[HN Gopher] AWS acquires Wickr
___________________________________________________________________
AWS acquires Wickr
Author : ramimac
Score : 120 points
Date : 2021-06-25 14:38 UTC (8 hours ago)
(HTM) web link (aws.amazon.com)
(TXT) w3m dump (aws.amazon.com)
| borski wrote:
| Wickr is great tech, and I'm glad to see them get a positive
| outcome - but boy, I really am curious what AWS wants to do with
| this.
| dataminded wrote:
| A replacement for Chime?
| hughrr wrote:
| Charge for it.
| apozem wrote:
| It's right there in the announcement.
|
| > With Wickr, customers and partners benefit from advanced
| security features not available with traditional communications
| services - across messaging, voice and video calling, file
| sharing, and collaboration. This gives security conscious
| enterprises and government agencies the ability to implement
| important governance and security controls to help them meet
| their compliance requirements.
|
| Wickr is going to be intertwined with AWS products so Amazon
| can sell them to "security conscious enterprises and government
| agencies."
| borski wrote:
| The devil is in the details, and I'm mighty curious as to
| what those details end up looking like.
| apozem wrote:
| A great point. It's easy for an exec to say, "We should buy
| Wickr to make it easier to land government contracts." You
| still have to integrate Wickr in a way that makes sense and
| actually adds value.
| noir_lord wrote:
| Amazon is pushing hard into government services.
|
| Wickr has a large contract already with the US military so I
| guess this closes a gap they needed closed.
| wolverine876 wrote:
| > Wickr is great tech
|
| Isn't it closed source? What is known about their tech?
| deadalus wrote:
| So, what are some good Wickr alternatives?
| tomcooks wrote:
| XMPP, period.
| t-lan wrote:
| Great question. This is pretty unfortunate, data mining secure
| communications removes much of the value. Signal sold out a
| long time ago, not sure of another 'verified secure' platform.
| egberts1 wrote:
| Matrix protocol, or Element app for iOS
| thanksforfish wrote:
| Signal sold out? How so?
| thefounder wrote:
| Metadata stuff? They still require phone numbers (unlike
| Wickr)
| wolverine876 wrote:
| Signal is moving away from phone numbers, developing the
| components needed to securely provide service via user
| IDs.
|
| My understanding is that their intended audience is the
| general public, not crypto-security geeks, and as part of
| that they wanted integration with existing address books.
| With a small team, developing all the security and
| usability was more important than eliminating the phone
| number piece.
|
| They apparently don't retain any data but the phone
| number, and I think the registration date and last logon
| date.
| tptacek wrote:
| Signal is entirely independent and hasn't been acquired by
| Amazon or any other big tech company. It remains the gold
| standard for security/privacy technology (whether it's
| packaged acceptably for everyone on HN is a different
| question, and I'm not saying you have to use it).
| cblconfederate wrote:
| At some point we should be forced to decentralize
| smartbit wrote:
| Last March c't tested some alternatives
| https://www.heise.de/select/ct/2021/8/2106310351115657652
| App       Security    #users    Ease     Functionality  Price
|           & privacy   Germany   of use
| Element   o           -         -        o              Free
| Signal    +           o         +        +              Free
| Telegram  -           +         ++       ++             Free
| Threema   +           o         o        o              $3-$4
| Whatsapp  o           ++        +        +              Free
| Wire      +           o         -        -              Free
|
| ++ very good   + good   o good enough   - bad
| INTPenis wrote:
| You should test Briar.
| olah_1 wrote:
| it's only on one platform: android.
| Forbo wrote:
| I like to reference this table, although I wish it were hosted
| in some sort of wiki somewhere instead...
|
| https://docs.google.com/spreadsheets/d/1-UlA4-tslROBDS9IqHal...
| Trias11 wrote:
| Will AWS collect govt fees for backdooring it?
|
| I can't believe govt is not interested in spying on Wickr convos.
| [deleted]
| jedberg wrote:
| Oh wow, my first boss after college is the cofounder of Wickr.
| Congrats to him and his team!
| ablekh wrote:
| Never heard about this company before. Took a quick look at their
| website and noticed that in the table on front page (located in
| the section "Vetted by the NSA") Zoom is listed as a product
| lacking "Full E2E Encrypted Functionality". I'm wondering about
| whether this isn't true (considering Zoom's E2E being GA:
| https://support.zoom.us/hc/en-us/articles/360048660871-End-t...)
