I remember when Wickr first started on iOS, the founder said at the time that she wanted an app her kids could use safely. I never met anyone who used Wickr though. Pretty good job on their part that it went from a niche app to an Amazon acquisition.
Now that it will have a corporate implementation people should remember that corporately administered clients (e.g. Teams) save and record a copy of everything you say and do and AWS Wickr is likely to be no different.
As Signal is mentioned in this comment thread, I don't see the hit on Signal about the phone number piece as being a big downside. The app is about privacy not anonymity and a phone number is a pretty unique UID. I never installed Signal to talk to anonymous strangers, everyone on my list is someone I know because of the phone number UID. True, I don't know everyone's phone number but I'm probably also not talking to them often or ever.
It's very hard to get people to try a different messenger. People are very wedded to the Facebook corporation (FB, Instagram, Whatsapp). It bothers me when I talk about something and then see ads for it shortly after. Obviously not only is it bot-mined for ad purposes, but rather, I don't believe FB ever deletes the data. They are the administrator and likely keep it forever. This is why I personally think Google is better, they mine it with bots, but unlike FB they don't sell data to third parties.
Signal is probably at the current time the last non-corporate messenger that is secure and is easy enough to set up and use (other suggestions like Matrix have a barrier to entry that is too high because it requires both technical knowledge and the ability to find your correspondents). It can't be acquired due to it being a non-profit foundation so it's likely to be around for a long time to come.
Skype has a little known feature called private conversations. This uses the Signal protocol and even lets you delete the metadata afterwards.
I don't think many people noticed at the time that BillG took being prosecuted by the government very hard indeed. William H. Gates III, "Trey" to his oldest friends, is American establishment: daddy was Nixon's attorney and mom sat on the board of IBM.
Neither do I remember many people who ostensibly cared a great deal about the Microsoft antitrust case following the actual litigation when it was happening. I read every word and watched as much as I could of the trial. Gates was a disaster on the witness box, but not least because the allegations - charges and basis of charges - were so universally preposterous in their formation. The Old New Thing blog basically tells you what Justice should have found out in their discovery process and consequently narrowed the case to something other than a massive spite bomb. Reportedly Gates underwent a nervous breakdown of some serious nature midway through his epic examination on the stand. Microsoft were, the last I looked, the only major not to have backed away from an agreement to enforce the minimum of legality requirements for LEO access to personal information and accounts, and Microsoft was spending close to one billion dollars annually merely to reject ludicrous, illicit and unfounded demands for access to accounts. I don't know any other cloud computing company who will let me hold the only hardware key to my infrastructure across their cloud and using the same infrastructure and integrations (Thales, a major French defence contractor, is the supplier and the solution's pretty good in my experience). At least I'm not surprised that few hail Microsoft for their efforts - advertising flipping fingers at the most self-righteous authority establishment for generations isn't probably the best idea.
Here's the pdf description of Skype Private Conversations:
> Signal is probably at the current time the last non-corporate messenger that is secure and is easy enough to setup and use (other suggestions like Matrix have a barrier to entry that is too high because it requires both technical knowledge and the ability to find your correspondents). It can't be acquired due to it being a non-profit foundation so it's likely to be around for a long time to come.
Threema exists, does E2EE, does not require a phone number (but in practice it is much easier to use it), is fairly easy to set up and has been around for 9 years now.
The only downside compared to Signal is that backups are slightly more cumbersome because the password is required to be 9 characters instead of four digits as in Signal. But I don't trust Intel SGX so that is a win in my book.
Since Signal currently seems to live off of the loan from Brian Acton, I wouldn't assume the future to be quite as rosy as you paint it to be. Group video calls and everything Intel SGX must be quite expensive.
Yes. In Denmark, Wickr is the chat-app of choice for dealers alongside Snapchat. My non-tor skilled friends use it for that. I don't think anyone uses it for anything else.
Why Wickr, I don't know. It's not to protect the buyers because the police do not care about them.
The working study group for the International League of Criminals after conducting a comprehensive evaluation of various messengers that resisted compromise by law enforcement agencies settled upon Wickr because it had the necessary components of both privacy and anonymity. In addition, the niche appeal of it made it more likely to be spread by whispered word of mouth in the community.
I wonder if this will be used in a more positive way than what most people would assume initially.
There are tons of legal situations where confidentiality is absolutely necessary, for example when dealing with medical or legal records. I imagine Amazon's GovCloud might incorporate this as a potential cloud hosted chatting solution.
With telemedicine and remote legal proceedings becoming more and more common, secure chatting while complying with HIPAA and confidentiality rules is going to be an important market.
