79 comments

[ 3.2 ms ] story [ 146 ms ] thread
(comment deleted)
Is it productive for anyone here to track down the apk and look at it (and disclose findings)? This seems like an instance where the infosec community shouldn't shine a light on bad crypto. Let ISIS use (potentially) bad crypto if they want. Leave it to government(s) to identify and exploit weaknesses.
That is a good point...
...so I deleted the top comment.
> Apple and Google could easily kick apps used to organize violence out of their official app stores. But would they be willing to build further barriers to usage directly into their mobile operating systems?

This is a silly question for the Android side (and possibly the iOS side as well). That would be a monumental effort that would seem easily thwarted by simply installing your own version of the OS.

You wouldn't even need to install your own OS. You can just side-load
they are talking about restricting the OS from running third party or side loaded apps
> Apple and Google could easily kick apps used to organize violence out of their official app stores. But would they be willing to build further barriers to usage directly into their mobile operating systems?

Similarly car manufacturers should stop making models that are used as getaway vehicles for bank robberies...

It sounds silly now I put this like that doesn't it.

> and possibly the iOS side as well

This is exactly what jailbreaking fixes. By default, iOS does not allow you to install apps that are not published in the App Store.

Well, unfortunately jailbreaking "fixes" the problem by ruining code signing integrity on the device. Ideally, the jailbreaks would leave code signing enforcement in effect but just augment the default trusted CAs/CDHashes. I'm disappointed that AOSP never gained the code signing framework that iOS has, allowing people to have better Freedom and Security simultaneously.
Well, you can't update an app with the same app signed with another certificate.
Which I am sure the intelligence agencies are having a field day with.

Nothing like rolling your own encryption.

What are the chances it was created by one of the intelligence agencies?

Chances are 10/10
> What are the chances it was created by one of the intelligence agencies?

I came to the comment section to say that exact same thing. If I were one of those intelligence agencies it would be tempting to use the information right away but for it to be truly effective, you'd need to let it propagate pretty far. What a field day for intelligence agencies even if wasn't planned by them -- just one thing to bust and they have everything.

Is this story even serious?

Using modern smart phones for "business" at all doesn't seem like a good idea if you are in the cross hairs of a modern military force.

> Is this story even serious?

It will encourage potential criminals to communicate through a system that's just a honey trap, instead of using other more secure options.

I don't actually notice anything about them rolling their own encryption in the article (it doesn't even mention encryption other than that they use telegram to spread the link).

What are the chances if it is encrypted that they didn't actually roll their own encryption but used an open source implementation like PGP and made a wrapper around it? No reason to assume they're entirely dumb until the app has been dis-assembled and proven to be buggy (though I'd not make such a proof public, just let them continue to use it).

Would love a sample of this..
Alrawi can’t be downloaded from Google Play. Instead it must be installed from shady back alleys of the Internet.

Well, there's your obvious solution. Get a copy of the APK, wrap it with some spyware, then propagate the bugged version. If ISIS won't host the source or can't provide an "official" outlet to grab it, you've got no way of knowing whether your version is legit or not.

Who'd have thought the paradigms of shady Russian download sites could one day save the world?

I'd doubt users of an encryption app not using a simple checksum to verify its legitimacy before using it.
(comment deleted)
Probably not true. E.g., do you think the average user of Tor takes this precaution? Thinking back to the times I have downloaded Tor, I never did that.

It reminds me of a time when I wanted to get in touch with an HN user... they had their pgp key in their user page... I tried sending the email but it didn't work (formatting issues). Finally I reached this user and asked what was up with it... and he responded by saying, "Oh, noone in the past 10 years has made use of this!" And this is a pretty smart security guy.

I think there are very, very few people who actually take the trouble of verifying checksums and everything. I used to do it /sometimes/ years ago, but it gets to be a hassle pretty quickly and you start taking shortcuts everywhere. A lot of us sort of plan to start doing it, but never actually do it. Kind of like exercising or eating healthy or whatever. :)

Anyway, as for this news about ISIS having their own encrypted chat app - I'm happy to hear it. If they made it on their own, it's bound to have a good dozen holes that NSA will have no trouble poking through. :)

Well, differently from you and your friend, ISIS does have somebody out to get them.

It's very hard to think someone would get to the trouble of creating and using a secure chat application, but then fail to secure its distribution.

