U.S. officials urge Americans to use encrypted apps amid unprecedented cyberattack

The US Govt 5 years ago: e2e encryption is for terrorists. The govt should have backdoors.

The US Govt now: Oh fuck, our back door got breached, everyone quick use e2e encryption asap!

The Australian government tried to straight up ban encryption some years ago.
- I laughed so much at that. Encryption is literally just long complicated numbers combined with other long complicated numbers using mathematical formulae. You can't ban maths.
  
  If I remember correctly, there's also a law in Australia where they can force tech companies to introduce backdoors in their systems and encryption algorithms, and the company must not tell anyone about it. AFAIK they haven't tried to actually use that power yet, but it made the (already relatively stagnant) tech market in Australia even worse. Working in tech is the main reason I left Australia for the USA - there's just so many more opportunities and significantly higher paying jobs for software developers in Silicon Valley.
Different parts of the government. Both existed then and now. There has for a long time been a substantial portion of the government, especially defense and intelligence, that rely on encrypted comms and storage.
- FBI has definitely always been anti-encryption
More like 23 years ago when the Patriot Act was signed, and every time it has been re-authorized/renamed since. Every President since Bush Jr. is complicit, and I'm getting most of them in the previous 70-ish years (or more) wish they could've had that bill as well.

Oh gee, forcing companies to leave backdoors for the government might compromise security, everyone. Who'd have thunk it? 🤦

They knew, they were putting backdoors when they needed them.

Now the new administration will take half of the blame in public opinion (that's how this works) and also half of the profits, so they won't investigate too strictly those who've done such things.

But also words don't cost anything. They can afford to say the obvious after the deed has been done.

It's probably also good practice to assume that not all encrypted apps are created equal, too. Google's RCS messaging, for example, says "end-to-end encrypted", which sounds like it would be a direct and equal competitor to something like Signal. But Google regularly makes money off of your personal data. It does not behoove a company like Google to protect your data.

Start assuming every corporation is evil. At worst you lose some time getting educated on options.

End to end is end to end. Its either "the devices sign the messages with keys that never leave the the device so no 3rd party can ever compromise them" or it's not.

Signal is a more trustworthy org, but google isn't going to fuck around with this service to make money. They make their money off you by keeping you in the google ecosystem and data harvesting elsewhere.
- google isn't going to fuck around with this service to make money
  
  Your honor, I would like to submit Exhibit A, Google Chrome “Enhanced Privacy”.
  
  https://www.eff.org/deeplinks/2023/09/how-turn-googles-privacy-sandbox-ad-tracking-and-why-you-should
  
  Google will absolutely fuck with anything that makes them money.
- Signal doesn't harvest, use, sell meta data, Google may do that.
  E2E encryption doesn't protect from that.
  Signal is orders of magnitude more trustworthy than Google in that regard.
- It could be end to end encrypted and safe on the network, but if Google is in charge of the device, what's to say they're not reading the message after it's unencrypted? To be fair this would compromise signal or any other app on Android as well
- End to end could still - especially with a company like Google - include data collection on the device. They could even "end to end" encrypt sending it to Google in the side channel. If you want to be generous, they would perform the aggregation in-device and don't track the content verbatim, but the point stands: e2e is no guarantee of privacy. You have to also trust that the app itself isn't recording metrics, and I absolutely do not trust Google to not do this.
  
  They make so of their big money from profiling and ads. No way they're not going to collect analytics. Heck, if you use the stock keyboard, that's collecting analytics about the texts you're typing into Signal, much less Google's RCS.
- end to end is meaningless when the app scans your content and does whatever with it
- End to end matters, who has the key; you or the provider. And Google could still read your messages before they are encrypted.
- Note that it doesn't mean metadata is encrypted. They may not know what you sent, but they may very well know you message your mum twice a day and who your close friends are that you message often, that kinda stuff. There's a good bit you can do with metadata about messages combined with the data they gather through other services.
- You may be right for that particular instance, but I'd still argue caution is safer.
- Unless you’re Zoom and just blatantly lie lol
  
  https://arstechnica.com/tech-policy/2021/08/zoom-to-pay-85m-for-lying-about-encryption-and-sending-data-to-facebook-and-google/
- Of course our app is end-to-end encrypted! The ends being your device and our server, that is.
- They do encrypt it and they likely dont send the messages unencrypted.
  
