Hasty Briefsbeta

All tags

#encryption

136 stories total

Bilingual

TeleMessage, used by Trump officials, can access plaintext chat logs
a year ago
- TeleMessage's TM SGNL app, a modified version of Signal used by senior Trump officials, can access plaintext chat logs despite claims of end-to-end encryption.
- The app archives every message to TeleMessage's server, breaking Signal's encryption model, and sends plaintext logs to a server hosted on AWS.
- TeleMessage is an Israeli company founded by a former IDF intelligence officer, raising concerns about potential access by Israeli intelligence.
- Analysis of TM SGNL's Android source code reveals it stores messages in a SQLite database and syncs them to TeleMessage's archive server in plaintext.
- A hack of TeleMessage's archive server confirmed the presence of plaintext Signal, Telegram, and WhatsApp messages, along with private key material.
- The archive server was vulnerable, allowing unauthorized access to sensitive data, including chat logs from government officials.
- Senator Ron Wyden has called for a DOJ investigation into TeleMessage, citing national security risks due to its insecure software.
The Company Behind Signal Clone Mike Waltz Used Has Direct Access to User Chats
a year ago
- TeleMessage Signal, used by a top Trump administration official, has suffered breaches exposing security flaws.
- Micah Lee's analysis shows TM Signal's archiving feature undermines Signal's end-to-end encryption, sending messages unencrypted to TeleMessage.
- A hack revealed user messages, usernames, plaintext passwords, and private encryption keys from TM Signal's archive server.
- TeleMessage, acquired by Smarsh, is a federal contractor but its apps aren't FedRAMP-approved for US government use.
- TM Signal was used by former Trump national security adviser Mike Waltz, potentially exposing communications with high-ranking officials.
- US senator Ron Wyden calls for a DOJ investigation, labeling TeleMessage a 'serious threat to US national security'.
Gmail will soon stop support for the 3DES encryption cipher for incoming SMTP
a year ago
- Gmail will stop supporting the 3DES encryption cipher for incoming SMTP connections.
- Google Cloud Community allows users to connect with Googlers and other Google Workspace admins.
- The community offers product discussions, articles, and tips to make work and life easier.
- Users can stay updated on Google Workspace changes via the 'What’s new in Google Workspace?' Help Center page.
- The page includes information on new products, features, and smaller updates not announced on the Google Workspace Updates blog.
CryptPad: An Alternative to the Google Suite
a year ago
- CryptPad is an end-to-end encrypted, open-source collaborative office suite.
- Users appreciate CryptPad as a privacy-first alternative to Google Docs, maintaining functionality and usability.
- No account is required for sharing files or folders, enhancing privacy and accessibility.
- Features like folder organization and sharing options are highly valued.
- CryptPad supports multi-OS use and is praised for its ease of use.
- The platform helps users organize their lives securely and privately.
- Real-time collaboration tools are available without tracking or data mining.
- CryptPad is seen as a private version of Google Drive, offering similar functionalities without privacy concerns.
- Open-source nature and E2EE (End-to-End Encryption) are major positives.
- Users highlight the intuitive interface and the ability to work remotely with colleagues securely.
- The service is free, which is appreciated, especially for educational and non-profit uses.
- CryptPad's Kanban boards, spreadsheets, and document editors are frequently mentioned as useful tools.
- The ability to use CryptPad without personal data submission is a significant advantage.
- Self-hosting options and server locations in the EU add to its appeal for privacy-conscious users.
- CryptPad is recommended for its security, ease of sharing, and collaborative features without compromising privacy.
Florida bill requiring encryption backdoors for social media accounts has failed
a year ago
- A Florida bill requiring social media companies to provide encryption backdoors for police access failed to pass.
- The bill, named 'Social Media Use by Minors,' was indefinitely postponed and withdrawn from consideration in the Florida House.
- It had previously advanced in the Florida Senate but required approval from both legislative chambers to become law.
- The proposed legislation would have mandated social media firms to decrypt end-to-end encryption upon receiving a subpoena, often issued without judicial oversight.
- The Electronic Frontier Foundation criticized the bill as 'dangerous and dumb,' citing risks of malicious abuse and data breaches.
How the Signal Knockoff App TeleMessage Got Hacked in 20 Minutes
a year ago
- Mike Waltz, Trump's national security adviser, was caught checking messages on a Signal clone called TeleMessage Signal (TM SGNL), which archives messages, compromising security.
- A hacker easily breached TeleMessage by exploiting weak password hashing (MD5) and outdated JSP technology, accessing sensitive data like usernames, passwords, and chat logs.
