NoGoolag
Riot Web 1.6, RiotX Android 0.19 & Riot iOS 0.11 — E2E Encryption by Default & Cross-signing is here!!

Hi folks,

We are incredibly excited to present the biggest change in Riot ever: as of the last 24 hours we are enabling end-to-end encryption by default for all new non-public conversations, together with a complete rework of Riot’s user experience around E2E encryption, powered by a whole new suite of encryption features in Matrix. We have released this simultaneously on Web, Desktop, iOS and RiotX Android!

👉🏼 Web:
https://riot.im/app

👉🏼 Desktop:
https://riot.im/download/desktop/

👉🏼 iOS:
https://apps.apple.com/us/app/riot-im/id1083446067

👉🏼 RiotX Android:
https://play.google.com/store/apps/details?id=im.vector.riotx

💡 More info:
https://blog.riot.im/e2e-encryption-by-default-cross-signing-is-here/

#riot #matrix #messenger #e2e #encryption #android #iOS
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
Five-Eyes intelligence services to help Europe circumvent encryption

Strongly secured chats annoy secret services and prosecutors worldwide. On this sensitive issue, the EU states are now to coordinate with the powerful Anglo-Saxon secret service alliance.

In future, the EU states are to work closely with the Anglo-Saxon secret service alliance of the "Five Eyes" to circumvent secure encryption in digital communications. This can be seen from documents sent to the member states by the German EU Council Presidency and available to the Süddeutsche Zeitung. As "Five Eyes", the secret services of the USA, Great Britain, Australia, New Zealand and Canada are cooperating with each other.

A report by the Austrian radio station ORF had already pointed out two weeks ago the similarity of the wording in the draft EU paper with a statement by the secret service alliance "Five Eyes" as well as India and Japan on October 11, which also demanded "lawful access to encrypted communication". Another paper from the EU Council of Ministers now substantiates this suspicion: The document called "Recommendations for the future handling of the encryption issue" is dated November 16 and has been submitted to the SZ.

The document is addressed to the EU member states and is a kind of handout. Point six states that governments should engage in a close dialogue on the topic with the initiators of the paper "End-to-End-Encryption and Public Safety". This is the declaration of the Five Eyes countries, as well as India and Japan, in which they call on companies such as Facebook to allow states access to encrypted content.

👀 👉🏼 Translated with DeepL
https://www.sueddeutsche.de/digital/geheimdienste-verschluesselung-crypto-wars-messenger-1.5131084

#fiveeyes #intelligence #eu #encryption #messenger #cryptowars #thinkabout
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
Threema boss: Master key for secret services "not possible at all"

The head of the messenger service Threema has sharply criticized demands for access to private chat messages for state security authorities. "These demands for a master key testify to the inexperience of the authorities," Martin Blatter told Welt am Sonntag. Technically, he said, it was not even possible. "We don't have a master key that we could deposit. The encryption is done by the users and not by us."

"Criminals almost always already known to the authorities"

In mid-November, alleged plans by EU countries to ban the secure encryption of messages on channels such as WhatsApp caused a great stir. The German EU Council Presidency had drafted a resolution on the subject. However, the paper was vaguely formulated and did not go into detail about how security authorities should be able to decrypt encrypted messages. Nevertheless, civil rights activists and data protectionists strongly criticized the initiative.

Blatter also emphasized that in the case of terrorist attacks, the perpetrators were almost always already known to the authorities and on file. "This means that politicians have not managed to protect citizens". In the newspaper interview, he also spoke of U.S. secret services having forced manufacturers of routers to install back doors, which in the end were also used by China.

👀 👉🏼 Translated with DeepL
https://telegra.ph/Threema-Chef-Generalschl%C3%BCssel-f%C3%BCr-Geheimdienste-gar-nicht-m%C3%B6glich-11-29

via www.heise.de

#fiveeyes #intelligence #eu #encryption #messenger #threema #cryptowars #thinkabout
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
Whatsapp, Threema & Co.: Messenger must hand over personal data

A new telecommunications law provides new surveillance powers for security authorities. It also includes data retention.

The new Telecommunications Act (TKG) has it all. On 465 pages, messengers and e-mail are declared to be telecommunications services, thus introducing surveillance powers similar to those for conventional telephones. Data retention and faster network expansion also appear in the bill. This is to be decided on a fast-track basis.

Whereas many of the provisions of the Telecommunications Act previously applied to Internet providers or telephone providers, they will now be extended to so-called over-the-top services such as e-mail providers or messengers like Whatsapp, Signal, Threema, Telegram or Wire. According to the so-called Gmail ruling of the European Court of Justice (ECJ), these are not telecommunications services, and accordingly the surveillance powers of the security authorities do not apply to them.

With the TKG amendment, messengers that collect inventory data such as name, address or an identifier such as phone number, user name or other ID are obliged to store this data and hand it over to security authorities upon request, even if the account has already been deleted.

👉🏼 Source 🇩🇪 👈🏼
https://www.golem.de/news/whatsapp-threema-co-messenger-sollen-bestandsdaten-herausgeben-muessen-2012-152770.html

#whatsapp #threema #telegram #personaldata #surveillance #authorities #messenger #netpolitics #thinkabout
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@NoGoolag
📡@BlackBox
Facebook and Instagram disable features in Europe

Facebook is disabling several features in its Messenger and Instagram apps for people in Europe, to make sure they comply with a change in privacy rules.

From 21 December, messaging apps will fall under EU rules known as the ePrivacy directive.

Facebook has decided to switch off several interactive options and offer just a core messaging service until it can add the extras back in.

Group chat polls on Messenger are among the tools to be switched off.

The ability to set nicknames for friends on Messenger will also be deactivated, while the sharing of augmented-reality face filters via direct message on Instagram will also be switched off in Europe.

Facebook said it had not published a list of all the features it was suspending in Europe because it would be quickly reactivating ones that it was confident complied with the rules.

The core text messaging and calling options on Instagram and Messenger will not be affected.

"We're still determining the best way to bring these features back. It takes time to rebuild products in a way that work seamlessly for people and also comply with new regulation," the company said in a statement.

The tools will be deactivated for users across Europe in stages, so some people may find they can still use them for a few more days.

https://www.bbc.co.uk/news/technology-55350795

#DeleteFacebook #facebook #eu #messenger #instagram #ePrivacy
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@NoGoolag
📡@BlackBox
Threema publishes source code and lowers prices

The messenger service has disclosed its complete source code and cut its app prices by half.

After the service had already revealed its cryptographic processes to the public for some time, the next step now follows. The entire source code of the apps can now be viewed. It is subject to the third version of the GNU Affero General Public License (AGPLv3). Using reproducible builds, specialists can check at any time whether it matches the source code of the sales apps. Due to Apple's app store policies, this is currently only possible via the Android versions.

https://telegra.ph/Open-Source-Threema-publishes-source-code-and-lowers-prices---Aroged-12-21

via www.aroged.com

Source Code and Documentation:
https://threema.ch/de/open-source

👉🏼 Criticism (in German)
https://mastodon.social/@larma/105417391165300578

#threema #messenger #opensource
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
Signal: New Signal groups use Google servers

Some readers have pointed out to me that Signal appears to be using the Google Data Center to create / manage new Signal groups. The domain storage.signal.org resolves to the IP addresses:

216.239.32.21
216.239.34.21
216.239.36.21
and 216.239.38.21

These addresses belong to Google, Mountain View. The host name of these servers, or the reverse lookup, also resolves to the name any-in-2015.1e100.net.

The question now is, why the group function is linked to Google servers. Especially for privacy-sensitive users Google is a red flag - for a good reason: The sick WWW: Stop using Google Web-Services.

https://www.kuketz-blog.de/signal-neue-signal-gruppen-nutzen-google-server/

#signal #messenger #google #thinkabout #why
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
Signal: All communication takes place via tech giants like Amazon, Microsoft, Google and Cloudflare.

At Signal, all communication takes place via various tech giants such as Amazon, Microsoft, Google and Cloudflare. Broken down by domains, the following picture emerges:

❗️ Amazon: textsecure-service.whispersystems.org, cdn.signal.org, sfu.voip.signal.org
❗️ Google: storage.signal.org, contentproxy.signal.org
❗️ Microsoft: api.directory.signal.org, api.backup.signal.org
❗️ Cloudflare: cdn2.signal.org

Message exchange (textsecure-service.whispersystems.org) is done via Amazon AWS, for example, while Google Data Servers (storage.signal.org) are responsible for creating and managing the groups. This means that all communication is handled via central servers of the tech giants. Especially privacy-sensitive users may be put off by this, which I can understand. However, at least from an IT security perspective, I think the use of the rented servers is negligible, since Signal works with the zero-knowledge principle. Certainly, it would be desirable if the Signal Foundation hosted the servers itself. However, this would not necessarily mean a security gain. Nevertheless, this is a point of criticism, since this naturally also flushes money into the coffers of the tech data octopuses.

https://www.kuketz-blog.de/signal-jegliche-kommunikation-erfolgt-ueber-tech-giganten-wie-amazon-microsoft-google-und-cloudflare/

#signal #messenger #google #amazon #microsoft #thinkabout #why
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
Tencent has been caught spying on your web browsing history with QQ Messenger

QQ Messenger, a popular Chinese instant messaging app by Tencent, was caught scraping web browser history with their desktop client. The discovery was made by Chinese internet users on the Q&A platform Zhihu. Here is a Chinese language thread that documents the QQ Messenger web browsing history scraping investigation. Basically, all Chromium based web browsers store your internet history in an sqlite file in local storage. QQ Messenger would seek out this file and scrape the information, comparing it to a list of keywords and then phoning home if any matches were found.

After the spying revelation, Tencent quickly released a new version of QQ Messenger without the web history scraping functionality and claimed that the Chinese company was only previously looking at its millions of users’ web browsing history as a way of ”checking whether malicious programs were using certain websites to access QQ.”

This isn’t the first time Tencent has spied on users for the Chinese government

Since last year, QQ messenger has lost 6% of its active users – possibly because users have already started distrusting QQ and Tencent. Over the years, similar revelations about Tencent’s anti-privacy and weak security practices have come out especially in regards to QQ products. Back in 2016, the University of Toronto’s CitizenLab revealed that Tencent’s QQ Browser regularly sent personal information back to Tencent unencrypted. Furthermore, it became known that this overt lack of encryption was likely explicitly requested by “higher powers.”

https://www.privateinternetaccess.com/blog/tencent-has-been-caught-spying-on-your-web-browsing-history-with-qq-messenger/

#tencent #china #spying #browsing #history #qq #messenger #thinkabout #why
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
Overview / comparison of the current messengers

Every WhatsApp message feeds Zuckerberg's data octopus - but there are alternatives that you can use. If you want to get rid of WhatsApp, you have to look very carefully, depending on your needs, to see whether an alternative actually brings an improvement or whether you just end up jumping out of the frying pan into the fire. As a user, you are literally spoiled for choice. There are now so many messengers that it is almost impossible to evaluate or present every single one.

#messenger #overview #comparison
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
Telegram 7.4 now allows import of WhatsApp chats (and others)

Telegram has a nice feature for users who want to switch from WhatsApp to Telegram, for example. With the new version 7.4, which is currently being distributed for iOS, you can quickly import messages from WhatsApp into Telegram. We have tested this and it works perfectly, at least for text messages.

In WhatsApp, you go to a chat and click on the contact at the top, which takes you to the contact info - where you will probably also find the item "Export chat". This can be done with or without media. This ensures that the chat can be exported - but if you select Telegram and the person in question as the storage location, the chat is imported from WhatsApp into Telegram.

What we noticed: Media is not displayed, only the file names. Text chats, on the other hand, are correctly ported from WhatsApp to Telegram. That could certainly help one or the other. And if not, you can export the chat and save it as a ZIP file locally - the archive will then contain the text file and the media. Telegram also mentions Line and Kakao Talk as possible export messengers in the changelog.

https://stadt-bremerhaven.de/telegram-7-4-erlaubt-import-von-whatsapp-chats-und-weiteren/

#telegram #tg #whatsapp #DeleteWhatsapp #messenger #importieren #chats
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
Why You Should Stop Using Your Facebook Messenger App

If you’re one of the 1.3 billion people using Facebook Messenger, then you need to switch to an alternative. Facebook has suddenly confirmed significant delays with much needed security enhancements to the platform, enhancements that its own executives say are “essential.” Here’s what you need to know.

“The lessons of the past five years make it absolutely clear that technology companies and governments must prioritize private and secure communication.” So said senior Facebook exec Will Cathcart in a Wired opinion piece this week.

Cathcart currently heads WhatsApp, and his article focuses on the need for end-to-end encryption to be protected. He’s absolutely right. Such encryption is “essential,” there is “serious pressure to take it away,” and it “should not be taken for granted.”

I have warned users before to quit Facebook Messenger for alternatives. Beyond its lack of encryption, the platform is also open to content monitoring by Facebook itself, and I have also reported on other serious issues with its handling of your private data.

Now, this week, we have seen three separate events, all of which should give you every reason you need to make that change, to quit Messenger. First Cathcart’s rallying cry for users to use platforms with end-to-end encryption in place. Second, Facebook admitting that such security will not come to Messenger until some time in 2022, at the earliest. And, finally, another story on Facebook’s data mishandling.

https://www.forbes.com/sites/zakdoffman/2021/04/10/stop-using-facebook-messenger-on-your-apple-iphone-or-google-android-phone/

#facebook #DeleteFacebook #messenger #android #google #apple #smartphone #thinkabout
📡 @nogoolag 📡 @blackbox_archiv
Messenger Matrix (German / English)

The following matrix provides an overview of the different (technical) features of various messengers. Click on the matrix to open a larger view - the current status is noted at the top left.

👉🏼 English:
https://www.messenger-matrix.de/messenger-matrix-en.html

👉🏼 German:
https://www.messenger-matrix.de/messenger-matrix.html

#security #privacy #sustainability #messenger #kuketz
📡 @nogoolag 📡 @blackbox_archiv
All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers

Contact discovery allows users of mobile messengers to conveniently connect with people in their address book. In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods.

Our study of three popular mobile messengers (WhatsApp, Signal, and Telegram) shows that, contrary to expectations, large-scale crawling attacks are (still) possible. Using an accurate database of mobile phone number prefixes and very few resources, we have queried 10 % of US mobile phone numbers for WhatsApp and 100 % for Signal. For Telegram we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service.

https://www.ndss-symposium.org/wp-content/uploads/ndss2021_1C-3_23159_paper.pdf

#contact #messenger #telegram #whatsapp #signal #crawling #attacks #study #pdf
📡 @nogoolag 📡 @blackbox_archiv
All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers (Interesting quotes and conclusion)

💡 All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers (PDF)
https://t.me/BlackBox_Archiv/2042

Both WhatsApp and Telegram transmit the contacts of users in clear text to their servers (but encrypted during transit), where they are stored to allow the services to push updates (such as newly registered contacts) to the clients. WhatsApp stores phone numbers of its users in clear text on the server, while phone numbers not registered with WhatsApp are MD5-hashed with the country prefix prepended (according to court documents from 2014 [2]).

Signal does not store contacts on the server. Instead, each client periodically sends hashes of the phone numbers stored in the address book to the service, which matches them against the list of registered users and responds with the intersection. The different procedures illustrate a trade-off between usability and privacy: the approach of WhatsApp and Telegram can provide faster updates to the user with less communication overhead, but needs to store sensitive data on the servers.

💡Signal:

Our script for Signal uses 100 accounts over 25 days to check all 505 million mobile phone numbers in the US. Our results show that Signal currently has 2.5 million users registered in the US, of which 82.3 % have set an encrypted user name, and 47.8 % use an encrypted profile picture. We also cross-checked with WhatsApp to see if Signal users differ in their use of public profile pictures, and found that 42.3 % of Signal users are also registered on WhatsApp (cf. Tab. IV), and 46.3 % of them have a public profile picture there. While this is slightly lower than the average for WhatsApp users (49.6 %), it is not sufficient to indicate an increased privacy-awareness of Signal’s users, at least for profile pictures.

💡Telegram:

For Telegram we use 20 accounts running for 20 days on random US mobile phone numbers. Since Telegram’s rate limits are very strict, only 100,000 numbers were checked during that time: 0.9 % of those are registered and 41.9 % have a non-zero importer_count. These numbers have a higher probability than random ones to be present on other messengers, with 20.2 % of the numbers being registered with WhatsApp and 1.1 % registered with Signal, compared to the average success rates of 9.8 % and 0.9 %, respectively. Of the discovered Telegram users, 44 % of the crawled users have at least one public profile picture, with 2 % of users having more than 10 pictures available.

💡 Comparison WhatsApp | Signal | Telegram:

With its focus on privacy, Signal excels in exposing almost no information about registered users, apart from their phone number. In contrast, WhatsApp exposes profile pictures and the About text for registered numbers, and requires users to opt-out of sharing this data by changing the default settings. Our results show that only half of all US users prevent such sharing by either not uploading an image or changing the settings. Telegram behaves even worse: it allows crawling multiple images and also additional information for each user. The importer_count offered by its API even provides information about users not registered with the service. This can help attackers to acquire likely active numbers, which can be searched on other platforms.

💡 Conclusion:

Mobile contact discovery is a challenging topic for privacy researchers in many aspects. In this paper, we took an attacker’s perspective and scrutinized currently deployed contact discovery services of three popular mobile messengers: WhatsApp, Signal, and Telegram. We revisited known attacks and using novel techniques we quantified the efforts required for curious serv[...]

#contact #messenger #telegram #whatsapp #signal #crawling #attacks #comment #conclusion
📡 @nogoolag 📡 @blackbox_archiv
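
The hash-matching contact discovery described in the post above, with a server-side limit on new numbers per account, as an added example that is not part of the post or the paper. The SHA-256 scheme, the class and function names, the budget values and the phone numbers are constructed for illustration; 202,000 and 250 lookups per account per day are averages derived from the figures quoted above (505 million numbers, 100 accounts, 25 days; 100,000 numbers, 20 accounts, 20 days).

```python
import hashlib
from collections import defaultdict

DAY = 86_400  # seconds


class RateLimited(Exception):
    """Raised when an account asks about too many new numbers in 24 hours."""


def hash_number(e164: str) -> str:
    # Assumed for this example: SHA-256 over the E.164 string. The post names
    # no concrete scheme for the hashes a client sends.
    return hashlib.sha256(e164.encode("ascii")).hexdigest()


class DiscoveryServer:
    """Matches uploaded hashes against registered users, returns the intersection."""

    def __init__(self, registered, daily_budget):
        self._registered = {hash_number(n) for n in registered}
        self._budget = daily_budget
        # account -> {hash: time first seen}, kept for 24 hours only. Holding
        # even this much is a privacy cost paid for abuse resistance.
        self._recent = defaultdict(dict)

    def discover(self, account, hashes, now):
        recent = self._recent[account]
        for h in [h for h, ts in recent.items() if now - ts >= DAY]:
            del recent[h]
        # Only numbers not seen from this account in the last day cost budget,
        # so a periodic re-sync of a stable address book stays free.
        new = [h for h in dict.fromkeys(hashes) if h not in recent]
        if len(recent) + len(new) > self._budget:
            raise RateLimited(account)  # rejected request leaves state unchanged
        recent.update((h, now) for h in new)
        return self._registered.intersection(hashes)


def days_to_cover(number_space, accounts, per_account_daily_budget):
    """Days a fixed pool of accounts needs to query every number once."""
    per_day = accounts * per_account_daily_budget
    return -(-number_space // per_day)  # ceiling division


def demo():
    # Constructed numbers from the fictional 555-01xx range.
    server = DiscoveryServer(["+12025550101", "+12025550102"], daily_budget=4)
    book = [hash_number(n)
            for n in ("+12025550101", "+12025550150", "+12025550151")]
    first = server.discover("alice", book, now=0)
    again = server.discover("alice", book, now=3600)  # re-sync, no new numbers

    # An account that keeps submitting unseen numbers runs into the budget.
    sweep = [hash_number(f"+1202555017{i}") for i in range(5)]
    server.discover("bulk", sweep[:4], now=0)
    try:
        server.discover("bulk", sweep[4:], now=10)
        blocked = False
    except RateLimited:
        blocked = True
    return first, again, blocked


if __name__ == "__main__":
    print(demo())
    print(days_to_cover(505_000_000, 100, 202_000))  # rate implied for Signal
    print(days_to_cover(505_000_000, 100, 250))      # rate implied for Telegram
```

The budget has to be at least as large as a real address book, because every entry counts as new again once its 24-hour record expires.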
Off the Grid Messenger

Off The Grid (OTG) Messenger is an easy way for people to communicate through text messages when in remote areas. With a theoretical transmission range of 10 miles (16kms), OTG messenger can be used by groups of people to stay connected when they are in areas not serviced by mobile connectivity.

For portability and low power purposes, the device was created by re-purposing an old Nokia e63 phone I had laying around. The enclosure, LCD, keypad, backlighting and speaker have been re-used however the motherboard was re-designed from the ground up with low power components, a modern STM32 H7 microcontroller, an ISM LoRA radio and expanded flash memory.

https://github.com/TrevorAttema/OTGMessenger

Comments
https://news.ycombinator.com/item?id=27659105

https://hackaday.com/2021/06/26/lora-messenger-in-nokias-shell/

#otg #offthegrid #grid #im #messenger #alternatives #cellphone #mobile #nokia
simplex@mastodon.social - SimpleX Chat v5.1-beta.1 is released!

New in v5.1-beta.1:
- message reactions - finally!🚀
- self-destruct passcode.
- voice messages up to 5 minutes.
- custom time to disappear - can be set just for one message.
- message editing history.
- a setting to disable audio/video calls per contact.
- group welcome message visible in group profile.

Install the apps via the links here: https://github.com/simplex-chat/simplex-chat#install-the-app

More details: https://simplex.chat/blog/20230523-simplex-chat-v5-1-message-reactions-self-destruct-passcode.html

#privacy #security #messenger
KryptEY - Secure E2EE communication


An Android keyboard for secure end-to-end-encrypted messages through the Signal protocol in any messenger. Communicate securely and independently, regardless of the legal situation or whether messengers use E2EE. No server needed.
https://github.com/amnesica/KryptEY

F-Droid
https://f-droid.org/packages/com.amnesica.kryptey/
IzzyOnDroid
https://android.izzysoft.de/repo/apk/com.amnesica.kryptey

Reminder: new apps available in the F-Droid app may not immediately show on the F-Droid web site (i.e. when you share the app link it returns a 404 error); some extra time is needed for both to be available.
https://gitlab.com/fdroid/wiki/-/wikis/FAQ#how-long-does-it-take-for-my-app-to-show-up-on-website-and-client

#encryption #keyboard #E2EE #messenger #security #Signal