So this indictment is puzzling. It concerns Michael Sussman, a lawyer who organized the collection of DNS data from hosting providers allegedly for political purposes. Many of the companies are anonymized, can we tell who they are? (Thread) context-cdn.washingtonpost.com/notes/prod/def…
So we begin with “Internet Company-1”, which is a (major?) DNS resolver.
The executive in question (Tech Executive-1) claims to have been offered a position as Hillary Clinton’s cyberczar if she won, so maybe that’s a clue?
There are two other Internet companies in here. Internet Company-2 collects DNS data (maybe passively) and Internet Company-3 is maybe a threat Intel company owned by company #2. The executive has ownership interest in all three.
In case it isn’t obvious from context, this whole thread is about the Trump-Alfa Bank DNS allegations. Some of these quotes sent between researchers are pretty damning.
Overall this is an awful-looking story. The Clinton campaign and sympathetic executives at tech companies ran wild through private DNS data (which apparently has no protections at all) to concoct a narrative, and then dragged university researchers in to help confirm it.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
The “age verification” and the “human identification” problem are the same problem. It upsets me to be around people who think they’re working on the first, but don’t understand they’re actually working on the second.
To be really clear: it’s pretty obvious that the central (Internet communication) problem of our time is going to be determining whether the stranger you’re talking to (or delivering ads to) is a person or a bot. And every existing tech we have for doing this will fail.
So how do we do this? Presumably by tightly binding physical identity to your device and then proving possession (with some other bells and whistles). Not coincidentally that’s exactly what age verification is. Weird how corporate and gov’t priorities suddenly align, right?
Trying to plan a seminar on the topic of “how do we maintain privacy in the coming dystopia” and it’s kind of a thing.
Over the past thirty years we’ve done amazing thing technologically when it comes to anonymity and privacy, and to some extent it was “all theoretical” that we’d need it. That’s all behind us.
So here we are in the bad timeline. Social networks want to jam AI into your encrypted messages; governments want to access your private messages; everyone you maybe once hoped to rely on is either planning to sell you out or else trying to find the fastest way to monetize you.
Specifically, Google when asked by a US senator could easily have denied that the UK was pressuring them, but instead said this.
If you call someone in their home and ask them if someone has a gun to their head, and they say “I can’t talk about that” then you call 911 because that’s what common sense tells you to do.
It is insane how scary the threat models of encrypted messaging apps providers are.
You have these apps with billions of users. Some of those users are doing huge financial transactions. Some are politicians. Some are coordinating literal national security operations. And all these messages go through a few vulnerable servers.
I think older people (that includes me I guess) think that messaging apps are like AOL Instant Messenger, not used for anything important. It’s completely insane how much of our society now runs on them, and what a total disaster it would be if a couple of major apps were broken.
Ok, look people: Signal as a *protocol* is excellent. As a service it’s excellent. But as an application running on your phone, it’s… an application running on your consumer-grade phone. The targeted attacks people use on those devices are well known.
There is malware that targets and compromises phones. There has been malware that targets the Signal application. It’s an app that processes many different media types, and that means there’s almost certainly a vulnerability to be exploited at any given moment in time.
If you don’t know what this means, it means that you shouldn’t expect Signal to defend against nation-state malware. (But you also shouldn’t really expect any of the other stuff here, like Chrome, to defend you in that circumstance either.)
You should use Signal. Seriously. There are other encrypted messaging apps out there, but I don’t have as much faith in their longevity. In particular I have major concerns about the sustainability of for-profit apps in our new “AI” world.
I have too many reasons to worry about this but that’s not really the point. The thing I’m worried about is that, as the only encrypted messenger people seem to *really* trust, Signal is going to end up being a target for too many people.
Signal was designed to be a consumer-grade messaging app. It’s really, really good for that purpose. And obviously “excellent consumer grade” has a lot of intersection with military-grade cryptography just because that’s how the world works. But it is being asked to do a lot!