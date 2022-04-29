

The first edition of Roget's Thesaurus was published on this day in 1852. Or maybe you'd call it the initial printing? Premier dissemination? Below: GOP activists and officials fueled by false stolen-election claims have breached or tried to breach voting systems in at least eight jurisdictions across five states, and NSO Group's owners tried to undermine researchers reporting on the company's spyware scandals.

Musk wants end-to-end encryption for direct messages on Twitter

Elon Musk started the cyber and privacy world buzzing this week with a tweet suggesting he might raise encryption protections for Twitter direct messages if and when he takes control of the company.

It’s a popular proposal among cyber pros, who have long warned that the lack of end-to-end encryption on DMs makes them more vulnerable to being stolen and leaked by hackers or snooped on by government intelligence agencies.

Musk tweeted that Twitter DMs “should have end to end encryption like Signal, so no one can spy on or hack your messages.” That would mean DMs stay encrypted everywhere except on the devices of the sender and recipient, so not even Twitter's own servers could read them.

Twitter DMs should have end to end encryption like Signal, so no one can spy on or hack your messages — Elon Musk (@elonmusk) April 28, 2022

However, it would be exceedingly hard to implement end-to-end encryption on DMs and it would almost certainly require some trade-offs that will irk customers, technologists say.

It’s an idea Twitter has already considered – and abandoned.

“Twitter has looked at encrypting DMs in the past, but there are these consequences and externalities when you follow the idea to its technical extent,” cyber researcher Matt Tait, who supports end-to-end encrypting DMs, told me in an interview. “The question is … whether he does what other executives have in the past, which is to say, ‘it’s harder than I thought’ and stay with the status quo or does he say, ‘it’s really important so let’s do it anyway.’ ”

Context: The vast majority of the public and media focus on Musk’s Twitter purchase has been on his plans to loosen restrictions on what counts as acceptable speech on the platform. Yet, his encryption tweet suggests Musk’s ownership of the company could produce a far broader slate of changes both positive and negative.

Extending DM encryption could also raise some hackles in Congress, where some lawmakers are already in an uproar over the billionaire wielding control over a highly influential platform for news and discourse.

Lawmakers including Sens. Richard Blumenthal (D-Conn.) and Lindsey Graham (R-S.C.) have taken aim at a similar plan to make Facebook direct messages end-to-end encrypted, warning it could make it easier to share child pornography on the sites or for predators to try to lure underage victims.

Justice Department officials have long railed against end-to-end encryption in general, warning the protections make it easier for terrorists and criminals to plan operations online.

But technologists nearly uniformly say the added security is worth those risks, and Congress has never made significant moves to limit the protection.

Musk also has a history of making bold and sometimes inflammatory statements on Twitter but not following through. After tweeting about expanding encryption, his two subsequent tweets satirically pondered buying Coca-Cola and dosing it with cocaine and pledged “Let’s make Twitter maximum fun!”

“I think his tweet is worth the paper it’s printed on,” Riana Pfefferkorn, a Stanford University research scholar and encryption advocate, told me. “The anti-encryption crowd won’t love Musk’s statement, but it’s so far from becoming actual reality that anyone in Congress with concerns about the deal will have a lot of other things to latch on to.”

The technical barriers to end-to-end encryption for Twitter DMs fall into three main categories.

1. End-to-end encryption works best when messages are exchanged between two devices that each hold their own cryptographic keys and can verify one another. It is far more complicated, and harder to keep secure, in a system like Twitter's, where the same DMs are read from several devices at once, such as a phone and a browser, or several browsers logged into the same account.

Here are more details from Ben Adida, executive director at VotingWorks, a voting technology nonprofit:

3/ because the point of end-to-end encryption is that the Twitter servers should never have access to your DMs. That means the ability to decrypt must always be kept on the client, say your Twitter app or web browser. — Ben Adida (@benadida) April 28, 2022

5/ or it means the decryption key is derived from your password. Which is doable, but means that the encryption is weaker because a password is not as strong as a random full-strength decryption key. — Ben Adida (@benadida) April 28, 2022

2. For end-to-end encrypted messaging systems like Signal and WhatsApp, users who lose access to their devices also lose access to all their messages — a change that may irk many Twitter customers.

From Adida:

7/ so, say you're ready to tackle this, you're good with these limitations. How do you upgrade existing users? Users who forget their password occasionally, or lose their phone sometimes and log into a new one. Or use third-party apps to manage their DMs? — Ben Adida (@benadida) April 28, 2022

9/ And if that's the path forward, will users understand? Will they suddenly worry about the insecurity of their old DMs (some would say that's good)? Will they even use the new feature? These are the tradeoffs. They're real and particularly tricky to manage. — Ben Adida (@benadida) April 28, 2022

3. If Twitter can’t view DMs, it will become far harder for the company to police claims of harassment, abuse and attempted child predation that happen on the messaging service.

WhatsApp has set up systems to ensure users can report bad behavior on DMs while still maintaining end-to-end encryption, but that took a lot of work to establish and created some confusion.
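The following is an added example, not code from the newsletter, from Twitter or from Signal. It models the key-management tradeoff behind item 1 and Adida's tweet 5/ (a password-derived key is only as strong as the password), and the lost-device consequence in item 2: a client can hold the DM decryption key either as a random full-strength key that never leaves the device, or as a key derived from the account password with a slow KDF. Everything is Python standard library; the cipher is a toy HMAC-SHA256 keystream so the script runs offline, not a real messaging cipher, and the salt, work factor, wordlist and DM text are constructed values.

```python
"""Toy model of the two ways a client can hold an end-to-end DM key.

Path A: random 256-bit device key (strong; unrecoverable when the device is gone).
Path B: key derived from the account password (recoverable on a new device;
        only as strong as the password, so guessable offline by whoever holds
        the encrypted store, including the server operator).
"""
import hashlib
import hmac
import os
import secrets
from typing import List, Optional, Tuple

KDF_SALT = b"constructed-per-account-salt"  # constructed; real systems use a random per-user salt
PBKDF2_ROUNDS = 100_000                     # assumed work factor; tune to ~100 ms per guess in practice


def device_key() -> bytes:
    """Full-strength random key from the OS CSPRNG, kept only on the client."""
    return secrets.token_bytes(32)


def password_key(password: str) -> bytes:
    """Password-derived key (Adida's 5/). PBKDF2 slows each guess but cannot
    add entropy the password never had."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), KDF_SALT, PBKDF2_ROUNDS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 over (nonce || counter). Not a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_dm(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_dm(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def offline_guess(blob: bytes, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """What anyone holding the encrypted store can do against a password-derived
    key: try candidate passwords until the tag verifies.
    Returns (recovered_password, guesses_made)."""
    for i, candidate in enumerate(wordlist, start=1):
        if decrypt_dm(password_key(candidate), blob) is not None:
            return candidate, i
    return None, len(wordlist)


def demo() -> dict:
    dm = b"constructed DM: meet at 9, bring the documents"
    # constructed wordlist standing in for a leaked-password dictionary
    wordlist = ["123456", "password", "letmein", "twitter2022", "hunter2"]

    # Path A: random device key. Losing the device means losing the key and the DMs.
    k_dev = device_key()
    blob_dev = encrypt_dm(k_dev, dm)
    del k_dev  # the phone is gone; nothing server-side can rebuild this key
    recovered_after_loss = decrypt_dm(password_key("hunter2"), blob_dev) is not None

    # Path B: password-derived key. Recoverable on a new phone, but guessable offline.
    blob_pw = encrypt_dm(password_key("hunter2"), dm)
    recovered_on_new_device = decrypt_dm(password_key("hunter2"), blob_pw) == dm
    guessed, tries = offline_guess(blob_pw, wordlist)

    return {
        "device_key_recoverable_after_loss": recovered_after_loss,        # False
        "password_key_recoverable_on_new_device": recovered_on_new_device,  # True
        "password_guessed_offline": guessed,                               # "hunter2"
        "guesses_needed": tries,                                           # 5
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the password path comes back on a new device but falls to a five-word dictionary, while the random-key path survives any amount of guessing and is simply gone once the device is. Signal avoids the password path by giving every device its own keys and enrolling a new device through one that is already linked, which is the multi-device machinery Twitter would have to build and migrate existing users onto.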

GOP activists in at least eight jurisdictions have breached or tried to breach voting systems

The incidents, which spanned five states, all involved local Republican officials or activists who have advanced former president Donald Trump’s baseless claims that the election was stolen or that voting machines were rigged against him, Reuters’s Alexandra Ulmer and Nathan Layne report. Four election law experts told Reuters that the breaches were unprecedented in the history of U.S. elections.

“The incidents examined by Reuters all took place in states that have been competitive in recent elections: Two occurred in Colorado, three in Michigan and one each in Ohio, Pennsylvania and North Carolina,” Ulmer and Layne write. “At least five of the cases are under investigation by local or federal law enforcement, with three arrests and one conviction, according to state and local officials. Four of the breaches forced election officials to decertify or replace voting equipment that was no longer secure.”

NSO’s owner tried to undermine researchers who exposed misuse of its hacking tools

Executives at private equity firm Novalpina, which owned NSO at the time, worked to discredit Citizen Lab’s research that found NSO Group’s Pegasus spyware was frequently used to target journalists and activists, the Guardian’s Stephanie Kirchgaessner and Harry Davies report. Here are the details:

In February 2019, NSO and Novalpina hired lawyer Vivek Krishnamurthy officially as a “specialist external adviser.” But documents obtained by Citizen Lab director Ron Deibert and senior researcher John Scott-Railton suggest that he was hired because he had previously worked as a research assistant for Deibert.

Deibert declined to take a meeting with Krishnamurthy. Krishnamurthy told the Guardian that he regrets his “brief time advising Novalpina in 2019,” and added that NSO’s “record of complicity in gross human rights violations” shows how wrong he was in believing that Novalpina was serious about making “real changes at NSO.”

Novalpina partner Stephen Peel also tried to discredit Citizen Lab in emails to billionaire philanthropist George Soros that called Citizen Lab “an organization unknown except for its attack on NSO.” It’s not clear what Peel’s aim was, but a person familiar with the matter told the Guardian that they thought Peel wanted Soros to stop funding Citizen Lab.

Peel’s lawyers told the Guardian that the allegations were “tenuous and unsubstantiated” and that Peel is committed to “good governance and human rights.”

A firm called Berkeley Research Group began managing the fund that owns NSO after a leadership dispute between Novalpina executives.

Russia-linked hackers have stolen vast amounts of data on Ukrainians

Ukraine’s automotive insurance database and Interior Ministry have been breached in recent months, potentially giving Russia’s military an enormous amount of sensitive information that would be useful in the event of an occupation of the country, the Associated Press’s Frank Bajak reports.

Information gathered about Ukrainian citizens could have pinpointed where Russia critics live and who would be most likely to protest the occupation. Ukrainian cybersecurity officials say that Russian hackers accelerated their aggressive data collection as Russia was preparing its invasion.

Ukrainian officials say they’ve amassed data on Russians as well. The country knows “exactly where and when a particular serviceman crossed the border with Ukraine, in which occupied settlement he stopped, in which building he spent the night, stole and committed crimes on our land,” Serhii Demediuk, the deputy secretary of Ukraine's National Security and Defense Council, told the AP. “We know their cellphone numbers, the names of their parents, wives, children, their home addresses,” and the names of their teachers, schools and neighbors, he said.

It’s not clear how Ukraine obtained such data or whether the claims are being exaggerated.

A top Justice Department cybersecurity official plans to step down

Principal associate deputy attorney general John Carlin has played a key role in investigations focused on ransomware, cryptocurrency and the Jan. 6 riot. He is expected to step down this summer, the New York Times’s Katie Benner reports. During the Obama administration, Carlin led the Justice Department’s National Security Division, which announced indictments of hackers backed by China and Iran.

Google and Microsoft executives testify at a Senate Armed Services Committee panel’s hearing on artificial intelligence applications in cyberoperations on Tuesday at 2:30 p.m.

CISA Director Jen Easterly, Rep. Jim Langevin (D-R.I.) and cybersecurity officials speak at the Hack the Capitol conference on Wednesday.

Homeland Security Secretary Alejandro Mayorkas testifies before the Senate Homeland Security Committee on Wednesday at 2:30 p.m.

Today’s first @washingtonpost TikTok features Russia’s state controlled gas company, Gazprom, shutting off the supply of natural gas to Poland and Bulgaria: https://t.co/vzalI4PSh4 pic.twitter.com/dEPMgpSs8B — Carmella Boykin (@carmellaboykin) April 28, 2022

Original promulgation. Yeah, that's the one! Thanks for reading. See you Monday.