| - and the table should be fixed - or still true (due to aspects
| that I might be missing).
| dang wrote:
| I'm surprised that there have been so few mentions on HN over the
| years:
|
| https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
|
| https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
|
| This is a bit interesting:
| https://news.ycombinator.com/threads?id=jwsec
| thebeardisred wrote:
| Knowing a bit about their history and having met some of the
| principals, I'm not.
|
| Wickr's focus was never on the HN audience. Their "bullseye"
| was the audience of DEF CON attendees who have some ties to
| capital "e" Enterprise and/or US public sector.
|
| Where there were overlapping users, great, but traction on HN
| was unlikely to lead to organization wide enterprise license
| agreements.
| humbleMouse wrote:
| There goes the last good safe messaging app :(
| secfirstmd wrote:
| What's wrong with Signal or Matrix/Element?
| cblconfederate wrote:
| Ah yes, AWS the three letter agency. Glad I never touched it
| crmd wrote:
| You can be sure there is already a team working on the
| architectural changes needed to implement lawful intercept and
| passive surveillance on Wickr. This is what happens when a secure
| platform gets too big. The same thing happened to Skype.
| colmmacc wrote:
| I work on cryptography at AWS, and long before that I worked on
| Skype a bit, so I can't resist commenting! Wickr features end
| to end cryptography,
| https://wickr.com/wp-content/uploads/2019/12/WhitePaper_Wick...,
| and I can't see why
| we'd change that (and even that framing is a bit weird, I'm
| sure Wickr will continue to be autonomous but maybe with access
| to more resources from the rest of Amazon).
|
| Increasingly, end-to-end cryptography is what customers expect.
| We also use end-to-end cryptography in other Amazon systems,
| most recently including Ring doorbells -
| https://support.ring.com/hc/en-us/articles/360054941511-Unde...
| rapsey wrote:
| As an american company, customers should absolutely be
| distrustful of any claims of security. There is very little
| in the way of the feds giving you a gag order and ordering
| you to provide a backdoor.
|
| Amazon has zero recourse in this situation, neither would
| they risk their gov contracts fighting it.
| strictnein wrote:
| Yeah, they definitely just invested $xxx millions in a
| product that they know they won't be able to keep alive.
|
| Amazon has plenty of recourse, and they've been fighting
| gag orders for years now. Ex:
| https://arstechnica.com/tech-policy/2016/09/microsoft-amazon...
|
| The company leading that charge: Microsoft. The company
| that got the huge JEDI DoD cloud contract: Microsoft.
| Weird, huh?
| dang wrote:
| "_Don't be snarky._"
|
| https://news.ycombinator.com/newsguidelines.html
| rapsey wrote:
| Nonsense. When they get a gag order they have zero
| choice and recourse. Their options are shutting down the
| company or comply. They can join a legal fight to stop
| this practice, they however must comply with every order
| they get.
| dang wrote:
| "_When disagreeing, please reply to the argument instead
| of calling names. 'That is idiotic; 1 + 1 is 2, not 3'
| can be shortened to '1 + 1 is 2, not 3._"
|
| https://news.ycombinator.com/newsguidelines.html
| motohagiography wrote:
| Appreciating the irony that we've gone to all this trouble to
| create e2e crypto protocols so that now we can finally trust
| products like Ring and Alexa to spy on us.
|
| The beauty of Wickr is it provided disposable identities and
| relatively strong anonymity, and fended off bulk interception
| using an end to end security protocol. The market for it was
| smaller because while everyone says they want security, I
| found that the risk/reward of anonymity is too risky for most
| people. The people I knew who did use Wickr were political
| staffers and operatives/activists on campaigns, law
| enforcement, and other fields where they had official
| recourse to protection.
|
| The reason for AMZN to buy Wickr is that it is a trustworthy
| secure messenger product with a valuable and influential user
| base, and an evolution of the product without anonymity is
| probably the case for growth.
|
| I don't see it being backdoored so much as just adapted to
| leverage its existing user base to fill out a feature need in
| a suite of AWS collaboration tools that will compete against
| Teams/Github, Zoom, Atlassian, etc.
| INTPenis wrote:
| End 2 end cryptography, to what end does Ring need e2ee? To
| Amazon? Who is on the other end?
|
| Also, metadata.
| rapsey wrote:
| I have actually seen "secure" messengers claim e2e
| encryption because they use https to their servers. The
| ends are clients and their servers.
| drenvuk wrote:
| other enrolled devices. please check the provided links.
