Browse > Home / Archive by category 'cybersecurity'

Several Security Pitfalls to Avoid in Software Design

February 6, 2025

Developers concerned about security should check out "Seven Types of Security Issues in Software Design" at InsBug. The article does leave out a few points we would have included. Using Microsoft software, for example, or paying for cyber security solutions that don’t work as licensees believe. And don’t forget engineering for security rather than expediency and cost savings. Nevertheless, the post makes some good points. It begins:

"Software is gradually defining everything, and its forms are becoming increasingly diverse. Software is no longer limited to the applications or apps we see on computers or smartphones. It is now an integral part of hardware devices and many unseen areas, such as cars, televisions, airplanes, warehouses, cash registers, and more. Besides sensors and other electronic components, the actions and data of hardware often rely on software, whether in small amounts of code or in hidden or visible forms. Regardless of the type of software, the development process inevitably encounters bugs that need to be identified and fixed. While major bugs are often detected and resolved before release or deployment by developers or testers, security vulnerabilities don’t always receive the same attention."

Sad but true. The seven categories include: Misunderstanding of Security Protection Technologies; Component Integration and Hidden Security Designs; Ignoring Security in System Design; Security Risks from Poor Exception Handling; Discontinuous or Inconsistent Trust Relationships; Over-Reliance on Single-Point Security Measures; and Insufficient Assessment of Scenarios or Environments. See the write-up for details on each point. We note a common thread—a lack of foresight. The post concludes:

"To minimize security risks and vulnerabilities in software design and development, one must possess solid technical expertise and a robust background in security offense and defense. Developing secure software is akin to crafting fine art — it requires meticulous thought, constant consideration of potential threats, and thoughtful design solutions. This makes upfront security design critically important."

Security should not be an afterthought. But after a breach, it is going to be fixed. Oh, the check is in the mail.

Cynthia Murrell, February 6, 2025

Written by Stephen E. Arnold · Filed Under cybersecurity, News | Leave a Comment 

Yo, MSFT-Types, Listen Up

January 23, 2025

Developers concerned about security should check out “Seven Types of Security Issues in Software Design” at InsBug. The article does leave out a few points we would have included. Using Microsoft software, for example, or paying for cyber security solutions that don’t work as licensees believe. And don’t forget engineering for security rather than expediency and cost savings. Nevertheless, the post makes some good points. It begins:

“Software is gradually defining everything, and its forms are becoming increasingly diverse. Software is no longer limited to the applications or apps we see on computers or smartphones. It is now an integral part of hardware devices and many unseen areas, such as cars, televisions, airplanes, warehouses, cash registers, and more. Besides sensors and other electronic components, the actions and data of hardware often rely on software, whether in small amounts of code or in hidden or visible forms. Regardless of the type of software, the development process inevitably encounters bugs that need to be identified and fixed. While major bugs are often detected and resolved before release or deployment by developers or testers, security vulnerabilities don’t always receive the same attention.”

Sad but true. The seven categories include: Misunderstanding of Security Protection Technologies; Component Integration and Hidden Security Designs; Ignoring Security in System Design; Security Risks from Poor Exception Handling; Discontinuous or Inconsistent Trust Relationships; Over-Reliance on Single-Point Security Measures; and Insufficient Assessment of Scenarios or Environments. See the write-up for details on each point. We note a common thread—a lack of foresight. The post concludes:

“To minimize security risks and vulnerabilities in software design and development, one must possess solid technical expertise and a robust background in security offense and defense. Developing secure software is akin to crafting fine art — it requires meticulous thought, constant consideration of potential threats, and thoughtful design solutions. This makes upfront security design critically important.”

Security should not be an afterthought. What a refreshing perspective.

Cynthia Murrell, January 23, 2025

Written by Stephen E. Arnold · Filed Under cybersecurity, News | Leave a Comment 

FOGINT: Are Secure Communications Possible? DekkoSecure Says, “Yes

January 15, 2025

fog from gifer 8AC8 small Prepared by the FOGINT research team.

