back to article Facebook has open-sourced encrypted group chat

Facebook has responded to governments' criticism of cryptography by giving the world an open source encrypted group chat tool. It's hardly likely to endear the ad-farm to people like FBI Director Christopher Wray, who yesterday told an international infosec conference it was “ridiculous” that the Feds have seized nearly 8,000 …

Bronze badge

No thanks

That is all.

4
16
Anonymous Coward

Re: No thanks

Why?

3
0
Anonymous Coward

Re: No thanks

Because they are looking at the brand, seeing Facebook and assuming the worst. It's the stupid reverse of fanboi behaviour. Shouldn't we as adults keep an open mind to developments and assess each as it comes?

12
1
Silver badge

Re: No thanks

Actually "looking at the brand, seeing Facebook and assuming the worst" has been right in the past about 99% of the time, so I'd go with that.

8
2
Silver badge
Facepalm

Re: No thanks

Except that the source code has been released to the public, so it can be inspected for flaws. If Facebook has slipped some nasty code into the public domain, people will be able to tell. Bitching about Facebook employees originating the code is therefore both pointless and counter-productive.

3
0
Bronze badge

No Thanks

Perhaps I should elaborate before I get deservedly downvoted into oblivion..

I do believe that it is great for ANY company to open source their software.

Especially if that software enables users to communicate over a (supposedly) secure, encrytped way.

I am a staunch supporter of open source software especially any software that helps with security and/or privacy.

But trust is earned not given.

Zuck and Co. are well known for collecting as much personal, private information from as many people as possible and aggragating all that data into graphs and selling it or even giving it away freely to anyone with a FB developer account.

Facebook has the technology, money and manpower to create powerful software that could help keep communications secure but it goes 180 degrees from what their current format is all about.

So pardon me when I have an knee jerk reaction to any software that is supposed to be private and secure with the Facebook name attached.

12
23
Silver badge

Re: No Thanks

Then why publish it open-source on Github? Any backdoor Facebook would want to include would have to be included in that code, wouldn't it, meaning they could be found out and pretty easily, too?

Not that I like Facebook, mind you, but in this case we're talking about an Enemy of My Enemy situation. Facebook hates The Man as much as you do.

37
1
Silver badge

Re: No Thanks

A lot of the modern tech companies make extensive use of open source and participate actively in projects including making their own stuff available. The logic behind this seems largely to be a continuation of IBM's EWS (employee written software) rules: if you can't sell it then you might as well give it away. You get peer review and possibly investment in the project from others. For free. It's also cheap but targeted advertising for companies looking for developers.

ART looks at first glance to be a proof of concept implementation of something that Facebook itself is not yet using in either WhatsApp or Facebook Messenger, ie. it wants peer review of the technology because secure, serverless group chat is hard.

16
0
Silver badge

Re: No Thanks

Then why publish it open-source on Github? Any backdoor Facebook would want to include would have to be included in that code, wouldn't it, meaning they could be found out and pretty easily, too?

Needle, haystack.

You're right of course, except that "pretty easily" might be the rose-tinted specs speaking (how long could a needle lurk undetected)? I'd put more faith in Facebook's motivations: namely the kudos of giving the world something useful vs the very obvious likelihood of reputational damage from even the hardest-to-find needle in there.

6
0
Silver badge

Re: No Thanks

Thing is, with things like Shellshock and Heartbleed fresh on everyone's minds, security boffins are more alert to "hiding in plain sight" tactics. To use your metaphor, they're coming at the haystack with more than just magnets now.

7
0
Silver badge

Re: No Thanks

Shellshock and Heartbleed (not to mention meltdown) are bugs. And they're historic, from an era when security simply wasn't a concern the way it is today (we all know Unix shells are full of bizarre idiosyncracies). That's fundamentally different to a deliberate backdoor which some commentards here seem to see.

Bottom line: no-one was looking for shellshock. Contrast, lots of people will be looking hard for backdoors in an app promoting itself as offering cryptographic security.

6
0
Anonymous Coward

Facebook hates The Man as much as you do.

Facebook is The Man.

2
1

Re: Facebook hates The Man as much as you do.

Facebook is the world’s sixth largest company. It is more powerful than most governments and answerable to a small clique of large shareholders. It IS the man, indeed.

1
0

This post has been deleted by its author

Anonymous Coward

Re: No Thanks

Then why publish it open-source on Github? Any backdoor Facebook would want to include would have to be included in that code, wouldn't it, meaning they could be found out and pretty easily, too?

1 - origin and motives. As it's Facebook, suspect by default given how they make their money.

2 - who is going to review it?

3 - why do we need this? Plenty of alternatives.

4 - ever heard of the Obfuscated C contest?

5 - is that really all the functionality? What about downloading address books in full? Has that been fixed?

