At a glance.
- US Senator blocks attempt to ban TikTok.
- CISA urges government agencies to patch newly discovered bugs.
- Are interoperable, secure, and user-friendly messaging apps even possible?
US Senator blocks attempt to ban TikTok.
As we’ve previously discussed, it seems the US government could be headed for a full ban of TikTok amidst allegations that the popular social media platform poses a threat to national security. A petition in support of the ban has been put forward by Republican Senator Josh Hawley and backed by a bipartisan group of Congressional lawmakers, but Quartz reports that Senator Rand Paul has blocked the petition, citing concerns that it would be a violation of freedom of speech. “I think we should beware of those who use fear to coax Americans to relinquish our liberties,” Paul stated. A Republican from Kentucky, Paul also says he feels the Chinese-owned video streaming platform is being unfairly singled out for activities that are also often carried out by many American tech companies. He stated, “Every accusation of data gathering that has been attributed to TikTok could also be attributed to domestic big tech companies.”
Indeed, much like TikTok, US tech companies like Meta and Google also have access to copious amounts of user data, but proponents of the ban say that because TikTok is owned by Beijing-based company ByteDance, its data could be demanded by the Chinese government and used to spy on American users. House Speaker Kevin McCarthy confirmed that the chamber will vote on a bill to ban TikTok, but it's unclear when that will happen.
CISA urges government agencies to patch newly discovered bugs.
Yesterday the Cybersecurity and Infrastructure Security Agency (CISA) announced it is adding ten new vulnerabilities to its Known Exploited Vulnerabilities Catalog. Bleeping Computer notes that five of the bugs were abused as part of several exploit chains in two separate operations targeting Android and iOS users. Google's Threat Analysis Group (TAG) says the first campaign was detected last November and focused on iOS devices, and a month later a chain of multiple zero-days and n-days was exploited to target Android phones. Although patches had been released to resolve the bugs, Google TAG's Clément Lecigne says the attackers "took advantage of the large time gap between the fix release and when it was fully deployed on end-user devices." Thus, CISA officials are urging organizations to patch the bugs as soon as possible, giving Federal Civilian Executive Branch agencies three weeks to secure the necessary updates. "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned.
Are interoperable, secure, and user-friendly messaging apps even possible?
The EU's Digital Markets Act (DMA) states that by March 2024 European instant messaging and real-time media apps will be required to be interoperable, meaning they must communicate with other services. However, the Register notes, it’s unclear how exactly this can realistically be achieved. A paper from University of Cambridge doctoral candidate Jenny Blessing and security engineering professor Ross Anderson examines the mandate and what it would take for messaging services to comply. "Designing a system capable of securely encrypting and decrypting messages and associated data across different service providers raises many thorny questions and practical implementation compromises," the paper reads. It goes on to say that in order to make encrypted end-to-end communication services interoperable, completely new, highly complicated protocols will have to be instituted.
The academics note, "The resulting complexity of the system may inherently compromise the level of security due to the increased number of moving parts, just as key escrow mechanisms endanger cryptography even if the escrow keys are kept perfectly secure." They offer two broad approaches. A common protocol is one option, but variations in implementation across popular messaging apps like Signal, WhatsApp, and Facebook Messenger would make standardization challenging. The second approach, platform API bridges, could be a better option, but large platform providers would be required to create different bridges for each message provider, which could present security issues. And of course, there’s still the hurdle of convincing users to switch from their favorite messaging platforms. The researchers conclude, "Giving users a choice between platforms without giving them a platform they would want to spend time on is no choice at all."