For a project in 2023 and 2024, the FOGINT team worked on secure communications. We discovered that most of the alleged end-to-end messaging systems were not secure. The firm commissioning our report seemed surprised when we identified common points of vulnerability in existing E2EE systems. Furthermore, the FOGINT team itself was impressed with a handful of organizations resolving secure messaging issues in well-engineered ways. Furthermore, we noted that some of the most significant secure communication tools were drowned out by the consumer-centric solutions available. The idea that by making certain software available as open source was proof that these tools were indeed secure.

A telling example is the perception of Telegram Messenger as an end-to-end solution. It is not. And what about Zoom, a service which exploded during the Covid panic. Presumably hiring a “security guru” solved its problems of Zoom bombing and delivered “total security” addressed Zoom’s issues. That high profile hiring delivered PR, not security.

FOGINT wants to provide some information about a secure communications service that does provide a secure way to share content in image, audio, video, or text form. The solution was developed by Dmytro Bablinyuk and Jay Haybatov. In 2015 DekkoSecure began marketing its system. In the last decade DekkoSecure has emerged as a reliable provider of secure communication and collaboration tools, with a specialization in encrypted solutions tailored for the law enforcement, legal, healthcare, defense and government sectors. Their comprehensive platform seamlessly integrates four main product lines, each designed to address critical security and usability needs.

The firm’s Digital Signature Software offers robust features such as audit trails for document tracking, mobile signature support, customizable templates, automated reminder systems, and strong authentication protocols. This software ensures that document signing processes are both secure and efficient, meeting the stringent requirements of various industries. Key features of the solution include:

  • Secure File Sharing is another cornerstone of DekkoSecure’s platform, providing end-to-end encryption for files both in transit and at rest. It supports real-time collaboration, version control, integrated workflow management, and a user-friendly drag-and-drop interface. These features enable secure and efficient file management and collaboration across teams.
  • The company’s Cloud Storage Service boasts granular access controls, cross-device synchronization, compliant archiving and retention, and version history management. This service ensures that sensitive data is stored securely, accessible when needed, and meets regulatory compliance standards. The firm’s Zero Trust/Zero Knowledge encryption is new to the U.S. law enforcement market and provides clients comfort that only authorized and authenticated users can access files, which includes DekkoSecure not having access to the files.
  • Security Software — The company incorporates protection from bots, viruses and malware and incorporating a screening process for all files uploaded to the users system.

Key competitive advantages of DekkoSecure include its all-in-one platform integration, user-friendly interface, strong security focus, and a comprehensive feature set. These strengths make it an attractive option for various target markets, including small to medium-sized businesses, large enterprises, government agencies, and remote workforces.

However, DekkoSecure faces certain challenges. The system is tailored to the needs of law enforcement, courts, and healthcare. The company employs a data usage pricing structure and does not limit the number of users in an organization. Also, although the system is easy-to-use, the firm’s engineers work with clients to ensure that the platform has the processes, look and feel they require prior to implementation. And, looking ahead to 2025, DekkoSecure will benefit from the US FBI’s suggestion that encrypted communications become the standard for organizations and individuals.

Net net: DekkoSecure’s focus on encryption and user experience, combined with its broad feature set, makes it particularly appealing to organizations handling sensitive data. Despite the platform’s complexity posing challenges for some users, its integrated approach to secure communication and collaboration offers significant value for businesses seeking to consolidate their security tools.

Stephen E Arnold, January 15, 2025

Written by Stephen E. Arnold · Filed Under cybersecurity, Fogint, News | Leave a Comment 

FOGINT: A Shocking Assertion about Israeli Intelligence Before the October 2023 Attack

January 13, 2025

fog from gifer 8AC8 small A post from the FOGINT team.

One of my colleagues alerted me to a new story in the Jerusalem Post. The article is “IDF Could’ve Stopped Oct. 7 by Monitoring Hamas’s Telegram, Researchers Say.” The title makes clear that this is an “after action” analysis. Everyone knows that thinking about the whys and wherefores right of bang is a safe exercise. Nevertheless, let’s look at what the Jerusalem Post reported on January 5, 2025.