  Likely what's happening is they're extracting keywords to determine what you're talking about (namely what products you might buy) on the device itself, and then uploading those categories (again, encrypted) up to their servers for storing and selling.
  
  This doesn't invalidate their claim of e2ee and still lets them profit off of your data. If you want to avoid this, only install apps with open source clients.
If its not Open Source and Audited yearly, its compromised. Your best option for secure comms is Signal and Matrix.
Well yeah, to use RCS on Android, you need to use Google's Messenger app, so they can absolutely still get your data. Source from GrapheneOS.

I don't use RCS because I refuse to use Google's Messenger app. Simple as.
RCS is an industry standard, not a Google thing.
End-to-end encryption matters if your device isn't actively trying to sabotage your privacy.

If you run Android, Google is guilty of that.

If you run Windows in a non-enterprise environment Microsoft is guilty of that.

If you run iOS or MacOS, Apple is (very likely) guilty of that.
- Yup, so I run GrapheneOS without Google at services. It probably doesn't spy on me, which is nice.

Like Signal?

Yes, like Signal!
Which does not only use end-to-end encryption for communication, but protects meta data as well:

Signal also uses our metadata encryption technology to protect intimate information about who is communicating with whom—we don’t know who is sending you messages, and we don’t have access to your address book or profile information. We believe that the inability to monetize encrypted data is one of the reasons that strong end-to-end encryption technology has not been widely deployed across the commercial tech industry.

Source: https://signal.org/blog/signal-is-expensive/

I haven't verified that claim investigating the source code, but I'm positive others have.
Or alternatively, Molly
- I read Molly is forked from Signal. Can I message Signal users from Molly, or do all parties need Molly?
No, BPs are a risk. Better to avoid apps that require phone numbers

until the republicans ban them so they can find queer kids and pregnant people getting healthcare and people reading books

A good advice: start learning how to self host, specially a matrix instance.
- How does that help me hook up on Grindr?
All that happens under Dems, too. Stop giving them a pass.

Y’all keep hitting that downvote button. I’d like to know how many of you are ok with fascism when it’s a Dem at the helm.
- Yup. The Apple-FBI encryption dispute started under Obama, as did the Snowden leak.
  
  Neither party is particularly pro-encryption, because governments in general see encryption by the public a hurdle for their operations (i.e. you don't need encryption if you have nothing to hide).
  
  Encryption isn't a partisan issue, and my understanding is that both major parties suck about equally on this issue.
- The Snowden leaks came out when Obama was president. Obama was the one who said, "The only people who don't want to disclose the truth are people with something to hide". The republicans and democrats are the same fucking people.
- All that happens under Dems, too
  
  Fucking what? Which democrats are banning books and putting together lists of trans children?
  
  And no, I'm not a fan of the DNC, I'm just not a fucking dishonest piece of shit.
- As if most of the legal provisions for widespread surveillance were not done under Clinton administration.
- Those downvoting need to learn about the PATRIOT act and FISA “courts”.
- Dumb people are down voting you despite the fact that you're 1000000% correct.
  
  Leftists need to stop defending the Democratic party so hard, it's making them look like neo liberals

Everybodies aunt at thanksgiving:

"I should be fine. I only trust the facebook with my information. Oh, did I tell you? We have 33 more cousins we didn't know about. I found out on 23andme.com. All of them want to borrow money."

Real encrypted apps, ...or just the ones their own government can use to spy on them?

In the voice of Nelson Muntz: "Nobody spies on our citizens but us!"
The reporter mentioned signal, though the gov spokespeople didn't seem to recommend any specific app
Use something where the client is open source.

Sounds bad I guess, but the USA has been spying on us for a long time now. Is the bad part that it's China?

Bets on this being directly related to back doors that US spy agencies demand be installed?
- RTFA
  
  The third has been systems that telecommunications companies use in compliance with the Commission on Accreditation for Law Enforcement Agencies (CALEA), which allows law enforcement and intelligence agencies with court orders to track individuals’ communications. CALEA systems can include classified court orders from the Foreign Intelligence Surveillance Court, which processes some U.S. intelligence court orders.
- Wouldn't surprise me. "We're doing this to be helpful to you!" is actually moustached disney villain behavior.
  
