November 2015 – DoGoodSoft's Official Blog

The secret American origins of Telegram, the encrypted messaging app favored by the Islamic State

An encrypted communications app called Telegram has been in the news a lot this week, amid fears that the Islamic State has adopted it as its preferred platform for messaging.

On Nov. 18, Telegram reportedly banned 78 ISIS-related channels, “disturbed” to learn how popular the app had become among extremists. Those extremists had used the app both to spread propaganda, according to an October report, and to crowdfund money for guns and rockets, according to Vocativ.

Telegram makes an obvious choice for both activities: In media interviews and on his Web site, the app’s founder — Pavel Durov, often called the “Zuckerberg of Russia” — has boasted that Telegram is technologically and ideologically unsurveillable. In the wake of the terrorist attacks in Paris, however, questions have begun to emerge about how trustworthy Telegram actually is.

Multiple cryptologists and security experts have claimed that Telegram is actually not all that secure: a flaw that may reflect the fact that Telegram wasn’t initially conceived as an encrypted messaging platform.

On top of that, while Telegram is typically described as a highly principled, Berlin-based nonprofit, that hasn’t always been the case: Up until about a year ago, Telegram was an opaque web of for-profit shell companies — mired in conflict and managed, in large part, from the United States.

“Pavel is really unpredictable,” said Axel Neff, the estranged co-founder and former chief information officer at the company. “His biggest drive has always been notoriety.”

Neff makes an odd protagonist in a tale of international corporate intrigue. Raised in rural ski country south of Buffalo, N.Y., and schooled in engineering, Neff was essentially working in construction when Durov founded Russia’s largest social network, Vkontakte, in 2006. Neff’s a salt-of-the-earth guy — a Bills fan and the co-owner, with his mother, of a train-themed restaurant — who seems to have stumbled into Russian tycoon circles entirely by accident. (Neither Pavel nor Telegram returned the Post’s request for comment.)

In college, one of his high school buddies studied abroad in Russia, where he was fortuitously placed in a study group with Durov and a guy named Ilya Perekopsky. Neff befriended Perekopsky when he came to Buffalo for a summer to practice English; Perekopsky went on to help found VK. Before he knew it, a random 28-year-old who drove an old Toyota and lived in rural New York state was the assistant director of international operations at one of the world’s largest social networking companies.

Neff was pretty good at his job, according to court documents made public in 2014 that shed light on the business practices and dealings of Telegram — although he did depart, that same year, under sketchy circumstances. After joining VK in 2008, Neff helped develop the site in foreign markets and transition it away from vkontakte.com URL. By 2011, when the political situation in Russia was making business perilous for social networks and other Internet companies, Neff was good friends with both Durov and Perekopsky. In 2012, they and several other VK executives began discussing a new app; Neff began researching server space and renting a downtown Buffalo office.

At the time, Neff said, the concept for the company was simple: a series of messaging apps — of which Telegram would be the first — that relied not on cellphone carriers but on data networks.

Encryption Debate Erupts Post-Paris Attacks But Don’t Expect Any Change Soon

Despite the lack of evidence, the Obama Administration has revived the encryption debate, pointing to encryption as an aid to the terrorists behind the Nov. 13 Paris attacks.

Investigators from France and the U.S. have conceded that there has been no evidence backing up their conclusion that the terrorist behind the attacks relied on the latest, high-level encryption techniques being offered to consumers by Google and Apple.

Yet, the debate over government-grieving encryption is back in high gear.

Decrypting the Encryption Debate

The Great Encryption debate kicked into full swing about a year ago, when current and former chiefs of the U.S. Department of Justice began calling on Apple and Google to create backdoors in iOS 8 and Android Lollipop.

The encryption built for the two mobile operating systems is so tough, that the world’s best forensic scientists in all of computing wouldn’t be able to crack devices running the software in time for a seven-year statute of limitations.