First, this statement:

“These [Telegram] channels were neither secret nor hidden — they were open and accessible to all.” — Lt.-Col. (res.) Jonathan Dahoah-Halevi

Telegram puts some “silent” barriers to prevent some third parties from downloading in real time active discussions. I know of one Israeli cyber security firm which asserts that it monitors Telegram public channel messages. (I won’t ask the question, “Why didn’t analysts at that firm raise an alarm or contact their former Israeli government employers with that information? Those are questions I will sidestep.)

Second, the article reports:

These channels [public Telegram channels like Military Tactics] were neither secret nor hidden — they were open and accessible to all. The “Military Tactics” Telegram channel even shared professional content showcasing the organization’s level of preparedness and operational capabilities. During the critical hours before the attack, beginning at 12:20 a.m. on October 7, the channel posted a series of detailed messages that should have raised red flags, including: “We say to the Zionist enemy, [the operation] coming your way has never been experienced by anyone,” “There are many, many, many surprises,” “We swear by Allah, we will humiliate you and utterly destroy you,” and “The pure rifles are loaded, and your heads are the target.”

Third, I circled this statement:

However, Dahoah-Halevi further asserted that the warning signs appeared much earlier. As early as September 17, a message from the Al-Qassam Brigades claimed, “Expect a major security event soon.” The following day, on September 18, a direct threat was issued to residents of the Gaza border communities, stating, “Before it’s too late, flee and leave […] nothing will help you except escape.”

The attack did occur, and it had terrible consequences for the young people killed and wounded and for the Israeli cyber security industry, which some believe is one of the best in the world. The attack suggested that marketing rather than effectiveness created an impression at odds with reality.

What are the lessons one can take from this report? The FOGINT team will leave that to you to answer.

Stephen E Arnold, January 13, 2025

Written by Stephen E. Arnold · Filed Under cybersecurity, Fogint, News, Text processing | Leave a Comment 

Identifying Misinformation: A Task Not Yet Mastered

January 8, 2025

Hopping Dino_thumb_thumb_thumb_thumb_thumb_thumb_thumb_thumb_thumb_thumbThis is an official dinobaby post. No smart software involved in this blog post.

On New Year’s eve the US Department of Treasury issued a news release about Russian interference in the recent US presidential election. Tucked into the document “Treasury Sanctions Entities in Iran and Russia That Attempted to Interfere in the U.S. 2024 Election” was this passage:

GRU-AFFILIATED ENTITY USES ARTIFICIAL INTELLIGENCE TOOLS TO INTERFERE IN THE U.S. 2024 ELECTION

The Moscow-based Center for Geopolitical Expertise (CGE), founded by OFAC-designated [Office of Foreign Asset Control — Editor] Aleksandr Dugin, directs and subsidizes the creation and publication of deepfakes and circulated disinformation about candidates in the U.S. 2024 general election. CGE personnel work directly with a GRU unit that oversees sabotage, political interference operations, and cyberwarfare targeting the West. Since at least 2024, a GRU officer and CGE affiliate directed CGE Director Valery Mikhaylovich Korovin (Korovin) and other CGE personnel to carry out various influence operations targeting the U.S. 2024 presidential election. At the direction of, and with financial support from, the GRU, CGE and its personnel used generative AI tools to quickly create disinformation that would be distributed across a massive network of websites designed to imitate legitimate news outlets to create false corroboration between the stories, as well as to obfuscate their Russian origin. CGE built a server that hosts the generative AI tools and associated AI-created content, in order to avoid foreign web-hosting services that would block their activity. The GRU provided CGE and a network of U.S.-based facilitators with financial support to: build and maintain its AI-support server; maintain a network of at least 100 websites used in its disinformation operations; and contribute to the rent cost of the apartment where the server is housed. Korovin played a key role in coordinating financial support from the GRU to his employees and U.S.-based facilitators. In addition to using generative AI to construct and disseminate disinformation targeting the U.S. electorate in the lead up to the U.S. 2024 general election, CGE also manipulated a video it used to produce baseless accusations concerning a 2024 vice presidential candidate in an effort to sow discord amongst the U.S. electorate. Today, OFAC is designating CGE and Korovin pursuant to E.O. 13848 for having directly or indirectly engaged in, sponsored, concealed, or otherwise been complicit in foreign malign influence in the 2024 U.S. election. Additionally, OFAC is designating CGE pursuant to E.O. 13694, as amended, E.O. 14024, and section 224 of the Countering America’s Adversaries Through Sanctions Act of 2017 (CAATSA) for being owned or controlled by, or having acted or purported to act for or on behalf of, directly or indirectly, the GRU, a person whose property and interests in property are blocked pursuant to E.O. 13694, as amended, E.O. 14024, and section 224 of CAATSA.  OFAC is also designating Korovin pursuant to E.O. 14024 for being or having been a leader, official, senior executive officer, or member of the board of directors of CGE, a person whose property and interests in property are blocked pursuant to E.O. 14024.

