Encrypted Messaging Startup Wickr Offers $100K Bug Bounty 39
alphadogg writes "Two-year-old startup Wickr is offering a reward of up to $100,000 to anyone who can find a serious vulnerability in its mobile encrypted messaging application, which is designed to thwart spying by hackers and governments. The reward puts the small company in the same league as Google, Facebook and Microsoft, all of which offer substantial payouts to security researchers for finding dangerous bugs that could compromise their users' data. Wickr has already closely vetted its application so the challenge could be tough. Veracode, an application security testing company, and Stroz Friedberg, a computer forensics firm, have reviewed the software, in addition to independent security researchers."
Re:Real Regulation (Score:4, Insightful)
Government bureaucrats don't concoct regulations anymore. At least no regulations that doesn't serve their interests. In case you haven't noticed, it's pretty much we-the-people against them nowadays.
Re:One way to bankrupt them (Score:4, Insightful)
Maybe it would, but those backdoors are worth much more to NSA unpublished. As well as all the data that passes through the vulnerable services. So should you scenario come to life, it would be huge success for endusers, as many vulnerabilities would be closed.
Regarding the article: talk is cheap, show me the code. And let me host this server myself, with inter-server communication. Otherwise it's no better than hangouts, iMessage, Whatsapp, Viber and whatnot else is now trying to be the one and only messaging service. You can't even begin speaking of security if a) you can't audit the code b) you can't control the data.
Free Vulnerabilities: (Score:4, Insightful)
I'd bet its susceptible to:
The phone you run it on is tracked, and the company that does so shares that data.
Timing attacks: if you send data at some time, and someone else gets a message then, that implies you communicated with them.
Visual surveillance. Camera sees you type, camera sees your message.
They claim "sender-based control over who can read messages, where and for how long". This is impossible. If the receiver can see the message, they can record it.
Boarder patrol requesting access.
Torturing you as an "enemy combatant"
And some likely others:
How do they handle key distribution? If you setup communication with someone via email, text or whatever, that can be compromised before you even start.
Looking through the tech they claim to be using, it seems like they lack defenses against Rubber-hose cryptanalysis [wikipedia.org]. Is there any effort in the area of deniable encryption, or maintaining plausible deniability about having messages or particular contacts? I suspect not.
Its rather impractically expensive to provide sufficient random cover traffic on a phone to blind against timing correlation attacks on video messages. Given that we know the cell networks are heavily watched, even if the messages were routed through Tor that wouldn't be enough to reliably disassociate sender and receiver (You would want the ageing options planned for I2P for that). Then just get a warrant, and compel them to disclose the contacts and any pending messages. There are [partial] defenses that can be employed here (like TrueCrypt does with hidden volumes for example), its not unsolvable, just often ignored.
Security is hard. Security against a large scale threat such as governments is very hard. Securing the message contents is easy, securing that there was a message is the real challenge.
All that said, it looks like they likely do a pretty good job of making end to end encryption accessible. While thats not all one might want, its more than most of us get, so its still a good thing. Its progress, not a solution.
It is an American Company. (Score:5, Insightful)
What other vulnerability do you need ?