I wrote my Congressional representation about this. Only Chuck Schumer sent me back a reply, and I can't actually tell what his position is. He summarized the bill, then said he worked on making Big Tech more secure ("I have worked to have these sites deploy more secure internet protocols"; must have had some help from Al Gore there) and that he values privacy ("I voted in favor of H.R.2048, the USA Freedom Act, which became law on June 2, 2015. This bill provides additional safeguards for individual privacy in our surveillance rules and ends bulk metadata collection. Moving forward, I will continue working to strengthen privacy protections under the law.").
For whatever reason, my first reading of this email was "fuck you, I'm outlawing encryption TOMORROW" but after re-reading it, I'm actually less sure about that. This one is a nail-biter; outlawing encryption is probably the end of the iOS and Android ecosystem, because we'll have to use OSes from outside the US. Or let random low-level NSA employees read all your illustrated love letters to your partner. Feels a little gross just thinking about it.
I used to live in Illinois and wrote a lot of letters to Durban on tech issues. His responses were consistently awful. Above average awful.
I feel like tech is the most underrepresented demographic in politics. Neither party cares about us at all. We hear cries of "defund the police", but we want to give the police the right to read all of our thoughts? It's so hypocritical; if you think the government is abusing its citizenry and that removing their source of funding is your political goal, why give them spying tools?
Meanwhile, the country's tax plan seems to hinge on one strategy: "software engineers should pay for everything". We make enough money to pay a ton of taxes (I paid the AMT every year before 2017), but we don't make enough money to afford lobbyists. It does get a little better as you get older; mortgage interest and dependents are nice deductions. But really, a lot of our money is being taken to make the country objectively worse. It doesn't feel great.
That said, you can't vote for Republicans because of their hot takes on social issues. They would have half of my friends killed just for existing if they had their way. At least the Democrats kind of let people exist and even get married. (It's also not clear to me that they would ever meaningfully reduce the tax burden on people that work for a living; Trump's supposed tax cuts which removed the state tax deduction increased my taxes!)
It's a mess out there. Consistently depressing. But you gotta keep writing the letters and make them think about the issues. Sometimes they accidentally do the right thing.
What's more frustrating is the security absolutist mindset that seems too common in these sorts of discussions, where meaningful improvements in security are derided as useless because they don't solve every single problem in every scenario. Or worse, because they don't satisfy a particular ideological view of how computing should work, whether or not that truly impacts security.
Is running Signal on an iPhone going to stop the Mossad from Mossading your chats if they want to? Probably not, but then neither will exclusively communicating using some fully open source cellphone with full root access that doesn't actually exist. The benefit of Signal on an iPhone is that people will actually use that and it will help against a lot of things that aren't the Mossad pulling out all the stops coming after you personally.
Honestly a lot of security discourse feels like calling airbags and seat belts useless because they won't help if you drive head on into a bullet train. Let's have a discussion about limitations and paths to improvement, absolutely. But ignoring "better" because it's not "perfect" is rarely a good strategy.
> But ignoring "better" because it's not "perfect" is rarely a good strategy.
But "better" it is not. When the attacker controls the CA and your OS there is nothing "better".
Those days the Web Browser and the apps hapilly sending telemetry over the internet are the main entry point for an attacker. And yet we see statements like "if you use E2EE you are secure.
The point is that both Apple and Google can just read your messages out of memory. It’s no different than having a private conversation in a room with a microphone.
Yes, ultimately you have to trust your endpoint device when relying on e2ee. Having root access to that device does not significantly change that requirement. If you're worried about Apple and Google subverting your device to read your e2ee messages, them giving you root access does not actually solve the problem.
Even if you trust Apple and Google not abusing their capabilities (which is somewhat reasonable in this context), both are still US companies - I imagine they could be ordered by the US government to pull your E2EE messages from device memory.
I'd assume Apple and Google would seriously consider relocating if they were so ordered, even if they ultimately decided not to; but let's say for the sake of argument that they decide they have to supply the unencrypted content of messages of apps they didn't write running on operating systems they did write.
If I was an engineer tasked with doing that, I would refuse, even if it meant leaving.
But if I wasn't that kind of person, I'd have the OS take screenshots whenever a certain app was in the foreground.
