analysis. Another news article.


      Researchers find deliberate backdoor in police radio encryption algorithm

      news.movim.eu / ArsTechnica · Tuesday, 25 July, 2023 - 13:05


    For more than 25 years, a technology used for critical data and voice radio communications around the world has been shrouded in secrecy to prevent anyone from closely scrutinizing its security properties for vulnerabilities. But now it’s finally getting a public airing thanks to a small group of researchers in the Netherlands who got their hands on its viscera and found serious flaws, including a deliberate backdoor.

    The backdoor, known for years by vendors that sold the technology but not necessarily by customers, exists in an encryption algorithm baked into radios sold for commercial use in critical infrastructure. It’s used to transmit encrypted data and commands in pipelines, railways, the electric grid, mass transit, and freight trains. It would allow someone to snoop on communications to learn how a system works, then potentially send commands to the radios that could trigger blackouts, halt gas pipeline flows, or reroute trains.