Anyway, that's just a short list to start with. I'm sure others will add many more.

0
2
Silver badge

Re: No Thanks

"why do we need this? Plenty of alternatives."

Care to name some? At least one that allows re-establishing a secure group channel when you need to evict a client?

1
1
Silver badge

Re: Facebook hates The Man as much as you do.

No, it ain't the man until they can vanish people MiniLuv-style. Only States can do that and get away with it. Facebook isn't at THAT level yet.

2
0
Silver badge

Bastard Facebook again!

Oh . . .

9
1
Silver badge
Thumb Down

Sorry but this is like the otherwise faultless sports car the Mythbusters buried (?) a few pig carcasses in then dug up and attempted to clean up and sell - it might all be level in theory, but the stench of the attached brand is just so nauseating I'd never touch this in a billion years, no matter how many times it gets confirmed as completely legit. Also, Greeks and gifts. No. Fuck off, Facebook.

7
9
Silver badge

"Also, Greeks and gifts."

I counter with "Don't look a gift horse in the mouth."

1
1
Silver badge

Bollocks

The government love the encrypted group chat provided by Facebook. All they need is to compromise one member and voila - the whole group is compromised.

For an example of how people tried to use encrypted group chat and how the government went to leverage it against them see the analysis of the recent Turkish coup. It was on el reg somewhere, too lazy to search.

3
5
Anonymous Coward

Re: Bollocks

So did you read the article at all, where it discussed how this group chat was different from the other group chats (including the ones currently offered by facebook) in that this algorithm has Post Compromise Security?

Guess the urge to come directly to the comments and shout obscenities was just too great.

8
4
Silver badge

Re: Bollocks

Post Compromise Security?

Post Compromise Security is useless if you do not know that a member has been compromised and it is the adversary listening to the chat instead. That is one lesson from the Turkish putch analysis - governments actually LOVE group chats instead of various person-to-person relay methods. All it takes is one application of a rubber hose for them to get in and sit and listen for a sufficient amount of time to pick up everyone.

Nothing new in this too - no insurgency or resistance with "large distribution" channels has ever succeeded. There is a reason why WW2 resistance always used the principle of cells and deliberate fragmentation. It is easier to detect compromise and cut-off a compromised branch than in a flat large distribution group.

6
2
tfb
Silver badge
Boffin

Re: Bollocks

Anything is useless if one of the people you are talking to turns out to be the enemy (whether they started out as the enemy or became the enemy after application of RH). That does not mean that you should just give up: it's still possible to reduce the problems, even if they can't be made to vanish completely.

3
0
Silver badge

Re: Bollocks

From various reporting over the last year, it seems like the UK government at least does love group chat, because it allows all sorts of members of the government to chat to each other in a way which is very unlikely to to be readable by either the press, or FoI requests.

5
0
Silver badge
Stop

"it was “ridiculous” that the Feds have seized nearly 8,000 phones they can't access"

What seems ridiculous to me is that the Feds have seized 8000 phones and have no other clue as to the culpability of the suspects.

Do your job : gather suspicions, follow the suspects, inquire about their lives, and THEN swoop in with reasonable cause and gather all the rest.

If you have nothing but the phones to go on, you're not doing your job and you have no right to complain about it.

No backdoor access for the lazy.

7
0

Who really needs level of secrecy?!

As above, who really needs this level of secrecy? You shouldn't have your messages snooped through but if you're putting this much effort into keeping your conversation secret then I struggle to see what you're doing that isn't nefarious.

0
7
Silver badge
Windows

Re: Who really needs level of secrecy?!

@Richard1:

Hints:

Cat videos become the social equivalent of child porn

Climate Change becomes the new Nazi Manifesto

The concept of one citizen one vote becomes the equivalent of a panel van with Free Candy painted on the side.

You fail to see that you suffer from the privilege of at least moderate freedom, relative wealth, and some individuality. For the moment.

2
0
Anonymous Coward

"FB" and "FBI"

FB

FBI

Coincidence?

I don't think so...

0
2
Anonymous Coward

Re: "FB" and "FBI"

given what I see on facebook Intelligence is one of the last things I would append to their name

1
0
Silver badge

Re: "FB" and "FBI"

But.... But... The "I" stands for Investigation, not Intelligence.

On the other hand, as others have noted, the FBI seems to be sat on 8000 phones with no other evidence of the "perp's" guilt. So maybe they shouldn't have that last letter either, given they don't seem to be doing any actual investigating

2
0

See also: Group Messaging in WhatsApp and Signal

"due to flaws in both Signal and WhatsApp...it’s theoretically possible for strangers to add themselves to an encrypted group chat"

from Matthew Green's blog: https://blog.cryptographyengineering.com/2018/01/10/attack-of-the-week-group-messaging-in-whatsapp-and-signal/

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018