The Twitter hack, a case for E2EE
Hi everyone,
I'm still in the middle of moving houses, here are some quick personal updates:
My wife and I are expecting our first child, a baby boy coming in November. We decided to move back to Grenoble, where we met and closer to our friends and family. We've found a new place and are moving this week, so I've been trading making NPM packages with packing real boxes. 😅📦
I'm pausing the development of Chiffre for the rest of the summer holidays, to focus on my family and take a well-deserved rest after working on the MVP for a few months in the middle of COVID-lockdown. It gave me some purpose during difficult times, but when life is calling back, only a fool would miss out on it.
However, there's something I'd like to talk about in this short issue.
You may have heard of this story, but Twitter was hacked a few days ago.
The kind of attack used, social-engineering key players in an organization to gain access to admin tools and wreak havoc for all users, is a big issue, because there was nothing anybody using the service could have done to protect themselves.
In the case of Twitter, a bigger problem came from the fact that the Direct Messages (DMs) were not end-to-end encrypted, meaning that attacker could have seen "private" discussions between world leaders, CEOs and other important people.
This is why end-to-end encryption is so important. Even if you trust a company enough not to look into the data you give them, there's never a zero risk that someone will end up accessing this data, intentionally or not.
The only other way to protect against such attacks is not to have the data in the first place.
This means reducing the amount of data and metadata collected, scraping only what's necessary and dropping the rest as soon as possible.
However, lots of big companies have realised the power of data, and go the exact other way: collect and store as much as possible, in case it might be or become valuable. Throw in a team working on AI / BigData and you've got yourself a VC's wet dream.
Unfortunately, collecting enormous amounts of data only paints a giant target on your back. Not only for attackers, but also for rival companies that might want to expand their hegemony and acquire you. When one of those companies coming after your business and your data is a service provider such as Google, Facebook, Amazon or any of the tech giants, there's nothing you can do.
Reducing your data footprint, and encrypting whatever remains, is the best way to stay under the radar, while still providing value for your users and customers.
This is the approach I followed when designing Chiffre: I don't want to be responsible when a leak happens, so I'm using cryptography to make sure that whatever leaks is worthless.
See you soon, and stay safe.
François Best
Founder | Chiffre.io