Several questions arise:

  1. Was the smart software open source or commercial? What model or models powered the misinformation effort?
  2. What functions could intermediaries / service providers add to their existing systems to identify and block the actions of an adversary’s operative? (Obviously existing software to identify “fake” content do not work particularly well.)
  3. What safeguard standards can be used to prevent misuse of smart software? Are safeguard standards possible or too difficult to implement in a “run fast and break things” setting?
  4. What procedures and specialized software are required to provide security professionals with a reliable early warning system? The fact of this interference illustrates that the much-hyped cyber alert services do not function in a way sufficiently accurate to deal with willful misinformation “factories.”

Stephen E Arnold, January 8, 2025

Written by Stephen E. Arnold · Filed Under cybersecurity, Government, News | Leave a Comment 

UK The Register Emits News of Chinese Cyber Excreta

January 8, 2025

Hopping Dino_thumb_thumb_thumb_thumbThis is an official dinobaby post. No smart software involved in this blog post.

I loved this write up from the UK’s The Register online information service: “China’s Cyber Intrusions Took a Sinister Turn in 2024.” The write up gathers together some notable cyber events and links them to the Middle Kingdom. Examples include:

  1. Router exploits
  2. Compromising infrastructure of major American cities
  3. The exfiltration of data from US telephony companies

The write up includes the zippy names cyber security researchers give these exploits and their perpetrators; for example, Volt Typhoon and Vanguard Panda.

Perhaps the most important statement in the article is, in my opinion:

“We cannot say with certainty that the adversary has been evicted, because we still don’t know the scope of what they’re doing,” Jeff Greene, CISA’s executive assistant director for cybersecurity, told reporters during a Salt Typhoon briefing in early December.

Several observations:

  1. The attacks are not confined to the estimable Microsoft software; more commercial software is providing warm, comfortable havens for attacking systems and stealing data
  2. The existing cyber security systems — no matter what the marketers say in sales material and at law enforcement / intelligence conferences — does not work very well
  3. Different cyber investigators discover novel, unknown, and possibly unique exploits unearthed and exploited by bad actors in China. Other countries enjoy the fruits of lousy security too I want to add.

So what? What happens if one shoots enough bullets at Butch Cassidy’s and the Sundance Kids’ adobe hideout? Answer: It falls down. Each exploit is a digital bullet hole. Without remediation — serious remediation — the US may suffer some structural collapses. PR, smarmy talk, and excuses won’t do the job.

Stephen E Arnold, January 8, 2025

Written by Stephen E. Arnold · Filed Under Business strategy, cybersecurity, Government, News | Leave a Comment 

China Smart, US Dumb: The Deepseek Interview

January 6, 2025

Hopping Dino_thumb_thumb_thumbThis is an official dinobaby post. I used AI to assist me in this AI. In fact, I used the ChatGPT system which seems to be the benchmark against which China’s AI race leader measures itself. This suggests that Deepseek has a bit of a second-place mentality, a bit of jealousy, and possibly a signal of inferiority, doesn’t it?

Deepseek: The Quiet Giant Leading China’s AI Race” is a good example of what the Middle Kingdom is revealing about smart software. The 5,000 word essay became available as a Happy New Year’s message to the US. Like the girl repairing broken generators without fancy tools, the message is clear to me: 2025 is going to be different.

image

Here’s an abstract of the “interview” generated by a US smart software system. I would have used Deepseek, but I don’t have access to it. I used the ChatGPT service which Deepseek has surpassed to create the paragraph below. Make sure the summary is in line with the ChinaTalk original and read the 5,000 word original and do some comparisons.

