So, government argues it needs broad spying powers for the "security" of the people, but many individuals in the government personally use tools they believe to be beyond the government's reach.
Since I don't anticipate the USA ever outlawing unbreakable crypto for use by private citizens or companies, does that mean eventually government can only spy on those citizens not savvy enough to use secured tech to communicate?
I guess the flipside here is: how many of those officials using Signal have an Amazon Echo in their homes that's recording all their conversations?
Of _course_ those in power believe themselves smart enough to avoid the rules they wrote - they want to be secure, and know the presence of very real threats both within and outside of the US. I'm not defending it - but you'd have to be extremely foolish to commit a crime from your @whitehouse.gov email address. You'd have to be equally foolish to commit any crime over email or unencrypted IM if you'd talked to a lawyer with half a braincell to rub against a rock.
And the US /has/ banned unbreakable crypto - those 56 bit ciphers in old browsers? That was export law banning the export of 'weapons' to unfriendly states. While the law has been rescinded, nothing has made it hard for congress (or even the executive) to change that.
And lastly - Echo does NOT transmit to amazon when the light is off (perhaps unless compelled to by court order - but I leave paranoia to your imagination). Don't believe me? Disconnect your internet and ask for the time - it knows how to do a few very minimal things without the network -- No AWS transmission needed if your clock's in sync.
This view of the amazon Echo threat model is very narrow and credits a great deal of trust into Amazon and or how things "should" work. I won't go into the likelihood that what I am about to explain is an actual reality, but in practical terms a nation state actor like the NSA can backdoor the Echo.
Just because a simple test (disconnecting the network) shows you one behavior tells you absolutely nothing about how it could be backdoored. It could be as exotic as a payload deep in the NIC firmware that merely requires the right packet to cross through it, completely altering the behavior so it can silently listen. Anyone that can accomplish this much can make the device behave normally until they want it not to. And even then, it will APPEAR normal. It could also be as simple as code Amazon knows about and is compelled by a NSL to never reveal.
So, paranoia or likelihood aside, using some cursory behavioral conclusion as an argument is weak at best. We can also talk about phones, laptops and so many other things and why the meme of the echo being /the/ spy device has gained mind share. Anyhow, for the truly paranoid even something like a modern mobile device is a bit of a non-starter.
Based on the things Snowden leaked, they would backdoor the hardware before it ever reached your home.
Or at the design level. A part of me strongly suspects that the Intel IME was dreamed up by the NSA and I'd be very surprised if they don't have a way to own it.
That would be my suspicion for a well funded nation state as well. The NSA dedicates a non-trivial amount of time to analyzing the chips they source and use in their infrastructure for backdoors. That is not a defensive only capability :)
Is there any special reason to worry about your Echo being backdoored rather than your PC or laptops with their frequently built-in microphones? Heck even my computer monitors seem to have microphones today.
I'm sure my PC is a lot easier to break into than the Echo. Depending on how the Echo works, it might not be so easy to back door. It's not likely to be running any system services that can be connected to remotely. It's a pretty simple device without a lot going on internally (compared to a phone or PC). I'd be far more worried about complex electronics like a television or PC being backdoored than an Echo. Furthermore, because these other devices are an order of magnitude more popular, and actually store people's data there's far more incentive for malicious actors of all kinds to develop back doors for them.
The Echo is actually a pretty uninteresting target. It doesn't store any data. Maybe you can break into it remotely and use it to listen, but that's it. That's all. You cannot, just by breaking in, sift over a vast trove of preexisting information, like you can with a PC. You'll never steal someone's documents, or read their email, or steal their passwords. Plus if you get into someone's PC or phone you can probably turn on a mic and record them too! I think the Echo honestly has pretty limited value on average as an attack target. It will be low in the priority list for attackers to target.
Regardless, if any of these devices are backdoored and recording me, then it will be trivially easy to detect that unexpected network activity. I am far less worried about my Echo than my PC, because I expect my Echo to have zero network activity except when I'm using it. Since it does one thing, it has no excuse for unexpected network activity. It's very easy for me to monitor that network activity - built right into my wireless router. With my PC, who knows what the hell it's doing because some software decided to download an update. PCs and phones are not simple enough that you can expect them to have no network activity when idle. The Echo is simple enough to have no network activity when idle.
Because the Echo would be so easy to detect if it were improperly recording you, I do not think a state actor would risk trying to observe anyone security-conscious in that way.
Also we have to separate assessments of irrational paranoia into pre-Snowden and post-Snowden realities. The lens through which we now view these things is fundamentally different.
> Don't believe me? Disconnect your internet and ask for the time
well that settles it then. I'm sure an unscrupulous entity would never think of compressing an audio stream for later retrieval/conversion to text/spurious retrieval. That would be dishonest.
I worked on the Echo firmware and cloud software. Let me definitively say:
It's easier for a malicious software engineer to embed a backdoor than the NSA, barring any vulnerabilities in open source software (openssl, Linux, etc.).
The "wakeword" is detected by a pretty large user space program, constantly observing filtered audio. The device can not recognize much on its own.
The Echo family also can't stream audio continually, the CPU is not very powerful and the sheer bandwidth required would be enough for anyone tech savvy to notice.
The firmware and OTA process is likely more secure than necessary and it would be stupid difficult for a 3rd party to produce a signed firmware image, and involving Amazon would likely rouse the suspicion of many engineers and they're not known to keep their mouths shut.
I would be (and am) much more concerned about my phone or laptop (or surroundings) recording me than the Echo devices.
I am happy to talk more about the device security privately. I am sick at the amount of FUD around this class of products. There are so many more frightening threats out there.
(Disclaimer: I used to, but no longer, work for Amazon.)
> The Echo family also can't stream audio continually, the CPU is not very powerful and the sheer bandwidth required would be enough for anyone tech savvy to notice
You can stream voice in 10kbps. When I was a kid I streamed voice using a Z80. CPU and bandwidth are not limiting factors.
The fear isn't over what the Echo does in normal operation, it is what the Echo does when it has been compromised. It is nothing but a fancy remote controlled microphone sitting in your living room -- people used to write books about this to describe a dystopian future.
> It's easier for a malicious software engineer to embed a backdoor than the NSA, barring any vulnerabilities in open source software (openssl, Linux, etc.).
Of course. An engineer within the company has access to source code without having to involve multiple parties. This does not preclude other threats or diminish the reach of a well-funded agency.
Can an engineer at Google write code to log searches more easily than an outsider? Sure. That doesn't mean that you should write off the possibility that a third party could do the same.
> easier for a malicious software engineer to embed a backdoor than the NSA,
> and involving Amazon would likely rouse the suspicion of many engineers and they're not known to keep their mouths shut
Pretend I'm NSA. I show up to head counsel at AMZN with an NSL saying "all your code are belong to me". He says "yessa massa" and bows. I say, "ok, not all your code, but give me full disk images of the build server that signs code for the echo, and full disk images of the git server housing the current echo build."
One "yessa massa" later, and he briefs CTO of DevOps to do the pull, which happens at 2:30am on a sunday morning (when those chatty-cathy engineers are fast asleep in their neckbeard nests). `cp disk1 disk2 /nsa_folder/` wait 20 minutes, done. NSA is doing full signed echo builds by EOD Monday.
What is actually precluding that from happening? Now NSA can build "updates" for the echo, sign their builds, "deploy" them using their rooted telco infrastructure. What would actually keep this hypothetical scenario from happening?
> The Echo family also can't stream audio continually, the CPU is not very powerful and the sheer bandwidth required would be enough for anyone tech savvy to notice.
This is probably the most compelling independently-verifiable argument.
Even assuming the ability to do arbitrary things with an Echo, logging or transmitting useful voice all the time without notice isn't doable. And it seems hard to recognize suspicious discussions and turn on just for those (Echo has enough trouble recognizing "Alexa" 100% reliably).
You could subvert Echo so that it records you during pre-determined times - but there are so many other devices you could subvert, too. Getting malware on a government official's personal laptop via spearphishing seems so much easier.
"The Echo family also can't stream audio continually, the CPU is not very powerful and the sheer bandwidth required would be enough for anyone tech savvy to notice."
What is the bandwidth required to stream speech? I remember reading back in the old days that speech only required 8k of bandwidth. Now with codecs that do efficient compression of speech, like Speex[1] and Opus[2], I expect that figure should be much improved.
Are you really going to notice an 8k increase in your bandwidth usage?
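Two of the comments above make a testable claim: the earlier one that a single-purpose device should show no upstream traffic when idle, so surreptitious recording would be easy to spot at the router, and the later one asking whether an 8 kbps speech stream would even be noticeable. The following script is an added example (not code from the thread or from Amazon) that puts numbers on both: it computes how many bytes a continuous speech stream at a given bitrate needs, then runs a simple detector over constructed router log lines and flags any device whose upstream rate stays at speech-codec levels for several consecutive minutes. The log format, MAC addresses and byte counts are all made up for the demo; a real router or flow exporter would need its own parser.

```python
"""
Added example: spotting a 'should be idle' device that uploads continuously.

Compares each device's sustained upstream rate against what a low-bitrate
speech codec would need.  Log format and addresses are constructed for the
demo, not taken from any real router.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one line per device per one-minute bucket.
# Fields: timestamp, source MAC, bytes sent upstream in that minute.
# ...:01 is the single-purpose device, ...:02 is a laptop fetching an update.
SAMPLE_LOG = """\
2017-02-12T02:00:00 aa:bb:cc:00:00:01 412
2017-02-12T02:01:00 aa:bb:cc:00:00:01 388
2017-02-12T02:02:00 aa:bb:cc:00:00:01 61440
2017-02-12T02:03:00 aa:bb:cc:00:00:01 62110
2017-02-12T02:04:00 aa:bb:cc:00:00:01 60980
2017-02-12T02:00:00 aa:bb:cc:00:00:02 9810
2017-02-12T02:01:00 aa:bb:cc:00:00:02 120000
2017-02-12T02:02:00 aa:bb:cc:00:00:02 15
2017-02-12T02:03:00 aa:bb:cc:00:00:02 0
2017-02-12T02:04:00 aa:bb:cc:00:00:02 30
"""


def speech_stream_bytes(bitrate_kbps, seconds):
    """Bytes a continuous stream at bitrate_kbps (1 kbps = 1000 bit/s) needs over `seconds`.
    At 8 kbps that is 3.6 MB per hour, roughly 86 MB per day."""
    return bitrate_kbps * 1000 * seconds // 8


def parse_log(text):
    """Parse 'timestamp mac tx_bytes' lines into (datetime, mac, int) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, mac, tx_bytes = line.split()
        records.append((datetime.fromisoformat(ts), mac.lower(), int(tx_bytes)))
    return records


def upload_rates_bps(records, bucket_seconds=60):
    """Per device: time-ordered list of (timestamp, upstream bit/s) for each log bucket."""
    per_device = defaultdict(list)
    for ts, mac, tx_bytes in records:
        per_device[mac].append((ts, tx_bytes * 8 / bucket_seconds))
    for series in per_device.values():
        series.sort()
    return dict(per_device)


def flag_sustained_uploads(rates, threshold_bps, min_consecutive):
    """Return {mac: [(start_iso, end_iso), ...]} for every run of at least
    min_consecutive buckets whose upstream rate stays at or above threshold_bps.
    A one-minute burst (a software update) is ignored; a flat, continuous
    trickle at speech-codec rates is what gets flagged."""
    flagged = {}
    for mac, series in rates.items():
        runs, run = [], []
        for ts, bps in series + [(None, -1.0)]:  # sentinel closes the last run
            if bps >= threshold_bps:
                run.append(ts)
            else:
                if len(run) >= min_consecutive:
                    runs.append((run[0].isoformat(), run[-1].isoformat()))
                run = []
        if runs:
            flagged[mac] = runs
    return flagged


if __name__ == "__main__":
    print("8 kbps speech for one hour:", speech_stream_bytes(8, 3600), "bytes")
    rates = upload_rates_bps(parse_log(SAMPLE_LOG))
    # Flag anything sustaining at least half an 8 kbps stream for 3 minutes.
    for mac, runs in flag_sustained_uploads(rates, threshold_bps=4000, min_consecutive=3).items():
        print(f"{mac}: sustained upload {runs}")
```

The point of the threshold and the run length is that the laptop's 120 kB burst in a single minute is ordinary behaviour, while the single-purpose device's flat ~8 kbps for three minutes running is exactly the signature a compressed voice stream would leave. 8 kbps is small against a home connection, but it is not small against a baseline of a few hundred bytes a minute, which is why per-device rate monitoring at the router catches it where a glance at total usage would not.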
> does that mean eventually government can only spy on those citizens not savvy enough to use secured tech to communicate?
One of Signal's goals is to be proliferated in mainstream applications (like Whatsapp) so hopefully those not savvy enough to use Signal directly can benefit from the pressure that savvy users exert on Facebook and others to be reasonably confident in their crypto. Similarly, I've never personally verified that my version of Signal is the same as one that I could build from source, but I make the tradeoff that someone more paranoid than me would notice a widespread compromising of the app store.
I'm a little confused about what point you're trying to make what with all these kitchen sinks you've thrown in. Not everyone in the 'political world' works for the government, I'd think that includes members of the media and lobbyists and many others who have a relationship with government but aren't necessarily part of it.
The copy on the package says it only records when triggered, by a key phrase. There's nothing that prevents it from recording and processing differently on other "key phrases", or on receipt of a remote command.
I'd rather have an infosec-competent government than one that's an open book to foreign adversaries. The last few months have been embarrassing. We had one top official run their own email server out of a private basement in suburban New York, unsecured and unmonitored. We had John Podesta, seventy years old, fall for a Russian phishing scheme that involved downloading an executable email attachment, presumably clicking through the warning and running it anyway.
In the wake of that, political officials may have been scared into caring about infosec. We may be winning the fight against apathy and incompetence -- but we are still losing the fight against hypocrisy.
--
Both the current and previous administrations are full of powerful people who want privacy and security for themselves, while denying the same to the citizens they serve.
The previous administration promised, in 2008, to be the most transparent ever. It proceeded to have an abysmal record with respect to whistleblower prosecution, government transparency, and FOIA obstruction. The new administration looks likely to be even worse.
Laws like the Snoopers Charter, recently passed in the UK, cast an ominous shadow over the whole American security profession. Thoroughly nontechnical old men run our government. We must convince them and the public that strong encryption with no backdoors is critical both for national security and for the preservation of our First Amendment rights.
Call your senators and call your representative. Demand better.
> We had John Podesta, seventy years old, fall for a Russian phishing scheme that involved downloading an executable email attachment, presumably clicking thru the warning and running it anyway
What does Podesta's age have to do with anything at all??
Talking to teachers is eye-opening: younger kids are more comfortable with a few specific tasks but on average they're no better than their parents, especially when it comes to things like security[1]. We need a combination of country-wide education and the equivalent of UL/Consumer Reports for buying advice.
1. my wife did have a student protest the no phones in class ban so he could login with Google Authenticator, so it's not like there aren't exceptions.
IIRC Signal did get a "knock at the door" and, rightly, had almost nothing to give the government - mostly because of how they designed their architecture, but admittedly partially because of the metadata they chose not to store.
Lavabit's situation was different because they were a "choose not to look" solution, not a "can't look" solution.
That said, Signal is centralized, so it's not like they are particularly robust against that sort of thing, just that other than getting Signal shut down, any strong-arm tactics are unlikely to result in very useful information from OWS.
I think if Signal gets shut down it will be a real turning point. Either a huge number of people are going to move to the Riot solution of hosting their own messaging, or a hundred new Signals are going to pop up just forking the already OSS Signal code.
I thought the Snowden revelations were going to be the turning point. But it turned out it was not a turning point, but just a wake-up call.
I honestly don't see a revolution coming if Signal is shut down. There will be some angry folks, sure, and that will last a while, but then everyone will move on. Exactly as it happened with the Snowden revelations.
I doubt any sort of real revolution would happen, my comment was probably worded badly. I meant more as a turning point for the sort of privacy-conscious people who already use Signal. I, and a lot of the people I talk to, take a position on personal tech privacy on something of a middleground, not the full nuclear option and not the Facebook option.
If Signal goes down I would speculate a lot of people who already have things like encrypted messengers, adblockers, things of that nature, would start to move to the only-vpn, no javascript run ever, no Google Play Services on your phone, no proprietary software at any stage of your life sort of deal.
Truly decentralized solutions like riot may be the next step. I have a group of friends that have been in a singular group chat since high school and I plus one other convinced everyone to move to Signal the day after election day. In another couple years if riot matures and/or Signal shows signs of being inadequate, one or more of us will probably host our own riot messaging server.
Sure... they should just use their (clearnet) government email addresses, secured with mandatory 2FA. If those get hacked it would be potentially embarrassing, but it would be less likely if they all had reasonable security measures.
For any classified material officials can use their SIPRNET/JWICS emails, for which suspicious access is much more closely monitored, of course.
It's worth remembering that the fundamental premise of that position is that the government might be able to field a better security team to protect the most sensitive email in the world than could Google.
Not many security people in the world would sign on to that position.
Eh. At some point, the threat isn't how good your crypto is but rather how much you're willing to sacrifice to keep it that way.
Signal's authors may be more technically competent than a government security officer, but Signal can be coerced into releasing an update that surreptitiously changes the behavior of the application whereas well-protected NSA officers are (theoretically) more immune.
gmail isn't the only thing that govt services "compete" with. Clinton's self-"secured" email server, for example. In that case, we all would have been better off if she had used govt services, for security and for the "sunshine" effect.
No, that's also almost certainly false, because at the time she was doing that, unbeknownst to her, the State Department email servers were completely owned up by Russian hackers.
Clearly, I'd rather Clinton use GApps than run her own email server. But for security, her worst option was the official servers.
Well put. But I don't remember "State servers owned by hackers" as part of the narrative. Is that "inside baseball," or was that reported? I'd think it would be part of the conversation on the Senate's possible investigations in that area now.
Heh, there was this Business Insider piece from Aug 2016:
A month before the hacking revelations, Bilton reported, DNC staffers were told they should use this "Snowden-approved" app whenever they were mentioning Donald Trump, especially if their message was disparaging.
Signal is an incredibly easy-to-use app for iPhone and Android that allows both encrypted text and voice communications. Founded by Moxie Marlinspike in 2014, it requires no sign-up, registration, or exchange of information between parties. You just download the app, install it on your phone, and call whoever you want to talk to, using a regular phone number.
I like how "our duly-represented governments ignore the will of the people and their own laws and constitutions to effect illegal searches of citizens who've done nothing wrong" gets described as "hacking".
The way Signal handles key changes is not very user-friendly for non-tech users. When the user's key changes, Signal does not automatically resend dropped messages like Whatsapp does. Curious whether the Signal users in the Government are aware of this.
So, there are a few things that OWS can do with its privileged position: it can, for example, lie about what your public key is and then receive all messages intended for you. I wonder if any of the folks over there would be tempted to do that, if they disagreed strongly enough with one politician or another.
I'd hope not, and I rather think they all hope not. But I wonder what happens when push comes to shove.
Signal does allow users to manually compare key fingerprints ("safety numbers"), and it does ask for confirmation when the numbers change. Whether users actually verify is a different story.
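The two comments above describe the threat (a server in a privileged position handing out a substitute public key) and the countermeasure (comparing fingerprints out of band and being warned when a contact's key changes). The following is an added example, not code from the thread and not Signal's own safety-number algorithm: a trust-on-first-use identity store that refuses to silently adopt a changed key, plus a simplified order-independent fingerprint so both parties can read the same string to each other. The hash construction, the 60-digit format, the contact names and the key bytes are all constructed for the demo.

```python
"""
Added example: why out-of-band fingerprint comparison defeats a server that
lies about a contact's public key.  Simplified stand-in for a 'safety number';
not Signal's construction.  All keys below are constructed demo values.
"""
import hashlib

ALICE_KEY = bytes.fromhex("01" * 32)   # Alice's identity public key (demo)
BOB_KEY = bytes.fromhex("02" * 32)     # Bob's real identity public key (demo)
MITM_KEY = bytes.fromhex("ee" * 32)    # key a dishonest server offers instead


def safety_number(key_a, key_b, digits=60):
    """Shared fingerprint of two identity keys, grouped in blocks of five digits.
    Sorting the keys first makes it order-independent, so both phones show the
    same number and either party can read it aloud for the other to compare."""
    first, second = sorted((key_a, key_b))
    digest = hashlib.sha256(b"demo-safety-v1" + first + second).digest()
    raw = str(int.from_bytes(digest, "big")).zfill(78)[:digits]
    return " ".join(raw[i:i + 5] for i in range(0, digits, 5))


class IdentityStore:
    """One user's trust-on-first-use record of contacts' identity keys."""

    def __init__(self, my_key):
        self.my_key = my_key
        self.known = {}      # contact -> key accepted so far
        self.pending = {}    # contact -> different key the server offered later
        self.verified = set()

    def observe(self, contact, server_key):
        """Record the key the server returned for `contact`.
        Returns 'new' (first sighting), 'unchanged', or 'changed' (held as
        pending until the user confirms; nothing is encrypted to it yet)."""
        if contact not in self.known:
            self.known[contact] = server_key
            return "new"
        if server_key == self.known[contact]:
            return "unchanged"
        self.pending[contact] = server_key
        return "changed"

    def verify_out_of_band(self, contact, number_read_from_peer):
        """Compare the number the peer read aloud (derived from the peer's real key)
        with the number our candidate key yields.  A server-substituted key cannot
        produce the peer's number, so a mismatch rejects the pending key."""
        candidate = self.pending.get(contact, self.known.get(contact))
        if candidate is None:
            return False
        if safety_number(self.my_key, candidate) != number_read_from_peer:
            self.pending.pop(contact, None)
            return False
        self.known[contact] = candidate
        self.pending.pop(contact, None)
        self.verified.add(contact)
        return True


def demo():
    """Alice talks to Bob; later the server swaps in MITM_KEY for Bob."""
    alice = IdentityStore(ALICE_KEY)
    bob_sees = safety_number(BOB_KEY, ALICE_KEY)       # shown on Bob's phone
    events = [alice.observe("bob", BOB_KEY), alice.observe("bob", BOB_KEY)]
    events.append(alice.observe("bob", MITM_KEY))       # server now lies
    accepted = alice.verify_out_of_band("bob", bob_sees)  # Bob reads his number to Alice
    return events, accepted, alice.known["bob"] == BOB_KEY


if __name__ == "__main__":
    print(demo())  # (['new', 'unchanged', 'changed'], False, True)
```

The store deliberately keeps a changed key in `pending` rather than replacing the accepted one, which is the behaviour the thread is asking for: the warning is only useful if nothing gets encrypted to the new key before a human has compared numbers. The last comment's caveat stands, though; the mechanism only helps when users actually perform the comparison, and the honest-key-rotation path (a contact really did get a new phone) looks identical on the wire until they do.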
Signal has a built in 'export' function that produces a plaintext file with chat logs. However that might defeat the point of end-to-end encrypted messages.
Another approach is to use Signal's "Linked Devices" capability. Designate a central "device" (server) for FOIA purposes, and mandate all relevant public servants/elected officials using Signal add that as a linked device.
Then there's no need to retrieve a device and dump its message store, which obviously depends on the device being in a functional state. Instead there's a one-time setup when Signal is first installed.
Could be an interesting article, anybody know how to read it? WSJ has been hiding the article text behind a paywall, and even Google doesn't seem to cache the full text.
Tried web link, incognito mode, user agent spoofer, and my Android phone, none of them work. Thanks for trying, but I gotta flag this article. I don't support paywalled content being on HN.