While it’s possible to crack the encryption in less time, each misstep would push back the subsequent cool-down period before the software would allow for another go.

A few weeks before the Nov. 13 attacks on Paris, the DOJ employed a new strategy to coerce Apple into handing over the keys to iOS – and it’s a good one. The tech world is still awaiting Apple’s counterpunch.

Roughly a year ago, then U.S. Attorney General Eric Holder frame the debate on encryption and stated the DOJ’s stance while speaking at the Global Alliance Against Child Sexual Abuse Online.

“Recent technological advances have the potential to greatly embolden online criminals, providing new methods for abusers to avoid detection,” Holder said, adding that there are those who take advantage of encryption in order to hide their identities and “conceal contraband materials and disguise their locations.”

The Information Technology Industry Council, which speaks on behalf of the high-tech industry, sees all of the above issues as reasons everyone needs encryption.

“Encryption is a security tool we rely on everyday to stop criminals from draining our bank accounts, to shield our cars and airplanes from being taken over by malicious hacks, and to otherwise preserve our security and safety,” said Dean Garfield, president and CEO of ITI.

While stating the ITI’s deep “appreciation” for the work done by law enforcement and the national security community, Garfield said there is no sense in weakening the security just to improve it.

“[W]eakening encryption or creating backdoors to encrypted devices and data for use by the good guys would actually create vulnerabilities to be exploited by the bad guys, which would almost certainly cause serious physical and financial harm across our society and our economy,” he explained.

Paris as a Talking Point

In the wake of the recent Paris Attack, U.S. officials have again reissued their call for software developers – Apple, Google and others – to provide law enforcement agencies with keys to the backdoor of operating systems with government-grade encryption.

While there is still no evidence that law enforcement agencies, with encryption keys in hand, could have given police on the ground in Paris a game-changing heads up of the attacks. Nevertheless, Paris has been turned into a talking point said Michael Morell, a former deputy director of the CIA, who stated that the tragic events will reshape the encryption debate.

“We have, in a sense, had a public debate [on encryption],” said Morell. “That debate was defined by Edward Snowden.” Although, instead of what the former NSA contractor and leaker had done, the issue of encryption will now be “defined by what happened in Paris.”

Paris attacks reignite debate over encryption,surveillance and privacy

WASHINGTON — Friday’s terrorist attacks in Paris have revived the debate over whether U.S. tech companies should be required to build “backdoors” into encrypted phones, apps and Internet sites to let law enforcement conduct surveillance of suspected terrorists.

There has been widespread speculation among law enforcement authorities and the media that the Islamic State terrorists who attacked Paris were using some kind of encryption technology to communicate. However, American and French authorities have said there is no hard evidence to back up that assumption.

Still, the possibility has been enough to renew criticism of commercial encryption, putting pressure on U.S. companies that are increasingly using the technology to thwart hackers and reassure customers that their data will be kept private.

“When individuals choose to move from open means of communication to those that are encrypted, it can cause a disruption in our ability to use lawful legal process to intercept those communications and does give us concern about being able to gather the evidence that we need to continue in our mission for the protection of the American people,” Attorney General Loretta Lynch told the House Judiciary Committee Tuesday.

Lynch said the FBI and other Justice Department agencies work with Internet providers to try to find a way to enforce court orders to conduct surveillance of suspected terrorists. However, companies are increasingly employing encryption that even they cannot break to access their customers’ data.

In those cases, federal agents use other types of surveillance and intelligence-gathering tools, Lynch said.

“But it (encryption) does cause us the loss of a very valuable source of information,” she told the committee.

Despite strong criticism of encryption by the FBI, the White House announced in October that it would not seek legislation to force U.S. tech companies to build backdoors to let law enforcement get around the technology to access people’s messages and other information.

Paris attack stokes the flames in fight over US data encryption

Last week’s terrorist attack on Paris sounded a call to arms for hawkish U.S. officials seeking broad oversight of encrypted digital communications, some of whom used the opportunity to rekindle discussions with Silicon Valley technology companies.

