A woman would normally produce this photo and write this caption. She is not here because of the International Womens Day strike.WIREDLeaks have plagued the Trump administration since he took office less than seven weeks ago. The presidents anger about these backchannels has grown, up to and including reported demands of an investigation into the source. Press secretary Sean Spicer has even apparently taken to doing random phone checks, supervised by White House attorneys, to see what staffers and aides are up to on their devices and whether they have secure communication apps.
In the midst of all of this, the end-to-end encrypted, disappearing messages app Confide has emerged as a popular choice among administration officials looking to discuss sensitive topics with coworkers, the press, or other groups. But in spite of Confides claims that it gives you the comfort of knowing that your private messages will now truly stay that way, researchers at security firm IOActive recently notified its developers of a number of critical vulnerabilities in the app. Those have since been resolved, but thats small consolation for White House staffers and general users who relied on Confide while it was exposed.
IOActive found vulnerabilities in numerous areas of the Confide app on Windows, macOS, and Android. By reverse-engineering the applications to see how they work and where they might have weaknesses and probing Confides public API to see what data could be accessible to anyone, the researchers discovered that they could alter messages and attachments in transit, decrypt messages, impersonate users, and reconstruct a database of all Confide users, their names, email addresses, and phone numbers. Its a concerning list of potential attacks for an app that touts security and privacy as its main offerings.
In total, the IOActive researchers laid out 11 vulnerabilities. For example, they were able to access over 7,000 records for users who joined Confide between February 22 and February 24, before Confide detected the intrusion. The database contains between 800,000 and 1 million user records in all. The app didnt have protection against brute-forcing account passwords and didnt even have strong minimum requirements for what a users password could be. It didnt notify recipients when senders sent unencrypted messages, and the system didnt require a valid web encryption certificate.
IOActive disclosed the bugs to Confide on February 28. Confide was already aware of some of the bugs after detecting the researchers probing, and by March 3 the company told IOActive that all the vulnerabilities had been patched. IOActive says that it was satisfied with Confides reaction. When our researchers connected with Confide to disclose the vulnerabilities, they were receptive to our research, quick to move on addressing critical issues found, and worked with us to share the information, IOActive CEO Jennifer Steffens said in a statement.
Confide has been around since 2014, though, so protecting the app going forward, while crucial, doesnt mitigate the risk its users have already faced. But Confide assures its users that the bugs were never exploited. Our security team is continuously monitoring our systems to protect our users integrity, says Confide president Jon Brod. IOActives attempt to gather account information was detected and stopped in real time. Not only has this particular issue been resolved, but we also have no detection of it being exploited by any other party. In addition, weve also ensured that the same or similar approaches will not be possible going forward.
Other researchers have piled on similar findings about the state of Confides security. Experts have also been calling the app out for a while for using proprietary cryptography and offering no evidence that it has invited independent code audits to check for vulnerabilities. Encrypted communication services that are open source, like Signal, garner more trust in the security community because of their transparency.
Public review of open source code can [reveal] such flaws, says Sven Dietrich, a cryptography researcher at CUNY John Jay College of Criminal Justice. He adds that code reviews allow experts to identify programming mistakes that jeopardize user messages or credentials, and protocol mistakes like improper exchange of keys or messages. Basically, all the issues Confide ran into.
Its difficult for consumers to know which security products to choose or even how to compare the options. This puts responsibility on software makers to secure their products. Encryption software assumes such an important role today. The only way to ensure that a piece of software does not contain back doors or gaping holes is to have independent trust experts audit the code. This is best practice, says Kevin Curran, a cybersecurity researcher at Ulster University and IEEE senior member. We all know that it is unreasonable to expect vulnerability-free software, but we need to look at risk mitigation.
Now that Confide has patched its vulnerabilities, users will have more protection. But without greater transparency, users may not have confidence that other flaws arent lurking in their favorite encrypted chat app. For a White House staffer leaking information critical to United States discourse and fearing retribution from a temperamental boss, theres no room for error.
In the four tumultuous weeks since President Donald Trumps inauguration, the White House has provided a steady stream of leaks. Some are mostly innocuous, like how Trump spends his solitary hours. Others, including reports of national security adviser Michael Flynns unauthorized talks with Russia, have proven devastating. In response, Trump has launched an investigation, and expressed his displeasure in a tweet: Why are there so many illegal leaks coming out of Washington?
