Profile picture
, 23 tweets, 5 min read
My Authors
Read all threads
There are two iron laws of security that are often tragically ignored:

I. "There is no abstract 'security' - only security from some specific threat"

II. "There is no security in obscurity."

1/
Bridgefy, an app that's been billed as a way for protesters to communicate securely, illustrates both of them.

Bridgefy is an offline messaging tool - a mobile app that uses Bluetooth to pass encrypted messages around a crowd where there is no internet access.

2/
It was originally billed as being useful for big festivals and concerts out in the countryside, where there were lots of people but little or no internet connectivity.

3/
However, as protests have spread around the world, the company has promoted its product as a tool for at-risk protesters seeking to coordinate uprisings for which they might face severe retaliation, including imprisonment, torture and murder.

arstechnica.com/features/2020/…

4/
In April, a group of UCL researchers audited the app and found it severely unsuitable for these contexts, potentially exposing users to life-threatening hazards. They told the company about these flaws then, but have only now published their findings.

martinralbrecht.files.wordpress.com/2020/08/bridge…

5/
The researchers' findings reveal that the threats to users from using the app at festivals are very different to the threats that protesters face in repressive regimes ("There is no abstract 'security' - only security from some specific threat").

6/
They also find that the product team made a bunch of mistakes that they overlooked, a common problem (it's why I can't find my own typos!) that exposed users to attacks from anyone who knew how to hunt for these errors ("There is no security in obscurity").

7/
For example, the app sends the ID of both the sender and recipient of every message "in the clear" (without encryption). That allows an attacker who intercepts this metadata to assemble social graphs: Alice knows Bob, Bob knows Carol.

8/
This might expose concertgoers to some risk (for example, if Carol is arrested for selling drugs, Alice and Bob's messages to her might put them under suspicion). But in a protest context, that exposes the whole movement to risk.

9/
What's more, the identifiers the app uses are tied to users' phone numbers: an attacker at a concert would need access to a database that maps phone numbers to real identities. A state-level adversary can simply demand these connections from the phone company.

10/
But not all the flaws in the system stem from the differences in threats at concerts and protests. Some of Bridefy's flaws threaten users in ANY context, and stem from the developers' own blind spots about errors in their thinking.

11/
For example, the system doesn't have any "out of band" way to initialize keys between users. That means that when Alice wants to send a secret message to Bob, she first announces to the whole network that she is Alice and this is her public key that Bob should use.

12/
An attacker in the network can - rather than passing that message on - replace it with a message that substitutes their OWN key, and thereafter intercept, read, and relay all the messages from Alice to Bob (a "man in the middle" attack).

13/
Worse than that, the actual encryption formatting used for the messages is PKCS #1, a system that has been deprecated since 1998 due to unsalvageable flaws.

14/
The app also fails to do vital forms of input sanitization: it doesn't check for "zip bombs" - small compressed files that, when decompressed, expand to junk files that are millions of times larger. These bombs could crash enough devices in the network to shut it down.

15/
Though Bridgefy has known of the vulnerabilities since April, they are only now announcing them. They attribute the delay to their fruitless internal efforts to remediate these defects, and their ultimate conclusion that their system needs to be rebuilt from the ground up.

16/
They say they are now doing that work, rebuilding the app around the Signal protocol, which is very robust and has been widely probed to identify and shore up weaknesses.

17/
It's good that they're doing this. A third iron law of security is that "Security is a process, not a product" - that is, security is always contingent, and requires constant tending and upgrading to patch newly identified defects.

18/
We can't and shouldn't expect products to be perfectly secure - all we can ask is that product teams are transparent about which threats they considered in their design, how their products work, and which defects have been identified in them.

19/
Unfortunately, while Bridgefy is doing the right thing by acknowledging these bugs, thanking the reasearch team, and fixing the bugs, the rest of their conduct is less than exemplary.

20/
It was wrong to promote an app designed for concerts as a tool for protesters without considering the differences in the threats to those user populations.

21/
Worse, though the team has known of these defects since April, they didn't start correcting the record on end-to-end encryption promises until June. And, as @dangoodin001 points out on @arstechnica, their messaging continues to imply that it is safe to use.

eof/
ETA: Correction, the work was done by researchers from Royal Holloway, not UCL!
Missing some Tweet in this thread? You can try to force a refresh.

Keep Current with Cory Doctorow #BLM

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @doctorow see all

Profile picture
Cory Doctorow #BLM
@doctorow
For those of us who use work to cope with stress and anxiety with work, the plague months have been an oddly productive time.

For data scientist @eprosenthal, it was an opportunity to optimize his banana-sandwich process.

ethanrosenthal.com/2020/08/25/opt…

1/ Image
Rosenthal's ideal peanut-butter and banana sandwich is calibrated to have precisely the same amount of banana in every mouthful.

Naturally, Rosenthal eschews obviously incorrect solutions to this like mashing the banana or cutting it into lengthwise, rectangular slices.

2/
Rosenthal wants to figure out how to cut banana cross-sections and then arrange them such that they cover as much of the bread-slice as possible without overlapping ("maximizing the packing fraction"). And he used machine learning to do it.

3/
Read 12 tweets
Profile picture
Cory Doctorow #BLM
@doctorow
You've probably heard Zuboff's excellent coinage "Surveillance Capitalism" and perhaps you've read the paper it was introduced in, or the book that it led to.

Today, I've published a response to that book, "How to Destroy Surveillance Capitalism."

onezero.medium.com/how-to-destroy…

1/
I wrote "How to Destroy..." after reading Zuboff's book and realizing that while I shared her alarm about how Big Tech was exercising undue influence over us, I completely disagreed with her thesis about the source of that influence and what should be done about it.

2/
Zuboff calls surveillance capitalism a "rogue capitalism," a system that has used machine learning to effectively control our minds and shape our behavior so that we can no longer serve as market actors whose purchase decisions promote good firms and products over bad ones.

3/
Read 25 tweets
Profile picture
Cory Doctorow #BLM
@doctorow
The Chinese film regulator has released a new policy document: "Several Opinions on Promoting the Development of Science Fiction Films," which sets out guidelines for new sf movies.

chinafilm.gov.cn/chinafilm/cont…

1/
Writing in @variety, China Bureau Chief @rebeccaludavis breaks down the new rules and gives some context for them.

variety.com/2020/film/news…

2/
The top priority, of course, is to "thoroughly study and implement Xi Jinping Thought."

After that empty nod to the cult of personality, the guidelines get more specific.

3/
Read 15 tweets

Embed code for your website

×
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!