TeleGuard, an app that markets itself as a secure, end-to-end encrypted messaging platform which has been downloaded more than a million times, implements its encryption so poorly that an attacker can trivially access a user’s private key and decrypt their messages, multiple security researchers told 404 Media. TeleGuard also uploads users’ private keys to a company server, meaning TeleGuard itself could decrypt its users’ messages, and the key can also at least partially be derived from simply intercepting a user’s traffic, the researchers found.

The news highlights something of the wild west of encrypted messaging apps, where not all are created equal.

“No storage of data. Highly encrypted. Swiss made,” the website for TeleGuard reads. The site also says, “The chats as well as voice and video calls are end-to-end encrypted.”

In March an anonymous security researcher, who didn’t provide their name, told 404 Media about a series of vulnerabilities in TeleGuard. They included the fact the TeleGuard app uploads users’ private encryption keys to the company’s server upon account registration. 

Often when implementing encrypted messages, apps will assign users a public and private key. The public key is what other users use to encrypt messages for them, and the private key is what a user uses to decrypt messages meant for them. If this key falls into someone else’s hands, they may be able to read a users’ messages.

In true end-to-end encryption, this encryption happens on a user’s phone, and the key should never leave that device. With TeleGuard, the app is transmitting that highly sensitive key to the company’s servers. Technically, the app uploads an encrypted version of the private key, but it also transmits other information that allows the server to decrypt it, the researcher explained. That includes the user’s unique ID, which is also uploaded along with the key; a hardcoded salt (which in cryptography is supposed to be a random string of characters, but in this case is constant); and a hardcoded nonce (which is also supposed to be random for every communication to stop certain attacks, but is constant with TeleGuard). “The server can decrypt every user's private key. It has everything,” the researcher wrote in their findings shared with 404 Media.

That series of design decisions means TeleGuard, the company, receives users’ private keys. But the keys are also accessible to other attackers. The researcher found it’s possible to retrieve a specific user’s private key by simply plugging their user ID into TeleGuard’s API. Many people share their user ID publicly so they can be contacted, opening them up to this attack.

404 Media asked Dan Guido, CEO and co-founder of cybersecurity firm Trail of Bits, whether his team was able to verify the findings. Guido said the company found much the same thing, and added the app’s encryption “is meaningless,” because of the app uploading the private keys and the server’s ability to decrypt them.

Trail of Bits then found multiple other security issues with TeleGuard, including being able to at least partially extract users’ private keys from simply intercepting their traffic. Trail of Bits said it then successfully decrypted one of the shoddily encrypted private keys from that capture.

Guido sent 404 Media this meme: 

The researcher who initially reached out also said TeleGuard’s metadata—when someone sent a message, and to whom—is in plaintext, meaning that could be exposed to attackers too.

TeleGuard launched in around 2021, according to archives of the app’s page on the Wayback Machine. It is made by Swisscows, a company that also makes what it describes as an anonymous search engine, a VPN, and an email service. In a promotional video, TeleGuard claims to have “one of the strongest encryptions available.”

Neither TeleGuard nor Swisscows responded to multiple requests for comment, nor gave any indication or timeline of when they might fix the issues. 

TeleGuard has been recommended to cam models as a way to communicate, according to a post on a  subreddit for models. The app has also repeatedly been linked to child abusers, with one local media outlet reporting TeleGuard is “notorious” among prosecutors for child sexual abuse material. The FBI previously obtained data about a TeleGuard user through push notifications sent to their phone. A foreign law enforcement agency had TeleGuard hand over push notification-related data, which the FBI then took to Google to obtain email addresses linked to that alleged pedophile, The Washington Post reported.

Do you find yourself involuntarily salivating for Twin Snakes or Starmix? Are you standing tippy-toe for a handful of Sour Patch Watermelons? Is there a nonstop conveyer belt of tart treats going down your gullet? There is another way. I want to open a muscadine clinic for all the Haribo loyalists in the world. Nature's gummy candy could fill the void as summer turns to fall.

The muscadine is a grape, but not the kind that populates fruit salads and Ziploc baggies. Those are mushy, easily yielding to the teeth, tossed into the mouth and eaten whole. Instead, the muscadine is an imposing orb that forces the eater to meditate upon its structure. Its skin might be a dull green with a purplish blush, or a wine-dark purple with a pinkish blush; it might have a dusty metallic sheen. It might be rough and speckled on the surface, a little leathery, and strangely taut. If that doesn't sound like a pleasant bite of fruit, that's fine—you won't actually be eating that part. Think of the muscadine as an individually packaged treat.

Enlarge / Let's see, you landed on my "Google Ads" space, and with three houses... that will be $1,400. (credit: Ron Amadeo / Hasbro)

Google's war on ad blockers is just gearing up, with YouTube doing its best to detect and block ad blockers and Chrome aiming to roll out the ad block-limiting Manifest V3 extension platform in June 2024. A new article from Engadget detailing the "arms race" over ad blocking brings up an interesting point regarding the power that YouTube and Chrome have in this battle: a dramatic update advantage over the ad blockers.

In addition to hamstringing Chrome's extension platform with no real user-centric justifications, Manifest V3 will also put roadblocks up before extension updates, which will delay an extension developer's ability to quickly respond to changes. YouTube can instantly switch up its ad delivery system, but once Manifest V3 becomes mandatory, that won't be true for extension developers. If ad blocking is a cat-and-mouse game of updates and counter-updates, then Google will force the mouse to slow down.

Chrome's "Manifest V3" makes dramatic changes to the Chrome extension platform. The current platform, Manifest V2, has been around for over ten years and works just fine, but it's also quite powerful and allows extensions to have full filtering control over the traffic your web browser sees. That's great for protecting privacy, speeding up the web, and blocking ads, but it also means you can download a browser from the world's biggest ad company and use it to block ads—and that was only going to last for so long.

Read 10 remaining paragraphs | Comments

One would think that after a full week of terrible, hazardous air, I would have had my fill of all things smokey, but something about the change in season has me craving a smoked cocktail. I feel badly about it, but my (dumb, perverted) heart wants what it wants.

Read more...

AdamDavenport shares:

This helps make quick work of feeding the string from your hoodie back into your hood.
demonstration here!

The model is fairly large as is; the width of the knot holder is about 12mm. If your hoodie has smaller knots and/or smaller eyelets, you might want to scale the model smaller when you print. Enjoy!

download the files on: https://www.thingiverse.com/thing:4345572

Every Thursday is #3dthursday here at Adafruit! The DIY 3D printing community has passion and dedication for making solid objects from digital models. Recently, we have noticed electronics projects integrated with 3D printed enclosures, brackets, and sculptures, so each Thursday we celebrate and highlight these bold pioneers!

Have you considered building a 3D project around an Arduino or other microcontroller? How about printing a bracket to mount your Raspberry Pi to the back of your HD monitor? And don’t forget the countless LED projects that are possible when you are modeling your projects in 3D!