I don't see that as the case. There doesn't need to be a provably secure device for another device to be shown to be fundamentally insecure. What is secure, is leaving all phones, hell, all electronics, out of the windowless room to have the sensitive conversation in. It's a lot of friction but if your thread model includes APTs, you have to give up a lot of convenience.
E2EE is only truly reliable if you control the endpoints fully, and verify keys. Short of that is is mostly security theater and marketing.
I have an e2ee chat where everyone in it is a security researcher that exclusively accesses it from a dedicated QubesOS VM, and everyone has cross verified each others keys.
I have other e2ee chats where almost everyone but me is using iPhones, Android phones, windows, macos and no one verify keys, and thus I just operate as though anything said in those chat will be made public at any moment.
> Short of that is is mostly security theater and marketing.
There is a difference between "security theater and marketing" and "threat model".
A random ISP in a random country does not necessarily have the power to take over control on your iPhone, so with e2ee they just can't read your messages. It's not completely useless, it just depends on the threat model.
Root, and a community of people that you trust who are incentivized to audit the contents of whatever updates you install, and the infrastructure to bind that trust to those updates in a scalable and trustworthy way. And tools for catching apps being shady so you can revoke trust in auditors that blessed a bad one.
Root is kind of like the wooden sword in Zelda, it's where the journey begins.
Which dungeon is next is an open question but I'd propose something that installs packages by cryptographic hash so that whatever community we build for trusted packages can publish signed predicates referring to the trustworthiness of their referents without having to also host the packages themselves (given that servers which resolve names to packages become high-value targets and probably shouldn't be trusted). nix-on-droid seems like it could be modified to do this.
I wish that community effort actually worked, but the truth is almost no one reviews 99% of the open source libraries linked into every app, let alone the binary blob drivers and OMA-DM toolkits with root access to your phone controlled by Apple/Google and Qualcomm.
Truly no e2ee chat is safe if even one person accesses it from a smartphone with code the community cannot review, or is not actively reviewing.
Until we have 100% open code on endpoints with auditable hardware (like the Precursor) and have crowd sourced signed code reviews... we are vulnerable to any company, state actor, or teen that phishes the credentials to an NPM repo.
The state of software supply chain integrity today is about as good as hospital sanitation practices in the 1800s.
Communities coming together to protect themselves against a common enemy is something that we've been doing for perhaps a million years. We're actually quite good at it. But there hasn't yet been a market for tooling that brings those instincts into the realm of software. So far it has been "trust us, we're the vendor," and not "let's use this to trust each other but not our enemy".
I agree that our software supply chains are in their infancy. Regrettably, so is our ability to use software to inflict harm (if you haven't played Cyberpunk 2077, it has a pretty good take on this--you spend a lot of time killing people by hacking into their implants). I hate to be gloomy, but I think that as the threats become more real, more deadly, the supply chain integrity piece will have to level up as well.
According to ChatGPT 4, US-based cloud providers are not necessarily legally required to inform or disclose sharing your data with or selling your data to the US government.
And near-every single "security" tech being used to take rights from user to decide what their device is doing. So we have tech allowing app to be secure from risks outside of its box mostly used to push DRM...
An open and flexible boot loader would also be nifty. The ability to dynamically boot into any of several operating systems on the same phone could be useful for testing new OS versions without fear of bricking the device. This should make vendors less apprehensive about updating devices by removing the risk of bricking them. Get rid of internal storage and have a slot for an OS card with multiple boot partitions and a slot for multimedia. Add to this every phone OS must have a proper file manager and terminal shell by default.
Adding to this the lack of open source hardware and firmware is problematic for e2ee. I believe there is a lack of transparency around attestation and chain of custody in the entire build process and not just for the SoC but also the modular baseband modems.
I would personally like to see entirely modular, upgradable and serviceable phones similar to FairPhone but even more open and easier to swap parts. 6G deprecates 5G? No problem, pop out the 5G module and pop in the 6G in its external slot. Rijndael+E2EE found weak? Pop in the Twofish+Serpent+E2EE Custom encryption module. Or the AI-CoProcessor. Or the MIDI module. Or the Hack-RF module!