Having implemented HIPAA compliant software, the technical requirements aren't very difficult. If you're following development best practices, you have 99% of technical requirements covered. The challenge with HIPAA is building process and documentation that demonstrates compliance.
It's particularly challenging at the edges of your engineering org where people tend to use tools that abstract the technical details.
Exactly, as someone who recently helped finish a HITRUST (which focuses on HIPAA compliance) audit, the real work is in proving that the org has policies, procedures and actually follows them.
Technical controls are the easy part. I've often dreamed of some type of way to streamline the policy --> process --> documentation pipeline.
It also requires you to actually think about these problems. As you said, it’s not necessarily hard to do, but if you’re a small startup all these best practices are usually shortcut to get product market fit. If you’re a health care startup, it really slows you down (but for good reason). It also creates criminal/financial reinforcement behind it, something not even Equifax has to be accountable to (which is insane).
Some data we treat with care. Other data we do not. I wonder if that creates a different culture and risk than if we treated all data with care. What do you think?
In order to treat all data with care, you have to define what you mean by "care." In security we talk about the tradeoffs between integrity, confidentiality, and availability. In terms of integrity, the most careful treatment is to place many signed copies of the data publicly on the internet. This also is the most careful treatment for availability. Of course it is the least careful treatment for confidentiality. But no scheme with any care for confidentiality can match it for integrity and availability.
Signal illustrates swinging far in the "confidentiality" direction - most messaging services don't forget anything you say, while Signal makes it rather hard for you to retain your messages, and also offers ways to delete them automatically. I find it unfortunate there are no secure, open messaging platforms that offer similar integrity/availability guarantees to services like Slack.
Huge congratulations to them. I hope the terms were favorable. It's a small personal vindication to have seen the value early on because I recommended that another (Bezos backed) company look into acquiring Wickr some years ago, but I lacked the cred to make it happen. While it feels a bit small to taint a congratulations with smugness about being right - a hearty and sincere well done to the Wickr team. A success absolutely earned.
Edit: For those that have never heard of it, its their own IM, that while publicly available, is mostly used internally for company communications, similar to Slack or Skype for Business.
Chime itself is an acquisition (which also has the dubious reputation of being the poorest execution of any AWS product) at a time when UCaaS companies like UberConference and Dialpad were going strong, and AWS wanted in on that action: https://techcrunch.com/2016/11/23/justin-biba-amazon-video/
Maybe? Although Amazon recently started using Slack as its primary internal messaging platform. Seems that if Wickr was designed to replace Chime, Amazon wouldn't have rolled out Slack internally.
Which is amazing because Slack calls are so bad that they pushed us to pay for Zoom licensing. It can bring a brand new $2k laptop to a sputtering halt. Which is bad but honestly fine for meetings. Where it lost us was that we couldn’t use it for pair/group work because our tools would become so slow as to be unusable.
My guess is they got a pretty good deal on Voice/Video from AWS, or perhaps a better deal for entire AWS infra.
Kind of sad as video is an extra paid feature! It is very limited in functionality, no screen share or view on mobile, no easy way to do an audio/phone bridge.
The connections are so bad that my org disabled audio/video calling on Slack and encourages users to use Teams only.
Amazon allows people to use Slack internally. Chime is still at least the back end for all meetings. And in practice, because Chime chat is still supported, many managers tell their teams to always keep Chime open in case someone messages them there. There’s no way to tell who is on Slack vs on Chime.
For chat yes, but not for video calls (and like others pointed out, some still avoid Slack depending on the user. Devs seem to universally use Slack thankfully)
Never heard about this company before. Took a quick look at their website and noticed that in the table on front page (located in the section "Vetted by the NSA") Zoom is listed as a product lacking "Full E2E Encrypted Functionality". I'm wondering about whether this isn't true (considering Zoom's E2E being GA: https://support.zoom.us/hc/en-us/articles/360048660871-End-t...) - and the table should be fixed - or still true (due to aspects that I might be missing).
The lawyer brain in me is asking me to define “the industry”.
If "the industry" is one that currently uses POTS then it is the most secure, yes, because they sell enterprise software to various industries.
The thing is: they use different protocols on their consumer apps than their enterprise ones; only the enterprise ones have an open (or, released) protocol specification.
The post is written by an AWS VP of technology. They probably plan to deploy this as an enterprise service, or use the tech, so you really have to hype during acquisition the aspects you intend to sell.
