Profile picture
, 10 tweets, 2 min read
The EFF has a piece out on how client-side scanning ‘breaks’ end-to-end encryption. They take a pretty strong position here (one I happen to agree with.) But I thought it would be helpful to explain my specific technical concerns. Thread: 1/ eff.org/deeplinks/2019…
Just to explain what we’re talking about: many current unencrypted messaging systems scan every photo sent through the service, in order to detect abusive content (CP). Encrypted messaging systems can’t do this. Hence proposals to do scanning on the client side. 2/
The service would send down some kind of list of content hashes that are problematic, and your app would check for matches before encrypting the message/photo/whatever. 3/
The problem with this approach is that it’s subject to abuse in two ways.

1. The system is designed to filter “bad” content, and “bad” means different things to different people.

2. Even if the service provider is decent, bad actors can slip inappropriate content into the DB.
People tend to discount the first concern because we live in a society of laws, etc. But it’s helpful to imagine how an authoritarian government will use this system. In fact, you don’t have to imagine. Just use WeChat. 5/
But even if you live in a healthy democracy (good for you) and you basically trust that this system will be used for good, there’s still the possibility of abuse. To prevent that, someone needs to audit the database to make sure everything in it is supposed to be there. 6/
And this is where existing systems largely fall down. Today’s “sexual abuse imagery” systems rely fundamentally on keeping a *secret* database of image hashes, which are computed using a *secret* algorithm. This creates a lot of potential for undetectable abuse. 7/
A malicious provider can insert the hash of any data they want — say political content — and they’re guaranteed to get a report from any client that sends this. Normal clients can’t audit the database since it’s kept deliberately opaque. 8/
Even worse, if the hashing system has collisions (much more likely for ‘fuzzy’ image hashing systems), it may be possible to find legitimate abuse imagery that just happens to collide with non-abuse content. 9/
In short, using today’s SAI detection systems on the client side (assuming we can even solve the ‘secret algorithm’ problem) basically means “the system is secure as long as you fully trust the provider.” That’s a pretty important security downgrade from normal e2e. /Fin
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Matthew Green

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @matthew_d_green see all

Profile picture
Matthew Green
@matthew_d_green
@AriannaSimpson @zcash @avichal @JacobPPhillips Why not just take the existing non-profit ZF board and make that your elected five person council? Note that this organization exists (and already has community elected members) while spinning up yet another organization is risky and redundant.
@AriannaSimpson @zcash @avichal @JacobPPhillips PS I am a board member (nominated originally by Zooko) but I’m happy to resign or stand for a new election if the community wants to.
@AriannaSimpson @zcash @avichal @JacobPPhillips Anyway I have several concerns here. The biggest is that the sudden creation of this new five-member counsel creates a huge opportunity for scammers to take control of Zcash. This is a foolish risk.
Read 4 tweets
Profile picture
Matthew Green
@matthew_d_green
Wait, Apple is sending URLs to Tencent?! reclaimthenet.org/apple-safari-i…
Does anyone know how Tencent Safe Browsing works? I know Google uses some (weak) k-anonymity solution to provide *some* degree of privacy. How about Tencent?
Also, can we assume that only users configured in the Mainland China region are having their data sent to Tencent? That warning is pretty damn broad.
Read 10 tweets
Profile picture
Matthew Green
@matthew_d_green
So I guess we’re getting a new coordinated push for encryption backdoors of some kind. This time based around child exploitation, rather than terrorism.
These statistics on child sexual imagery are confusing. Does an increase in the *number of images* correlate to an increase in the rate of child abuse? Or do pictures just pile up over time?
I mean, obviously this stuff is disgusting. But we live in an era when it’s easier than ever to take and keep pictures. So of course statistics like “number of images” are going to show huge increases.

But I don’t care about the size of someone’s SD card, I care about kids.
Read 10 tweets

Related threads

Profile picture
Symbolism
@CodesUcq
1.
 10/25/2019 FBI Tweet
THE FINDERS PDF- 324 pages - Partially redacted
Slaves, Traffic, Sexual Exploitation of Children,
I'll highlight pieces as I go thru, Note after the redaction about allegations of a cover-up with the intel community #Qanon
2.
 The "Finders" were discovered due to a mistake in Florida -the 6 kids they were with linked to Washington, D.C. which revealed the base of ops. Note they were near Broward. Connecting it to another nest of exploiting kids. #MKUltra #GreatAwakening
3.
 The official account is in 1987 six dirty kids were found due to a complaint - they were in the care of non related adults on a park far from home. The men with the kids were UNCOOPERATIVE ABOUT THEIR OWN IDENTITIES AND THE KIDS IDENTITIES.
Read 83 tweets
Profile picture
(((❌40Head❌⭐⭐⭐❌)))
@40_head
1. We were introduced to Lt. General Paul Nakasone in drop 1268. (1+2+6+8 = 17) He became the new director of the NSA and CyberSpace Command when Adm Mike [R]ogers retired. You will see through this thread, it appears he has also served with @GenFlynn!

