Slashdot Mirror

← Back to Stories (view on slashdot.org)

Encrypted Messaging Startup Wickr Offers $100K Bug Bounty

Posted by samzenpus on from the getting-paid dept.

alphadogg writes "Two-year-old startup Wickr is offering a reward of up to $100,000 to anyone who can find a serious vulnerability in its mobile encrypted messaging application, which is designed to thwart spying by hackers and governments. The reward puts the small company in the same league as Google, Facebook and Microsoft, all of which offer substantial payouts to security researchers for finding dangerous bugs that could compromise their users' data. Wickr has already closely vetted its application so the challenge could be tough. Veracode, an application security testing company, and Stroz Friedberg, a computer forensics firm, have reviewed the software, in addition to independent security researchers."

39 comments

  1. Real Regulation by mfwitten · · Score: 2

    You'll get better regulation from this than from anything that could possibly be concocted by government bureaucrats.

    Note: This requires the real threat of economic loss, so an organization that can demand payment regardless of its performance—i.e., the government—cannot implement something similar.

    1. Re:Real Regulation by Rosco+P.+Coltrane · · Score: 3, Insightful

      Government bureaucrats don't concoct regulations anymore. At least no regulations that doesn't serve their interests. In case you haven't noticed, it's pretty much we-the-people against them nowadays.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    2. Re:Real Regulation by mspohr · · Score: 1

      Most government regulations these days are written by industry in order to reduce competition and make their life easier and more profitable. They pay good money to bribe politicians to get these laws and regulations established. No surprise then that the regulations end up being against the interests of most people.

      --
      I don't read your sig. Why are you reading mine?
    3. Re:Real Regulation by mspohr · · Score: 1

      You'll get better regulation from this than from anything that could possibly be concocted by government bureaucrats.

      Note: This requires the real threat of economic loss, so an organization that can demand payment regardless of its performance—i.e., the government—cannot implement something similar.

      Freedom Industries just announced that it was declaring bankruptcy after contaminating drinking water for 300,000 people with it's unregulated toxic chemical storage leak. ... so much for accountability... taxpayers will be left paying for the cleanup as well as suffering the toxic effects...
      (I'll bet the bosses of this company got their money out early.)

      --
      I don't read your sig. Why are you reading mine?
    4. Re:Real Regulation by mfwitten · · Score: 1

      Bankruptcy is defined by the government.

      Corporate liability firewalls are defined by the government.

      Taxpayer cleanup is established by the government.

      Competition in regulation was destroyed when a monopoly on regulation was declared by the government.

      The existing regulation was establisehd by that government.

      I see one common element throughout all of the details you dislike. Can you spot it?

    5. Re:Real Regulation by mspohr · · Score: 1

      Did you read my message?
      The government is a tool of business. Corporations buy politicians to get the laws they want.
      FTFY:
      Bankruptcy is defined by the government... in response to corporate requests and bribes.

      Corporate liability firewalls are defined by the government.... in response to corporate requests and bribes.

      Taxpayer cleanup is established by the government.... in response to corporate requests and bribes.

      Competition in regulation was destroyed when a monopoly on regulation was declared by the government.... in response to corporate requests and bribes.

      The existing regulation was establisehd by that government.... in response to corporate requests and bribes.

      I see one common element throughout all of the details you dislike. Can you spot it?

      --
      I don't read your sig. Why are you reading mine?
    6. Re:Real Regulation by mfwitten · · Score: 1

      Corporations couldn't buy so much power if the government didn't have so much power to sell in the first place.

      In other words, either the problem is economic success through voluntary interaction, or the problem is a centralized monopoly on involuntary interaction for hire to the highest bidder. Which one is it?

  2. Define serious by mvar · · Score: 1

    That's a nice publicity stunt though

    1. Re:Define serious by Pi1grim · · Score: 2

      My though exactly. Even if third-party researchers cannot find any vulnerability in the protocol itself, who says there isn't a backdoor in the server part, that will reduce security to 0? Pretty sure they won't open the server part to scrutinity (even if they do, how do we verify that it's the same version running on the actual server?)

    2. Re:Define serious by Infiniti2000 · · Score: 1

      It's a scale. The more serious bug gets more money, with the typical being about $10K, per TFA.