The big sell for enterprises is actually what probably invalidates the statement you highlighted. Compliance, administrative controls, and audit almost always are significant threat surfaces that are exposed deliberately. Ideally to only the right people, but it's basically the equivalent of a cryptographic back door. It's less secure by design, but for a purpose.
Certainly one unexpected way for the government to scare off and shut down nefarious communications happening on Wickr. Note this platform has been popular amongst the darkest underbelly of the web (e.g. carders, drug dealers).
Though true, this is just about entirely irrelevant given where Wickr has gone since 2016. It may surprise you to learn that Wickr was awarded a large US Airforce contract last year. [0]
Why is it irrelevant post-2016? Wickr was still a preferred choice of drug dealers well up to 2018 (and probably beyond). I know this because I was using it to communicate with them.
Sure, there's a subset of DarkNetMarket dealers who use Wickr. There's a subset of all sorts of underground/niche communities out there using it.
You get purchased by Amazon after securing a military contract, not by being an awesome way for online drug vendors to chat with customers. Though perhaps that's what got them the US Air Force contract to begin with...
It can go both ways, right? Maybe he thought that the war on drugs was dumb, so quit investigating drug crimes and developed technology that made it impossible for a successor to do that job.
Oh if only stolen credit cards and drugs were the darkest underbelly of the web! Note that it's also popular with former Australian Prime Ministers and plenty of other people for ethical and legitimate reasons (some of them also legal), not just "nefarious communications."
> With Wickr, customers and partners benefit from advanced security features not available with traditional communications services – across messaging, voice and video calling, file sharing, and collaboration. This gives security conscious enterprises and government agencies the ability to implement important governance and security controls to help them meet their compliance requirements.
Wickr is going to be intertwined with AWS products so Amazon can sell them to "security conscious enterprises and government agencies."
A great point. It's easy for an exec to say, "We should buy Wickr to make it easier to land government contracts." You still have to integrate Wickr in a way that makes sense and actually adds value.
Knowing a bit about their history and having met some of the principals, I'm not.
Wickr's focus was never on the HN audience. Their "bullseye" was the audience of DEF CON attendees who have some ties to capital "e" Enterprise and/or US public sector.
Where there were overlapping users, great, but traction on HN was unlikely to lead to organization wide enterprise license agreements.
Anyone that has ever set foot on Reddit or 4chan knows that Wickr is heavily used to share child pornography and revenge pornography. Entire subreddits have disappeared for this reason [1]. I wonder how AWS is going to deal with this. Unfortunately, due to the nature of the app, they can probably safely say that they were "not aware of it"...
You can be sure there is already a team working on the architectural changes needed to implement lawful intercept and passive surveillance on Wickr. This is what happens when a secure platform gets too big. The same thing happened to Skype.
I work on cryptography at AWS, and long before that I worked on Skype a bit, so I can't resist commenting! Wickr features end to end cryptography, https://wickr.com/wp-content/uploads/2019/12/WhitePaper_Wick..., and I can't see why we'd change that (and even that framing is a bit weird, I'm sure Wickr will continue to be autonomous but maybe with access to more resources from the rest of Amazon).
Great! invite someone into the building who has lied to the entire crypto community to undermine global security. They will surely know how to spot bad actors!
Invite a bad actor into the building in order to keep bad actors out.
Green's conviction about this is tantalizing but it's also melodramatic in a way that makes it easy to believe something not quite true (or provable, anyway.) In fact if you look down the thread, you'll see Green admitting that correlating Salter is basically speculation and other people providing plausible alternatives to Green's claims for Salter's motives at AWS. tptacek has a more measured history of what actually happened and it is very different than what you'd glean from Green's tweets.[0] Personally in this case I'd be more worried about touting Ring's end-to-end encryption with one hand while the other hand points one of those ends to your police department[1].
As an american company, customers should absolutely be distrustful of any claims of security. There is very little in the way of the feds giving you a gag order and ordering you to provide a backdoor.
Amazon has zero recourse in this situation, neither would they risk their gov contracts fighting it.
Nonsense. When they get a gag order they have zero choice and recourse. Their options are shutting down the company or comply. They can join a legal fight to stop this practice; they however must comply with every order they get.
"When disagreeing, please reply to the argument instead of calling names. 'That is idiotic; 1 + 1 is 2, not 3' can be shortened to '1 + 1 is 2, not 3.'"
Appreciating the irony that we've gone to all this trouble to create e2e crypto protocols so that now we can finally trust products like Ring and Alexa to spy on us.
The beauty of Wickr is it provided disposable identities and relatively strong anonymity, and fended off bulk interception using an end to end security protocol. The market for it was smaller because while everyone says they want security, I found that the risk/reward of anonymity is too risky for most people. The people I knew who did use Wickr were political staffers and operatives/activists on campaigns, law enforcement, and other fields where they had official recourse to protection.