The answer may have to do with uncertainty and unrest inside the administration, as well as the presidents ongoing attacks against the intelligence community. But it doesnt hurt that every White House and Congressional staffer has tools to facilitate secure communication in their pocket or bag. Specifically, multiple reports indicate that Republican operatives and White House staffers are using the end-to-end encrypted messaging app Confide, which touts disappearing messages and anti-screenshot features, to chat privately without a trace.
The ability to communicate without fear of reprisal may have helped illuminate the Trump administrations darkest corners. But that same time, anonymity rings alarms for transparency advocates. The same technology that exposes secrets also enables them, a tension thats not easy to resolve.
Confide launched in 2013 as a secure app for executives looking to trade gossip and talk shop without creating a digital trail. The service uses a proprietary encryption protocol, what the company describes as military-grade end-to-end encryption. Its marquee feature, self-destructing messages, appears on similar services like Snapchat, but Confides appeal lies in its promise of more robust protections.
Its worth noting, though, that unlike other secure messaging apps, like standard-bearer Signal, Confides encryption is closed source and proprietary, meaning no one outside the company knows whats going on under the hood of the app. Company president Jon Brod says that Confide bases its encryption protocol on the widely used PGP standard, and that the apps network connection security relies on recommended best practices like Transport Socket Layer (TLS). Brod did not respond to questions, though, about whether Confide has ever opened its code base to be independently audited by a third party.
One key is always, do you make code publicly available thats been audited where features have been inspected by the security community so that it can arrive at some consensus, says Electronic Frontier Foundation legal fellow Aaron Mackey. My understanding with Confide, at least right now, is that its not clear whether thats occurred.
Confides also not the only option in play; EPA workers have reportedly turned to Signal to discuss how to cope with an antagonistic Trump administration, to the agitation of Republican representatives.
No matter what the method, though, encrypted chat appears to have become a staple among political operativeswhich happens to raise a whole host of legal questions.
Using an app like Confide for personal communications, like keeping in touch with family members or coordinating gym trips with coworkers, is within bounds. It also, according to a recent Washington Post report, has enabled vital leaks to the media.
At this point its still possible that politicos are legitimately using Confide for personal purposes. I know people who use [Confide], but I dont know anyone whos using it who shouldnt be using it, says Scott Tranter, a founder of the political data consultancy Optimus. The people who I know use it because its secure messaging.
Its sometimes not easy, though, to separate personal conversations from those that are work-related. Where those lines blur, legal concerns arise.
If these apps are being used by White House staff, it raises very disturbing questions about compliance with the Presidential Records Act specifically, and more broadly the Federal Records Act, says David Vladeck, a communications and technology law researcher at Georgetown Law School. The whole point of these statutes is to assure that our nations history is neither lost nor manufactured, and the kinds of apps that obliterate the messages are completely incompatible with that and at odds with the law.
Confide puts the onus on its users to walk a legal line. We expect people to use Confide in a way that complies with any regulation that may be relevant to their particular situation, says Brod.
Encryption itself isnt the issue. End-to-end encrypted communication can coexist with the goals of public disclosure laws, so long as someone retains the decryption key. Using strong security for sensitive government communications makes sense and is appropriate if the parties sending and receiving the communications can still archive them.
But disappearing messages are definitionally communications that are difficult, if not impossible, to record. Plus, its hard to assess how people are using a communication service like Confide if theres no record of anything they ever sent. Since Confide is explicitly designed to eliminate a paper trail, its use creates at least the appearance of misconduct, if not the reality, says Allison Stanger, a cybersecurity fellow at the New America Foundation. Those who wanted to lock up Hillary Clinton for the use of a private email server should be very concerned about this practice.
Its a tough act to balance. Encryption-enabled leaks help hold administrations accountable, a clear public good. The challenge is preserving that level of secrecy without creating black holes where public records should be.