  3. One way to bankrupt them by Rosco+P.+Coltrane · · Score: 3, Funny

    Wouldn't it be funny if the NSA came forward and claimed the prize money many times until the company went under? Because surely they have backdoors all over the place to walk right through these guys' security measures.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:One way to bankrupt them by Pi1grim · · Score: 4, Insightful

      Maybe it would, but those backdoors are worth much more to NSA unpublished. As well as all the data that passes through the vulnerable services. So should you scenario come to life, it would be huge success for endusers, as many vulnerabilities would be closed.

      Regarding the article: talk is cheap, show me the code. And let me host this server myself, with inter-server communication. Otherwise it's no better than hangouts, iMessage, Whatsapp, Viber and whatnot else is now trying to be the one and only messaging service. You can't even begin speaking of security if a) you can't audit the code b) you can't control the data.

  4. Free Vulnerabilities: by Anonymous Coward · · Score: 4, Insightful

    I'd bet its susceptible to:
    The phone you run it on is tracked, and the company that does so shares that data.
    Timing attacks: if you send data at some time, and someone else gets a message then, that implies you communicated with them.
    Visual surveillance. Camera sees you type, camera sees your message.
    They claim "sender-based control over who can read messages, where and for how long". This is impossible. If the receiver can see the message, they can record it.
    Boarder patrol requesting access.
    Torturing you as an "enemy combatant"

    And some likely others:
    How do they handle key distribution? If you setup communication with someone via email, text or whatever, that can be compromised before you even start.

    Looking through the tech they claim to be using, it seems like they lack defenses against Rubber-hose cryptanalysis. Is there any effort in the area of deniable encryption, or maintaining plausible deniability about having messages or particular contacts? I suspect not.

    Its rather impractically expensive to provide sufficient random cover traffic on a phone to blind against timing correlation attacks on video messages. Given that we know the cell networks are heavily watched, even if the messages were routed through Tor that wouldn't be enough to reliably disassociate sender and receiver (You would want the ageing options planned for I2P for that). Then just get a warrant, and compel them to disclose the contacts and any pending messages. There are [partial] defenses that can be employed here (like TrueCrypt does with hidden volumes for example), its not unsolvable, just often ignored.

    Security is hard. Security against a large scale threat such as governments is very hard. Securing the message contents is easy, securing that there was a message is the real challenge.

    All that said, it looks like they likely do a pretty good job of making end to end encryption accessible. While thats not all one might want, its more than most of us get, so its still a good thing. Its progress, not a solution.

    1. Re:Free Vulnerabilities: by Pi1grim · · Score: 2

      I'm pretty sure they omitted the part where users have to exchange keys over trusted channel (or at least a channel that prevents or makes it really hard to tamper with it). And this allows for a mitm attack, so all that fancy encryption is absolutely useless, since the attacker will have both keys and total control. What we need right now is not a gazillion of apps that create the illusion of privacy, but a protocol and a set of standards for federated communication channel (pretty much what XMPP is). Since many claim XMPP is not suitable for modern-day communications I would like to see more effort toward improving it (or creating something from a scratch, if it's so flawed). Because right now the only universal and secure way of communication is email with GPG or SMIME encryption slapped on top of it.

    2. Re:Free Vulnerabilities: by Anonymous Coward · · Score: 1

      Sadly email, no matter what you do to the body, has unencrypted headers. There is no hope of hiding who messages who when with how much content.

      I agree that we to use a standard protocol over a federated network. Make easy to use apps the route it over Tor and use hidden services to locate each other (at least for text, and non realtime voice and video). I want an easy to install personal server (say, runs on my RaspberryPi) that lets me securely access it (via a Tor hidden service for example, since the work if the server is on a NATed LAN behind a firewall :) ) that can receive my messages when I'm offline, and run a mail server for legacy support (and migrate contacts automatically away from email as those users gain support for better options). I'd love it if my little home mail+message server could present a decent web interface too, since thats the handy feature that keeping me with spying old gmail.

      Anyone know a decent light weight single user mail server I can run on a RaspberryPi? Ideally one that can provide a web UI over https, but I can cope with imap or such.

