Here Come The Excuses
The Market Ticker - Commentary on The Capital Markets
Logging in or registering will improve your experience here
Main Navigation
Display list of topics
Sarah's Resources You Should See
Sarah's Blog Buy Sarah's Pictures
Full-Text Search & Archives
Legal Disclaimer

The content on this site is provided without any warranty, express or implied. All opinions expressed on this site are those of the author and may contain errors or omissions.

NO MATERIAL HERE CONSTITUTES "INVESTMENT ADVICE" NOR IS IT A RECOMMENDATION TO BUY OR SELL ANY FINANCIAL INSTRUMENT, INCLUDING BUT NOT LIMITED TO STOCKS, OPTIONS, BONDS OR FUTURES.

The author may have a position in any company or security mentioned herein. Actions you undertake as a consequence of any analysis, opinion or advertisement on this site are your sole responsibility.

Market charts, when present, used with permission of TD Ameritrade/ThinkOrSwim Inc. Neither TD Ameritrade or ThinkOrSwim have reviewed, approved or disapproved any content herein.

The Market Ticker content may be sent unmodified to lawmakers via print or electronic means or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media, to republish full articles, or for any commercial use (which includes any site where advertising is displayed.)

Submissions or tips on matters of economic or political interest may be sent "over the transom" to The Editor at any time. To be considered for publication your submission must include full and correct contact information and be related to an economic or political matter of the day. All submissions become the property of The Market Ticker.

Considering sending spam? Read this first.

2018-06-21 07:00 by Karl Denninger
in Technology , 119 references Ignore this thread
Here Come The Excuses
[Comments enabled]

This sort of thing never ceases to amaze me....

For the second time this month, federal prosecutors say they’ve obtained a trove of encrypted messages from one of President Trump’s former top associates. 

The relative ease with which investigators appear to have accessed the messages of Trump's longtime personal lawyer Michael Cohen highlights an often overlooked reality: encrypted apps like Signal and WhatsApp are only as secure as users choose to make them. 

Uh huh.

Let's cut the crap: They're only as insecure as the app writers choose to make possible.

Why would an app-writer choose to make it possible insecure storage of encrypted communications?

For the same reason you are dumb enough to stick a microphone in your bedroom that allegedly "does things" for you: Convenience.

It it possible to design an app that never stores an encryption key or the content of messages persistently?  Yes.  Further, Android can be told not to back up data for a given application in the manifest, which the user cannot override.

So why would you, as the writer of an allegedly "secure" application to communicate with someone, put intentional privacy-destroying "features" into your application?  Simple: "convenience".  Specifically, if the app never stores the messages or keys on a persistent basis then they're not there "later on" and further, if you are in an area without immediate and available data service you can't get to anything at all since it's not present on the device.

If you never store the messages on the device beyond the point at which the user exits the app's "in-use" state (that is, the app intentionally destroys any in-memory or on-storage copies when it is closed, exited or hidden) then they can't be retrieved as they're not there.  If they're only transported encrypted with a key generated through secure negotiation then the lifetime of said message in terms of being able to intercept it, absent a failure of the encryption itself, is limited to that of the app's instance.

But this is "inconvenient", you see.  Well, ok, "less convenient." 

Yet people are led to believe that these sorts of communications are "secure" when in fact they're not, intentionally, due to how the app is designed and works.  Rather than explain in great detail that the basis of such a claim is only to prevent interception while in transit and that no security of data on the device is either implied or, realistically provided these folks instead "market" said applications as "safer" than something like a text message.

That may be true but only in the marginal sense, and it does exactly nothing for you if your device is physically compromised or one of the people involved voluntarily turns their device over to someone.

Go to responses (registration required to post)
 

 
Comments.......
User: Not logged on
Login Register Top Blog Top Blog Topics FAQ
User Info Here Come The Excuses in forum [Market-Ticker]
Benthere
Posts: 14
Incept: 2018-06-16

Report This As A Bad Post Add To Your Ignored User List
Yes convenience is the word. I recently sold and bought property and had to move money around, first the proceeds of the sale which I wanted to invest for the interim between sale and purchase and then arrange for the money to be transferred for the purchase as I was not planning to physically be at the closing.

I planned on spending time at our lake cottage in the middle of nowhere during all this and, naively, thought I could let my fingers do the walking. Well some people have woke to the fact texts and e mails are insecure. All this authorization to set up a brokerage account, give authority to transfer money, exchange wire instructions is now, at least with who I deal with, done by fax, and authorizations, gasp, by snail mail, they want wet signatures to protect themselves. I think the pony express can make a comeback.

But if presidential candidates and FBI agents are stupid enough to text damaging info and receive classified e mails, I can understand a lawyer relying on "security"

Tickerguy
Posts: 153486
Incept: 2007-06-26
A True American Patriot!
Report This As A Bad Post Add To Your Ignored User List
Well now, to be fair, a properly done digital signature is arguably better than a wet ink one.

The problem is the "properly done" thing. Far too many firms take shortcuts when they design and build things, usually because someone has deemed a particular feature "good" even though it breaks the security model that was originally envisioned, if there ever was a model (as opposed to "security" simply being a buzzword!)

----------
Winding it down.
Whitehat
Posts: 547
Incept: 2017-06-27

The People's Republic of New York
Online
Report This As A Bad Post Add To Your Ignored User List
Perhaps there was some wisdom to signing in blood or at least prescient. DNA analysis made this a useful option.

----------
There are two ways to be rich: One is by acquiring much, and the other is by desiring little.
snow, seasons, distance and dirt roads: SSDD
"Be not deceived; God is not mocked; for whatsoever a man soweth, that shall he also reap" (Gal. 6:7)
Invis
Posts: 5
Incept: 2018-01-02

Report This As A Bad Post Add To Your Ignored User List
I see no-one else has mentioned it so I will: there's a feature in Signal called "Disappearing messages". This is controlled by the sender, not the recipient, and after whatever time you decide the messages are securely deleted.

Personally, I wouldn't be so ready to call out something designed by Moxie Marlinspike and endorsed by Bruce Schneier, but hey, that's just me.
Tickerguy
Posts: 153486
Incept: 2007-06-26
A True American Patriot!
Report This As A Bad Post Add To Your Ignored User List
Quote:
I see no-one else has mentioned it so I will: there's a feature in Signal called "Disappearing messages". This is controlled by the sender, not the recipient, and after whatever time you decide the messages are securely deleted.

Really? How do you know they actually were? What responsibility does the app publisher have if they're not?

----------
Winding it down.

Ckaminski
Posts: 4726
Incept: 2011-04-08

Mass-Hole!
Online
Report This As A Bad Post Add To Your Ignored User List
This is why I don't trust the walled garden.

I can't "share" open source apps on my phones like you used to in the Treo / Windows Phone 6 days.

Everyone out there has a hard-on against things like the GPL, so nothing auditable can make it on the app platforms. And with Apple, you can't even load **** on your own phone without paying Apple a $99 tax.

Invis
Posts: 5
Incept: 2018-01-02

Report This As A Bad Post Add To Your Ignored User List
Quote:
How do you know they actually were?


Because every single part of Signal is open source, and the protocol is very well documented: https://www.signal.org/docs/.

Everything boils down to trust. Do I trust the NSA/FBI/GCHQ/etc? No, not even a picometre. Do I trust Moxie Marlinspike? Yes, actually quite a lot.
Login Register Top Blog Top Blog Topics FAQ