  ^ similar to the prisoners with cats gimmick. "look how nice we're being to our prisoners" is actually "stop yelling at your bunkmate or we'll take away your cat"
When a whole nation's communications are intercepted by another entity, yes, the bad part is that it's another nation. Especially an adversarial one.

This is not about individuals' personal privacy. It's about things that happen at a much larger scale. For example, leverage for political influence, or leaking of sensitive info that sometimes finds its way into unsecured channels. Mass surveillance is powerful.
Yes. Wars happen. Even corrupt politicians are nicer when their control base is inside the country.

From RFC 2804:

The IETF believes that adding a requirement for wiretapping will make affected protocol designs considerably more complex. Experience has shown that complexity almost inevitably jeopardizes the security of communications even when it is not being tapped by any legal means; there are also obvious risks raised by having to protect the access to the wiretap. This is in conflict with the goal of freedom from security loopholes.

https://datatracker.ietf.org/doc/rfc2804/

This was written in 2000 in response to US government requests to add backdoors to voice-over-IP (VoIP) standards.

It was recognized 25 years ago that having tapping capabilities is fundamentally insecure.

You don't need technical knowledge to see the problem.

If you live in an apartment and your landlord has a master key, then all an attacker needs to do is get that master key. In an apartment complex, maybe that's okay because who's going to break in to the landlord's office? But on the internet, tons of people are trying to break in every day, and eventually someone will get the key.

Even for the landlord, I'd rather them have a copy of my key than a master key, because that way they'd need to steal my key specifically.
- And I had one experience where our landlords attempted to rob us.
It was always recognized.

Every time I go to the Interwebs and read what people have to say on security, it's always the same high horse absolutism.

I've read Attwood's book on Asperger's syndrome a couple weeks ago. There such absolutism was mentioned as a natural trait of aspies, but one that, when applied to social power dynamics or any military logic, gets you assroped in jail.

People who want to spy on you or read all your communications understand too that general security suffers, but just not having that power is out of question for them, and also with the power they already have the security effect on them personally won't be too big.

It's a social problem of the concept of personal freedom being vilified in the Western world via association with organized crime, terrorism, anarchism, you get the idea.

It's not hard to see that the pattern here is that these things are chosen because they challenge state's authority and power, because, well, subsets of what's called organized crime and terrorism that can be prevented by surveillance are not what people generally consider bad, and anarchism is not something bad in any form.

What's more important, people called that do not need to challenge the state if the state is functional, as in - representative, not oppressive and not a tool for some groups to hurt other groups.

As we've seen in all the world history, what's called organized crime and what's called terrorism are necessary sometimes to resolve deadlocks in a society. It has never happened in history that a society could function by its formalized laws for long without breaking consistency of those. And it has never happened that an oppressed group\ideology\movement would be able to make its case in accordance with the laws made by its oppressor.

Why I'm typing all this - it's not a technical problem. It's a problem of bad people who should be afraid not being afraid and thus acting, and good people who should be afraid not being afraid and thus not acting.

End-to-end encryption is indispensable. Our legislators (no matter where we live) need to be made to understand this next time they try to outlaw it.

“So it’s like a filter on the tubes?” - Our legislators
- "you wouldn't put a dump truck full of movies on a snowy road without chains on the tires would you?"
- Ew.
  
  Think of it like this:
  
  no encryption - sending a postcard
  
  client to sever encryption - dropping off the postcard at the post office instead of the mailbox
  
  end to end encryption - security envelope in the mailbox
  
  read receipts - registered mail
  
  Hopefully you're less wrong now Mr/Mrs legislator.

On January 20th: The cyberattack is coming from inside the house!

Dumbfuck and his cronies now have access to PRISM and ECHELON. Again.

I use a one time pad with all of my contacts. I ask them to eat or burn each page when they are used up.

I go one further and also use public/private key pairs that my acquaintances must use to decrypt the scrambled letters I mail them.
- All my official communications are in a rotating cypher of Navajo, Hungarian, and Korean.
I use some decoder ring I found in a cereal box, it's totally secure.