Deepseek, a Chinese AI startup, has emerged as an innovator in the AI industry, surpassing OpenAI’s o1 model with its R1 model on reasoning benchmarks. Backed entirely by High-Flyer, a top Chinese quantitative hedge fund, Deepseek focuses on foundational AI research, eschewing commercialization and emphasizing open-source development. The company has disrupted the AI market with breakthroughs like the multi-head latent attention and sparse mixture-of-experts architectures, which significantly reduce inference and computational costs, sparking a price war among Chinese AI developers. Liang Wenfeng, Deepseek CEO, aims to achieve artificial general intelligence through innovation rather than imitation, challenging the common perception that Chinese companies prioritize commercialization over technological breakthroughs. Wenfeng’s background in AI and engineering has fostered a bottom-up, curiosity-driven research culture, enabling the team to develop transformative models. Deepseek Version 2 delivers unparalleled cost efficiency, prompting major tech giants to reduce their API prices. Deepseek’s commitment to innovation extends to its organizational approach, leveraging young, local talent and promoting interdisciplinary collaboration without rigid hierarchies. The company’s open-source ethos and focus on advancing the global AI ecosystem set it apart from other large-model startups. Despite industry skepticism about China’s capacity for original innovation, Deepseek is reshaping the narrative, positioning itself as a catalyst for technological advancement. Liang’s vision highlights the importance of confidence, long-term investment in foundational research, and societal support for hardcore innovation. As Deepseek continues to refine its AGI roadmap, focusing on areas like mathematics, multimodality, and natural language, it exemplifies the transformative potential of prioritizing innovation over short-term profit.

I left the largely unsupported assertions in this summary. I also retained the repeated emphasis on innovation, originality, and local talent. With the aid of smart software, I was able to retain the essence of the content marketing propaganda piece’s 5,000 words.

You may disagree with my viewpoint. That’s okay. Let me annoy you further by offering several observations:

  1. The release of this PR piece coincides with additional information about China’s infiltration of the US telephone network and the directed cyber attack on the US Treasury.
  2. The multi-pronged content marketing / propaganda flow about China’s “local talent” is a major theme of these PR efforts. From the humble brilliant girl repairing equipment with primitive tools because she is a “genius” to the notion that China’s young “local talent” have gone beyond what the “imported” talent in the US has been able to achieve are two pronged. One tine of the conceptual pitchfork is that the US is stupid. The other tine is that China just works better, smarter, faster, and cheaper.
  3. The messaging is largely accomplished using free or low cost US developed systems and methods. This is definitely surfing on other people’s knowledge waves.

Net net: Mr. Putin is annoyed that the European Union wants to block Russia-generated messaging about the “special action.” The US is less concerned about China’s propaganda attacks. The New Year will be interesting, but I have lived through enough “interesting times” to do much more than write blogs posts from my outpost in rural Kentucky. What about you, gentle reader? China smart, US dumb: Which is it?

Stephen E Arnold, January 6, 2025

Written by Stephen E. Arnold · Filed Under AI, Business strategy, cybersecurity, Government, News | Leave a Comment 

MUT Bites: Security Perimeters May Not Work Very Well

December 26, 2024

Hopping Dino_thumb_thumb_thumb_thumb_thumb_thumb_thumb_thumb_thumb_thumbThis blog post is the work of an authentic dinobaby. No smart software was used.

I spotted a summary of an item in Ars Technica which recycled a report from Checkmarx and Datadog Security Labs. If you want to read “Yearlong Supply Chain Attack Targeting Security Pros Steals 390,000 Credentials.” I want to skip what is now a soap opera story repeated again and again: Bad actors compromise a system, security professionals are aghast, and cybersecurity firms license more smart, agentic enabled systems. Repeat. Repeat. Repeat. That’s how soap operas worked when I was growing up.

Let’s jump to several observations:

  1. Cyber defenses are not working
  2. Cyber security vendors insist their systems are working because numerous threats were blocked. Just believe our log data. See. We protected you … a lot.
  3. Individual cyber security vendors are a cohort which can be compromised, not once in a mad minute of carelessness. No. Compromised for — wait for it — up to a year.