Read more:
Judicial Watch Can FOIA the EPA Over Signal Chat, But They May ... - WIRED
- WhatsApp overhauling status tab with encrypted Snapchat Stories-like feature - 9 to 5 Mac [Last Updated On: February 21st, 2017] [Originally Added On: February 21st, 2017]
- GOP demands inquiry into EPA use of encrypted messaging apps - CNET [Last Updated On: February 21st, 2017] [Originally Added On: February 21st, 2017]
- Encryption Apps Help White House Staffers Leakand Maybe Break the Law - WIRED [Last Updated On: February 21st, 2017] [Originally Added On: February 21st, 2017]
- World Wide Web Creator Calls for Internet Decentralization & Encryption - The Data Center Journal [Last Updated On: February 21st, 2017] [Originally Added On: February 21st, 2017]
- What It Means to Have an 'Adult' Conversation on Encryption - Pacific Standard [Last Updated On: February 21st, 2017] [Originally Added On: February 21st, 2017]
- Confide in me! Encryption app leaks sensitive info from Washington DC - SC Magazine UK [Last Updated On: February 21st, 2017] [Originally Added On: February 21st, 2017]
- Gmail v7.2 Prepares to Add Support for S/MIME Enhanced Encryption - XDA Developers (blog) [Last Updated On: February 26th, 2017] [Originally Added On: February 26th, 2017]
- Top 6 Data Encryption Solutions - The Merkle [Last Updated On: February 26th, 2017] [Originally Added On: February 26th, 2017]
- Your Guide to the Encryption Debate - Consumer Reports - ConsumerReports.org [Last Updated On: February 26th, 2017] [Originally Added On: February 26th, 2017]
- Google helps put aging SHA-1 encryption out to pasture - Engadget [Last Updated On: February 26th, 2017] [Originally Added On: February 26th, 2017]
- Decipher your Encryption Challenges - Infosecurity Magazine [Last Updated On: February 28th, 2017] [Originally Added On: February 28th, 2017]
- How the Politics of Encryption Affects Government Adoption - Freedom to Tinker [Last Updated On: February 28th, 2017] [Originally Added On: February 28th, 2017]
- How Encryption Makes Your Sensitive Cloud-Based Data an Asset, Not a Liability - Security Intelligence (blog) [Last Updated On: February 28th, 2017] [Originally Added On: February 28th, 2017]
- Set up VMware VM Encryption for hypervisor-level security - TechTarget [Last Updated On: February 28th, 2017] [Originally Added On: February 28th, 2017]
- How The Media Are Using Encryption Tools To Collect Anonymous Tips - NPR [Last Updated On: February 28th, 2017] [Originally Added On: February 28th, 2017]
- Encryption patent that roiled Newegg is dead on appeal | Ars Technica - Ars Technica [Last Updated On: February 28th, 2017] [Originally Added On: February 28th, 2017]
- Research proposes 'full-journey' email encryption - The Stack [Last Updated On: March 1st, 2017] [Originally Added On: March 1st, 2017]
- Database-as-a-service platform introduces encryption-at-rest - BetaNews [Last Updated On: March 1st, 2017] [Originally Added On: March 1st, 2017]
- Encrypted Messaging Service 'Signal' Adds Video Call Option - Top Tech News [Last Updated On: March 2nd, 2017] [Originally Added On: March 2nd, 2017]
- Germany, France lobby hard for terror-busting encryption backdoors ... - The Register [Last Updated On: March 2nd, 2017] [Originally Added On: March 2nd, 2017]
- How to Send Encrypted Nudes, a Guide for the Discerning Lover - Inverse [Last Updated On: March 2nd, 2017] [Originally Added On: March 2nd, 2017]
- Ironclad Encryption Corporation Announces New Ticker Symbol OTCQB: IRNC - Yahoo Finance [Last Updated On: March 2nd, 2017] [Originally Added On: March 2nd, 2017]
- The Best Email Encryption Software of 2017 | Top Ten Reviews [Last Updated On: March 2nd, 2017] [Originally Added On: March 2nd, 2017]
