Tag Archives: Security

Signalling virtue

Dear Reader,

Can I encourage you to try something today? Go to Signal.org and get hold of the Signal messaging app, and/or go to your app store and download Signal for your phone. And while it’s downloading, come back here and I’ll tell you why I’ve become so fond of it, and why you might actually want another messaging app.

To put it in a nutshell, Signal is like WhatsApp but without selling your soul. Imagine what a good time Faust would have had without that awkward business with the Devil, and you get the idea. Well, OK… you don’t quite have to sell your soul to Facebook to use WhatsApp, but you do have to give away your privacy, your friends’ privacy, endure a lot of advertising, and so forth. (More info in an earlier post.)

For Apple users, Signal is rather like Messages, which I also like and use a lot, but you can use Signal with your non-Apple friends too, on all of your, and all of their, devices.

Signal:

  • is well-designed and nice to use.
  • runs on iOS, Android, Windows, Mac, Linux, tablets, desktop and mobile.
  • uses proper end-to-end encrypted communications, unlike some alternatives such as Telegram.
  • is Open Source, so if you doubt any aspect of it, you can go and see how it works.
  • is free: supported by grants and donations. No advertisements.
  • allows most of the interactions you expect on a modern messaging service: group chats, sharing files and images, audio and video chat, etc.

Now, of course, it has the problem that all networks initially have: what happens if none of my friends are on it? And yes, that can be an issue, but it’s becoming less so. When I first signed up, I think I knew about three other users. Now, over 100 of my contacts are there, and more arrive every week. When I see them pop up, I send them a quick hello message just to welcome them and let them know I’m here too. It’s a bit like wondering if you’re at the wrong party because you know so few people here, and then over time more and more of your friends walk through the door.

How do you find them? Well, like WhatsApp, Signal works on phone numbers, and when you sign up you have the option to let it scan your contacts list and see if any of them are on Signal too. Unlike Facebook/WhatsApp, however, your contacts’ details aren’t transmitted to the company’s servers and used to build the kind of personal profiles that FB keeps even on people who aren’t members.

Signal instead encrypts (hashes) the phone numbers in your contacts, truncates the encrypted form so it can’t be used to match the full phone number, and sends those truncated versions to their servers. If the server finds matches among the truncated forms of other accounts’ numbers, it sends the encrypted possible matches back to you for your app to check. Security experts will realise that this isn’t perfect either, but it’s so much better than most of the alternatives that you can be much more comfortable doing it. Here’s a page talking about it with a link to more detailed technical descriptions about how they’re trying to make it even more secure. And here’s the source code for all their software in case you don’t trust what they say and want to check it out for yourself.
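The exchange described above, sketched as an added example (this is not Signal's code and not part of the original post). The hash function (SHA-256), the one-byte truncation, and the names `DirectoryServer` and `discover` are assumptions for illustration, and the phone numbers are constructed sample data.

```python
import hashlib

PREFIX_BYTES = 1  # assumed truncation length, kept tiny so buckets visibly collide

def full_hash(number):
    return hashlib.sha256(number.encode("ascii")).digest()

def prefix(number):
    return full_hash(number)[:PREFIX_BYTES]

class DirectoryServer:
    """Hypothetical server: indexes registered numbers by truncated hash."""
    def __init__(self, registered):
        self.buckets = {}
        self.seen = []  # everything the server ever receives from clients
        for n in registered:
            self.buckets.setdefault(prefix(n), set()).add(full_hash(n))

    def lookup(self, prefixes):
        self.seen.extend(prefixes)
        # Reply with every full hash sharing each prefix (the possible matches).
        return {p: self.buckets.get(p, set()) for p in prefixes}

def discover(contacts, server):
    """Client side: send prefixes only, confirm matches locally on the full hash."""
    reply = server.lookup(sorted({prefix(n) for n in contacts}))
    return {n for n in contacts if full_hash(n) in reply[prefix(n)]}

# Constructed sample data: 1000 registered numbers, 4 contacts (2 registered).
REGISTERED = ["+44207946%04d" % i for i in range(1000)]
CONTACTS = ["+442079460007", "+442079460420", "+15555550100", "+15555550101"]

if __name__ == "__main__":
    server = DirectoryServer(REGISTERED)
    print("on the service:", sorted(discover(CONTACTS, server)))
    print("largest bucket:", max(len(b) for b in server.buckets.values()))
```

With 1,000 registered numbers spread over 256 one-byte prefixes, the server's replies are lists of candidates, and the final match happens on your device.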

So in recent months, if I’ve wanted to set up group chat sessions to discuss the care of an elderly relative, or plan a boating holiday with friends, or discuss software development with colleagues in another timezone, I tell people that I disconnected from Facebook a few years back so I don’t do WhatsApp, but have you tried Signal? It’s pretty much the same, with all the bad bits taken out, and works much better on the desktop and on tablets, in my now-rather-dated experience, than WhatsApp ever did.

So give it a try, and if you find that not many friends are there, don’t delete it. Just wait a bit… and tell all your friends about this post, of course!

Keep it secret! Keep it safe!

Some very smart friends of mine have created a rather neat device called EnCloak. It looks and acts just like a normal USB drive, but it can encrypt and decrypt files in cunning ways as you save and retrieve them.

“So what?”, you may say, “There are lots of encrypted storage devices on the market.”

Yes, but this one has some particularly smart attributes, most notably that the hardware just uses standard USB file storage operations, so you don’t need any software or drivers on the machine to make use of it. And if you drop it in the car park and somebody picks it up and plugs it in, they’ll just see a small standard flash drive and won’t even know there are also secret files on it without having the appropriate credentials, let alone be able to read them.

Need to take those super-secret exam questions to the publishing company without wanting to trust any intervening networks? Or keep a backup copy of the things you normally store in your password manager, which you could get at anywhere in future without access to that bit of software? This might be the thing for you.

There are lots of other ways to get encrypted data from place to place, so you may not need this. But hey, the printing company may not know about your GPG keys, and the examination board may not want to install your decryption software, and you know the Feds will get at anything you have in the cloud. If they don’t, Facebook will. Besides, gadgets are fun!

Anyway, they’ve been working on this for quite a while; and I saw an early prototype over two years ago, so I can vouch that it worked even back then. Now they’ve just launched a Kickstarter project to fund the initial production run, so you can now sign up for one — either for yourself, or to get your Christmas presents sorted out nice and early for your geeky friends!

A Day in the Life of Your Data

This is a nicely-written document from Apple which is intended to give people an idea of the amount of data that can be gathered about them as they go about their normal lives.

It is also, of course, intended to persuade you that it’s a good idea for your phone to run software from Apple, rather than from a company that makes its money from selling data about you. But it’s pretty balanced overall, and might be useful if you have non-technical friends who haven’t considered this stuff.

As a photographer, I have quite a few photo-related apps, and I often give them access to my entire photo library, because I may want to use them to edit any of my images. And even though the article doesn’t highlight this directly, it did make me realise that, by doing so, I’m also giving them access to a great deal of my location history, because all of my photos are geotagged. Something to consider.

iOS tip of the day

When you’re setting up your fingerprints for Touch ID, take the time after registering each one to go in and give it a name. Then if you find one finger becoming unreliable, you know which one to delete and reprogram.

Preparing for the cybercrime of the future

My friend Frank helped organise what looked like a great event at the Computer Lab recently – called Cambridge2Cambridge, it’s a joint initiative between us and MIT, and they’ve done a splendid video about it.

More information here.

Always look on the dark side of life

I love these nihilistic security questions from Soheil Rezayazdi…

[Image: nihilistic security questions]

Thanks to Rory C-J for the link.

Not as secure as it SIMs

If you knew, or cared, anything about the way your mobile phone communicates with the mobile network, you may have believed that your calls were secure and private, at least as far as the core of your provider’s network. They should be, too, if you’re on a 3G or 4G network: the SIM in your phone includes encryption keys known only to it and the mobile provider, and these are used to encode the voice and text traffic so that anyone snooping on the radio signal, or on the backhaul network between the base station and the provider’s headquarters, would not be able to make head or tail of the stream of bytes flowing by. To do so on any scale would need vast amounts of computing power.

However, if this article in The Intercept, The Great SIM Heist, is correct, the NSA and GCHQ have a much better approach. To quote the article:

Adi Shamir famously asserted: “Cryptography is typically bypassed, not penetrated.” In other words, it is much easier (and sneakier) to open a locked door when you have the key than it is to break down the door using brute force.

So that’s what they allegedly did, according to the latest revelations from Ed Snowden: they hacked into the networks of the SIM card manufacturers, most notably Gemalto, the largest in this field and a supplier to 450 mobile providers around the world, and just stole copies of the keys before they were shipped to the mobile providers. They focused on the activities of employees who used email encryption and those exploring more secure methods of file transfer, since they were more likely to have valuable information to hide.

Perhaps the most shocking thing about these thoroughly illegal activities is that the companies and individuals targeted were not in any way assumed to be engaged in illicit activities. They were innocents going about their daily business, but they just had information that was of potential use to the authorities.

Snowden’s information is from 2009/10, so it is to be presumed that this has been going on for some time. Meanwhile, this is what it did to poor old Gemalto’s stock price when the news came out a couple of days ago:

[Image: Gemalto stock price chart]

Learning from the disaster

Most of you have probably heard by now about how the technology reporter Mat Honan’s accounts were hacked and how he lost his Google Mail, his Apple and Amazon accounts, his Twitter account and the contents of his iPhone and laptop. All in under one hour.

What’s fascinating about this story is that we know how it was done: there was no heavy brute-force attack on weakly-encrypted passwords, no SQL injections on his company’s website. The hackers had no animosity towards him; they didn’t know who he was, they just liked his three-letter @mat Twitter ID. In other words, this could easily happen to you too!

If you haven’t heard the story, then I recommend listening to episode 364 of Security Now, which you can get from here or here. The discussion starts 30 mins into the programme.

You should probably listen to this if you, say, use the Internet…

Brand confusion

An elderly colleague turned to me at lunch yesterday.

“Tell me”, he said, “you’re a computer expert… All of these leaks must mean that nobody in government will be able to use email ever again. Just what are the political motivations of an organisation like Wikipedia?”

© Copyright Quentin Stafford-Fraser