The reason for AMZN to buy Wickr is that it is a trustworthy secure messenger product with a valuable and influential user base, and an evolution of the product without anonymity is probably the case for growth.
I don't see it being backdoored so much as just adapted to leverage its existing user base to fill out a feature need in a suite of AWS collaboration tools that will compete against Teams/Github, Zoom, Atlassian, etc.
> I'm sure Wickr will continue to be autonomous but maybe with access to more resources from the rest of Amazon
To be fair, this is the fairy tale that's told on every acquisition. I'm pretty certain this same narrative was spun even when Facebook acquired Oculus.
Not saying this will be similar, but just hearing those words is not assuring by itself.
Amazon's proven a much better steward than Facebook, though. Twitch seems pretty independent other than some Prime perks, Eero doesn't seem to have changed much, I'm pretty sure they forgot that they even bought IMDB and DPReview, etc.
That's an odd glossy advertisement... Everyone here knows what end-to-end encryption is.
Regardless of any promise, professed dismay, warranty, or other statement by Amazon, this product is no longer a trustworthy interface for private communications. The mere presence of the company brings such high probability of capitulation to government or corporate eavesdroppers that it's basically a useless asset to own IMPO.
You can make it weaker without getting rid of it.
Whatsapp also has E2EE on the message contents, does it stop Facebook from sharing all your contacts, call metadata, message times etc with the authorities? Very unlikely.
I don't trust Wickr solely because it is closed source and a US team
The government contracts don't give me confidence in their technology; they give me the impression they sell snake oil to "security conscious" organizations just like that article says. It's like it's worded specifically to avoid any liability in the eventual lawsuit where people complain that it didn't offer what they expected.
The AWS acquisition gives me even less confidence.
The standard for less skepticism for me is distributed end to end encryption where handshakes are done between the specific parties communicating
This is common (but often ignored) knowledge on darknet forums and markets, where Wickr also doesn't have a good client for darknet operating systems - further pointing to it having an intended purpose of not offering privacy by not prioritizing it for Whonix and Tails.
Most of the literature about this trepidation and solutions are not on clearnet but you can get a glimpse of sentiment in comment replies here:
To give a sense of Wickr's direction (before the acquisition, at least):
Wickr as of 10/2020 "has created a federal advisory board that includes Matt Olsen, chief trust and security officer, Uber (former director of the National Counterterrorism Center); Vince Stewart, chief innovation and business intelligence officer of Ankura (a former deputy commander of U.S. Cyber Command and former Defense Intelligence Agency Director); Jan Tighe, former deputy chief of naval operations for information warfare and director of naval intelligence; and Joanne Isham, former deputy director of the National Geospatial Intelligence Agency."
Probably good for Wickr founders, but else? Amazon is facing growing antitrust issues, why add to this with more and more acquisitions? Do they want to own the whole web?
App       Security & privacy   #users Germany   Ease of use   Functionality   Price
Element   o                    -                -             o               Free
Signal    +                    o                +             +               Free
Telegram  -                    +                ++            ++              Free
Threema   +                    o                o             o               $3-$4
Whatsapp  o                    ++               +             +               Free
Wire      +                    o                -             -               Free

Legend: ++ very good, + good, o good enough, - bad
Great question. This is pretty unfortunate, data mining secure communications removes much of the value. Signal sold out a long time ago, not sure of another 'verified secure' platform.
Signal is entirely independent and hasn't been acquired by Amazon or any other big tech company. It remains the gold standard for security/privacy technology (whether it's packaged acceptably for everyone on HN is a different question, and I'm not saying you have to use it).
Signal is moving away from phone numbers, developing the components needed to securely provide service via user IDs.
My understanding is that their intended audience is the general public, not crypto-security geeks, and as part of that they wanted integration with existing address books. With a small team, developing all the security and usability was more important than eliminating the phone number piece.
They apparently don't retain any data but the phone number, and I think the registration date and last logon date.
AWS has acquired many companies in the past. Off the top of my head, Biba (turned into Chime), Elemental, Cloud9, Annapurna, CloudEndure…I’m sure there’s more.
Former A9 employee here. A9 was not an acquisition - it was bootstrapped as a Bay Area subsidiary. Initially A9 focused on web search, then pivoted to doing product search for Amazon retail.
Scroll to the bottom of the “my account” page for example and you’ll see a list of dozens of wholly owned subsidiaries and websites, many of which were purchases.