- No, you shouldn't delete Signal or other encrypted apps - TechCrunch [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- Best encryption software: Top 5 - Computer Business Review [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- Encryption Backdoors, Vault 7, and the Jurassic Park Rule of Internet Security - Just Security [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- That Encrypted Chat App the White House Liked? Full of Holes - WIRED [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- What the CIA WikiLeaks Dump Tells Us: Encryption Works - New York Times [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- Snake-Oil Alert Encryption Does Not Prevent Mass-Snooping - Center for Research on Globalization [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- Customer Letter - Apple [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- Don't Let WikiLeaks Scare You Off of Signal and Other Encrypted Chat Apps - WIRED [Last Updated On: March 12th, 2017] [Originally Added On: March 12th, 2017]
- BT to offer customers encryption service for data - Capacity Media (registration) [Last Updated On: March 12th, 2017] [Originally Added On: March 12th, 2017]
- Encryption - technet.microsoft.com [Last Updated On: March 12th, 2017] [Originally Added On: March 12th, 2017]
- Use FileVault to encrypt the startup disk on ... - Apple Support [Last Updated On: March 12th, 2017] [Originally Added On: March 12th, 2017]
- Viber launches secret chats to go beyond encryption - SlashGear [Last Updated On: March 13th, 2017] [Originally Added On: March 13th, 2017]
- Zix wins 5-vendor email encryption shootout - Network World [Last Updated On: March 13th, 2017] [Originally Added On: March 13th, 2017]
- A lesson from the CIA WikiLeaks dump: Encryption works - The Seattle Times [Last Updated On: March 13th, 2017] [Originally Added On: March 13th, 2017]
- What the CIA WikiLeaks Dump Tells Us: Encryption Works - NewsFactor Network [Last Updated On: March 18th, 2017] [Originally Added On: March 18th, 2017]
- Panicked Secret Service Says It Lost Encrypted Laptop But It's Fine, Everything's Fine - Gizmodo [Last Updated On: March 18th, 2017] [Originally Added On: March 18th, 2017]
- Google Cloud adds new customer-supplied encryption key partners ... - ZDNet [Last Updated On: March 18th, 2017] [Originally Added On: March 18th, 2017]
- Preseeding Full Disk Encryption - Linux Journal [Last Updated On: March 18th, 2017] [Originally Added On: March 18th, 2017]
- Bypassing encryption: 'Lawful hacking' is the next frontier of law enforcement technology - Boston Business Journal [Last Updated On: March 18th, 2017] [Originally Added On: March 18th, 2017]
- SecurityBrief NZ - Gemalto introduces on-prem encryption key solution for 'highly regulated' organisations - SecurityBrief NZ [Last Updated On: March 21st, 2017] [Originally Added On: March 21st, 2017]
- 'Always Be Concerned': US Court Slaps Down Fifth Amendment Defense of Encryption - Sputnik International [Last Updated On: March 21st, 2017] [Originally Added On: March 21st, 2017]
- Quantum Key System Uses Unbreakable Light-Based Encryption to Secure Data - Photonics.com [Last Updated On: March 21st, 2017] [Originally Added On: March 21st, 2017]
- Wikileaks Only Told You Half The Story -- Why Encryption Matters More Than Ever - Forbes [Last Updated On: March 21st, 2017] [Originally Added On: March 21st, 2017]
- EPA Sued For Withholding Info On Encrypted Text Messages | The ... - Daily Caller [Last Updated On: March 22nd, 2017] [Originally Added On: March 22nd, 2017]
- Opinion Data encryption efforts ramp up in face of growing security threats - Information Management [Last Updated On: March 22nd, 2017] [Originally Added On: March 22nd, 2017]
- Bypassing encryption: Lawful hacking is the next frontier of law enforcement technology - Salon [Last Updated On: March 22nd, 2017] [Originally Added On: March 22nd, 2017]
- NeuVector Announces Container Visualization, Encryption, and Security Solution for NGINX Plus - DABCC.com [Last Updated On: March 23rd, 2017] [Originally Added On: March 23rd, 2017]
- Is encryption one of the required HIPAA implementation specifications? - TechTarget [Last Updated On: March 23rd, 2017] [Originally Added On: March 23rd, 2017]
- Paper Spells Out Tech, Legal Options for Encryption Workarounds - Threatpost [Last Updated On: March 23rd, 2017] [Originally Added On: March 23rd, 2017]
- Encryption debate needs to be nuanced, says FBI's Comey - TechTarget [Last Updated On: March 25th, 2017] [Originally Added On: March 25th, 2017]