| Bigpet wrote:
| > I'm sure Wickr will continue to be autonomous but maybe
| with access to more resources from the rest of Amazon
|
| To be fair, this is the fairy-tale that's told on every
| acquisition. I'm pretty certain this same narrative was spun
| even when Facebook acquired Oculus.
|
| Not saying this will be similar, but just hearing those words
| is not assuring by itself.
| bydo wrote:
| Amazon's proven a much better steward than Facebook,
| though. Twitch seems pretty independent other than some
| Prime perks, Eero doesn't seem to have changed much, I'm
| pretty sure they forgot that they even bought IMDB and
| DPReview, etc.
| askafriend wrote:
| I didn't even realize they had bought DPReview...
| realce wrote:
| That's an odd glossy advertisement... Everyone here knows
| what end-to-end encryption is.
|
| Regardless of any promise, professed dismay, warranty, or
| other statement by Amazon, this product is no longer a
| trustworthy interface for private communications. The mere
| presence of the company brings such high probability of
| capitulation to government or corporate eavesdroppers that
| it's basically a useless asset to own IMPO.
| arpinum wrote:
| AWS hired the architect behind the NSA's attempt at breaking
| commercial crypto, according to Matthew Green [0].
|
| I can't trust AWS will be truthful about their crypto systems
| and lack of backdoors.
|
| [0] - https://twitter.com/matthew_d_green/status/13571435600055091...
| rainonmoon wrote:
| Green's conviction about this is tantalizing but it's also
| melodramatic in a way that makes it easy to believe
| something not quite true (or provable, anyway.) In fact if
| you look down the thread, you'll see Green admitting that
| correlating Salter is basically speculation and other
| people providing plausible alternatives to Green's claims
| for Salter's motives at AWS. tptacek has a more measured
| history of what actually happened and it is very different
| than what you'd glean from Green's tweets.[0] Personally in
| this case I'd be more worried about touting Ring's end-to-
| end encryption with one hand while the other hand points
| one of those ends to your police department[1].
|
| [0] https://sockpuppet.org/blog/2015/08/04/is-extended-random-ma...
|
| [1] https://www.theguardian.com/commentisfree/2021/may/18/amazon...
| LordDragonfang wrote:
| To be fair, if you were interested in _hardening_ your
| system and evaluating attack surfaces, that is also what
| you would do.
| arpinum wrote:
| Great! invite someone into the building who has lied to
| the entire crypto community to undermine global security.
| They will surely know how to spot bad actors!
|
| Invite a bad actor into the building in order to keep bad
| actors out.
|
| Invite bad actor into the building?
|
| Hmm, maybe not.
| staticassertion wrote:
| You've just described a decades-long strategy of the
| strongest information security teams, which has turned
| into the industry of red teaming.
| tiagod wrote:
| >Wickr features end to end cryptography
|
| You can make it weaker without getting rid of it. Whatsapp
| also has E2EE on the message contents, does it stop Facebook
| from sharing all your contacts, call metadata, message times
| etc with the authorities? Very unlikely.
| thinkingkong wrote:
| Did hell just freeze over? AWS has _acquired_ technology instead
| of simply copying someone else's? I'm flabbergasted.
| cle wrote:
| AWS has acquired many companies in the past. Off the top of my
| head, Biba (turned into Chime), Elemental, Cloud9, Annapurna,
| CloudEndure...I'm sure there's more.
| waynesonfire wrote:
| A9
| WoahNoun wrote:
| Alexa is basically 3 tech acquisitions glued together. Ivona
| (TTS), Evi (Knowledge graph), and Yap (speech recognition).
| [deleted]
| ENOTTY wrote:
| There's definitely room in the e2e messaging space that is more
| corporate oriented. Think centralized administration, key escrow,
| etc.
| cbsmith wrote:
| I kind of want to say "Stop trying to make Chime happen" with my
| best Clueless impersonation.
| surge wrote:
| Probably going to use it to replace Chime.
|
| Edit: For those that have never heard of it, it's their own IM,
| that while publicly available, is mostly used internally for
| company communications, similar to Slack or Skype for Business.
|
| https://aws.amazon.com/chime/
| ignoramous wrote:
| Chime itself is an acquisition (which also has the dubious
| reputation of being the poorest execution of any AWS product)
| at a time when UCaaS companies like urbanconference and dialpad
| were going strong, and AWS wanted in on that action:
| https://techcrunch.com/2016/11/23/justin-biba-amazon-video/
| dumbfounder wrote:
| Ugh, they used chime for every meeting we did with them, so
| annoying.