- The hacker found a vulnerable URL (/heapdump) on TeleMessage's archive server, exposing unencrypted messages, including those from US Customs and Border Protection and Coinbase.
- TeleMessage's archive server was misconfigured, exposing Spring Boot Actuator's heap dump endpoint, which contained sensitive data like encryption keys and plaintext chats.
- Despite known security flaws, TeleMessage was used by Trump's administration, including on Waltz's phone, risking national security communications.
DDoSecrets publishes 410 GB of heap dumps, hacked from TeleMessage
a year ago
- DDoSecrets published 410 GB of data hacked from TeleMessage, an Israeli firm that modifies messaging apps like Signal, WhatsApp, Telegram, and WeChat to archive messages centrally.
- The data contains sensitive PII, so DDoSecrets is sharing it only with journalists and researchers.
- Timeline of events includes: Mike Waltz using TeleMessage's modified Signal (TM SGNL), TeleMessage getting hacked twice in May, and revelations that TeleMessage lied about end-to-end encryption.
- TeleMessage's server vulnerability allowed downloading Java heap dumps containing plaintext chat logs via a public URL.
- The released heap dumps include plaintext messages and metadata like sender/recipient info, timestamps, and group names.
- DDoSecrets has extracted text from the heap dumps to facilitate research.
- The author is investigating the data and highlights DDoSecrets' impactful work, urging donations.
Windows 11's most important new feature is post-quantum cryptography. Here's why
a year ago
- Microsoft is updating Windows 11 with quantum-resistant encryption algorithms to prepare for future quantum computing threats.
- Quantum computers, which use qubits instead of binary states, promise breakthroughs in fields like metallurgy, chemistry, drug discovery, and financial modeling.
- Quantum computers could break RSA and elliptic curve encryption, which currently secure sensitive data worldwide, in hours or minutes instead of millions of years.
- Microsoft announced the availability of quantum-resistant algorithms in SymCrypt, Windows 11's core cryptographic library, starting with Build 27852 and higher.
- Microsoft also updated SymCrypt-OpenSSL, enabling the OpenSSL library to use SymCrypt for cryptographic operations.
Recreating a video from raw captured network traffic (2023)
a year ago
- Used Wireshark to capture live TV stream traffic by filtering source IP.
- Noticed live stream starts a new TCP connection every ~10 seconds.
- Extracted data from payloads of each TCP stream using tcpflow.
- Saved PCAP file and ran tcpflow to create files for each TCP stream.
- Played back the video using mpv, which showed a Formula1 podium ceremony.
- Highlighted the importance of encryption as unencrypted traffic can be captured similarly.
Paperbak, Paper Backups
a year ago
- PaperBack v1.10 introduces key improvements over v1.00, including proper AES encryption with key stretching and a switch from ECB to CBC mode for better security.
- AES key length is now selectable in the software, with a recommendation against using AES-256 due to its substandard key schedule.
- The software allows backing up files on paper as oversized bitmaps, with a capacity of up to 3MB per page when using compression.
- PaperBack is free, open-source software released under the GNU GPL v3, encouraging modifications and improvements by users.
- Installation is straightforward, requiring no formal setup—just copying the software to a directory with unrestricted write access.
- Setup involves configuring dot density, compression, redundancy, and encryption settings to optimize data storage and recovery.
- Data restoration requires a scanner with at least 900 dpi physical resolution and supports TWAIN interface and uncompressed bitmaps.
- The software uses Reed-Solomon error correction to restore partially damaged data, enhancing reliability.
- PaperBack was inspired by a practical question about data density on paper and developed as a proof of concept over a few weeks.
- The project acknowledges contributions from Phil Karn for Reed-Solomon code, Christophe Devine for AES encryption, and Julian R. Seward for bzip2 compression.
Twitter's new encrypted DMs aren't better than the old ones
a year ago
- Twitter's encrypted DMs were initially flawed, allowing easy key injection and lacking features like sending pictures.
- Elon Musk announced 'XChat', a new encrypted messaging platform, but it still has significant security issues.
- The new system uses Libsodium's boxes for encryption but lacks forward secrecy, making past messages vulnerable if a private key is leaked.
- Twitter's old system had scaling issues and didn't allow new devices to decrypt old messages.
- The new approach uses the Juicebox protocol to store private keys, protected by a PIN, but the PIN can be brute-forced relatively easily.
- Juicebox's security relies on trustworthy backends, but Twitter controls all backends, making them potentially untrustworthy.
- Twitter can still MITM (man-in-the-middle) messages by providing fake public keys, and metadata leakage remains a significant issue.
