Security

Facebook has open-sourced encrypted group chat

Governments hate encrypted chat tools on social media, so brace for outrage in 3 ... 2 ...


Updated Facebook has responded to governments' criticism of cryptography by giving the world an open source encrypted group chat tool.

It's hardly likely to endear the ad-farm to people like FBI Director Christopher Wray, who yesterday told an international infosec conference it was “ridiculous” that the Feds have seized nearly 8,000 phones they can't access. UK prime minister Theresa May has also called for backdoors in messaging services and for social networks to stop offering "safe spaces" for extremists.

Facebook's latest project, which went live on GitHub yesterday, tackles the problem of protecting group chat. ART, Asynchronous Ratcheting Tree, was created by Facebook's Jon Millican and Oxford University's Katriel Cohn-Gordon, Cas Cremers, Luke Garratt and Kevin Milner.

As the group explains in a December paper* [PDF] about ART at the International Association for Cryptologic Research (IACR) pre-press site, existing chat solutions are great between individuals but not so good at protecting group chats.

In group chats, the paper said, “WhatsApp, Facebook Messenger and the Signal app … use a simpler key-transport mechanism ('sender keys') which does not achieve PCS” - that's post-compromise security – if Alice realises a conversation is compromised, the system has a means re-establish secure communications).

The shortcomings of those apps, the group wrote, means if someone hacks one member of a group, they can “indefinitely and passively read future communications in that group … In practice this means that in these apps, if a third party is added to a two-party communication, the security of the communication is decreased without informing the users.”

To protect group chats, ART “derives a group key for a set of agents” that's secure even if some members aren't online, and “even after total compromise, an agent can participate in a secure group key exchange.”

The ART scheme sets up conversations using what the paper calls “asymmetric prekeys” (a model created by Moxie Marlinspike for TextSecure) and a one-time asymmetric setup key. The Diffie-Hellman setup key is generated by the creator of a group chat, and is only used during session creation, allowing the group leader to create secret “leaf keys” for other group members while they're offline.

To add PCS to this, Alice needs a way to replace a leaf key if hers is compromised, and other group members need to be able to get the new key.

To get a new leaf key, Alice “computes the new public keys at all nodes along the path from her leaf to the tree root, and broadcasts to the group her public leaf key together with these public keys.”

The protocol then lets other group members compute the updated group key, “again without requiring any two group members to be online at the same time”.

The implementation Facebook published is offered under a Creative Commons license. ®

*Bootnote: There's no significance whatever to the IACR paper's filename being "666.pdf", we're sure you'll agree.

Update: Here's one possible reason Faceboook got to work on multi-party chat encryption: last July, a group of German researchers published their analysis of WhatsApp, Signal, and Threema group chat security.

This paper, first posted in July 2017, didn't attract media attention at the time. However, its language closely mirrors the problem statement Facebook put forward – including the lack of Future Secrecy when private messaging is used for groups.

The older paper was updated earlier this month to add a reference to the Facebook ART paper.

Send us news
31 Comments

Telcos crammed 8.5m fake comments against net neutrality into FCC's inbox

While some teen generated 7.7m bogus pro-NN notes to US broadband regulator

Broadband companies in 2017 launched an $8.2m campaign to repeal America's net neutrality rules that spent $4.2m to sway policymakers with millions of fake comments. But only their hired guns are being held accountable.

Net neutrality, the proposition that broadband service providers should handle internet traffic without bias, has been bitterly opposed by broadband service providers because utility pricing tends to be less profitable than the premium charges gatekeepers can impose. Supporters of net neutrality argue that broadband companies should not be able to distort the competitive market to favor firms that pay them fees.

After the Trump administration appointed Ajit Pai to be chairman of the Federal Communications Commission in 2017, Pai set about to repeal net neutrality policies and the broadband industry proved keen to see that happen. His repeal went through but has been complicated by a 2019 appeals court decision that affirms the ability of states to implement their own net neutrality rules, which three states have passed into law and others have done through Executive Orders or have proposed new laws.