    3. Re:Free Vulnerabilities: by angel'o'sphere · · Score: 1

      I assume the secure channel goes over the servie provider ... so unless he himself is the mitm or is "already cracked" .... you get the picture.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    4. Re:Free Vulnerabilities: by tramp · · Score: 1

      Any linuxdistro does have several mailservers to choose from which can be combined with Roundcube webmail.

  5. Found it! by Anubis350 · · Score: 1

    A serious vulnerability? The people using it of course, always the most serious vulnerability

    --
    "goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
  6. Open source the code! by spacefight · · Score: 2

    It's 2014, after all.

    1. Re:Open source the code! by Anonymous Coward · · Score: 0

      Agreed! It is utterly contemptible that a company wants us to believe that messages through its service are secure based on their promises alone. If I do not have the right to review the code and compile the software myself, it cannot be trusted; at best, I could have "faith" in their good will towards us, and "faith" that there has not been a secret court order which forces them to compromise any type of security they allegedly have set up for us. It is particularly bad that a US based company explicitly states that all data sent through the service will absolutely pass through their US data centers, and that they reserve the right to update their privacy policy at any moment. I hardly believe that they'd have never heard of decentralized routing/P2P/onion routing/etc, so that can only mean that they value their own control over your data more than they value your actual security and privacy.

      Furthermore, this despicable company has software patents pending related to this software, which means they will be equipped to use the heavy arm of the law to prevent others from making less farcical software in the domain. Additionally, when their terms of service explicitly prohibit things like reverse engineering, doesn't that basically make it illegal under their terms to pursue their bug-bounty-publicity-stunt?

      RED HERRING. I hope this company fails tremendously and everyone who invested in this loses that money. This is basically the worst possible way to create anything that could remotely be considered secure or private. I found the security bug; it is called WICKR.

  7. It is an American Company. by Anonymous Coward · · Score: 5, Insightful

    What other vulnerability do you need ?

    1. Re:It is an American Company. by Anonymous Coward · · Score: 0

      A Red Chinese-owned "company"?

    2. Re:It is an American Company. by DuckDodgers · · Score: 2

      Agreed. The NSA can a National Security Letter to demand that Wickr release an update to their software that forwards all of the plain text to the NSA. Wickr will be unable to challenge that directive in court or make public that it was received.

      There are many good arguments for allowing proprietary software in the public sphere, but when it comes to privacy and encryption, I think we have no choice but to accept open source as the only way to go.

    3. Re:It is an American Company. by Anonymous Coward · · Score: 1

      Not being Chinese, I would trust that far more since there is nothing they could do that would affect me.

    4. Re:It is an American Company. by bill_mcgonigle · · Score: 2

      What other vulnerability do you need ?

      That's an excellent (and sad) point. Just to re-enforce it, and to perhaps defend the _intentions_ of the company's founders, they've already made public that their leader was approached, after giving a conference talk, by a man claiming to be from the FBI who asked nicely for her to cooperate on installing a back door. Apparently her microphone was still hot from giving the speech.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  8. Think Skynet People! Decouple Decentralize Delete! by Anonymous Coward · · Score: 0

    If they wanted to impress, they would have figured out how to implement this without any servers. Think big people, Skynet did.

  9. Focus on the host platform. by dubist · · Score: 2

    I support the sentiment of these guys but your code is going to be running on a platform that is largely exploitable by most English speaking foreign governments and possibly well funded crooks.

    What this means is that no matter how good your software is it will be ultimately rendered useless by going after the host platform and memory.

    Also anything that uses a public key exchange is only secure because certain reversals of transformation are 'hard'. There is no universality to hard, what is hard for me may not be hard for you.. Globally governments and crooks seek out and employ people who are good at working with hard.

    Then there are all the other sources of issue, like suitable entropy, which is not to be scoffed if something is 20% less random than is should be then that is a huge advantage.

    However most of the above is a bit unfair though because they will not be in a position to do much about it but it does need to be considered by the users though.

    1. Re:Focus on the host platform. by Pi1grim · · Score: 1

      >> Also anything that uses a public key exchange is only secure because certain reversals of transformation are 'hard'.
      Nope, it's also only secure as long as you verify that the key you have in front of your eyes corresponds to the person you want it correspond to.

      >> There is no universality to hard, what is hard for me may not be hard for you..