- Signal is recommended as a more secure alternative, offering better encryption and privacy features.
Why not use DNS over HTTPS (DoH)?
a year ago
- DoH (DNS over HTTPS) is criticized for centralizing DNS queries to a single provider like Cloudflare, raising privacy concerns.
- Mozilla's collaboration with Cloudflare for DoH implementation in Firefox has sparked debates over data privacy and commercial use of DNS queries.
- Alternatives like DNS over TLS (RFC 7858) offer transport encryption without the complexity and potential security flaws of DoH.
- The article advises disabling DoH in Firefox by setting 'network.trr.mode' to 5 to prevent its use under any circumstances.
- Critics argue that DoH's complexity and reliance on HTTP as a transport protocol introduce unnecessary security risks.
US lawmakers say UK has 'gone too far' by attacking Apple's encryption
a year ago
- US lawmakers criticize the UK for ordering Apple to weaken encryption, calling it a threat to global privacy and security.
- The UK's secret legal order under the Cloud Act allows access to encrypted data stored by Apple, raising concerns over US citizens' privacy.
- Lawmakers propose amendments to the Cloud Act to prevent undermining encryption and enhance cybersecurity protections.
- Experts warn that backdoors in encryption can be exploited by cybercriminals and foreign governments, posing national security risks.
- The UK's actions could set a precedent for other countries to issue similar orders against US tech companies.
- Apple is challenging the UK's order in the Investigatory Powers Tribunal, with hearings held in secret.
- The debate highlights the tension between privacy, security, and government surveillance in the digital age.
CoverDrop: A secure messaging system for newsreader apps
a year ago
- CoverDrop is a system for confidential communication between news app users and journalists without leaving traces.
- The system includes mobile app modules, a cloud API, CoverNode services, and a desktop app for journalists.
- It ensures plausible deniability by making all app instances behave identically, whether used for secure communication or normal news consumption.
- Messages are encrypted and indistinguishable from routine 'cover messages' to prevent detection by network observers.
- Secure servers process messages asynchronously, distinguishing real messages from cover ones and delivering them to journalists via dead drops.
- Journalists can reply to sources using the source's public key, with replies handled similarly to incoming messages.
- Message storage on apps is uniformly encrypted, showing no evidence of secure communication if a device is seized without the passphrase.
- The project is documented in a white paper and includes various components like Android/iOS libraries, APIs, and CLI tools.
- Security is a priority, with a focus on confidentiality, integrity, and anonymity, and the team welcomes responsible disclosures.
- The software is classified under U.S. export controls but is eligible for export under certain exceptions.
- The repository is licensed under Apache License 2.0 and accepts feedback via email, including for security issues.
A bit more on Twitter/X's new encrypted messaging
a year ago
- XChat's end-to-end encryption lacks forward secrecy, encrypting messages under recipients' long-term public keys.
- User private keys are stored on X's servers, accessible via PIN, without Hardware Security Modules (HSMs) for protection.
- Juicebox, X's key storage protocol, shards keys across three servers but all under X's control, raising security concerns.
- Juicebox aims to strengthen weak passwords using threshold OPRFs but relies on server enforcement of guess limits.
- X's Juicebox deployment appears to use software-based servers without HSMs, making it vulnerable to brute-force attacks.
- Threshold OPRFs in Juicebox allow distributed key generation but require careful implementation to prevent attacks.
- Potential attacks include server impersonation and replay attacks, highlighting the complexity of secure distributed protocols.
New Quantum Algorithm Factors Numbers with One Qubit
a year ago
- A new quantum algorithm can factor numbers using just one qubit and three oscillators, a significant reduction from the hundreds of thousands of qubits required by Shor's algorithm.
- The method encodes information using continuous variables in quantum oscillators, which can take any value within a range, unlike qubits that are limited to 0 or 1 upon measurement.
- Despite its theoretical breakthrough, the algorithm is impractical for large numbers due to exponentially increasing energy requirements, potentially needing the energy of multiple stars.
- The research introduces a novel approach to quantum computing by utilizing oscillators as information carriers, potentially opening new avenues for quantum algorithms beyond factoring.
- The team is exploring modifications to reduce energy costs and applying this continuous variable approach to other quantum computations, indicating broader implications for quantum computing technology.
Protecting Kids Shouldn't Mean Breaking the Tools That Keep Us Safe
a year ago
