person:christopher soghoian

The Digital Security Divide

A TED talk by Christopher Soghoian about encrypted communication, the difference between the default of Apple and that of Android, and the impact on our society.

Apple iPhone messaging is end-to-end encrypted by default, (between two iPhones), and not Android messaging is not.

The default behaviour is important because given the expensive cost of an iPhone and the availability of cheap Android phones, social inequalities often lead to:
a) the purchase of cheap Android phones that do not protect your communication
b) lack of sufficient knowledge to protect your communication on cheap phones

The digital security divide: there is an increasing gap in security & privacy between the rich, who can afford devices that secure their data by default, and the poor, whose devices do little to protect them, by default.

"In the US, African-Americans are more likely to likely to be seen as suspicious, to be profiled, and more likely to be put under surveillance by the state. They are also disproportionately likely to use Android devices."

"We must remember that surveillance is a tool. It’s a tool used by those in power, against those who have no power."

This also becomes a problem for democracy. Many movements, such as “Black Live matters”, the Arab Spring etc, increasingly use smartphones. Obviously, governments that feel threatened by these movements will target those members, and their smartphones. And chances are, these people use a cheap Android phone.

▻https://www.youtube.com/watch?v=HmehNQzNsVU

#privacy #surveillance #social
#Christopher_Soghoian
#civil_right
#TED

Johns Hopkins researchers poke a hole in Apple’s encryption

Researcher Matthew Green from John Hopkins university claims to have found a way through iMessage to intercept messages, photos and encryption key, and this for iOS versions prior to 9.3. This is done by forging TLS certificates and intercepting traffic by pretending to be an Apple server.

The recently released iOS 9.3 is supposed to incorporate the mitigation advise proposed by the researchers and correct this problem.

The paper can be found here:

Dancing on the Lip of the Volcano: Chosen Ciphertext Attacks on Apple iMessage
▻https://isi.jhu.edu/~mgreen/imessage.pdf
▻http://docdro.id/0wPiqeJ

Our analysis shows that iMessage has significant vulnerabilities that can be exploited by a sophisticated attacker. In particular, we outline a novel chosen ciphertext attack on Huffman compressed data, which allows retrospective decryption of some iMessage payloads in less than 2^18 queries. The practical implication of these attacks is that any party who gains access to iMessage cipher texts may potentially decrypt them remotely and after the fact.

[...]

Specifically, we attempt to answer the following question: how secure is Apple iMessage?

[...]

To perform our analysis, we derived a specification for iMessage by conducting a partial black-box reverse engineering of the protocol as implemented on multiple iOS and OS X devices.

Also interesting statement in the paper:

Apple stores encrypted, undelivered messages on its servers and retains them for up to 30 days, such messages are vulnerable to any party who can obtain access to this infrastructure, e.g., via court order

Their long-term recommendation to Apple:
Replace the iMessage encryption mechanism. ;-)

The Washington Post wrote about this paper:

▻https://www.washingtonpost.com/world/national-security/johns-hopkins-researchers-discovered-encryption-flaw-in-apples-imessage/2016/03/20/a323f9a0-eca7-11e5-a6f3-21ccdbc5f74e_story.html

Christopher Soghoian, principal technologist at the American Civil Liberties Union, said that Green’s attack highlights the danger of companies building their own encryption without independent review. “The cryptographic history books are filled with examples of cryptoalgorithms designed behind closed doors that failed spectacularly,” he said.

Also funny is this quote from Green:

it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.

#iMessage
#FBI
#TLS #SSL
#backdoor
#MITM
APN - Apple Push Notification

Sous la Toile de tente des hackeurs
▻http://www.liberation.fr/economie/2015/08/16/sous-la-toile-de-tente-des-hackeurs_1364406

Créé en 1999, le Chaos Communication Camp réunit tous les quatre ans en Allemagne pirates et hacktivistes du monde entier.

[...]

« C’est un mélange de réseautage et de vacances », sourit Christopher Soghoian, spécialiste en sécurité des communications et analyste pour l’American Civil Liberties Union. Un peu trop d’ailleurs au goût de l’eurodéputée pirate Julia Reda, qui pointait vendredi sur Twitter la « gentrification » de la culture hacker et voyait dans cette édition du CCCamp « plus d’atmosphère de bien-être que de projets subversifs ».