In an interview with MSNBC on Monday, Senator Diane Feinstein (D-Calif.) said Silicon Valley companies, particularly those marketing secure Internet messaging services, should help government agencies protect the homeland by allowing controlled access to encrypted data.

“They have apps to communicate on that cannot be pierced even with a court order, so they have a kind of secret way of being able to conduct operations and operational planning,” Feinstein said of ISIS terrorists. She hammered the point home, reminding MSNBC’s Andrea Mitchell of recent video footage showing ISIS leaders giving potential sleeper cells the go ahead to carry out attacks on U.S. soil.

Last month the Senate passed the controversial Cybersecurity Information Sharing Act, a bill that effectively allows companies to legally share customer data with the Department of Homeland Security and other government agencies. Feinstein is a co-sponsor of the bill.

As iOS and Android dominate modern mobile communications, Apple and Google have been singled out as part of the problem for providing end-to-end encryption messaging services. For example, strong encryption in iOS 8 and above makes it virtually impossible to eavesdrop on iMessage conversations or gain physical device access, even with appropriate warrants.

“I have actually gone to Silicon Valley, I have met with the chief counsels of most of the big companies, I have asked for help and I haven’t gotten any help,” Feinstein said. “I think Silicon Valley has to take a look at their products, because if you create a product that allows evil monsters to communicate in this way, to behead children, to strike innocents, whether it’s at a game in a stadium, in a small restaurant in Paris, take down an airliner, that’s a big problem.”

Bloomberg reports other top-ranking U.S. officials, including CIA Director John Brennan, made similar comments, but fell short of asking that new laws be enacted.

“There are a lot of technological capabilities that are available right now that make it exceptionally difficult — both technically as well as legally — for intelligence security services to have insight that they need,” Brennan said today at an event in Washington, D.C.

For its part, Apple has been a vocal advocate of consumer privacy and pushed back against CISA alongside other tech companies in October. CEO Tim Cook has repeatedly warned of the detrimental effects a back door policy would have not only on individual users, but the tech industry as a whole.

Critics to Apple’s position argue CISA lets providers share data while still maintaining privacy, a proverbial win-win situation for everyone involved. Americans could find themselves putting to those claims to the test sooner rather than later, as the bill is headed to the House of Representatives and, if passed, to President Obama for ratification.

Microsoft releases encryption tech for bioinformatics

Allows researchers to work on data securely.

Microsoft has released tools that allow bioinformatics researchers to work on genome data sets securely to protect privacy.

Genomic data is becoming available in increasing amounts as gene sequencing becomes easier, cheaper and faster, and is used for several new applicaitons such as predicting the occurrence and survival of cardiovascular disease.

Hospitals, clinics, companies and other insitutions are faced with handling large amounts of such data securely, to ensure the privacy of subjects, but this carries risks.

Storing the data in a cloud is one solution to handle large amounts of information, but this is subject to legal orders, data misuse, theft and insider attacks, a team of six Microsoft researchers said.

Homomorphic encryption can protect people’s sensitive genetic information and still allow researchers to work with the data.

The technique allows an unlimited amount of two operations, addition and multiplication, on the scrambled material.

This means researchers are able to work on the data in encrypted form without having to decrypt it or have access to decryption keys.

Traditional encryption, in comparison, locks down data, making it impossible to use or compute on without decoding it first.

The Microsoft team of researchers have written a manual for how to use their homomorphic encryption solution, as a guide to using the technique for bioinformatics and genomic computations.

Along with the manual, Microsoft will also release the SEAL (simple encrypted arithmetic library) as a free download, to be used for experimentation and research purposes.

Apple’s Encryption Fight Turns To The UK

After a major victory in the United States, Apple is facing an another threat to its encryption efforts on a different front: the United Kingdom.