- The STOP CSAM Act of 2025 (S. 1829) threatens internet security and free speech by undermining end-to-end encryption and forcing companies to remove lawful content.
- The bill expands current laws by criminalizing and allowing civil lawsuits against services for 'promoting' or 'facilitating' child exploitation, even if they unknowingly host CSAM due to encryption.
- Broad terms like 'promote' and 'facilitate' could penalize encrypted apps, even if they cannot access or verify user content.
- The bill's affirmative defense for encrypted services is insufficient, as providers must still face costly litigation to prove it's 'technologically impossible' to remove CSAM without breaking encryption.
- The bill creates a new exception to Section 230, exposing platforms to lawsuits over user content, which may lead to excessive censorship and harm free speech online.
- Encrypted services and startups may struggle to defend against lawsuits, favoring large corporations like Meta and Google.
SimpleX – messaging network operating without user identifiers
a year ago
- SimpleX is a messaging platform with no user identifiers, ensuring 100% privacy by design.
- Features include double ratchet end-to-end encryption, mobile apps for Android and iOS, and terminal apps for Linux, MacOS, and Windows.
- Users can connect via one-time invitation links or temporary addresses, ensuring privacy.
- SimpleX stores all user data on client devices, with messages temporarily held on relay servers.
- The platform supports multiple languages and encourages community contributions like translations and donations.
- Groups and developer communities are available for user interaction and development support.
- SimpleX prioritizes privacy and security, with plans for future enhancements like automatic queue rotation and message mixing.
- The platform has undergone security audits and is open-source, with protocols in the public domain.
- Donations are accepted via various cryptocurrencies to support development.
- SimpleX differentiates itself by not using persistent user identifiers, enhancing privacy compared to other platforms.
Breaking My Security Assignments
a year ago
- Security assignments involve using a VM where updates are installed via encrypted GPG files.
- The VM's update mechanism uses GPG encryption with a passphrase file and keys stored in /root.
- By mounting the VM's disk locally, the author accessed the necessary files to decrypt updates manually.
- Decrypted updates contain Java code for generating tokens, which are AES encrypted with a module key.
- Tokens are generated using a combination of exercise identifiers and random strings, ensuring uniqueness.
- The author exploited this system to generate tokens without completing assignments, highlighting a security flaw.
- Preventing such exploits would require stricter access controls, like remote VMs, but is impractical for large classes.
- Despite the exploit, the author acknowledges the importance of completing assignments for learning and exam preparation.
Iran asks its people to delete WhatsApp from their devices
a year ago
- Iranian state television urged the public to delete WhatsApp, alleging it gathers user information for Israel without providing specific evidence.
- WhatsApp responded, denying the claims and stating it does not track precise locations, keep message logs, or provide bulk information to governments.
- The app uses end-to-end encryption, ensuring only senders and recipients can read messages, with intercepted messages appearing as unreadable garble without the key.
- WhatsApp is owned by Meta Platforms, which also owns Facebook and Instagram.
- Iran has a history of blocking social media platforms, with citizens often using VPNs to bypass restrictions. WhatsApp was previously banned in 2022 during protests but was later unblocked.
- WhatsApp was one of Iran’s most popular messaging apps, alongside Instagram and Telegram.

first prev1next

About|Login

#encryption

TeleMessage, used by Trump officials, can access plaintext chat logs

The Company Behind Signal Clone Mike Waltz Used Has Direct Access to User Chats

Gmail will soon stop support for the 3DES encryption cipher for incoming SMTP

CryptPad: An Alternative to the Google Suite

Florida bill requiring encryption backdoors for social media accounts has failed

How the Signal Knockoff App TeleMessage Got Hacked in 20 Minutes

DDoSecrets publishes 410 GB of heap dumps, hacked from TeleMessage

Windows 11's most important new feature is post-quantum cryptography. Here's why

Recreating a video from raw captured network traffic (2023)

Paperbak, Paper Backups

Twitter's new encrypted DMs aren't better than the old ones

Why not use DNS over HTTPS (DoH)?

US lawmakers say UK has 'gone too far' by attacking Apple's encryption

CoverDrop: A secure messaging system for newsreader apps

A bit more on Twitter/X's new encrypted messaging

New Quantum Algorithm Factors Numbers with One Qubit

Protecting Kids Shouldn't Mean Breaking the Tools That Keep Us Safe

SimpleX – messaging network operating without user identifiers

Breaking My Security Assignments

Iran asks its people to delete WhatsApp from their devices