B̷̡̡̢̧̺̩̝̤̜̪̰͖̻̗͇͓͙͍̦̹̹͚̠̲͔͕̫̤͎̳̱̦̜̖̤͙̎͌͑̂̿̋͐͂̉͜͜͜ͅe̸̺̠̰̋̐͑͒͗͑̑͂̿͑͘͠͝ ̴̡̨̢̨̨̡̯̺̤̝͇̠̯͚͇̰͈͙͍͕̖͕͖̜̹̰̗͙̈̍̄͂́͜ṣ̵̡̞̰͎̝͙͚̘̞̓̊̿̂̉͐͐̐̀̍̂́͋̏́̚͘͠͠ư̴̧̧̨̧̝͙̰̗͓͉͚͇̻͇̝͖̞͙̤͙̞͔̯͈̙̗̰̖̺̼͕͇̗̂̎̐̅͊̔͋̄̿̅̎̍͂̏͘̚ͅṛ̶͙͙͚͖̭̆̄̎̔̾͛̏̈̽͌̎͋̿̈̌̃̃͑̑̏̐̽̎̉́̊̿̆̌̕͜͝͠e̵̛̝̱͓̐̂͊̀̓̑̈́̒̓́̂̿̒̒̔͌̆͌̎͆̓͂̂̏͆̑͜͝͝ ̶̧̧̳̮̬̤̱̯͚̜̜͔̞̰̠̼̩̘͖̹͕̥͔̰͎͖̩̠͇̭̭̺̮̔͊͛̉͐͗͛͌̓̂͐̇̔̑̓̐̇̀̅̿̿̃͛̈́̔̏͛̓͂̏̕̚̕͜͠͠ͅͅͅͅţ̵͔͂̋͌̋͊͗̇ơ̷̘̱͙̝͖͍̪̗̮̫͉͖̪͉̯͙͛̋̾̑͛̇́̑̒̓͐̀̇̓͒̾͛͆̾͗̒̕̚͘͜͝ ̶̧̡̢̭̥͚̱̲̮͙̠̼͉͖̞̩̞̰̠͍̭̭͖͖̻̜͖͇̬͎̮͙̦͗͌̈̌̍̔̋̔̈́̈́̃̍̓͌͒̉̓͐̓̏̓̃̇̅́̐̃̂̚̕͜͝͝d̸̢̨̢̧̢͔͚̼̩̮͖̭̥̮͓̭͇͖̞̰̞̰̋̓̊̈́̈̐̄̆͊̈͑̓̉͝͠ͅŗ̵̲͓̠̮͉̹͍̰̟̘̄̈́̈́̂̀̆͗̔̓̔̐̀̍̓̄̾̋͋̆̈́̓͐͊͒͋͂̓̽͌̂̊͂̔͋̓͌͐̈́̓͠͝ĩ̴̛̛̝̹͓͚̦̱̰̫̌̋͌̏̒́̇̂̅̎̄͒̏̎̈͊͊̽͘̕͜͝͝͝͠n̴̨̡̡̛͚͖̼̖̦͔̬̩̝̞͔̥͖̫̮͎̻͔̪͍͖̣̻̯͉̝̜͓̐̏̾̋̂͛́̍̄̿̔͛̉̾̏̆̍͋͒̂́̽̆͐̋̈͆̊̈̈́̽̔̏̏̎̕̚͘̚͠k̴̡̭̙̼̻̟͔̏̂ ̵̨͓̺̲͇͔̪͇͓̥̰͈̲͊́̂́͋̊̀̾̌͋̉͑̍̿̆̊͐͆̏̑̑͛̾̀̀̏͆̽́͝͠ỵ̶̡̝̺̙͇̪̮͚̣̓̍̐̄̉̇̀͋̔̀̂͒̾̋͘ǫ̴͇̝̤͕̮̺̦̼̪̯̟̼̳͙̼̃̈́́͗̓̊͑́̾̈́͘̕͜͝͠ͅͅų̷̢̛̭̟̭̖̟͇̪̦̪̳̯̟̬͉̬͉͎̫͎̮̜̠͔̝̜̭̪̤͆̆͋̉̆̓̽̋̀̆̌͝r̵̨̡̳͈̝͈̖͈̻̺̮͖̻͓͓͇̩͖̬̣̪͙̗̥̯̍̍͂͂́̑ͅ ̷̢̧̢̧̛̛̖̹͉̳͚̞̟̻̮̟͙̥̥͓͙̻̩̙̈̓͆͌̈́͊́̈́̎̑͗̑̆̀̈́͆̏ͅƠ̴̛̛̱̰̬̲̼̹̬̰̮͓̜̐̔̈́̾̓͆̔͂̂͂̂̓̏̾͐͌͘̕͘͝͝͝v̴̛̤̝̹͙̩͌̾̾̒͋͐͂̍̽̈́͛̎̆̋̓̔̀́̍͑͌͌͂͆̈̚̚̚͘͜͝͝ͅå̶̡̢̹̻͙͗͒̌̓̑̋̂̉̿̌̋͋̆͋͋̈́̋̎̀͝͝ĺ̶̡̨̨̨̛̻͙̘̖͍̥̝̺͔͙̱̼͙̱̀͌̃̍́͊̉͑̐ͅt̶̡̛͎͕̥͉̙̰̫̲̺̩̘̜̖͔̝̜̤̮͙̳̻̮̠̦́̌͌̍̑̃̿̔͒͗̑̏̎̿̉̀̀͊̽̃̽͌͆̏͗͗̋̈́̔̉́̒͗̑̊͜͝ͅį̴̡̢̡̪̥͉̩̯͎̩̤̺̙̩̳̘͓̣̮̰͔̯̘̰̖̪̻͉̣̖̬̩͉̦̃̂̍͜ͅͅņ̵̡̢̧̢̯̠͍͖͔̬̜̥̗̜͈̮͖̗̺̳̱̣̟̦̗͉̮̥̏̿͒̏͆̔̀͐̉̀͗͋͐͌͒̀́̿́͗͂́̏̂͊̑̅͝͝͝͝ȩ̶̨̡̨̫͉̱͉̦̫͇̪̼̰̺̩̘̼̬̝̘̥͖͎̬̺̀̓͋̄̂̉͝͝