The Cupertino-based tech giant typically shies away from taking firm stances on specific legislation and works through lobbying groups representing technology companies’ interests. Apple’s CEO Tim Cook today told students in Dublin that the company is opposed to a new British proposal that would require it to provide law enforcement with access to encrypted data.

Cook said creating a so-called backdoor for law enforcement would expose personal data to hackers.

“If you leave a back door in the software, there is no such thing as a back door for good guys only,” Cook said, according to Reuters. “If there is a back door, anyone can come in the back door.”

Cook’s statements have been backed up by privacy and technology experts. This summer, a group at MIT reported government limits on encryption would present risks.

Cook also said the British bill in its current form is vague. He said at the same event that it is not clear how Apple has to comply.

The Brtish bill, known as the Investigatory Powers Bill, would make explicit in law for the first time that law enforcement can hack and bug computers and phones, and it obliges companies to help officials bypass encryption.

Apple began encrypting its smartphones by default in 2014 with the introduction of iOS 8. Law enforcement in the United States has rallied against the update, claiming it would prevent them from obtaining information key to solving investigations.

However the White House has said it will not take a firm stance against encryption. Though the debate has continued heavily in the Capitol Hill hearing rooms, the U.S. Congress has not proposed any legislative solutions to the encryption debate.

The danger of the U.K.’s current proposal does not lie just in the privacy and security risks it presents to British citizens, but in the global precedent such a law would set. If the U.K. passes a law that requires that law enforcement be able to access encrypted data with a warrant, what’s to stop China or Russia from passing a similar law?

Apple hasn’t backed down on encryption since this issue first bubbled up last year. Though it’s been able to hold its own in the debate over encryption, this is the first time it will have to fight a bill targeting this practice.

Snowden Never Told Us About Ransom Encryption

While Edward Snowden is the source behind the largest scandal on the internet, he sure didn’t warn us that hackers would put ransoms onto their spyware. A special ransomware virus was discovered which targets Linux-based systems specifically, and it’s telling us hackers are expanding to web browsers for their vicious attacks.

This specific malware, labeled Lunix.Encoder.1, it breakes all files and goes through specific directories, encrypting home directories, the MySQL server directory, logs, and Web directories of Apache and the Ngnix web servers. It leaves a ransom note in every directory that contains encrypted files, and they are next to impossible to recover without appropriate backups or if users don’t pay the ransom.

This specific virus encrypts archives that contain the very word ‘backup’, so getting out of the pinch without paying the ransom is extremely difficult. The team behind the discovery urge users to keep active backups and make sure their information is as secure as possible. The team also revealed that it’s likely that the malware uses brute force guessing of remote access credentials or Web application exports combined with local privilege escalations, and it probably gives Snowden himself a warm feeling in the heart.

It’s an interesting development in how we are willing to pay to keep our information secure, as anti-virus software continues to grow, perhaps ransoms will start getting more aggressive and more lethal. Could this have been something Snowden missed or failed to inform the world about?

Investigatory Powers Bill could allow Government to ban end-to-end encryption, technology powering iMessage and WhatsApp

The new Investigatory Powers Bill could ban WhatsApp and iMessage as they currently exist and lead to the weakening of security.

Introducing the Bill this week, Home Secretary Theresa May said that it didn’t include a controversial proposal to ban the encryption that ensures that messages can’t be read as they are sent between devices. But it does include rules that could allow the Government to force companies to create technology that allows those messages to be read, weakening encryption.

The Bill gives wide-ranging powers to the Home Secretary to force companies to make services that that can be more easily read by intelligence agencies.

Section 189 of the law allows the Government to impose “obligations” on companies that provide telecommunications services. That can include “the removal of electronic protection”, as well as a range of others.

It isn’t clear how that law would be used in practice. But it could allow for the breaking of encryption so that messages can be read.

Some of those powers were already available. But the new legislation repeats them – despite the suggestion that the ban on encryption has been dropped – as well as strengthening some of the ways that Government can impose such obligations.