Continue reading

UK vaccine booking website had unexpected side effect: It leaked people's jab status

Wanna find out if Jane Brit has had a shot? Just lob her postcode and DoB into this NHS site

An NHS Digital-run vaccine-booking website exposed just how many vaccines individual people had received – and did so with no authentication, according to the Guardian.

The booking page, aimed at English NHS patients wanting to book first and second coronavirus jabs, would tell anyone at all whether a named person had had zero, one or two vaccination doses, the newspaper reported on Thursday.

All you need, it says, are the date of birth and postcode of the person whose vaccination status you wanted to check up on. These details are not difficult to find online with some obvious search terms.

Continue reading

The quest for faster Python: Pyston returns to open source, Facebook releases Cinder, or should devs just use PyPy?

Official CPython is slow, but there are many ways to get better performance

Facebook has released Cinder, used internally in Instagram to improve Python performance, while another faster Python, called Pyston, has released version 2.2 and made the project open source (again).

Python is the world's second most popular programming language (after JavaScript) according to some surveys; but it is by no means the fastest. A glance at benchmarks tells us that Python 3 computation is often many times slower than compiled languages like C and Go, or JIT (Just-in-Time) compiled languages like Java and JavaScript.

One reason is that the official implementation of Python, called CPython, is an interpreted, dynamic language, and its creator Guido Van Rossum has resisted optimising it for performance, saying in 2014 that "Python is about having the simplest, dumbest compiler imaginable, and the official runtime semantics actively discourage cleverness in the compiler like parallelizing loops or turning recursion into loops."

Continue reading

Qualcomm Snapdragon 855 modem code flaw exposed Android smartphones to possible snooping

Good thing researchers spotted it, no evidence of exploit in the wild

A heap overflow vulnerability in Qualcomm's Snapdragon 855 system-on-chip modem firmware, used in Android devices, could be exploited by baddies to run arbitrary code on unsuspecting users' devices, according to Check Point.

The software bug, tracked as CVE-2020-11292, can be abused to trigger a heap overflow in devices that use a Qualcomm Mobile Station Modem (MSM) chip, thanks to some in-depth jiggery-pokery in the Qualcomm MSM Interface (QMI) voice service API.

"If exploited, the vulnerability would have allowed an attacker to use Android OS itself as an entry point to inject malicious and invisible code into phones, granting them access to SMS messages and audio of phone conversations," said some not-at-all-excitable researchers from Israeli security firm Check Point in a blog post today.

Continue reading

Just one in 5 Googlers plan to swerve the office permanently after COVID-19

Free breakfast, lunch and dinner? Listening to Ryan Reynolds talk shit? Massages for gratis? Why the hell wouldn't they return

One in five Googlers will be permanently working from home once the pandemic abates but for the majority it seems free meals in staff canteens, guest celebrity speaker appearances, resident gyms and massage therapy are irresistible lures.

A pre-Christmas directive from the Chocolate Factory was for the majority of employees to work from home until September, with a hybrid model being tested that involves a mix of office-based and remote working.

Now Sundar Pichai, CEO at Google and parent company Alphabet, has provided a written update to explain how he thinks the set-up will work, saying that in areas where the organisation has opened up offices on a “voluntary capacity”, around 60 per cent of staff has chosen to “come back”.

Continue reading

Day 3 of the Apple vs Epic trial: What actually is an iPhone anyway?

Microsoft Xbox exec called up to explain differences with gaming console

The legal spat between Epic Games and Apple entered somewhat philosophical territory on Wednesday as the battling sides debated over whether the iPhone legitimately constitutes a general-purpose computing device, or is merely a locked-down platform with a specific purpose, such as a games console.

Epic Games, which has alleged Apple's tight control on the way iOS software is distributed and monetised is tantamount to an antitrust abuse, called up Lori Wright, Microsoft's head of Xbox business development, as a witness.

During her testimony (audio-only link to the hearing here), Wright divided devices into two categories. Special-purpose devices like the Xbox, she said, are purchased by consumers because they perform a specific function. While the Xbox can be used to stream content on Spotify or Netflix, its raison d'etre is playing games.