Apple can do anything they want with "your" phone. As it's an entirely closed-source ecosystem with obfuscated hardware, trusting Apple is the only reason to believe anything isn't decrypted and sent straight to <insert-TLA-here>.
Google is marginally better, as AOSP exists, but once you deal with an actual Android phone, everything is locked down and Google services have total control.
e2ee only exists if you can verify their isn't a third end.
And we have proof of it happening. A few weeks back, Kaspersky labs and the FSB found thousands of Iphones had been taken over by the NSA or another ABC agency. Russia subsequently banned all Iphones for any government usage. https://www.zerohedge.com/geopolitical/russia-says-us-hacked...
You might say well I am not on their list to target. That could change at any time if you speak up and start becoming a problem. They did it to Tucker Carlson.
No it was seemingly not related to Dominion. Tucker wanted to interview Putin. His emails to someone in Kremlin trying to arrange it were intercepted. Then messages he was sending through Signal were also read. Somebody who knew him in the government warned him that he was under surveillance and knew what he was sending. He has explained this in various interviews. Whatever you might think of his views, he is pretty honest and would not be making it up.
> Whatever you might think of his views, he is pretty honest
He's been repeatedly caught lying through his teeth and he's on record admitting that he lies if he's "cornered or something." but that he tries to never lie on TV, but of course that was before we got all that evidence of the lies he spewed for ages on TV too, so I guess he was "cornered" when he said that. The man lies for a living. You may want to adjust your understanding of "honest".
> messages he was sending through Signal were also read.
That the encryption on Signal has been cracked and/or the corporation has been compromised is a bold claim and I am going to need more than someones uncle on facebook saying it is true to believe it.
Tucker explained how this guy inside an agency told him what they knew which was sent over Signal. They could have either compromised/compelled Signal or taken over his device. Although Tucker thought it was the former, I think the latter is more likely as it has been done many times.
not having root access means that the user doesn't have complete control over the device's operating system and its underlying features. This limitation can potentially compromise the security of end-to-end encryption because the companies controlling the device could theoretically have the ability to intercept or alter the data before it's encrypted or after it's decrypted.
So, the parent is probably suggesting that without root access, and thus full control over the device, the promise of end-to-end encryption is somewhat of a "fantasy" because the user can't guarantee that the device itself isn't compromising the encryption in some way.
Honestly having root on a phone or any OS is generally a bad idea. You can do anything as an unprivileged user. Better to not have root accessible at all. The problem is when someone else has root.
Because these operating systems evolved to the point where root is not needed. Switching to root is dangerous and violates the principle of least privilege. Now privileged actions like getting your location is managed by the operating system and the operating system can ask the user to permit permissions to apps.
This is just not true. If you use sound E2EE, Qualcomm and Google are not in your conversations. (FWIW: Regular text messages are not E2EE. Use something better.)
Hmm maybe you're not talking about the same thing. I think the parent means that if your phone shows you the message in cleartext on the screen, then someone who has access to the phone can read it.
You can read the message by looking at the screen, and Google can technically read it because they "own" the OS that prints it to the screen. Whether they do it or not is another question, but they can.
It's a petition. It's primary function is to serve as a list of names. Your concern is that it might later be used for retaliation, which has always been true throughout the history of man.
The solution is to ensure that the government cannot retaliate against it's own citizens with impunity.
Oh yeah and no human will even know it happened, the dragnet is pre-indexing everything in the event they need to get a warrant later… never should have been allowed, government should not get a copy of my papers and effects in advance so that they can search them later as needed! I bet they even have an ongoing automated decryption queue always running and growing in size.
> I bet they even have an ongoing automated decryption queue always running and growing in size.
Maybe, but it's likely very specific in its targets because the decryption is so expensive.
If they have no reason to decrypt Bob's files today, they can shelve them for a later date when they have a reason and decryption is cheaper -- or a vulnerability has been discovered in the algorithm.
For whatever reason, my first reading of this email was "fuck you, I'm outlawing encryption TOMORROW" but after re-reading it, I'm actually less sure about that. This one is a nail-biter; outlawing encryption is probably the end of the iOS and Android ecosystem, because we'll have to use OSes from outside the US. Or let random low-level NSA employees read all your illustrated love letters to your partner. Feels a little gross just thinking about it.