At the moment, services including WhatsApp and Apple’s iMessage use end-to-end encryption. That means that the phones that are sending each other use keys to ensure that nobody else – including WhatsApp and Apple themselves – can’t read messages.

When end-to-end encryption is used, it isn’t possible to set up a system so that it only allows for the breaking of messages from a specific phone, or of messages sent between two specific people. Instead, allowing for the viewing of just two messages would entail entirely re-engineering the system so that WhatsApp and Apple had the keys to unlock any message, sitting in the middle of all messages.

Technology companies are understood to be concerned about that setup, because if they are able to read through messages then the same system could be used by members of staff or hackers to read through the messages of all of a services’ users.

Earlier this year, a report from some of the world’s leading computer experts said that weakening encryption “will open doors through which criminals and malicious nation states can attack the very individuals law enforcement seeks to defend”.

“If law enforcement’s keys guaranteed access to everything, an attacker who gained access to these keys would enjoy the same privilege,” the report argued.

Apparently partly in response to that criticism, the US Government has mostly walked back its attempts to weaken encryption.

New U.K. online surveillance proposal could have international reach

A new surveillance proposal in the United Kingdom is drawing criticism from privacy advocates and tech companies that say it gives the government far-reaching digital surveillance powers that will affect users outside the nation’s borders.

The Draft Investigatory Powers Bill released by British Home Secretary Theresa May Wednesday would force tech companies to build intercept capabilities into encrypted communications and require telecommunications companies to hold on to records of Web sites visited by citizens for 12 months so the government can access them, critics allege.

Policy changes are necessary to maintain security in a changing digital landscape, the government argued. “The means available to criminals, terrorists and hostile foreign states to co-ordinate, inspire and to execute their plans are evolving,” May wrote in a forward to the bill. “Communications technologies that cross communications platforms and international borders increasingly allow those who would do us harm the opportunity to evade detection.”

The bill has some new judicial oversight mechanisms, but the response from privacy advocates was largely negative, with some arguing that those changes aren’t enough to compensate for the expanse of new powers.

“The law would apply to all companies doing business with the UK, which includes basically all companies that operate over the internet,” said Nathan White, senior legislative manager at digital rights group Access. “This means that even wholly domestic encrypted communications in the United States, France, or South Africa would be put at risk.”

Some tech companies themselves also raised alarm bells. “Many aspects of the draft Bill would directly impact internet users not just in the UK, but also beyond British borders,” Yahoo said in a blog post. “Of most concern to us at this stage is the UK Government’s proposal to affirm extraterritorial jurisdiction over foreign service providers.”

The U.K. government says some of the controversial aspects of the draft, including the requirement to unlock encrypted communications, date back to laws already on the books and it replaces a patchwork of powers which go back to the early days of the Web. However, while a Code of Conduct for Interception Capabilities released by the British government earlier this year said communications companies were required to maintain a “permanent interception capability,” it made no mention of decrypting such content.

Privacy advocates say the government is reinterpreting earlier laws in problematic ways. “This is a major change” that would effectively outlaw end-to-end encryption, a form of digital security where only the sender and the recipient of a message can unlock it, White said.

In meetings before the draft was released, the government pressed at least one tech company to build in backdoors into encrypted communications, according to a person familiar with the issue who requested anonymity because he was not authorized to comment on the issue.

Apple’s iMessage system uses end-to-end encryption as do an increasingly number of standalone messaging and calling apps including Signal. If the proposal becomes law, critics warn, such services may be forced to alter their systems to include such “backdoors” to allow the government to access encrypted content — something encryption experts say would undermine security by making the underlying code more complex and giving hackers something new to target — or exit the market. Apple declined to comment on the bill, but chief executive Tim Cook has been a vocal opponent of government-mandated backdoors in the past.

