"Unfortunately, #Converso is not open source and their website is totally silent on cryptographic primitives and protocols, which is highly unusual for a self-proclaimed 'state-of-the-art' privacy application."
"Highly unusual" is the understatement of the century. If anyone believes encryption software can reliably protect their privacy without publishing full source code, I have a bridge they may wish to purchase.
Client-side scanning of private chat messages was top of the Today programme political debate this morning with @Mer__edith and Ciaran Martin, former Head of the National Cyber Security Centre.
Client-side scanning is a technology that intercepts and checks chat messages on mobile phones before being encrypted.
@Mer__edith: these are mass surveillance measures that operate at scale. The government has used sleight of hand to put them in.
Will client-side scanning impact UK’s international reputation?
Ciaran Martin: it’s an unhappy situation. UK could take reputational hit for introducing it in law but then never actually use it. The language of the debate is toxic. We should stop shouting at each other and get around a table.
ORG's Policy Manager, Dr Monica Horten agrees, there needs to be a grown up debate about client-side scanning and other proactive measures in the #OnlineSafetyBill.
If you've followed my work for a long time, you've watched me transition from a "#linkblogger" who posts 5-15 short hits every day to an "essay-#blogger" who posts 5-7 long articles/week. I'm loving the new mode of working, but returning to linkblogging is also intensely, unexpectedly gratifying:
Kutcher, it seems, has learned nothing from SESTA/FOSTA. Now he's campaigning to ban working cryptography, in the name of ending the spread of CSAM. In March, Kutcher addressed the #EU over the "#ChatControl" proposal, which, broadly speaking, is a ban on #EndToEndEncrypted Messaging (#E2EE):
The Platformer's recent article about Twitter claims that Twitter's encrypted DMs are not end-to-end encrypted:
"These messages are not encrypted end to end, making them vulnerable to so-called man-in-the-middle attacks."
This is wrong. Twitter's encrypted DMs truly are end-to-end encrypted. That is, no one other than the sender and recipient can decrypt the messages. However, Twitter does not provide a mechanism for users to verify the public key of other contacts. And this makes the design vulnerable to man-in-the-middle attacks.
Users negotiate a shared key to start an encrypted conversation using their public keys. After the negotiation phase, both the sender and recipient agree on a shared key to encrypt/decrypt messages in the conversation. Thus, every user has to trust that Twitter delivers the correct public key of the DM counterpart. Otherwise, an attacker can intercept the communication between one user and Twitter and act on behalf of the victim to negotiate the shared key with the DM counterpart. In the end, the attacker obtains the shared key and can decrypt [also alter and re-encrypt] the messages in the encrypted DM.
This major flaw does not disqualify the communication from being end-to-end encrypted. Twitter can easily overcome this flaw by letting users view the fingerprint of their own public keys.
Given the increase of delusional/ignorant sentiments in governance groups, leading them to believe that removing encryption will help them fight crime or protect certain groups online (e.g. children), it's definitely time to reach out to your #EU#MEP.
Don't hesitate to point out arguments (even the obvious ones) and facts ranging from technical feasibility all the way to what depends on our ability to safely and securely communicate and remain anonymous online.
In diesem Dokument bestätigen diverse EU-Mitgliedsstaaten, dass die “Slippery Slope” zum Bruch und Zugriff auf #E2EE durch die #Chatkontrolle ihr Ziele ist
Deutschland setzt sich für den Schutz von #E2EE
“die Bundesregierung ist dabei, geeignete Technologien zu erproben. DE hält es für notwendig […], dass keine Technologien eingesetzt werden, die die Verschlüsselung stören, schwächen, umgehen oder verändern.”
Interessant wäre evtl auch ein Federated Chat Service...
Hab ein bisschen nachgedacht und möglicherweise ist das sogar mit #activitypub zu machen.
So ein bisschen "back to the roots" mäßig, zurück in Richtung TS3. Wobei natürlich die Frage wäre wie viele Leute bereit wären ihren eigenen Server zu hosten wenn Dinge wie #Discord existieren
Holy shit, @protonmail just doubled my base storage to six terabytes for #ProtonMail, #ProtonDrive, etc. I’m only using a little over 16 GB.
Granted I’ve been a paid subscriber since the summer of 2016 (first on their Plus plan, then on Visionary starting the following year). But this is ridiculous.
Client-side scanning is like having a “government-supplied CCTV camera in every room of your house.” It puts faith in “an unknown algorithm to detect bad things, which get reported to a private moderation team provided by the people who built your house” - Matthew Hodgson, CEO of @element
The #UK#OnlineSafetyBill is a poorly written proposal which would have devastating effects for privacy and availability of online services in the UK, breaking end-to-end encryption. Please sign this petition and boost for visibility.
Just saw someone implementing user authentication for an #E2EE application by taking the users password, running it through libsodium's crypto_pwhash with a fixed salt derived from the user's email address, before sending the (email, hash) pair to the remote server.. and I'm just like "is this secure?"
I'd always thought you'd want a construct like SRP6a for conducting the authentication between client & server (without the server learning the user's password)... #security#cryptography
🤔 The #EU quite obviously can't do anything about legislation in other democracies, let alone dictatorships, apart from being a positive example for respecting the UN charter for #humanrights (which itself is toothless because now the despots are lobbying for their stooges to run key international organizations!).
The point being that representative democracy must and will address any harebrained attempts to deprive citizens of inviolable right to privacy instead of corporations (or anyone who can afford lobbyists!) deciding a suitable compromise that also appeals to the sharks.
Democracy worldwide in under attack, but the defence against interference must become more sophisticated than denying free citizens' private communications. In fact those very dictatorships hostile to democracy would love to see democracies panic and ban #E2EE (end-to-end-encryption) because that would only help validate their repression.
And wrt. to your initial lobbying battle cry again, #Apple Corp is just about the least qualified nominally western corporation to lobby over any privacy issues in Europe because they've bet their entire corporate body on being in #CCP's good graces for over two decades now.
https://www.privacyguides.org/en/ For LGBTQAI+ people needing privacy and anonymity tools right now, I really like this site for that purpose. It can take time to navigate, though, if it's unfamiliar. And I realize this doesn't solve all the issues, but in terms of people trying to track your identity/location, it can be helpful in that regard.
@EwanCroft AFAIK re: the #ActivityPub protocol, what we can direct messaging thanks to birdsite language is really just a one-to-one post. Even if #Mastodon established #E2EE#encryption over AP, it's unlikely to federate well at this stage. Perhaps better to keep #Matrix as the #Fediverse go-to for that?