Facebook

Did WhatsApp Backdoor Rumor Come From 'Unanswered Questions' and 'Leap of Faith' For Closed-Source Encryption Products? (forbes.com) 105

On Friday technologist Bruce Schneier wrote that after reviewing responses from WhatsApp, he's concluded that reports of a pre-encryption backdoor are a false alarm. He also says he got an equally strong confirmation from WhatsApp's Privacy Policy Manager Nate Cardozo, who Facebook hired last December from the EFF. "He basically leveraged his historical reputation to assure me that WhatsApp, and Facebook in general, would never do something like this."

Schneier has also added the words "This story is wrong" to his original blog post. "The only source for that post was a Forbes essay by Kalev Leetaru, which links to a previous Forbes essay by him, which links to a video presentation from a Facebook developers conference." But that Forbes contributor has also responded, saying that he'd first asked Facebook three times about when they'd deploy the backdoor in WhatsApp -- and never received a response.

Asked again on July 25th about the company's plans for "moderating end to end encrypted conversations such as WhatsApp by using on device algorithms," a company spokesperson did not dispute the statement, instead pointing to Zuckerberg's blog post calling for precisely such filtering in its end-to-end encrypted products including WhatsApp [apparently this blog post], but declined to comment when asked for more detail about precisely when such an integration might happen... [T]here are myriad unanswered questions, with the company declining to answer any of the questions posed to it regarding why it is investing in building a technology that appears to serve little purpose outside filtering end-to-end encrypted communications and which so precisely matches Zuckerberg's call. Moreover, beyond its F8 presentation, given Zuckerberg's call for filtering of its end-to-end encrypted products, how does the company plan on accomplishing this apparent contradiction with the very meaning of end-to-end encryption?

The company's lack of transparency and unwillingness to answer even the most basic questions about how it plans to balance the protections of end-to-end encryption in its products including WhatsApp with the need to eliminate illegal content reminds us the giant leap of faith we take when we use closed encryption products whose source we cannot review... Governments are increasingly demanding some kind of compromise regarding end-to-end encryption that would permit them to prevent such tools from being used to conduct illegal activity. What would happen if WhatsApp were to receive a lawful court order from a government instructing it to insert such content moderation within the WhatsApp client and provide real-time notification to the government of posts that match the filter, along with a copy of the offending content?

Asked about this scenario, Carl Woog, Director of Communications for WhatsApp, stated that he was not aware of any such cases to date and noted that "we've repeatedly defended end-to-end encryption before the courts, most notably in Brazil." When it was noted that the Brazilian case involved the encryption itself, rather than a court order to install a real-time filter and bypass directly within the client before and after the encryption process at national scale, which would preserve the encryption, Woog initially said he would look into providing a response, but ultimately did not respond.

Given Zuckerberg's call for moderation of the company's end-to-end encryption products and given that Facebook's on-device content moderation appears to answer directly to this call, Woog was asked whether its on-device moderation might be applied in future to its other end-to-end encrypted products rather than WhatsApp. After initially saying he would look into providing a response, Woog ultimately did not respond.

Here are the exact words from Zuckerberg's March blog post. It said Facebook is "working to improve our ability to identify and stop bad actors across our apps by detecting patterns of activity or through other means, even when we can't see the content of the messages, and we will continue to invest in this work."
Facebook

Facebook Insists No Security 'Backdoor' Is Planned for WhatsApp (medium.com) 56

An anonymous reader shares a report: Billions of people use the messaging tool WhatsApp, which added end-to-end encryption for every form of communication available on its platform back in 2016. This ensures that conversations between users and their contacts -- whether they occur via text or voice calls -- are private, inaccessible even to the company itself. But several recent posts published to Forbes' blogging platform call WhatsApp's future security into question. The posts, which were written by contributor Kalev Leetaru, allege that Facebook, WhatsApp's parent company, plans to detect abuse by implementing a feature to scan messages directly on people's phones before they are encrypted. The posts gained significant attention: A blog post by technologist Bruce Schneier rehashing one of the Forbes posts has the headline "Facebook Plans on Backdooring WhatsApp." It is a claim Facebook unequivocally denies.

"We haven't added a backdoor to WhatsApp," Will Cathcart, WhatsApp's vice president of product management, wrote in a statement. "To be crystal clear, we have not done this, have zero plans to do so, and if we ever did, it would be quite obvious and detectable that we had done it. We understand the serious concerns this type of approach would raise, which is why we are opposed to it."

UPDATE: Later Friday technologist Bruce Schneier wrote that after reviewing responses from WhatsApp, he's concluded that reports of a pre-encryption backdoor are a false alarm. He also says he got an equally strong confirmation from WhatsApp's Privacy Policy Manager Nate Cardozo, who Facebook hired last December from EFF. "He basically leveraged his historical reputation to assure me that WhatsApp, and Facebook in general, would never do something like this."
Encryption

Is Facebook Planning on Backdooring WhatsApp? (schneier.com) 131

Bruce Schneier: This article points out that Facebook's planned content moderation scheme will result in an encryption backdoor into WhatsApp: "In Facebook's vision, the actual end-to-end encryption client itself such as WhatsApp will include embedded content moderation and blacklist filtering algorithms. These algorithms will be continually updated from a central cloud service, but will run locally on the user's device, scanning each cleartext message before it is sent and each encrypted message after it is decrypted. The company even noted that when it detects violations it will need to quietly stream a copy of the formerly encrypted content back to its central servers to analyze further, even if the user objects, acting as a true wiretapping service. Facebook's model entirely bypasses the encryption debate by globalizing the current practice of compromising devices by building those encryption bypasses directly into the communications clients themselves and deploying what amounts to machine-based wiretaps to billions of users at once."

Once this is in place, it's easy for the government to demand that Facebook add another filter -- one that searches for communications that they care about -- and alert them when it gets triggered. Of course alternatives like Signal will exist for those who don't want to be subject to Facebook's content moderation, but what happens when this filtering technology is built into operating systems?

Separately The Guardian reports: British, American and other intelligence agencies from English-speaking countries have concluded a two-day meeting in London amid calls for spies and police officers to be given special, backdoor access to WhatsApp and other encrypted communications. The meeting of the "Five Eyes" nations -- the UK, US, Australia, Canada and New Zealand -- was hosted by new home secretary, Priti Patel, in an effort to coordinate efforts to combat terrorism and child abuse.

UPDATE: 8/2/2019 On Friday technologist Bruce Schneier wrote that after reviewing responses from WhatsApp, he's concluded that reports of a pre-encryption backdoor are a false alarm. He also says he got an equally strong confirmation from WhatsApp's Privacy Policy Manager Nate Cardozo, who Facebook hired last December from EFF. "He basically leveraged his historical reputation to assure me that WhatsApp, and Facebook in general, would never do something like this."
EU

'No More Ransom' Decryption Tools Prevent $108M In Ransomware Payments (zdnet.com) 95

An anonymous reader quotes ZDNet: On the three-year anniversary of the No More Ransom project, Europol announced today that users who downloaded and decrypted files using free tools made available through the No More Ransom portal have prevented ransomware gangs from making profits estimated at at least $108 million... However, an Emsisoft spokesperson told ZDNet that the $108 million estimate that Europol shared today is "actually a huge underestimate. They're based on the number of successful decryptions confirmed by telemetry -- in other words, when the tools phone home to confirm they've done their job," Emsisoft told ZDNet... Just the free decryption tools for the GandCrab ransomware alone offered on the No More Ransom website have prevented ransom payments of nearly $50 million alone, Europol said.

The project, which launched in July 2016, now hosts 82 tools that can be used to decrypt 109 different types of ransomware. Most of these have been created and shared by antivirus makers like Emsisoft, Avast, and Bitdefender, and others; national police agencies; CERTs; or online communities like Bleeping Computer. By far the most proficient member has been antivirus maker Emsisoft, which released 32 decryption tools for 32 different ransomware strains... All in all, Europol said that more than three million users visited the site and more than 200,000 users downloaded tools from the No More Ransom portal since its launch.

One Emsisoft researcher said they were "pretty proud" of their decryptor for MegaLocker, "as not only did it help thousands of victims, but it really riled up the malware author."
Encryption

Did Facebook End The Encryption Debate? (forbes.com) 163

Forbes contributor Kalev Leetaru argues that "the encryption debate is already over -- Facebook ended it earlier this year." The ability of encryption to shield a user's communications rests upon the assumption that the sender and recipient's devices are themselves secure, with the encrypted channel the only weak point... [But] Facebook announced earlier this year preliminary results from its efforts to move a global mass surveillance infrastructure directly onto users' devices where it can bypass the protections of end-to-end encryption. In Facebook's vision, the actual end-to-end encryption client itself such as WhatsApp will include embedded content moderation and blacklist filtering algorithms. These algorithms will be continually updated from a central cloud service, but will run locally on the user's device, scanning each cleartext message before it is sent and each encrypted message after it is decrypted. The company even noted that when it detects violations it will need to quietly stream a copy of the formerly encrypted content back to its central servers to analyze further, even if the user objects, acting as a true wiretapping service...

If Facebook's model succeeds, it will only be a matter of time before device manufacturers and mobile operating system developers embed similar tools directly into devices themselves, making them impossible to escape... Governments would soon use lawful court orders to require companies to build in custom filters of content they are concerned about and automatically notify them of violations, including sending a copy of the offending content. Rather than grappling with how to defeat encryption, governments will simply be able to harness social media companies to perform their mass surveillance for them, sending them real-time alerts and copies of the decrypted content.

Putting this all together, the sad reality of the encryption debate is that after 30 years it is finally over: dead at the hands of Facebook. If the company's new on-device content moderation succeeds it will usher in the end of consumer end-to-end encryption and create a framework for governments to outsource their mass surveillance directly to social media companies, completely bypassing encryption.

In the end, encryption's days are numbered and the world has Facebook to thank.
UPDATE: 8/2/2019 Will Cathcart, WhatsApp's vice president of product management, took to the internet with this forceful response. "We haven't added a backdoor to WhatsApp. To be crystal clear, we have not done this, have zero plans to do so, and if we ever did, it would be quite obvious and detectable that we had done it. We understand the serious concerns this type of approach would raise, which is why we are opposed to it."
Encryption

AG Barr Says Consumers Should Accept Security Risks of Encryption Backdoors (techcrunch.com) 582

U.S. attorney general William Barr has said consumers should accept the risks that encryption backdoors pose to their personal cybersecurity to ensure law enforcement can access encrypted communications. From a report: In remarks, Barr said the "significance of the risk should be assessed based on its practical effect on consumer cybersecurity, as well as its relation to the net risks that offering the product poses for society." He suggested that the "residual risk of vulnerability resulting from incorporating a lawful access mechanism is materially greater than those already in the unmodified product. [...] Some argue that, to achieve at best a slight incremental improvement in security, it is worth imposing a massive cost on society in the form of degraded safety." The risk, he said, was acceptable because "we are talking about consumer products and services such as messaging, smart phones, e-mail, and voice and data applications," and "not talking about protecting the nation's nuclear launch codes."
Security

Microsoft Warns of Political Cyberattacks, Announces Free Vote-Verification Software (nbcnews.com) 67

"Microsoft on Wednesday announced that it would give away software designed to improve the security of American voting machines," reports NBC News.

Microsoft also said its AccountGuard service has already spotted 781 cyberattacks by foreign adversaries targeting political organizations -- 95% of which were located in the U.S. The company said it was rolling out the free, open-source software product called ElectionGuard, which it said uses encryption to "enable a new era of secure, verifiable voting." The company is working with election machine vendors and local governments to deploy the system in a pilot program for the 2020 election. The system uses an encrypted tracking code to allow a voter to verify that his or her vote has been recorded and has not been tampered with, Microsoft said in a blog post...

Edward Perez, an election security expert with the independent Open Source Election Technology Institute, said Microsoft's move signals that voting systems, long a technology backwater, are finally receiving attention from the country's leading technical minds. "We think that it's good when a technology provider as significant as Microsoft is stepping into something as nationally important as election security," Perez told NBC News. "ElectionGuard does provide verification and it can help to detect attacks. It's important to note that detection is different from prevention."

Microsoft also said it has notified nearly 10,000 customers that they've been targeted or compromised by nation-state cyberattacks, according to the article -- mostly from Russia, Iran, and North Korea.

"While many of these attacks are unrelated to the democratic process," Microsoft said in a blog post, "this data demonstrates the significant extent to which nation-states continue to rely on cyberattacks as a tool to gain intelligence, influence geopolitics, or achieve other objectives."
Government

Should Local Governments Pay Ransomware Attackers? (phys.org) 129

At least 170 local or state government systems in America have been hit with ransomware, and the French Interior Ministry received reports of 560 incidents just in 2018, according to Phys.org. (Though the French ministry also notes that most incidents aren't reported.)

But when a government system is hit by ransomware, do they have a responsibility to pay the ransom to restore their data -- or to not pay it? "You have to do what's right for your organization," said Gregory Falco, a researcher at Stanford University specializing in municipal network security. "It's not the FBI's call. You might have criminal justice information, you could have decades of evidence. You have to weigh this for yourself." Josh Zelonis at Forrester Research offered a similar view, saying in a blog post that victims need to consider paying the ransom as a valid option, alongside other recovery efforts.

But Randy Marchany, chief information security officer for Virginia Tech University, said the best answer is to take a hardline "don't pay" attitude. "I don't agree with any organization or city paying the ransom," Marchany said. "The victims will have to rebuild their infrastructure from scratch anyway. If you pay the ransom, the hackers give you the decryption key but you have no assurance the ransomware has been removed from all of your systems. So, you have to rebuild them anyway."

Victims often fail to take preventive measures such as software updates and data backups that would limit the impact of ransomware. But victims may not always be aware of potential remedies that don't involve paying up, said Brett Callow of Emsisoft, one of several security firms that offer free decryption tools. "If the encryption in ransomware is implemented properly, there is zero chance of recovery unless you pay the ransom," Callow said. "Often it isn't implemented properly, and we find weaknesses in the encryption and undo it."

Callow also points to coordinated efforts of security firms including the No More Ransom Project, which partners with Europol, and ID Ransomware, which can identify some malware and sometimes unlock data.

Security

Monroe College Hit With Ransomware, $2 Million Demanded (bleepingcomputer.com) 97

A ransomware attack on New York City's Monroe College has shut down the college's computer systems at campuses located in Manhattan, New Rochelle and St. Lucia. The attackers are seeking 170 bitcoins, or approximately $2 million, in order to decrypt the entire college's network. Bleeping Computer reports: According to the Daily News, Monroe College was hacked on Wednesday at 6:45 AM and ransomware was installed throughout the college's network. It is not known at this time what ransomware was installed on the system, but it is likely to be Ryuk, IEncrypt, or Sodinokibi, which are known to target enterprise networks. The college has not indicated at this time whether they will be paying the ransom or restoring from backups while gradually bringing their network back online. "The good news is that the college was founded in 1933, so we know how to teach and educate without these tools," Monroe College spokesperson Jackie Ruegger told the Daily News. "Right now we are finding workarounds for our students taking online classes so they have their assignments."
Security

Logitech Wireless USB Dongles Vulnerable To New Hijacking Flaws (zdnet.com) 63

A security researcher has publicly disclosed new vulnerabilities in the USB dongles (receivers) used by Logitech wireless keyboards, mice, and presentation clickers. New submitter raikoseagle shares a report: The vulnerabilities allow attackers to sniff keyboard traffic, but also inject keystrokes (even into dongles not connected to a wireless keyboard) and take over the computer to which a dongle has been connected. When encryption is used to protect the connection between the dongle and its paired device, the vulnerabilities also allow attackers to recover the encryption key. Furthermore, if the USB dongle uses a "key blacklist" to prevent the paired device from injecting keystrokes, the vulnerabilities allow the bypassing of this security protection system. Marcus Mengs, the researcher who discovered these vulnerabilities, said he notified Logitech about his findings, and the vendor plans to patch some of the reported issues, but not all.
Piracy

A Look at How Movies and Shows From Netflix and Amazon Prime Video Are Pirated (torrentfreak.com) 219

News blog TorrentFreak spoke with a member of piracy group "The Scene" to understand how they obtain -- or rip -- movies and shows from sources such as Netflix and Amazon Prime Video. The technique these people use is different from hardware capture cards or software-based 'capping' tools. From the report: "Content for WEB releases are obtained by downloading the source content. Whenever you stream a video online, you are downloading chunks of a video file to your computer. Sceners simply save that content and attempt to decrypt it for non-DRM playback later," the source said. When accessing the content, legitimate premium accounts are used, often paid for using prepaid credit cards supported by bogus identities. It takes just a few minutes to download a video file since they're served by CDNs with gigabits of bandwidth.

"Once files are downloaded from the streaming platform, however, they are encrypted in the .mp4 container. Attempting to view such video will usually result in a blank screen and nothing else -- streams from these sites are protected by DRM. The most common, and hard-to-crack, DRM is called Widevine. The way the Scene handles WEB-releases is by using specialized tools coded by The Scene, for The Scene. These tools are extremely private, and only a handful of people in the world have access to the latest version(s)," the source noted. "Without these tools, releasing Widevine content is extremely difficult, if not impossible for most. The tools work by downloading the encrypted video stream from the streaming site, and reverse engineering the encryption." Our contact says that decryption is a surprisingly quick process, taking just a few minutes. After starting with a large raw file, the finalized version ready for release is around 30% smaller, around 7GB for a 1080p file.

Communications

Why Is Slack Retaining Everyone's Chat History? (nytimes.com) 104

The associate director of research at the Electronic Frontier Foundation published a new warning in the Opinion section of the New York Times this week, calling Slack the only unicorn going public this year "that has admitted it is at risk for nation-state attacks" and saying there's a simple way to minimize risk -- that Slack has so far refused to take:

Right now, Slack stores everything you do on its platform by default -- your username and password, every message you've sent, every lunch you've planned and every confidential decision you've made. That data is not end-to-end encrypted, which means Slack can read it, law enforcement can request it, and hackers -- including the nation-state actors highlighted in Slack's S-1 -- can break in and steal it...

Slack's paying enterprise customers do have a way to mitigate their security risk -- they can change their settings to set shorter retention periods and automatically delete old messages -- but it's not just big companies that are at risk... Free customer accounts don't allow for any changes to data retention. Instead, Slack retains all of your messages but makes only the most recent 10,000 visible to you. Everything beyond that 10,000-message limit remains on Slack's servers. So while those messages might seem out of sight and out of mind, they are all still indefinitely available to Slack, law enforcement and third-party hackers...

Slack should give everyone the same privacy protections available to its paying enterprise customers and let all of its users decide for themselves which messages they want to keep and which messages they want to delete. It's undeniably Slack's prerogative to charge for a more advanced product, but making users pay for basic privacy and security protections is the wrong call. It's time for Slack to step up, minimize the amount of sensitive data hanging around on its servers and give all its users retention controls.

The article notes that Slack's stock filings acknowledge that it faces threats from "sophisticated organized crime, nation-state, and nation-state supported actors."

The filings even specifically add that Slack's security measures "may not be sufficient to protect Slack and our internal systems and networks against certain attacks," and that completely eliminating the threat of a nation-state attack would be "virtually impossible."
Encryption

Someone Is Spamming and Breaking a Core Component of PGP's Ecosystem (vice.com) 88

A new wave of spamming attacks on a core component of PGP's ecosystem has highlighted a fundamental weakness in the whole ecosystem. From a report: Unknown attackers are spamming a core component of the ecosystem of the well-known encryption software PGP, breaking users' PGP installations and clients. What's worse, there may be no way to stop them. Last week, contributors to the PGP protocol GnuPG noticed that someone was "poisoning" or "flooding" their certificates. In this case, poisoning refers to an attack where someone spams a certificate with a large number of signatures or certifications. This makes it impossible for the PGP software that people use to verify its authenticity, which can make the software unusable or break. In practice, according to one of the GnuPG developers targeted by this attack, the hackers could make it impossible for people using Linux to download updates, which are verified via PGP.
Crime

Sting Finds Ransomware Data Recovery Firms Are Just Paying The Ransom (propublica.org) 148

"ProPublica recently reported that two U.S. firms, which professed to use their own data recovery methods to help ransomware victims regain access to infected files, instead paid the hackers. Now there's new evidence that a U.K. firm takes a similar approach."

An anonymous reader quotes their report: Fabian Wosar, a cyber security researcher, told ProPublica this month that, in a sting operation he conducted in April, Scotland-based Red Mosquito Data Recovery said it was "running tests" to unlock files while actually negotiating a ransom payment. Wosar, the head of research at anti-virus provider Emsisoft, said he posed as both hacker and victim so he could review the company's communications to both sides. Red Mosquito Data Recovery "made no effort to not pay the ransom" and instead went "straight to the ransomware author literally within minutes," Wosar said. "Behavior like this is what keeps ransomware running."

Since 2016, more than 4,000 ransomware attacks have taken place daily, or about 1.5 million per year, according to statistics posted by the U.S. Department of Homeland Security. Law enforcement has failed to stem ransomware's spread, and culprits are rarely caught... But clients who don't want to give in to extortion are susceptible to firms that claim to have their own methods of decrypting files. Often, victims are willing to pay more than the ransom amount to regain access to their files if they believe the money is going to a data recovery firm rather than a hacker, Wosar said.

Red Mosquito charged their client four times the actual ransom amount, according to the report -- though after ProPublica followed up, the company "did not respond to emailed questions, and hung up when we called the number listed on its website."

The company then also "removed the statement from its website that it provides an alternative to paying hackers. It also changed 'honest, free advice' to 'simple free advice,' and the 'hundreds' of ransomware cases it has handled to 'many.'"
Encryption

Trump White House Reportedly Debating Encryption Policy Behind Closed Doors (gizmodo.com) 199

According to a report in Politico, the Trump administration held a National Security Council meeting on Wednesday that weighed the challenges and benefits of encryption. "One of Politico's sources said that the meeting was split into two camps: Decide, create and publicize the administration's position on encryption or go so far as to ask Congress for legislation to ban end-to-end encryption," reports Gizmodo. From the report: That would be a huge escalation in the encryption fight and, moreover, would probably be unsuccessful due to a lack of willpower in Congress. No decision was made by the Trump administration officials, Politico reported. The White House did not respond to a request for comment. The fact that these discussions are ongoing both within the White House and with Silicon Valley shows that the issue is still very much alive within the corridors of power.
Security

How Secure Are Zip Files? Senator Wyden Asks NIST To Develop Standards For Safely Sending and Receiving Files (senate.gov) 196

Federal workers and the public in general might be mistaken about the security of .zip files, Sen. Ron Wyden said on Wednesday [PDF], and he's asking the National Institute of Standards and Technology to issue guidance on the best way to send sensitive files over the internet. Wyden wrote: Government agencies routinely share and receive sensitive data through insecure methods -- such as emailing .zip files -- because employees are not provided the tools and training to do so safely. As you know, it is a routine practice in the government, and indeed the private sector, to send by email password-protected .zip files containing sensitive documents. Many people incorrectly believe that password-protected .zip files can protect sensitive data.

Indeed, many password-protected .zip files can be easily broken with off-the-shelf hacking tools. This is because many of the software programs that create .zip files use a weak encryption algorithm by default. While secure methods to protect and share data exist and are freely available, many people do not know which software they should use. Given the ongoing threat of cyber attacks by foreign state actors and high-profile data breaches, this is a potentially catastrophic national security problem that needs to be fixed. The government must ensure that federal workers have the tools and training they need to safely share sensitive data. To address this problem, I ask that NIST create and publish an easy-to-understand guide describing the best way for individuals and organizations to securely share sensitive data over the internet.
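The "weak encryption algorithm by default" Wyden refers to is the traditional PKWARE stream cipher (often called ZipCrypto), which is signalled only by bit 0 of an entry's general-purpose flag; the stronger WinZip AES scheme is marked by compression method 99 plus a 0x9901 extra field carrying the key strength. The following added example (not from the senator's letter or any NIST guidance) is a small defender-side check that walks the local file headers of an archive and reports, per entry, whether it is unencrypted, ZipCrypto-protected or AES-protected. The sample archive is constructed in memory with a hypothetical `build_entry` helper, since the standard library cannot write encrypted entries; the header layouts themselves follow the public APPNOTE and WinZip AES specifications.

```python
import struct
from typing import Dict, List, Tuple

LOCAL_SIG = 0x04034B50          # local file header signature "PK\x03\x04"
FLAG_ENCRYPTED = 0x0001         # bit 0: entry is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008   # bit 3: sizes live in a trailing descriptor
METHOD_AES = 99                 # WinZip AES marker in the compression-method field
AES_EXTRA_ID = 0x9901           # WinZip AES extra-field header id
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def parse_extra(extra: bytes) -> Dict[int, bytes]:
    """Split the extra-field area into {header_id: payload}."""
    fields = {}
    off = 0
    while off + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, off)
        fields[header_id] = extra[off + 4:off + 4 + size]
        off += 4 + size
    return fields


def classify_entry(flag: int, method: int, extra_fields: Dict[int, bytes]) -> str:
    """Name the protection applied to one entry."""
    if not flag & FLAG_ENCRYPTED:
        return "none"
    if method == METHOD_AES and AES_EXTRA_ID in extra_fields:
        blob = extra_fields[AES_EXTRA_ID]
        # AES extra payload: version(2) vendor "AE"(2) strength(1) real method(2)
        if len(blob) >= 7:
            return AES_STRENGTH.get(blob[4], "AES-unknown-strength")
        return "AES-malformed"
    # Encrypted bit set but no AES marker: legacy PKWARE stream cipher.
    return "ZipCrypto (weak)"


def scan_zip(data: bytes) -> List[Tuple[str, str]]:
    """Walk local file headers and return [(entry name, protection)]."""
    results = []
    off = 0
    while off + 30 <= len(data):
        fields = struct.unpack_from("<IHHHHHIIIHH", data, off)
        sig, flag, method = fields[0], fields[2], fields[3]
        csize, nlen, elen = fields[7], fields[9], fields[10]
        if sig != LOCAL_SIG:
            break  # reached the central directory (or trailing junk)
        name_start = off + 30
        # Note: entry names are never encrypted, whatever the cipher.
        name = data[name_start:name_start + nlen].decode("utf-8", "replace")
        extra = data[name_start + nlen:name_start + nlen + elen]
        results.append((name, classify_entry(flag, method, parse_extra(extra))))
        if flag & FLAG_DATA_DESCRIPTOR:
            break  # cannot skip the payload without the central directory
        off = name_start + nlen + elen + csize
    return results


def archive_uses_weak_encryption(data: bytes) -> bool:
    """True if any entry relies on ZipCrypto."""
    return any(kind.startswith("ZipCrypto") for _, kind in scan_zip(data))


# --- constructed sample input (hypothetical builder, not a real archiver) ---
def build_entry(name: bytes, flag: int, method: int,
                extra: bytes = b"", payload: bytes = b"") -> bytes:
    header = struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flag, method, 0, 0, 0,
                         len(payload), len(payload), len(name), len(extra))
    return header + name + extra + payload


def aes_extra(strength: int, real_method: int = 8) -> bytes:
    """WinZip AES extra field: id 0x9901, size 7, AE-2, vendor AE, strength, method."""
    return struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", strength, real_method)


SAMPLE_ARCHIVE = (
    build_entry(b"readme.txt", 0, 0, payload=b"hello")
    + build_entry(b"secret.docx", FLAG_ENCRYPTED, 8, payload=b"\x00" * 16)
    + build_entry(b"secret-aes.docx", FLAG_ENCRYPTED, METHOD_AES,
                  extra=aes_extra(3), payload=b"\x00" * 16)
)

if __name__ == "__main__":
    for entry, kind in scan_zip(SAMPLE_ARCHIVE):
        print(f"{entry:20s} {kind}")
    print("weak encryption present:", archive_uses_weak_encryption(SAMPLE_ARCHIVE))
```

Two points the scan makes visible: the entry names stay in cleartext regardless of cipher, so an archive leaks its table of contents even when "password-protected", and the difference between the weak default and AES is a single flag bit plus an extra field, which is why users cannot tell the two apart from the file extension alone.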

Google

Google's Private Join and Compute Gives Companies Data Insights While Preserving Privacy (venturebeat.com) 22

An anonymous reader shares a report: Over 70 million records were stolen or leaked from poorly configured databases last year, making privacy a top concern. That's no doubt one motivation behind Google's open-sourcing this morning of Private Join and Compute, a new secure multi-party computation (MPC) tool designed to help organizations work together with confidential data sets. "We continually invest in new research to advance innovations that preserve individual privacy while enabling valuable insights from data," wrote engineering director Sarvar Patel and research scientist Moti Yung in a blog post. "Many important research, business, and social questions can be answered by combining data sets from independent parties, where each party holds their own information about a set of shared identifiers, some of which are common."

At its core, Private Join and Compute lets organizations gain aggregated insights about the other party's data. They're able to encrypt identifiers and associated data, join them, and then perform calculations on the overlapping corpora to draw useful information. All identifiers and their associated data remain fully encrypted and unreadable throughout the process. While neither party is forced to reveal their raw data, they can answer questions at hand using outputs of the computation -- for instance, counts, sums, and averages. Private Join and Compute achieves this with two cryptographic privacy methods devised to protect sensitive data: Private set intersection and homomorphic encryption.
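The "encrypt identifiers, join them, then compute on the overlap" flow described above rests on a private set intersection built from commutative blinding: each party raises a hash of every identifier to its own secret exponent, the other party does the same on top, and identifiers held by both collapse to the same doubly-blinded value without either side seeing the other's raw list. The following added example (not Google's code and not the Private Join and Compute library) implements that intersection-cardinality step in Python over a constructed toy group, the Mersenne prime 2^127 - 1, standing in for the elliptic-curve group a real deployment would use. The homomorphic-encryption half that lets one party sum the other's values over the intersection is omitted here; the example shows only the private join.

```python
import hashlib
import random
from typing import List

# Constructed toy group: integers modulo the Mersenne prime 2^127 - 1.
# Real deployments use an elliptic-curve group; this is for illustration only.
P = (1 << 127) - 1
_rng = random.SystemRandom()


def hash_to_group(identifier: str) -> int:
    """Map an identifier (e.g. an email address) to a group element in [2, P-2]."""
    digest = hashlib.sha256(identifier.encode("utf-8")).digest()
    return 2 + int.from_bytes(digest, "big") % (P - 3)


class Party:
    """One participant holding a list of shared identifiers and a secret exponent."""

    def __init__(self, identifiers: List[str]):
        self.identifiers = list(identifiers)
        self.key = _rng.randrange(1, P - 1)   # secret exponent, never sent

    def blind_own(self) -> List[int]:
        """H(id)^key for each own identifier, shuffled so order reveals nothing."""
        blinded = [pow(hash_to_group(i), self.key, P) for i in self.identifiers]
        _rng.shuffle(blinded)
        return blinded

    def blind_other(self, blinded: List[int]) -> List[int]:
        """Apply this party's exponent on top of values already blinded by the peer."""
        doubled = [pow(x, self.key, P) for x in blinded]
        _rng.shuffle(doubled)
        return doubled


def private_intersection_size(client: Party, server: Party) -> int:
    """Three-message DH-style PSI returning only the size of the overlap.

    Message 1 (client -> server): client's identifiers blinded by k_c.
    Message 2 (server -> client): those values blinded again by k_s, plus the
        server's own identifiers blinded by k_s.  Both lists are shuffled, so
        the client cannot tell which of its own items matched.
    Message 3 (client, local): blind the server's list with k_c; shared
        identifiers now appear as identical H(id)^(k_c*k_s) values.
    """
    msg1 = client.blind_own()
    client_double = server.blind_other(msg1)
    server_single = server.blind_own()
    server_double = client.blind_other(server_single)
    return len(set(client_double) & set(server_double))


def blinding_is_commutative(identifier: str, a: int, b: int) -> bool:
    """The property the join relies on: (H^a)^b == (H^b)^a in the group."""
    h = hash_to_group(identifier)
    return pow(pow(h, a, P), b, P) == pow(pow(h, b, P), a, P)


if __name__ == "__main__":
    # Constructed sample data: two organisations with overlapping customer lists.
    client = Party(["alice@example.com", "bob@example.com", "carol@example.com"])
    server = Party(["bob@example.com", "carol@example.com", "dave@example.com"])
    print("overlap size:", private_intersection_size(client, server))
```

Neither party ever transmits a raw identifier or its secret exponent; the only values on the wire are blinded group elements, and because the server shuffles before replying, the client learns the count of common identifiers but not which of its own entries they were. That is the same privacy boundary the article describes, with the counts, sums and averages then computed from the joined set.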

Android

Google Is Finally Taking Charge of the RCS Rollout (theverge.com) 40

Google is finally taking charge of the RCS rollout by allowing Android users in the UK and France to opt in to RCS Chat services provided directly by Google instead of waiting for their carrier to support it, which is largely the reason why it hasn't been more widely adopted. Google says that it will release the services to more countries "throughout the year," but wouldn't commit to saying that it would be available in all regions by the end of the year. The Verge reports: That seems like yet another minor status check-in on the service meant to replace SMS, but in fact it's a huge shift in strategy: as Google rolls this offering out to more countries, it should eventually mean that RCS will become universally available for all Android users. For the first time in years, Google will directly offer a better default texting experience to Android users instead of waiting for cellphone carriers to do it. It's not quite the Google equivalent of an iMessage service for Android users, but it's close. Not knowing when or if RCS Chat would be available for your phone was RCS's second biggest problem, and Google is fixing it.

RCS's biggest problem is that messages are still not end-to-end encrypted. iMessage, WhatsApp, and Signal are secured in that way, and even Facebook has said it will make all its apps encrypted by default. Google's chat solution is increasingly looking out of touch -- even immoral. But there is hope on that front as well. The product management director overseeing Android Messages, Sanaz Ahari, assures me that Google recognizes the need for private chat within RCS and is working on it. Here's her full statement: "We fundamentally believe that communication, especially messaging, is highly personal and users have a right to privacy for their communications. And we're fully committed to finding a solution for our users."

Bitcoin

Bizarre New Theories Emerge About Bitcoin Creator Satoshi Nakamoto (cointelegraph.com) 133

"I am not saying that Neal Stephenson is Satoshi Nakamoto," writes the features editor at Reason. "What I am saying is: Would it really be surprising if he were?"

This prompted a strong rebuke from CCN Markets: The article starts, "Consider the possibility that Neal Stephenson is Satoshi Nakamoto, the pseudonymous inventor of Bitcoin."

Let's not do that. That's like saying let's consider the possibility that anyone at all is Satoshi Nakamoto. In one respect, it doesn't matter. In another, it's exhausting the lengths people will go with this... if someone doesn't advance the idea that they are Satoshi Nakamoto themselves, there's no reason to put that sort of grief upon them. If someone is just brilliant, you can tell them that without insinuating that they invented the blockchain and Bitcoin.... You don't just off-handedly claim someone might be Satoshi Nakamoto. There needs to be a reason.

Reason had written that "For nearly three decades, Stephenson's novels have displayed an obsessive, technically astute fascination with cryptography, digital currency, the social and technological infrastructure of a post-government world, and Asian culture," and that the science fiction author "described the core concepts of cryptocurrency years before Bitcoin became a technical reality."

They also note later that "Satoshi Nakamoto's initials are SN; Neal Stephenson's are NS."

Coin Telegraph writes that the question "has seemingly come to a head over the last couple of months, as a number of people have gone a step further" -- not only publicly claiming to be the creator of bitcoin, but even filing copyright and trademark claims. Their list of "Satoshi posers" includes Craig Wright, Wei Liu, and the brother of Colombian drug lord Pablo Escobar. (And another new theory also suggests "global criminal kingpin" Paul Le Roux, the creator of encryption software E4M and TrueCrypt.)

Communications

The Clever Cryptography Behind Apple's 'Find My' Feature (arstechnica.com) 91

An anonymous reader quotes a report from Ars Technica, written by Wired's Andy Greenberg: In upcoming versions of iOS and macOS, the new Find My feature will broadcast Bluetooth signals from Apple devices even when they're offline, allowing nearby Apple devices to relay their location to the cloud. That should help you locate your stolen laptop even when it's sleeping in a thief's bag. And it turns out that Apple's elaborate encryption scheme is also designed not only to prevent interlopers from identifying or tracking an iDevice from its Bluetooth signal, but also to keep Apple itself from learning device locations, even as it allows you to pinpoint yours.

In a background phone call with WIRED following its keynote, Apple broke down that privacy element, explaining how its "encrypted and anonymous" system avoids leaking your location data willy nilly, even as your devices broadcast a Bluetooth signal explicitly designed to let you track your device. The solution to that paradox, it turns out, is a trick that requires you to own at least two Apple devices. Each one emits a constantly changing key that nearby Apple devices use to encrypt and upload your geolocation data, such that only the other Apple device you own possesses the key to decrypt those locations. That system would obviate the threat of marketers or other snoops tracking Apple device Bluetooth signals, allowing them to build their own histories of every user's location. In fact, Find My's cryptography goes one step further than that, denying even Apple itself the ability to learn a user's locations based on their Bluetooth beacons. That would represent a privacy improvement over Apple's older tools like Find My iPhone and Find Friends, which don't offer such safeguards against Apple learning your location.
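The mechanism described above, as an added toy model (not Apple's protocol or code): the owner's devices share a seed from which each derives the same rotating per-epoch key pair; the lost device broadcasts only the epoch's public key; a passing finder encrypts its own GPS fix to that key and uploads the ciphertext under a hash of the key; the owner's second device re-derives the epoch secret and decrypts. The Diffie-Hellman group, HMAC key derivation, XOR stream cipher, epoch numbers and sample coordinates are all constructed stand-ins for the real primitives.

```python
"""Toy model of an offline-finding beacon whose location reports only the owner
can read, in the spirit of the Find My design described above. Constructed
illustration, not Apple's protocol or code: the Diffie-Hellman group, the
key derivation and the XOR stream cipher are stand-ins for the real primitives."""
import hashlib
import hmac
import random

P = (1 << 127) - 1   # Mersenne prime as a toy Diffie-Hellman modulus
G = 2


def rotating_private_key(seed: bytes, epoch: int) -> int:
    """Every device the owner controls derives the same per-epoch secret from a
    shared seed (assumed to be provisioned between the owner's devices)."""
    tag = hmac.new(seed, b"beacon-epoch-%d" % epoch, hashlib.sha256).digest()
    return int.from_bytes(tag, "big") % (P - 2) + 1


def beacon_public_key(seed: bytes, epoch: int) -> int:
    """The value the lost device broadcasts over Bluetooth during this epoch.
    It changes every epoch, so a passive listener cannot link two beacons."""
    return pow(G, rotating_private_key(seed, epoch), P)


def _keystream(shared: int, length: int) -> bytes:
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(shared.to_bytes(16, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(data, ks))


def lookup_tag(beacon_pub: int) -> str:
    """Server-side index: a hash of the public key, not the key or any identity."""
    return hashlib.sha256(beacon_pub.to_bytes(16, "big")).hexdigest()


def finder_encrypt(beacon_pub: int, location: bytes, rng: random.Random) -> dict:
    """A passing device encrypts *its own* GPS fix to the beacon key (ElGamal-style
    hybrid encryption) and uploads the record. Neither the finder nor the server
    learns whose device it was, and neither can decrypt the location."""
    k = rng.randrange(1, P - 1)
    shared = pow(beacon_pub, k, P)
    return {"tag": lookup_tag(beacon_pub),
            "eph": pow(G, k, P),
            "ct": _xor(location, _keystream(shared, len(location)))}


def owner_decrypt(seed: bytes, epoch: int, record: dict) -> bytes:
    """The owner's other device recomputes the epoch secret and decrypts."""
    shared = pow(record["eph"], rotating_private_key(seed, epoch), P)
    return _xor(record["ct"], _keystream(shared, len(record["ct"])))


def run_demo(seed: bytes = b"constructed-seed-shared-by-owner-devices"):
    """Returns (server_store, recovered_locations) for two beacon epochs."""
    rng = random.Random(7)
    server = {}   # what the cloud service stores: tag -> encrypted record only
    # Constructed sightings: a finder reports the lost device in epochs 17 and 18.
    for epoch, fix in ((17, b"37.3318,-122.0312"), (18, b"37.3320,-122.0300")):
        rec = finder_encrypt(beacon_public_key(seed, epoch), fix, rng)
        server[rec["tag"]] = rec
    # The owner's second device derives the same epoch keys, fetches by tag, decrypts.
    recovered = [owner_decrypt(seed, e, server[lookup_tag(beacon_public_key(seed, e))])
                 for e in (17, 18)]
    return server, recovered


if __name__ == "__main__":
    store, locs = run_demo()
    print(locs)
```

The three properties the article attributes to the scheme are visible in the model: the broadcast value differs every epoch, so beacons cannot be linked into a movement history; the server holds only ciphertext indexed by a key hash; and decryption needs the seed, which is why the design requires a second owner device rather than an account the service could read.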