Continue reading

There may have been problems with the JEDI deal but you still wouldn't have won, Oracle told by US govt

They were not the cloud we were looking for, says DoD in brief to Supreme Court

In another chapter to a saga that refuses to die, the US government has recommended [PDF] that the Supreme Court rejects Oracle’s efforts to overturn a Department of Defense decision to award the $10bn JEDI contract to Microsoft.

Acknowledging there were problems with the controversial contract award, which fellow bidder AWS is also contesting, these would not have affected Oracle’s chances of winning the deal, the government claimed in its brief. Security concerns over the geographic distribution of data centres were the main reason Big Red failed to win.

The US government asked the justices of the Supreme Court to reject Oracle’s challenge, saying that the Court of Federal Claims and the Federal Circuit had been correct in concluding that Oracle would need to show it had a “substantial chance” of winning the contract in order for procurement errors to be addressed.

Continue reading

Microsoft has gone to great lengths to push its tech, but survey suggests many devs slipped through the .NET

Among the findings, WPF remains most-used desktop framework despite years of promotion for UWP

The Microsoft-sponsored .NET Foundation has released a survey-based "State of .NET" report showing that efforts to broaden the appeal of the technology beyond its own platform have had limited success so far.

The .NET Foundation was set up by Microsoft in 2014, around the time that the cross-platform and open-source .NET Core was first announced, the idea being to support the .NET ecosystem.

Between November 2020 and March 2021, it conducted its first survey of .NET developers, the results of which have just been made public.

Continue reading

Visual Basic 6 returns: You've been a good developer all year. You have social distanced, you have helped your mom. Here's your reward

(Almost) Why? Kickstarter and nostalgia of those who have forgotten the pain

The beast is back... almost. A "100 per cent compatible Visual Basic 6 solution" has been promised to the backers of a Kickstarter. There is, however, no word on how much it would cost to ensure it stayed dead.

Visual Basic 6 was the last hurrah in a succession of languages first introduced in 1991 and seemingly killed off once and for all in 2008 (a decade after Visual Basic 6 first shipped in a hefty cardboard box.)

Although devs may sniff at the old thing nowadays, a good many IT professionals owe their start in the computing world to the Rapid Application Development world of Visual Basic. While Visual Basic 1 and 2 could be filed in the novelty drawer (this hack has a particular fondness for 1992's Visual Basic for DOS) it was Visual Basic 3 and its bundled Jet database engine that captured corporate imaginations.

Continue reading

Which? warns that more than 2 million Brits are on old and insecure routers – wagging a finger at Huawei-made kit

Default passwords, no updates, and your data's flowing through these

Consumer org Which? reckons more than two million Britons are connected to the internet through routers that were last updated in 2016.

This eye-catching finding came from a Which? survey launched today, seemingly criticising UK ISPs for not complying with a proposed law whose first draft hasn't been introduced to Parliament. The proposal in question is Secure by Design, where the Department for Culture, Media and Sport (DCMS) will be asking phone, tablet, and IoT gadget makers to state when they'll stop providing security updates for new devices entering the market.

Pre-legislative oddities aside, there was a useful point in the survey of 6,000 UK adults carried out in December 2020: six million Britons are using routers that last received security patches in 2018, while 2.4 million of that number are using boxes that might not have been updated for five years.

Continue reading

OVH outlines three-point 'hyper resilience' plan after Strasbourg fire

Please insert tape number 363 of 4087*

French cloud provider OVH has outlined a three-point plan designed to avoid a repeat of the loss of data and services resulting from the fire which engulfed its Strasbourg operations on 10 March.

Dubbed "Hyper Resilience", the plan employs the combinations of a revamped approach to internal backups, external customer back-ups and a new policy of fail-over between three data centres per region.

OVH founder, chair and CFO Octave Klaba and CEO Michel Paulin outlined the plans in a tweeted video address, viewers of which were implicitly being asked to avoid the conclusion that they were closing the stable door after the horse had not only bolted but bought airline tickets to Cancun where it was now sipping mojitos on a beach.

Continue reading