As someone who works in infosec, this doesn't surprise me at all.

I've tested many applications which claim to be secure, designed for security/privacy sensitive tasks, yet are very easy to compromise (simple OWASP top 10 stuff).

Even if the app developers are great and know their stuff, I can still see them slipping up on the distribution. It's normally handled for most developers and is outside the realm of any secure development guidelines they might be following.

Interestingly secure distribution is a harder problem than encrypted messaging.

If both you and I have an shared app, then we have some shared data and protocols we can use to protect our communications and maintain security, but when you download an app you do not yet have any protection unless that protection is provided by an app store (and such app store protections disappear at the first court order).

Bootstrapping security over insecure channels against nation state threats is close to impossible, maintaining security you have already achieved over a brief window of time is still hard but achieve given existing technologies. I see no evidence ISIS is capable of doing either. As further evidence observe that the US just blew up their super secret cash reserve.

Where would you get a checksum from? How would you know to trust it?
But that's government surveillance, and HN comments are supposed to say that it's always bad and much worse than ISIS, right?
I am not pro survellience but, in my opinion, sort of surveiling terrorists using the official chat.ISIS distro is basically the narrow usecase where moderates find it acceptable.

Obviously, the problem is that it is not being used this narrowly and that the power to do a global sweep is a negatively skewed power imbalance.

That said, I wonder who Is going to fund the A round.

I'm pretty sure subverting ISIS' crypto falls under the legitimate purview of state intelligence agencies - mass domestic surveillance and backdooring consumer hardware and software are different.

If these were drug dealers, though, and not terrorists, HN would be in an uproar.

Nobody is against using technology against known foreign terrorists. We're against mass surveillance against our own people.
Well sometimes you cannot tell...
Since when it's better to assume that everybody is guilty?
I won't make a suggestion, because I don't have one.

However, I am against the circlejerk that we don't need to change anything to battle the seemingly rising terrorism.

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
Here's an interesting historical fact I have dug up in some research for an essay I am writing about the relationship between liberty and security: That famous quote by Benjamin Franklin that “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety” does not mean what it seems to say. Not at all.

https://www.lawfareblog.com/what-ben-franklin-really-said

And maybe it doesn't matter so much what Franklin was actually trying to say because the quotation means so much to us in terms of the tension between government power and individual liberties. But I do think it is worth remembering what he was actually trying to say because the actual context is much more sensitive to the problems of real governance than the flip quotation's use is, often.

http://www.npr.org/2015/03/02/390245038/ben-franklins-famous...

from npr link:

>Far from being a pro-privacy quotation, if anything, it's a pro-taxation and pro-defense spending quotation.

>It is a quotation that defends the authority of a legislature to govern in the interests of collective security.

So if it were bombs instead of surveillance you would bomb the target when you're uncertain about its enemy status?

And since we're talking about mass surveillance... I guess carpet bombing?

... this is an obviously terrible argument. If you surveil someone secretly and then decide not to act on the intelligence, they aren't harmed in any way. They don't even know. The mistakenly assassinated are still dead.
Yes. They. Are.

EDIT For example the mere knowledge of surveillance changes how people interact. This has a chilling effect upon speech that is not compatible with a robust democracy.

As long as the data is discarded after the fact. People can be harmed if that data is kept and then repurposed in unforseen ways which are harmful to the surveiled non-terrorist.
so you're saying mass surveillance is victimless as long as nobody learns that they specifically have been spied upon?
Not that I’m speaking for everyone on HN, but the problem is generally with wide-ranging surveillance of the entire populace in the hopes that they can data-mine their way to victory. Figuring out techniques like this to surveil actual terrorists and criminals based on probable cause is what the police and intelligence community should be doing.
The app is developed, maintained, and used by a terrorist group where the primary purpose is to showcase terrorist activities and propaganda. There is a world of difference between monitoring citizens on tools primarily used for non-illegal purposes (though sometimes those tools are abused), and monitoring people using a tool with the explicit aim of displaying terrorist activities.
I don't and most people don't have a problem with signals intelligence. I do have a problem with the tools used, how they're used, and who they're used against.

Mainly, a dragnet gathering intelligence on the entire citizen population is scary and terrible. Sigint targeting pseudo-state terrorists? Who has a problem with that?