#Allemagne #Berlin #Chaos_Communication_Camp #Chaos_Computer_Club #Hacker #Numérique

La #NSA et le #GCHQ auraient piraté le plus important fabricant de #cartes_SIM au monde

Des espions américains et britanniques se seraient introduit dans le réseau informatique interne du plus grand fabricant de cartes #SIM au monde, dérobant les clés utilisées pour chiffrer un nombre important de communications cellulaires à travers le monde.

▻http://branchez-vous.com/2015/02/19/la-nsa-le-gchq-auraient-pirate-le-plus-important-fabricant-de-cartes-
#piratage

The Problem of Anonymous Vanity Searches
(Christopher Soghoian)

This paper explores privacy problems related to search behavior conducted using public search engines. Specifically it exposes problems related to unintentional information leakage through a vanity search - which is a search for information about one’s self. We begin by discussing recent events which have made this problem extremely topical. [./.] We show that technologies such as TrackMeNot may expose their users more through their attempts to create cover traffic than if they had not been used in the first place. We further identify how anonymizing proxies such as Tor are themselves not enough to protect vanity searches, and discuss several other potential solutions, none of which are ideal or 100% foolproof. [./.] We highlight the inherent information asymmetry in the relationship between search engines and their users which makes it almost impossible to create cover traffic good enough to blend into. We conclude by exploring other avenues for protecting user privacy online.

[...]

it was possible for journalists from the New York Times to reveal the identity of user 4417749 to be Thelma Arnold, a 62-year-old widow from Lilburn, Georgia after linking together all of her vanity searches contained in AOL’s pseudonymized records.

[...]

Users have struck a Faustian bargain of sorts with the major search engines. They seem to be willing to put up with advertising and a wholesale loss of privacy, assuming that they are even aware that it is happening, for free access to the services that search engines offer.

[...]

– Primary: ▻http://papers.ssrn.com/sol3/papers.cfm?abstract_id=953673
– Backup: ▻http://www.docdroid.net/9wzv/ssrn-id953673.pdf.html

#Privacy
#Identity
#Anonymity #Anonymous
#Google #search
#vanity
#TrackMeNot
#Tor

L’heure de la revanche pour les lanceurs d’alerte
▻http://www.lemonde.fr/technologies/article/2013/12/11/l-heure-de-la-revanche-pour-les-lanceurs-d-alerte_3529000_651865.html

Jacob Appelbaum

Que faire face à la NSA quand on est un simple citoyen ?

Au niveau personnel, pas grand-chose. Se protéger tout seul dans son coin, c’est comme recycler trois déchets pour sauver la planète.

...

Je prédis que les Etats-Unis vont étendre leur programme d’attaques de drones, y compris dans des pays qui, aujourd’hui, se croient totalement à l’abri.

...

Tout le monde parle de « cyberguerre » comme si elle était inéluctable. Il faudrait arrêter un peu, et parler plutôt de « cyberpaix ». Notre rôle est de pacifier Internet.

Christopher Soghoian

un pays qui est incapable de fabriquer ses propres équipements de communication est dans une posture d’infériorité fondamentale face aux pays fournisseurs de matériels.

Jérémie Zimmermann

Tout ce qui vient des grandes sociétés américaines est irrécupérable au niveau sécurité : poubelle direct.

Même chose pour les logiciels propriétaires fermés, dont on ne peut pas inspecter le fonctionnement interne. Mais cela va plus loin. Il faut aussi examiner les logiciels libres et les systèmes de cryptage, pour voir si certains n’ont pas été compromis. Ensuite, nous devrons concevoir des solutions alternatives – imposer les logiciels libres un peu partout, construire des réseaux décentralisés, installer des systèmes de cryptage automatique pour toutes les communications…

Pour finir, il faudra appliquer nos solutions dans le monde réel, ce sera l’affaire de la société tout entière. Nous devrons commencer par les pays ayant la volonté politique de lancer ce chantier.
Nous devrons aussi combler notre retard dans le domaine du « matériel libre ». Jusqu’à présent, les hackers se sont concentrés sur les logiciels libres, et n’ont pas su proposer une alternative crédible en ce qui concerne les appareils. C’est une erreur.

Terms and Conditions May Apply Official Trailer (2013) - Documentary Movie HD - YouTube #documentaire #TOS #données_personnelles #tech_companies
▻https://www.youtube.com/watch?v=fzDgBITDaRY