Slashdot Mirror


Encrypted Messaging Startup Wickr Offers $100K Bug Bounty

alphadogg writes "Two-year-old startup Wickr is offering a reward of up to $100,000 to anyone who can find a serious vulnerability in its mobile encrypted messaging application, which is designed to thwart spying by hackers and governments. The reward puts the small company in the same league as Google, Facebook and Microsoft, all of which offer substantial payouts to security researchers for finding dangerous bugs that could compromise their users' data. Wickr has already closely vetted its application so the challenge could be tough. Veracode, an application security testing company, and Stroz Friedberg, a computer forensics firm, have reviewed the software, in addition to independent security researchers."

12 of 39 comments

  1. Real Regulation by mfwitten · · Score: 2

    You'll get better regulation from this than from anything that could possibly be concocted by government bureaucrats.

    Note: This requires the real threat of economic loss, so an organization that can demand payment regardless of its performance—i.e., the government—cannot implement something similar.

    1. Re:Real Regulation by Rosco P. Coltrane · · Score: 3, Insightful

      Government bureaucrats don't concoct regulations anymore. At least no regulations that don't serve their interests. In case you haven't noticed, it's pretty much we-the-people against them nowadays.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  2. One way to bankrupt them by Rosco P. Coltrane · · Score: 3, Funny

    Wouldn't it be funny if the NSA came forward and claimed the prize money many times until the company went under? Because surely they have backdoors all over the place to walk right through these guys' security measures.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:One way to bankrupt them by Pi1grim · · Score: 4, Insightful

      Maybe it would, but those backdoors are worth much more to the NSA unpublished. As well as all the data that passes through the vulnerable services. So should your scenario come to life, it would be a huge success for end users, as many vulnerabilities would be closed.

      Regarding the article: talk is cheap, show me the code. And let me host this server myself, with inter-server communication. Otherwise it's no better than hangouts, iMessage, Whatsapp, Viber and whatnot else is now trying to be the one and only messaging service. You can't even begin speaking of security if a) you can't audit the code b) you can't control the data.

  3. Free Vulnerabilities: by Anonymous Coward · · Score: 4, Insightful

    I'd bet it's susceptible to:
    The phone you run it on is tracked, and the company that does so shares that data.
    Timing attacks: if you send data at some time, and someone else gets a message then, that implies you communicated with them.
    Visual surveillance. Camera sees you type, camera sees your message.
    They claim "sender-based control over who can read messages, where and for how long". This is impossible. If the receiver can see the message, they can record it.
    Border patrol requesting access.
    Torturing you as an "enemy combatant"

    And some likely others:
    How do they handle key distribution? If you set up communication with someone via email, text or whatever, that can be compromised before you even start.

    Looking through the tech they claim to be using, it seems like they lack defenses against Rubber-hose cryptanalysis. Is there any effort in the area of deniable encryption, or maintaining plausible deniability about having messages or particular contacts? I suspect not.

    It's rather impractically expensive to provide sufficient random cover traffic on a phone to blind against timing correlation attacks on video messages. Given that we know the cell networks are heavily watched, even if the messages were routed through Tor that wouldn't be enough to reliably disassociate sender and receiver (you would want the ageing options planned for I2P for that). Then just get a warrant, and compel them to disclose the contacts and any pending messages. There are [partial] defenses that can be employed here (like TrueCrypt does with hidden volumes, for example); it's not unsolvable, just often ignored.

    Security is hard. Security against a large scale threat such as governments is very hard. Securing the message contents is easy, securing that there was a message is the real challenge.

    All that said, it looks like they likely do a pretty good job of making end-to-end encryption accessible. While that's not all one might want, it's more than most of us get, so it's still a good thing. It's progress, not a solution.
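The timing-correlation attack described in the comment above, as an added worked example (not code from Wickr or from the commenter, and the event times are constructed): a network observer who only sees when each client uploads and downloads a message scores every sender/receiver pair by how many sends are followed by a receive inside an assumed delivery-latency window. The second half shows the receiver-side cover traffic needed to blind that scorer and what it costs in dummy messages per real one. The window bounds, the cover period and the names are all assumptions made for the example.

```python
"""Timing correlation of message send/receive events, and the cost of cover traffic."""

# Constructed event logs (seconds): the times a passive observer saw each
# client upload (send) or download (receive) a message. Not real Wickr data.
SENDS = {"alice": [10.0, 25.0, 41.0, 60.0, 77.0],
         "dave":  [14.0, 29.0, 49.0]}
RECVS = {"bob":   [11.2, 26.1, 42.0, 61.3, 78.4],
         "carol": [15.0, 30.0, 50.0]}

# Assumed delivery latency window: a download that lands between LO and HI
# seconds after an upload is counted as a possible match for it.
LO, HI = 0.5, 2.0


def matched_fraction(send_times, recv_times, lo=LO, hi=HI):
    """Fraction of a sender's uploads followed by some download inside [lo, hi]."""
    if not send_times:
        return 0.0
    hits = sum(1 for s in send_times
               if any(lo <= r - s <= hi for r in recv_times))
    return hits / len(send_times)


def correlation_scores(sends, recvs, lo=LO, hi=HI):
    """Score every (sender, receiver) pair; 1.0 means every send was followed by a receive."""
    return {(sn, rn): matched_fraction(st, rt, lo, hi)
            for sn, st in sends.items() for rn, rt in recvs.items()}


def add_cover_traffic(recvs, period, horizon):
    """Every receiver also downloads a dummy message every `period` seconds.

    If period <= (HI - LO), any send is followed by a download within the
    window for every receiver, so the scorer can no longer tell pairs apart.
    """
    cover = [i * period for i in range(int(horizon / period) + 1)]
    return {name: sorted(times + cover) for name, times in recvs.items()}


def cover_overhead(recvs, covered):
    """Dummy downloads per real message the receivers had to perform."""
    real = sum(len(t) for t in recvs.values())
    total = sum(len(t) for t in covered.values())
    return (total - real) / real


if __name__ == "__main__":
    print("no cover:", correlation_scores(SENDS, RECVS))
    covered = add_cover_traffic(RECVS, period=HI - LO, horizon=90.0)
    print("with cover:", correlation_scores(SENDS, covered))
    print("dummy downloads per real message:", cover_overhead(RECVS, covered))
```

Without cover the scorer links alice to bob and dave to carol with score 1.0 and the other pairs with 0.0. Receiver-side cover at one dummy per window width makes every pair score 1.0, but over this 90-second trace it costs more than fifteen dummy downloads per real message, which is the "impractically expensive" point for video-sized messages on a phone.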

    1. Re:Free Vulnerabilities: by Pi1grim · · Score: 2

      I'm pretty sure they omitted the part where users have to exchange keys over a trusted channel (or at least a channel that prevents or makes it really hard to tamper with it). And this allows for a MITM attack, so all that fancy encryption is absolutely useless, since the attacker will have both keys and total control. What we need right now is not a gazillion apps that create the illusion of privacy, but a protocol and a set of standards for a federated communication channel (pretty much what XMPP is). Since many claim XMPP is not suitable for modern-day communications I would like to see more effort toward improving it (or creating something from scratch, if it's so flawed). Because right now the only universal and secure way of communication is email with GPG or S/MIME encryption slapped on top of it.
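The man-in-the-middle the reply above describes, as an added example (not code from Wickr or from the commenter): an unauthenticated Diffie-Hellman exchange over a channel the attacker controls, run once as designed, once with the attacker swapping in her own public keys, and once with the two users comparing key fingerprints over a trusted out-of-band channel before deriving anything. The group parameters are a deliberately tiny toy choice for the example (the Mersenne prime 2^127 - 1 with generator 3), not anything Wickr uses, and the party names and the fingerprint format are assumptions.

```python
"""Unauthenticated DH key agreement versus one verified out of band (toy parameters)."""
import hashlib
import secrets

# Toy group, an assumption for this example and far too small for real use:
# Mersenne prime 2^127 - 1, generator 3. Every value below fits in 16 bytes.
P = (1 << 127) - 1
G = 3


def keygen():
    """Return (private exponent, public value g^x mod p)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Derive a 32-byte key from the DH shared secret peer_pub^priv mod p."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def fingerprint(pub):
    """Short hash of a public key: the value two users compare in person or by voice."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def run_exchange(mitm, verify_out_of_band):
    a_priv, a_pub = keygen()   # Alice
    b_priv, b_pub = keygen()   # Bob
    m_priv, m_pub = keygen()   # Mallory, who controls the untrusted channel

    # Public keys as actually delivered over the network; with mitm=True
    # Mallory replaces each side's key with her own.
    pub_alice_received = m_pub if mitm else b_pub
    pub_bob_received = m_pub if mitm else a_pub

    if verify_out_of_band:
        # Trusted channel (meeting, phone call, QR scan): each side learns the
        # peer's real fingerprint and compares it with what the network delivered.
        if (fingerprint(pub_alice_received) != fingerprint(b_pub)
                or fingerprint(pub_bob_received) != fingerprint(a_pub)):
            return {"aborted": True}

    a_key = shared_key(a_priv, pub_alice_received)
    b_key = shared_key(b_priv, pub_bob_received)
    return {
        "aborted": False,
        # Without the MITM both sides hold the same key; with it they hold
        # two different keys, each of which Mallory can also compute.
        "alice_bob_agree": a_key == b_key,
        "mallory_reads_alice": mitm and shared_key(m_priv, a_pub) == a_key,
        "mallory_reads_bob": mitm and shared_key(m_priv, b_pub) == b_key,
    }


if __name__ == "__main__":
    print("honest channel:   ", run_exchange(mitm=False, verify_out_of_band=False))
    print("mitm, no check:   ", run_exchange(mitm=True, verify_out_of_band=False))
    print("mitm, fingerprint:", run_exchange(mitm=True, verify_out_of_band=True))
```

The fingerprint comparison only helps because it travels over a channel Mallory cannot rewrite; if the app shows the fingerprint but users never compare it, the third run degrades to the second, which is the point the reply makes about key exchange being omitted from the security story.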

  4. Re:Define serious by Pi1grim · · Score: 2

    My thought exactly. Even if third-party researchers cannot find any vulnerability in the protocol itself, who says there isn't a backdoor in the server part that will reduce security to 0? Pretty sure they won't open the server part to scrutiny (even if they do, how do we verify that it's the same version running on the actual server?)

  5. Open source the code! by spacefight · · Score: 2

    It's 2014, after all.

  6. It is an American Company. by Anonymous Coward · · Score: 5, Insightful

    What other vulnerability do you need ?

    1. Re:It is an American Company. by DuckDodgers · · Score: 2

      Agreed. The NSA can use a National Security Letter to demand that Wickr release an update to their software that forwards all of the plain text to the NSA. Wickr will be unable to challenge that directive in court or make public that it was received.

      There are many good arguments for allowing proprietary software in the public sphere, but when it comes to privacy and encryption, I think we have no choice but to accept open source as the only way to go.

    2. Re:It is an American Company. by bill_mcgonigle · · Score: 2

      What other vulnerability do you need ?

      That's an excellent (and sad) point. Just to reinforce it, and to perhaps defend the _intentions_ of the company's founders, they've already made public that their leader was approached, after giving a conference talk, by a man claiming to be from the FBI who asked nicely for her to cooperate on installing a back door. Apparently her microphone was still hot from giving the speech.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  7. Focus on the host platform. by dubist · · Score: 2

    I support the sentiment of these guys but your code is going to be running on a platform that is largely exploitable by most English speaking foreign governments and possibly well funded crooks.

    What this means is that no matter how good your software is it will be ultimately rendered useless by going after the host platform and memory.

    Also anything that uses a public key exchange is only secure because certain reversals of transformation are 'hard'. There is no universality to hard; what is hard for me may not be hard for you. Globally, governments and crooks seek out and employ people who are good at working with hard.

    Then there are all the other sources of issues, like suitable entropy, which is not to be scoffed at: if something is 20% less random than it should be, that is a huge advantage.

    However, most of the above is a bit unfair, because they will not be in a position to do much about it, but it does need to be considered by the users.