What i read [and corrected] from the article :

"The hacking ~~campaign~~ [group], nicknamed [ by Microsoft ] Salt Typhoon ~~by Microsoft~~,
[ this actual campaign of attacks ] is one of the largest intelligence compromises in U.S. history, and not yet fully remediated. Officials in a press call Tuesday [ 2024-12-3 ] refused to set a timetable for declaring the country’s telecommunications systems free of interlopers. Officials had previously told NBC News that China hacked AT&T, Verizon and Lumen Technologies to spy on customers."

Thanks I thought from reading this maybe Salt Typhoon was the codename for the next version of windows.
- No, that's Salty AI

The same people who want to get rid of encryption

I mean, clearly not the SAME people.

Guess that confirms that E2EE is effective against these backdoors.

We've long had NSA slides that showed Tor and e2ee solutions as "disastrous" to their visibility.

Hear me out, maybe we should update pots and sms to have optional end-to-end encryption for modern implementations as well...Optional as backwards compatible and clearly shown as unencrypted when used that way to be clear.

Att won't make money off that unless they offer it as a paid service. No reason to give that away for free and the other cell carriers can just pay off (bribe with campaign contributions) legislators to understand encryption is "too costly to implement at such a scale"
You mean RCS?

I'll raise you one better: use Signal (or simplex.chat if you're cool). Google and Apple control RCS, and carriers can still sniff metadata. Cut both groups out with a proper messenger.

There's been a lot of good research done lately on how to achieve trusted communication on untrusted platforms and over untrusted channels. Encryption is a big part of that.

And there are a number of scenarios where the ISP creates a hostile environment without having been compromised by an external actor. A malicious government, for example, or an ISP wanting to exploit customer communications for commercial reasons.

Hey you guys remember that big AT&T breach recently?

Question for more tech savvy people: should I be worried about wiping old data, and if so for which apps? Just messaging apps, or also email and social media? Or can I just use the encrypted apps moving forward?

the safest perspective to have is this -

every single thing you send online is going to be there forever. "the cloud" is someone's server and constitutes online. even end to end encryption isn't necessarily going to save you.

for example iCloud backup is encrypted. but Apple in the past has kept a copy of your encryption key on your iCloud. why? because consumers who choose to encrypt and lose their passwords are gonna freak out when all their data is effectively gone forever.

so when FBI comes a'knocking to Apple with a subpoena.. once they get access to that encryption key it doesn't matter if you have the strongest encryption in the world

my advice

never ever ever write something online that you do not want everybody in the world seeing.