The engineering of software and systems is, one might conclude, rife with vulnerabilities. If the cyber security professionals cannot protect themselves, who can?

Stephen E Arnold, December 26, 2024

Written by Stephen E. Arnold · Filed Under cybersecurity, News | Comments Off on MUT Bites: Security Perimeters May Not Work Very Well 

FReE tHoSe smaRT SoFtWarEs!

December 25, 2024

animated-dinosaur-image-0062No smart software involved. Just a dinobaby’s work.

Do you have the list of stop words you use in your NLP prompts? (If not, click here.) You are not happy when words on the list like “b*mb,” “terr*r funding,” and others do not return exactly what you are seeking? If you say, “Yes”, you will want to read “BEST-OF-N JAILBREAKING” by a Frisbee team complement of wizards; namely, John Hughes, Sara Price, Aengus Lynch, Rylan Schaeffer, Fazl Barez, Sanmi Koyejo, Henry Sleight, Erik Jones, Ethan Perez, and Mrinank Sharma. The people doing the heavy lifting were John Hughes (a consultant who does work for Speechmatics and Anthropic) and Mrinank Sharma (an Anthropic engineer involved in — wait for it — adversarial robustness).

The main point is that Anthropic linked wizards have figured out how to knock down the guard rails for smart software. And those stop words? Just whip up a snappy prompt, mix up the capital and lower case letters, and keep sending the query to a smart software. At some point, those capitalization and other fixes will cause the LLM to go your way. Want to whip up a surprise in your bathtub? LLMs will definitely help you out.

The paper has nifty charts and lots of academic hoo-hah. The key insight is what the many, many authors call “attack composition.” You will be able to get the how-to by reading the 73 page paper, probably a result of each author writing 10 pages in the hopes of landing an even more high paying, in demand gig.

Several observations:

  1. The idea that guard rails work is now called into question
  2. The disclosure of the method means that smart software will do whatever a clever bad actor wants
  3. The rush to AI is about market lock up, not the social benefit of the technology.

The new year will be interesting. The paper’s information is quite the holiday gift.

Stephen E Arnold, December 25, 2024

Written by Stephen E. Arnold · Filed Under AI, cybercrime, cybersecurity, News | Comments Off on FReE tHoSe smaRT SoFtWarEs! 

Apple and Google Texting Bad. So What Are the Options?

December 17, 2024

animated-dinosaur-image-0049_thumb_thumb_thumb_thumb_thumb_thumb_thumbThis blog post flowed from the sluggish and infertile mind of a real live dinobaby. If there is art, smart software of some type was probably involved.

This headline caught my attention: “FBI Warns iPhone and Android Users to Stop Texting Each Other for a Disturbing Reason.” What is that disturbing reason? According to the online article cited:

Both the FBI and US Cybersecurity and Infrastructure Security Agency are warning users to use a messaging app instead and one that uses end-to-end encryption. The warning comes amid a major cyberattack that has been called ‘unprecedented’ by the press. The attack has impacted telecommunications companies such as AT&T and Verizon. By using encrypted messaging apps, texters can keep their messages hidden from hackers. The hacking campaign has been nicknamed Salt Typhoon by Microsoft and it has not been fully solved. NBC News called it ‘one of the largest intelligence compromises in US history’.

Interesting. I recall that AT&T was not particularly chatty when information about a security compromise floated around. T-Mobile has experienced a few security issues as well. And Verizon? Same boat.

image

It is interesting that a sinking boat is an image several art generators refuse to produce. Anyway, Midjourney — after a lot of semantic wrangling spit out this good enough image.

After reading the article, I decided to navigate to X.com and ask Grok what the options were for a person who has muscle memory for texting folks from an Apple or Android mobile device? To use Grok, navigate to the tweeter, log in, and look for the Grok word on the displayed page. I went through these hoops slowly because when I queried Google about “how to use Grok”, the Google told me I had to sign up for a premium membership. That was wrong. No wonder Google is a service I find a bit short of the target.

