Converso elsewhere asserts that WhatsApp “generates unencrypted chat backups in Google Cloud or iCloud,” however this is also untrue, or misleading at best. WhatsApp backups are optional and end-to-end encrypted – unless the user turns off the encryption.
Thank god for independent security researchers with enough time on their hands to look into such bogus claims! I can’t believe the audacity of this company to make such strong claims and not even getting the basics right
I do wonder how security researchers evaluate the risk of investigating a company like this that has a high chance of being litigious and annoying.
Technically “bypassing” checks over the internet can be a crime. Bug bounty programs put in exceptions and rules to protect the researchers but a company like this won’t have that.
Whoaboy that is a car crashing into a derailed train falling off the side of a cliff.
Seriously… it just keeps going.
So the guy discovers that their entire database that isn’t even supposed to exist is exposed to the public, and their first question is
This app looks more like someone’s side project, the type of thing you do to play with Firebase, or a company’s SDK, etc… Great article.
That’s really horrifying. I’m curious about the metadata leaks that are mentioned off-hand in Signal. Signal claims that the only thing that they can provide as metadata is the last time that you connected. With the sealed sender mechanism, they can’t tell who sent a message after it has been stored in the receiver’s queue and, as I understand it, they don’t authenticate senders (the messages are encrypted with a key negotiated between the sender and receiver, so they just know that IP address x pushed some messages into receiver y’s queue).
Signal still has persistent user IDs that the servers are aware of. Perhaps Signal really does nothing malicious with this metadata, but there are protocols that expose even less information to the servers. One example I’m aware of but don’t actively use is SimpleX, whitepaper here: https://github.com/simplex-chat/simplexmq/blob/stable/protocol/overview-tjr.md
Good read. My first thought is that it could be some kind of federal government honeypot (remember the Anom phones + messenger?).
“Never attribute to malice that which is adequately explained by stupidity.”
Sounds like greed should be substituted for “stupidity” in the above.
I thought about the honeypot too. But it doesn’t take a government to make a honeypot like this. It really feels like something that could be coded in a weekend (plus waiting for the applications to be approved).
My impression anyway
The app’s claims take me back to the SRWare Iron days: https://neugierig.org/software/chromium/notes/2009/12/iron.html.
Misleading for sure. WhatsApp backups were uploaded to a dedicated slot in Google Drive, and reacharound access to this slot was handed to Facebook. This changed after it was exposed.
Can you recommend good reading about that, or WhatsApp incidents in general?
Uhh, look up the Eastern Texas monopoly case against Google, the Third Amended Complaint.
Can you recommend any source for reading about it outside the direct legalese?
Dang, you know it’s bad when even I can think of a trivial exploit for this. Spoof the DNS or IP or something for the server holding the public keys, return a public key you like, decrypt everything.
Edit: spoke too soon, much easier to just talk to the unencrypted database.
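The key substitution described in the comment above only works against a client that accepts whatever public key the server returns. The sketch below shows how trust-on-first-use pinning plus an out-of-band fingerprint comparison detects it. It is an added example, not code from the thread, the article, or any app discussed; `KeyPinStore`, the status strings and the key bytes are constructed for illustration.

```python
import hashlib
import hmac

def fingerprint(public_key: bytes) -> str:
    """Human-comparable SHA-256 fingerprint of a public key, in 4-hex-digit groups."""
    h = hashlib.sha256(public_key).hexdigest()[:32]
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))

class KeyPinStore:
    """Trust-on-first-use pins for keys fetched from an untrusted key server."""

    def __init__(self):
        self._pins = {}         # contact -> fingerprint pinned on first fetch
        self._verified = set()  # contacts whose pin was confirmed out of band

    def check(self, contact: str, served_key: bytes) -> str:
        """Classify a key the server just returned for `contact`."""
        fp = fingerprint(served_key)
        pinned = self._pins.get(contact)
        if pinned is None:
            self._pins[contact] = fp
            return "pinned-unverified"   # first use: could already be substituted
        if not hmac.compare_digest(pinned, fp):
            self._verified.discard(contact)
            return "key-changed"         # stop sending until the user re-verifies
        return "verified" if contact in self._verified else "pinned-unverified"

    def confirm_out_of_band(self, contact: str, spoken_fingerprint: str) -> bool:
        """Compare the pin with a fingerprint the contact read out in person or by phone."""
        pinned = self._pins.get(contact)
        ok = pinned is not None and hmac.compare_digest(pinned, spoken_fingerprint)
        if ok:
            self._verified.add(contact)
        return ok

# Constructed sample keys (hash output used as stand-in bytes, not real key material).
BOB_KEY = hashlib.sha256(b"constructed: bob's real public key").digest()
SUBSTITUTED_KEY = hashlib.sha256(b"constructed: key injected by a spoofed server").digest()

def demo():
    late = KeyPinStore()     # substitution happens after an honest first fetch
    first = late.check("bob", BOB_KEY)
    confirmed = late.confirm_out_of_band("bob", fingerprint(BOB_KEY))
    after_swap = late.check("bob", SUBSTITUTED_KEY)
    early = KeyPinStore()    # substitution happens on the very first fetch
    early.check("bob", SUBSTITUTED_KEY)
    caught = not early.confirm_out_of_band("bob", fingerprint(BOB_KEY))
    return first, confirmed, after_swap, caught

if __name__ == "__main__":
    print(demo())
```

Pinning alone catches a later swap; only the out-of-band comparison catches a key that was substituted on the very first fetch.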
It looks like the crypto bros are branching out into encrypted chat; standing on the shoulders of their stellar success in cryptography.
At least they can’t bilk retail investors out of their life savings this way.
Is there any evidence that this is coming from cryptobros? According to the article, one of the “selling points” is that, “unlike Signal”, they “don’t use a blockchain”
Absolutely no evidence. The strong language (“the future of privacy is here :tm:”) with the inability to deliver any of it is what leads me to that conclusion.
Well if it walks like a duck..
Company seems to pitch itself as cybersecurity. I think cybersecurity might be the next big vc bubble https://www.crunchbase.com/organization/converso-f6e8
There’s a lot of money for security things at the moment, but there’s also a huge amount of snake oil. Anyone selling AI for security is almost certainly snake oil (ML is pretty good at anomaly detection but only in the absence of an adaptive attacker. There have been a bunch of DARPA projects to try this and they’ve all failed red teaming exercises), unless they’re on the offensive side (ML is great for state-space exploration and a system that has a 99% failure rate but that can generate thousands of exploit candidates per second is a huge win).
[Comment removed by author]
Shows how marketing is dangerous