to put on my tin foil hat, i believe government probably has access to methods that break modern encryptions. in theory with quantum computers it shouldn't be difficult
- I'd imagine operating a quantum computer for blanket surveillance is cost-prohibitive, but yea, if you've given them reason to look at you just assume they have the means to break your encryption.
- I agree with you and I don't put anything that I would consider questionable online, at least not these days. I'm just having a hard time figuring out what adjustments to make in addition to worrying about personal things I've already shared, like my gender and race. You know what I mean? I'm a married woman, and I have info in various places about our family planning choices, to give an example. That's really starting to worry me, but how can I even begin to delete my data? It's everywhere. Every doctor has their own patient portal, I have multiple email accounts, and I don't even want to think about the dumb shit I might have posted when YouTube comment sections were new.
  
  It's all really overwhelming.
just wanted to add that deleting an app will not result in deletion of your data stored in the cloud (e.g. your emails)
- That I do know. I'm not worried about emails, or really anything specific. My online activity is pretty tame, but that's within the context of a country with a functioning democracy that treats women like free humans. Not a surveillance state that plans to criminalize reproductive healthcare and turn women into sex slaves. I guess the problem I'm having is I don't know how much I need to change my online habits because I have no idea how bad things are going to get.
That depends on the privacy protections where you live and the policies of each service:

most places in the US - they already have your data and aren't obligated to delete it

outside the EU - probably the same as the US

the EU or select states (e.g. CA) - you have some protections and a legal obligation to honor delete requests

For the first two, I wouldn't bother. I personally poisoned my data with Reddit before leaving, because I've heard of then reversing deletions. For the third, deleting may make sense.

But in general, I'd keep your other accounts open until you fully transition to the new one.

Below is information when considering a replacement service.

Anything where data is stored on a server you don't directly control can be leaked or subpoenad from the org that owns that server. Any unencrypted communication can be intercepted, and any regular encryption (HTTPS) can be logged by that server (e.g. under court order without notifying the customer).

Even "secure" services can be ordered to keep logs. Here's an example from Proton mai, and here's one involving Tutanota.

So it depends on your threat model, or in other words, who you're trying to keep away from your data. Just think about how screwed you might be if:

a hacker dumps the servers data

a police agency secretly orders recording of data and metadata

someone steals your device

the police confiscate your device

The answers to the above should help you decide which to type of service you'd feel comfortable with, and what tradeoffs you're willing to make.
- Check out your old reddit account. I poisoned my data, too, then deleted it, but they restored it completely like the bastards they are. I deleted my 2F too, so it's there forever now.
Wiping old stuff won't hurt, but they might not actually delete it.
- That's definitely something I worry about, especially after the recent reddit clusterfuck.

Just stop using your electronic devices. Not like they don't all have monitors built in already anyway. Every connected device could be sending screenshots home and we'd never know. I mean, I guess you could use something like Wireshark to monitor your home network, but something tells me nowadays there are ways around even that. I'm not a certified network tech or even a script kiddie, but I don't trust my tech as far as my dog can throw it. I just try to secure through obfuscation as much as possible. Everyone thinks I have carbon monoxide poisoning, but it's a small price to pay for peace of mind - even a small one.

Do what the Germans did in ww1 when they knew their diplomatic code was broken but couldn't change it. They put the important stuff in plain sight and treated it like junk mail and encoded the boring stuff.
- That's what I'm sayin. Or if nothing else just fill the airwaves with garbage.
You & others might be interested in this:
https://insights.sei.cmu.edu/library/field-stripping-a-weapons-system-building-a-trustworthy-computer-video/
and maybe this:
https://en.wikipedia.org/wiki/Intel_Management_Engine
- Thank you!

The US gov should provide us with their own encryption app to protect us and just have a backdoor only they can access so they can keep an eye on any baddies! #Igotnothingtohide #amiright #muricafuckyeah

Poe's law?
- Coles law

Interpretation - the NSA can now crack all common encryption methods, so let's disadvantage our adversaries at no real cost to us.

I vaguely recall Bruce Schneier saying that there is good evidence that the NSA cannot crack certain encryption methods. At the time, RSA was on the list. Maybe common methods mean roll-your-own corporate encryption, but it's my understanding that GNUpg and similar software are safe.
- Well, GPG doesn't have PFS, but its a good starting point to say hello and then upgrade to some better encrypted messaging app