The Guardian and Cambridge University's Department of Computer Science unveil new secure technology to protect sources
Technology
64
Beiträge
23
Kommentatoren
303
Aufrufe
-
Academic paper: https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-999.pdf
The Guardian launches Secure Messaging, a world-first from a media organisation, in collaboration with the University of Cambridge
Secure Messaging is a new innovation for confidential story-sharing and source protection, underpinning the Guardian’s commitment to investigative journalism.
The Guardian has published the open source code for this important tech to enable adoption by other media organisations.the Guardian (www.theguardian.com)
Technical summary: it seems OK against an observer who can see the network traffic but hasn't infiltrated the phone of the source or the computer of the news organization.
Any real message is stored locally on the smartphone by the CoverDrop module and sent as the next CoverDrop message, i.e. replacing the dummy message which would otherwise have been sent. Consequently a network observer cannot determine whether any communication is taking place and CoverDrop therefore provides the potential source with plausible deniability.
The CoverNode and each journalist has their own public-private key pair. These keys are published by the news organization and available to the CoverDrop module directly so the user does not need know about them. When the CoverDrop module is used for the first time, it generates a new, random public-private key pair
for the user.All real CoverDrop messages sent by the CoverDrop module to the CoverNode include the text written by the potential source as well as their own public key. The message is first encrypted using the public key of the journalist who will ultimately receive the message, then encrypted a second time using the public key of the CoverNode. All dummy CoverDrop messages are encrypted using the public key of the CoverNode. All messages, real or dummy, are arranged to be the same, fixed length. Encryption and length constraints ensure that only the CoverNode can distinguish between real and dummy messages.
-
Technical summary: it seems OK against an observer who can see the network traffic but hasn't infiltrated the phone of the source or the computer of the news organization.
Any real message is stored locally on the smartphone by the CoverDrop module and sent as the next CoverDrop message, i.e. replacing the dummy message which would otherwise have been sent. Consequently a network observer cannot determine whether any communication is taking place and CoverDrop therefore provides the potential source with plausible deniability.
The CoverNode and each journalist has their own public-private key pair. These keys are published by the news organization and available to the CoverDrop module directly so the user does not need know about them. When the CoverDrop module is used for the first time, it generates a new, random public-private key pair
for the user.All real CoverDrop messages sent by the CoverDrop module to the CoverNode include the text written by the potential source as well as their own public key. The message is first encrypted using the public key of the journalist who will ultimately receive the message, then encrypted a second time using the public key of the CoverNode. All dummy CoverDrop messages are encrypted using the public key of the CoverNode. All messages, real or dummy, are arranged to be the same, fixed length. Encryption and length constraints ensure that only the CoverNode can distinguish between real and dummy messages.
To sum it up even more : this looks like standard end-to-end encryption, but any app user have the same network traffic, completed with fake data if no communication is needed.
-
Yeah but contrary to these listed, the judge know the guardian is a newspaper, they shouldn't be able to make him/her afraid in the same way they did.
Yeah but contrary to these listed, the judge know the guardian is a newspaper
The logic does not check out. Signal isn't going to integrate a news section and then suddenly be exempt from this regulation.
-
Yeah but contrary to these listed, the judge know the guardian is a newspaper
The logic does not check out. Signal isn't going to integrate a news section and then suddenly be exempt from this regulation.
It show you didn't read, I am explaining the article piece by piece. They used the lost a gave you to convince a judge it was a terrorist behavior. It is not forbidden to crypt things. And they would not have been able to convince a judge the news application guardian is a terrorist tool.
And I am bad a English so I am trying to resume a English article to you in broken English. I am sure I use the wrong word and as long as you don't read you can keep playing me. You are taking more time debating things I have an hard time explain than reading the article.
Do you wan me to copy paste in entirely here so you can avoid one click ? -
It show you didn't read, I am explaining the article piece by piece. They used the lost a gave you to convince a judge it was a terrorist behavior. It is not forbidden to crypt things. And they would not have been able to convince a judge the news application guardian is a terrorist tool.
And I am bad a English so I am trying to resume a English article to you in broken English. I am sure I use the wrong word and as long as you don't read you can keep playing me. You are taking more time debating things I have an hard time explain than reading the article.
Do you wan me to copy paste in entirely here so you can avoid one click ?I read the entire thing. I don't need it explained to me. It's clear just by looking at it that they're targeting all encrypted communications.
And they would not have been able to convince a judge the news application guardian is a terrorist tool.
I think it's pretty obvious that they could.
-
Except that signal is blocked by many companies Mobile Device Management. The one that don’t can typically see who has the app installed. This provides a new clever way to maybe whistleblow
Why would you expect any form of privacy on a device you don't own?
-
Why would you expect any form of privacy on a device you don't own?
I never said I did?
-
I never said I did?
Not "you" necessarily, "one".
I bring it up because you mentioned company MDM blocking signal. The fact that company MDM is active indicates its a company device (if it's not that's an entirely different conversation).
So why would one expect privacy on a device they don't own?
-
Not "you" necessarily, "one".
I bring it up because you mentioned company MDM blocking signal. The fact that company MDM is active indicates its a company device (if it's not that's an entirely different conversation).
So why would one expect privacy on a device they don't own?
Well more I’m pointing to the idea that you may be trying to whistleblow on said company and this may provide a more succinct way to do so
-
Well more I’m pointing to the idea that you may be trying to whistleblow on said company and this may provide a more succinct way to do so
I get that, but it's more logical to me that of I'm going to whistleblow on a company to not use one of their devices to do it. That way it doesn't matter what apps are or are not secure, you're not using their device that can potentially track you.
