Importance of Security in Communications

If any of you know me personally, you know one of my main investments in the ideals behind GWOB are those of propagating security. Being in Berlin this past week for Chaos Communications Camp was a true joy – European hackers, specifically those from Berlin – tend to have a highly-tuned sense of geek social responsibility. I could go into (at great length) my theories on the historical basis for this, but let’s just dive right in.

At-risk populations using telecommunications systems must be secure in doing so. If a tool is created which further jeopardizes their well-being, kittens die. And so I was filled with joy when people I have the honor of knowing stood up for those at-risk populations and broke something — fast. In fact, they broke it before breakfast. Fluid Nexus is (was) a tool specifically designed for activists to use for off-grid communications. While a noble idea, it completely failed to shield its target user base from security attacks.

Additionally, the ownership of a message is attributable when the client’s database is dumped.  On an Android phone, *any* application with access to the SD card can dump the database in this way, making trojans trivial to implement.  Further, this database column does nothing to benefit the users of the software, putting them at risk for no reason.

pro% sqlite3 ~/.FluidNexus/FluidNexus.db
SQLite version 3.7.4
Enter “.help” for instructions
Enter SQL statements terminated with a “;”
sqlite> select title from messages where mine;
Run
Martians know cryptography!
Things change.
Evidence against me.
sqlite>

The full (incredibly snarky) write-up can be found on pastebin, I highly encourage the read.

That said, it is incredibly important that people continue working on creating and improving tools for situations in which communications break down. It is equally important to request feedback from people who live in this discipline – will your tool use more power than readily available? Is it possible to use with a different native language? Is it secure? It’s better that people who care break things and help to improve them than The Bad GuysTM doing it live. Get started with this Software for Activists overview.

Credit/Mad Props and Mate to Eleanor Saitta (@dymaxion), Meredith Patterson (@maradydd), and Travis Goodspeed (@travisgoodspeed) for the break; Stephan Urbach (@herrurbach) for the overview; Fabienne Serriere (@fbz) and Skytee Haas (@skytee) for the Hacker Hostel (@hackerhostel); and my own self (@willowbl00) for the crepes.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.