You got a few answers. I'm curious, did you change your mind on the subject of mass surveillance?
Most objections to surveillance are not to all forms of government surveillance, instead people are objecting to extra-legal, and arguably illegal, mass surveillance. Those opposing mass surveillance tend to argue along some subset of following lines:

1. it is ineffective compared with other techniques,

2. it is government graft to favored contractors,

3. mass surveillance databases and collection points provide an excellent target for foreign intelligence agencies and others,

4. it is harmful to privacy and liberty,

5. it is rife for government abuse and blackmail,

6. it undermines the rule of law.

I have yet to see anyone argue against lawful and warranted targeted surveillance of known terrorists. I claim that none of the above objections hold in the targeted surveillance case.

ISIS has a list of "allowed" devices, that can be used bye its members, iOS was banned long time ago for privacy invasions. I bet they forked Android and you can install only apps signed with a key and Android validates them before installation. If I did it with my Paranoid ROM and F-Droid key, why can't them?
ISIS IT must get the most irritating tech support calls. I'd hate to manage their Exchange server.
No, the obvious solution is to prevent people on Android from installing their own apps and then forcing Google (a private company) to play police for the whole world according to USA law. We shall then continue by discontinuing production of all cars that ISIS drives and demanding that they have killswitches enabled so Toyota can be forced to disable them when they detect a terrorist driving. Windows and OS X will need to have terrorist killswitch ("kill laptop if arabic word bomb is entered by keyboard into any textview") built in as well.

Logical isn't it? At least according to our lovely politicians.

(The first paragraph is sarcasm by the way.)

And there go the arguments for putting back doors into commercial encrypted messaging platforms. When encryption is outlawed, only outlaws will have privacy.
(comment deleted)
Surely it can't be that hard to create a chat app with end to end encryption these days with all the open source libraries freely available for all kinds of applications...this is why I've always said banning encryption on major platforms like iOS/Android/Windows will get you nowhere when terrorists can just make their own encrypted chat apps if they really want to.
Sure, it's not hard, then you get into side channel, first-use-trust/update, MITM, etc territory.
I don't think anything good can come from the HN community publicly analyzing this.
That's never stopped us before.
Did I miss something? The article says the app can be downloaded via existing encrypted apps ... the app itself sounds like an RSS reader ... with the ground breaking feature of being able to adjust font size. Seriously???
> It can even be automatically updated whenever the app’s developers send out new versions of the program.

This is another potential vulnerability. If the app does not check a good signature, then it may be vulnerable to malicious update delivery.

This is really stupid, surely? Even if it's not distributed via Google Play, Android will look at the package names of all installed apps. Therefore it's not difficult to find all the users with a subpoena to Google for these records.
That assumes a phone-home feature that cannot be turned off.
Strictly speaking I guess a phone-home feature that isn't turned off would do just fine.

Would be interesting to know how good the fighting parties are with that...

One would assume that all mobile cell towers would be a priority target. Given that they are not I think it's safe to assume that it's a goldmine for the intelligence services.

Just imagine all the side channels they have access to if they get access to the cell network. Doesn't really matter if messages are encrypted on the wire if all phones in a certain area is backdoored through a trusted network.

It's not hard to locate a cell tower from a safe distance.

I thought they can chat in Arabic and western intelligence agencies will have no clue what is going on.

There is very very little knowledge of Arabic language (with slang and such) in western intelligence agencies. As far as I now, there is less than 2,500 Americans are studying Arabic at colleges across the country right now. And 80% of them will be kicked out from country by "Trumps" as terrorists :-)

(comment deleted)
It's time to ban encryption, so ISIS can't communicate safely.
The title is wrong. It is not a chat app.

At least the article does not mention "chat" at all. More like a news app for propaganda videos.

Elaborate honeypot operation?
Where does the article say this is an encrypted chat app? The description of the app says that it features news and videos, and the only discussion of chat that I can find is about using third-party encrypted services like Telegram (which gets three separate mentions) to communicate.
This article... 10/10 would click again...

Here's the real story, the app is a mediocre app that you can download from an archive.org link from a news website supporting ISIS, I don't have time to try the app but I assume that it get RSS from the said website (one of those enter RSS link here and we give you an app probably). Well by a website I mean something.wordpress.com, yeah that's real hard to shut down I know...

The policy makers are always wrong if they assume terrorists will be like normal people, agreeing to follow the laws, they will always find a way to circumvent the rules, that only the good people freedom that will suffer.