- Comey Renews Debate Over Encryption - 550 KTSA [Last Updated On: March 25th, 2017] [Originally Added On: March 25th, 2017]
- UK minister says encryption on messaging services is unacceptable - Reuters [Last Updated On: March 28th, 2017] [Originally Added On: March 28th, 2017]
- The why and how of encrypting files on your Android smartphone - Phoenix Sun [Last Updated On: March 28th, 2017] [Originally Added On: March 28th, 2017]
- UK targets WhatsApp encryption after London attack - Yahoo News [Last Updated On: March 28th, 2017] [Originally Added On: March 28th, 2017]
- Critical flaw alert! Stop using JSON encryption | InfoWorld - InfoWorld [Last Updated On: March 28th, 2017] [Originally Added On: March 28th, 2017]
- SecureMyEmail is email encryption for everyone - TechRepublic - TechRepublic [Last Updated On: March 28th, 2017] [Originally Added On: March 28th, 2017]
- Apple iOS 10.3 will introduce encryption which makes it MORE difficult for cops and spooks to crack into ISIS nuts ... - The Sun [Last Updated On: March 29th, 2017] [Originally Added On: March 29th, 2017]
- How to Analyze An Encryption Access Proposal - Freedom to Tinker [Last Updated On: March 29th, 2017] [Originally Added On: March 29th, 2017]
- Questions for the FBI on Encryption Mandates - Freedom to Tinker [Last Updated On: March 29th, 2017] [Originally Added On: March 29th, 2017]
- Justice Department anti-terror chief keeps pressing on encryption - Politico (blog) [Last Updated On: March 29th, 2017] [Originally Added On: March 29th, 2017]
- UK government can force encryption removal, but fears losing, experts say - The Guardian [Last Updated On: March 29th, 2017] [Originally Added On: March 29th, 2017]
- Encryption FAQs [Last Updated On: March 29th, 2017] [Originally Added On: March 29th, 2017]
- Why isn't US military email protected by standard encryption tech? - Naked Security [Last Updated On: April 9th, 2017] [Originally Added On: April 9th, 2017]
- How have ARM TrustZone flaws affected Android encryption? - TechTarget [Last Updated On: April 9th, 2017] [Originally Added On: April 9th, 2017]
- Keeping the enterprise secure in the age of mass encryption - Information Age [Last Updated On: April 9th, 2017] [Originally Added On: April 9th, 2017]
- Lack of encryption led to Dallas siren hack - WFAA [Last Updated On: April 12th, 2017] [Originally Added On: April 12th, 2017]
- Internet Society tells G20 nations: The web must be fully encrypted - The Register [Last Updated On: April 12th, 2017] [Originally Added On: April 12th, 2017]
- Make Encryption Ubiquitous, Says Internet Society - Infosecurity ... - Infosecurity Magazine [Last Updated On: April 12th, 2017] [Originally Added On: April 12th, 2017]
- Can we encrypt the web while giving governments a backdoor to snoop? - SC Magazine UK [Last Updated On: April 12th, 2017] [Originally Added On: April 12th, 2017]
- Why we need to encrypt everything - InfoWorld [Last Updated On: April 12th, 2017] [Originally Added On: April 12th, 2017]
- Hacked Dallas sirens get extra encryption to fend off future attacks - Computerworld [Last Updated On: April 12th, 2017] [Originally Added On: April 12th, 2017]
- SHA-1 Encryption Has Been Broken: Now What? - Forbes [Last Updated On: April 14th, 2017] [Originally Added On: April 14th, 2017]
- Hewlett Packard Enterprise touts encryption tool for federal clients - The Hill [Last Updated On: April 14th, 2017] [Originally Added On: April 14th, 2017]
- Encryption on the Rise in Age of Cloud - Infosecurity Magazine - Infosecurity Magazine [Last Updated On: April 14th, 2017] [Originally Added On: April 14th, 2017]
- Lawmaker Pushes Bill That Requires Encryption by Pennsylvania State Employees - Government Technology [Last Updated On: April 14th, 2017] [Originally Added On: April 14th, 2017]
- Disk encryption - Wikipedia [Last Updated On: April 14th, 2017] [Originally Added On: April 14th, 2017]
- The apps to use if you want to keep your messages private - Recode [Last Updated On: April 15th, 2017] [Originally Added On: April 15th, 2017]