Here are the services Grok (Mr. Musk’s smart software designed to compete in the Big Boy AI dodgeball contest). I quote the tweet thing’s smart output:

  • “Signal: Known for its strong privacy features, Signal offers end-to-end encryption for texts, voice calls, and video calls. It’s open-source, which adds to its credibility for privacy-conscious users. Signal is available on both Android and iOS, making it a great cross-platform option.
  • WhatsApp: With over 2 billion users, WhatsApp is a popular choice for cross-platform messaging. It supports text, voice, and video calls with end-to-end encryption. However, it’s worth noting that WhatsApp is owned by Meta (formerly known as Facebook), which might be a concern for privacy.
  • Telegram: Offers a wide range of features like large group chats, channels, bots, and self-destructing messages. While it provides end-to-end encryption in its “Secret Chat” mode, not all chats are encrypted by default, which could be a privacy concern for some users. Telegram is available on both Android and iOS.
  • Facebook Messenger: Another Meta-owned service, it’s widely used due to its integration with the social network. It supports free calls, video chats, and even has features like payment options in some regions. However, its privacy policies are often scrutinized.
  • Google Chat: Part of Google Workspace, this app provides a platform for both personal and work-related communications with features like spaces for team collaboration. It’s integrated well with other Google services, although its adoption outside of Google’s ecosystem is less widespread.
  • Viber: Offers free calls and messages, including stickers, GIFs, and public chats. Its user base is significant in certain regions but less so globally compared to WhatsApp or Telegram. Viber also has end-to-end encryption for calls and messages.
  • Spike: Described as an email-based messaging app, Spike combines email and chat functionality, making it suitable for both personal and professional use. It’s noted for its cross-platform capabilities and privacy focus.
  • SimpleX Chat: An open-source, privacy-focused chat app that doesn’t require phone numbers for registration, focusing on decentralization and user privacy.
  • Element (formerly Riot.im): Based on the Matrix protocol, it’s an open-source, decentralized platform that supports secure, encrypted communication. It’s good for those looking for privacy with the flexibility of self-hosting.
  • Beeper: An all-in-one messaging app that aims to unify various messaging services into one platform, although it has limitations like no official iMessage support due to Apple’s policies.”

Each of these apps is allegedly an E2EE or end-to-end encrypted messaging service. These are not presented in alphabetical order. I assume that Grok is providing the names in a rank ordering based on some criteria not explained to me. But that’s the future of smart software. Just do something and say, “Good enough.”

I noted several things about this list:

  1. There are no Chinese messaging apps. Is this censorship from an outfit seemingly concerned about free speech. I was surprised at the omission of QQ and WeChat with appropriate surveillance notices from Grok.
  2. One approach is for messaging clients to rely on Extensible Messaging and Presence Protocol. Conversations for Android and ChatSecure for iOS were at one time options.
  3. Inclusion of Telegram is definitely interesting because Pavel Durov has reversed course and now cooperates with law enforcement. Telegram has even played nice with anti-CSAM organizations. The about face coincided with his detainment by French authorities.
  4. The Grok listing does not include new and possible interesting services like PrivateLine.io., which illustrates the shallow nature of the knowledge exposed to these smart systems. (Even Yandex.com lists this service in its search results.)
  5. Alphabetizing lists is just not part of the 2024 world it seems.

There are some broader questions about encrypted messaging which are not addressed in the cited write up or the Grok “smart” output; for example:

  1. Are other messaging apps encrypted end to end or are there “special” operations which make the content visible and loggable once the user sends the message?
  2. Is the encryption method used by these apps “unbreakable”?
  3. Are the encryption methods home grown or based on easily inspected open source methods?
  4. What entities have access to either the logged data about a message or access to the message payload?

The alarm has been sounded about the failure of some US telecommunications companies to protect their own systems and by extension the security of their customers. But numerous questions remain with partial or no answers. Answers are, from my point of view, thin.

Stephen E Arnold, December 17, 2024

Written by Stephen E. Arnold · Filed Under cybersecurity, News, Privacy | Comments Off on Apple and Google Texting Bad. So What Are the Options? 

« Previous PageNext Page »

  • Archives

  • Recent Posts

  • Meta