Encryption was at the heart of a U.S. policy debate over the last year. The dialogue was triggered when Apple moved to automatically protect iOS devices with encryption so secure the company itself cannot unlock data stored on an iPhone even if faced with a warrant, assuming that a user turns off automatic back-ups to the company’s servers.

Some law enforcement officials warn that criminals and terrorists are “going dark” due to such technology. But the Obama administration decided not to press for a legislative mandate that would require companies to build ways to access such content into their products, although it has not yet come out with a full policy position on the issue.

Critics argue that has led to ambiguity which emboldened British officials. “This draft proposal from the U.K. government demonstrates the lack of leadership on encryption policy from the Obama Administration” and could lead to similar proposals in other parts of the world, said White.

If one country is able to force companies to unlock encrypted data it will be hard to fend off such requests from others including China and Russia, some inside tech companies fear.

When asked about the British proposal by The Post, National Security Council spokesperson Mark Stroh declined to weigh in. “We’d refer you to the British government on draft British legislation,” he said via e-mail.

This Snowden-Approved Encrypted-Communication App Is Coming to Android

Since it first appeared in Apple’s App Store last year, the free encrypted calling and texting app Signal has become the darling of the privacy community, recommended—and apparently used daily—by no less than Edward Snowden himself. Now its creator is bringing that same form of ultra-simple smartphone encryption to Android.

On Monday the privacy-focused nonprofit software group Open Whisper Systems announced the release of Signal for Android, the first version of its combined calling and texting encryption app to hit Google’s Play store. It’s not actually the first time Open Whisper Systems has enabled those features on Android phones; Open Whisper Systems launched an encrypted voice app called RedPhone and an encrypted texting program called TextSecure for Android back in 2010. But now the two have been combined into a Signal’s single, simple app, just as they are on the iPhone. “Mostly this was just about complexity. It’s easier to get people to install one app than two,” says Moxie Marlinspike, Open Whisper Systems’ founder. “We’re taking some existing things and merging them together to make the experience a little nicer.”

That streamlining of RedPhone and TextSecure into a single app, in other words, doesn’t actually make Open Whisper System’s encryption tools available to anyone who couldn’t already access them. But it does represent a milestone in those privacy programs’ idiot-proof interface, which in Signal is just as straightforward as normal calling and texting. As Marlinspike noted when he spoke to Wired about Signal’s initial release last year, that usability is just as important to him as the strength of Signal’s privacy protections. “In many ways the crypto is the easy part,” Marlinspike said at the time. “The hard part is developing a product that people are actually going to use and want to use. That’s where most of our effort goes.”

Open Whisper Systems’ encryption tools already have a wide footprint: According to Google Play’s stats, TextSecure had been downloaded to at least a million Android phones, all of which will now receive the Signal app in a coming update. Since 2013, TextSecure has also been integrated by default in the popular CyanogenMod version of Android. And last year WhatsApp gave it an enormous boost by integrating it by default into its Android app for Android-to-Android communications—a move that put Open Whisper Systems’ code on at least a half-billion Android users’ devices.

The security of those apps has been widely applauded by cryptographers who have audited them: As Johns Hopkin professor Matthew Green wrote in a 2013 blog post, “After reading Moxie’s RedPhone code the first time, I literally discovered a line of drool running down my face. It’s really nice.”

Open Whisper Systems, which is funded by a combination of personal donations and grants from groups like the U.S. government’s Open Technology Fund, likely doesn’t enjoy the same popularity among law enforcement agencies. FBI Director James Comey has repeatedly warned Congress over the last year of the dangers of consumer encryption programs, and British Prime Minister David Cameron even threatened to ban WhatsApp this summer based on its use of TextSecure.

All of that enmity has only bolstered Signal’s reputation within the privacy community—an affection that’s now been extended to its new Android app, too. “Every time someone downloads Signal and makes their first encrypted call, FBI Director Jim Comey cries,” wrote American Civil Liberties Union lead technologist Chris Soghoian on Twitter. “True fact.”