      Actually you might want to refresh your memory a little bit about cryptography. To crack a decent asymmetric cypher it would take more than visible universe working as a computer for time longer than said universe exists. So, there is universality to hard.

      >> I support the sentiment of these guys but your code is going to be running on a platform that is largely exploitable by most English speaking foreign governments and possibly well funded crooks.

      I don't support their sentiment. If they really wanted to create a secure platform - they could. I'm pretty sure that it's not that hard to check out best practices and analyze the situation before coming up with solutions. a) The only good security - is end-to-end (i.e. data is only unencrypted on endpoints and only people wielding the keys are on the endpoints) b) You verify the keys via a secure channel to prevent tampering (I'm quite convinced NSA is not good enough to fake a live video stream with you holding up a QR code in real time and on a mass scale) c) you should be able to host your own server and have access to both client and server (because otherwise the software might actually be leaking the information).

      So, with all that in mind we have people who just want to cash in a check on public outcry about privacy violation and make a quick buck exploiting mass hysteria. For example The Guardian Project are actually doing a secure open source IM, with code available for audit and allowing for end-to-end perfect-forward-secrecy (OTR) encryption and key verification. Now that is the right direction, not cloning yet another IM and telling everyone "Trust us, we're the good guys, we'll protect your privacy, unlike those other guys".

  10. /en/myapp.php by Anonymous Coward · · Score: 0

    Reading ../en/myapp.php in the URL of the official website (plus things like "military-grade encryption" etc.) makes me think this might be a worthwhile challenge.. But maybe I'm just again too prejudicial

  11. Obligatory XKCD by Dareth · · Score: 1

    Would the 100k cover lawyers expenses if you used this method?

    XKCD:Security

    --

    I only look human.
    My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
  12. Badly commented code... by Anonymous Coward · · Score: 0

    ... 5K please.

  13. ummm... by buddyglass · · Score: 1

    I guess it wouldn't count to run their app on a rooted phone that presents compromised APIs to the apps? Or crack it open, inject logging code, repackage and resign it then submit it to a third-party marketplace? That is to say, the standard security problems all apps face as opposed to a flaw specific to the Wickr app?

  14. why not hire some QA to do stuff like that full ti by Joe_Dragon · · Score: 1

    why not hire some QA to do stuff like that full time and they also get some in house beta testing that is not just the coders testing there own code.

  15. Re:why not hire some QA to do stuff like that full by Shados · · Score: 1

    Yeah, because the average QA is a master of cryptography. You need to hire security specialists for this....and they did.

    Now, after all of that, they want to make sure nothing slipped.

  16. Usually this sort of thing is a SCAM! by Anonymous Coward · · Score: 0

    Usually this sort of thing is a SCAM, offering crappy security and a contest that lacks key parts necessary for fair testing. For example, I've seen many a contest where only an encrypted message is provided. You have to provide the original plaintext. Of course, there are a great many possibly valid plaintexts, not infinite but close enough for practical purposes, and no way to distinguish which is the correct one.

    Now this project is talking about security software. Software, not Hardware. Running over an unsecured data channel on emulated hardware if you so wish. Clearly it can be compromised for any individual system. It may require running secondary software to spy on the original software, or compromising the device (or kernel). But it can be done. Whether it can be done wholesale is another question.

  17. Where do the keys get generated? by Anonymous Coward · · Score: 0

    It doesn't actually say that the keys are generated on the device.

  18. Here's some serious vulnerabilities by Anonymous Coward · · Score: 1

    1. American company
    2. Software is not open source
    3. Reliance on the company's servers, not peer to peer
    4. I can't run my own server
    5. Susceptible to traffic analysis
    6. Runs on a mobile platform I cannot fully control

    What more do you want?

    It is no point to discuss details like buffer overflows when the whole premise is, quoting Doge: such flaw, much hot air.

    The whole thing revolves around an illusion of trust. The company wants to create an image of trustworthiness so that you trust their ability to offer privacy. That's not how it works, guys. Privacy has to be provided via proven mathematical methods and good technical practises, not through a fluffy soft idea like trust.

  19. 100k? How about 200k by Anonymous Coward · · Score: 1

    A competing app did just that, and a guy from Russia won the $100k. Now they're offering $200k.

    Still no article on Telegram in /.