qmap.pub/read/1268
2. And, you must read drop #2211 for the introduction of Mr Robert Storch and all the side info that QMap has put together on him. Storch has become a major player as the FIRST presidentially nominated Inspector General of the NSA. His role is VITAL.

qmap.pub/read/2211
3. I think it's interesting how little these two men are mentioned in Q drops and yet, their positions and responsibilities are MASSIVE in this "plan". Perhaps the slight mention was meant to inform us, yet also to avoid overdue exposure?

MUST READ.

qmap.pub/read/2230
Read 19 tweets
Profile picture
Makkah
@MsMakkah
As a Muslim who has only recently figured out a way to take my "on again, off again" relationship with prayer to the next level, I thought it might be helpful to share some things that helped solidify salah's position in my daily routine. 1/10
First - remember why we pray. A teacher recently emphasized to me that we're repeatedly told that prayer is something that benefits us. In the blessings sense, of course. But also, prayer is inherently beneficial to our health and well-being. 2/10
Think of prayer as an act of self-care. If my day is so busy that I can't take a few 5 min breaks, isn't that an indication that I need to slow down? If I'm not starting and ending my days with a moment of stillness, am I setting myself up for burnout? 3/10
Read 11 tweets
Profile picture
Adrian Sanabria
@sawaba
This thread is about #Simjacker.

A good friend asked me what I thought about it and I admitted I hadn't bothered to read up on it.

One of the things we did with @savagesec was that we wrote up advisories for our customers. A lot of them had to do with these 'named' vulns.
My first impression is superficial and not positive. We've got all the red flags here.
🚩named vulnerability
🚩logo (animated, even!)
🚩dark, ominous video
🚩lacking key, important details
🚩lead gen form to download paper
I wrote up advisories for some big ones - BlueBorne, KRACK, EFail, Meltdown/Spectre and others.

In addition to the common denominators above, they all had some stuff in common. They claimed HUGE impact, when the impact was actually much smaller because of circumstances.
Read 18 tweets
Profile picture
Santiago Capital
@SantiagoAuFund
1
I've received several (SEVERAL 😅) emails, texts, DMs etc over the last 24 hours asking me if I'm ready to throw in the towel on the strong #dollar thesis and admit I was wrong on #gold because it is "clearly breaking out now" (and I said it was not yet ready to do so).
2
So I thought I'd write a thread so I can answer everyone at once.
First of all, nothing has been definitively proven one way or the other yet on either gold or the dollar.
Second of all, if you think being wrong is something I'm not capable of handling, I assure you I am.
3
I have been wrong many times in my life/career. And I will undoubtedly be wrong many times going forward. Nobody gets it right all the time. Getting things wrong from time to time is part of this job. To think you are not going to get things wrong...is hubris, pride, etc
Read 19 tweets
Profile picture
Daniel Vassallo
@dvassallo
OK, I decided to build this and try to make a living off it:

An end-2-end encrypted serverless platform for web/mobile apps, offering user auth, db, & file store services. The end user gets privacy. The app developer gets spared from the liability & burden of handling user data.
Neither the app developer, nor me (the platform) will be able to see any user data. (Same as what @1Password does.) This also means automatic GDPR compliance for the app developer. I'll share a lot more technical and business details in a few days. I'll also open source it. ✌️
Here's the mailing list if you want to keep up to date. No more than 1 to 2 emails a month. updates.encrypted.dev/subscribe 🙏
Read 32 tweets

Trending hashtags

#Twitter #Money #FaithfullyLGBT #Simjacker #EqualAccessNow #Hussein #dollar #NDAA #TheFinders #Minions #fsi18 #OperationMockingbird #TheFindersDocs #Rojava #HowlingCollins #settlements #progressive #DSMedia #Rafale #MADAGASCAR #Deepstate #RealNews #walkaway #PropagandaOutlet #Finders
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!