| x0x0 wrote:
| Chime is a (crappy) zoom clone.
|
| Our AWS account manager pushed us hard to use it for our
| checkins.
| p0rkbelly wrote:
| AWS uses Slack Internally.
| dragosmocrii wrote:
| I think Chime is also used internally, and for virtual
| interviews.
| hughrr wrote:
| It is. I spend about 2 hours a week arguing with AWS staff
| over chime. It's quite decent.
| txru wrote:
| Amazon _allows_ people to use Slack internally. Chime is
| still at least the back end for all meetings. And in
| practice, because Chime chat is still supported, many
| managers tell their teams to always keep Chime open in case
| someone messages them there. There's no way to tell who is on
| Slack vs on Chime.
| derefr wrote:
| In other words, Chime is to Amazon as Sametime is to IBM.
| vxNsr wrote:
| Sametime is/was great, it had all the functionality
| teams/Skype/slack are still working on implementing. It
| was just tied to a dying email client.
| manquer wrote:
| There is no difference, Slack itself tied up with AWS to
| use chime for their own voice/video calling [1]
|
| [1] https://www.theverge.com/2020/6/4/21280829/slack-amazon-aws-...
| dingusthemingus wrote:
| I feel like every company is like this, keep slack and
| gchat open at my work...
| vwem wrote:
| For chat yes, but not for video calls (and like others
| pointed out, some still avoid Slack depending on the user.
| Devs seem to universally use Slack thankfully)
| manquer wrote:
| Lol. Slack uses Chime SDK for voice/video calls [1]. That is
| partly why Amazon uses Slack in the first place.
|
| [1] https://www.theverge.com/2020/6/4/21280829/slack-amazon-aws-...
| Spivak wrote:
| Which is amazing because Slack calls are so bad that they
| pushed us to pay for Zoom licensing. It can bring a brand
| new $2k laptop to a sputtering halt. Which is bad but
| honestly fine for meetings. Where it lost us was that we
| couldn't use it for pair/group work because our tools would
| become so slow as to be unusable.
| mataug wrote:
| Amazon internally uses Slack for chats, while Chime is mostly
| used for video conferencing.
|
| My guess would be that this could augment Chime, and position
| it to be a useful part of GovCloud offering from Amazon.
| zoover2020 wrote:
| Slack is not used by operations as much unfortunately,
| running in hybrid mode since last August...
| distribot wrote:
| Unless this changed in the last year, this is incorrect.
| Everyone was pushed to Chime after it was released.
| Exmoor wrote:
| Amazon rolled out Slack in summer 2020.
| wolverine876 wrote:
| To give a sense of Wickr's direction (before the acquisition, at
| least):
|
| Wickr as of 10/2020 "has created a federal advisory board that
| includes Matt Olsen, chief trust and security officer, Uber
| (former director of the National Counterterrorism Center); Vince
| Stewart, chief innovation and business intelligence officer of
| Ankura (a former deputy commander of U.S. Cyber Command and
| former Defense Intelligence Agency Director); Jan Tighe, former
| deputy chief of naval operations for information warfare and
| director of naval intelligence; and Joanne Isham, former deputy
| director of the National Geospatial Intelligence Agency."
|
| https://www.defenseone.com/business/2020/10/global-business-...
| malchow wrote:
| Increasingly clear that, at Amazon, the most passionate path to
| getting bigger is obtaining access to tax dollars.
|
| ... but Amazon's stock would be 1/4 the price if it were valued
| like Lockheed Martin.
| twoodfin wrote:
| Perhaps the strategy is to pull more conservative, bureaucracy-
| bound organizations into AWS. Lots of IT dollars in banking,
| healthcare, ...
|
| Focusing on the US Government, they're jumping right in to the
| deep end of the pool.
| counternotions wrote:
| Certainly one unexpected way for the government to scare off and
| shut down nefarious communications happening on Wickr. Note this
| platform has been popular amongst the darkest underbelly of the
| web (e.g. carders, drug dealers).
| AndrewUnmuted wrote:
| Though true, this is just about entirely irrelevant given where
| Wickr has gone since 2016. It may surprise you to learn that
| Wickr was awarded a large US Air Force contract last year. [0]
|
| [0] https://wickr.com/wickr-awarded-us-air-force-contract/
| wkrthrow wrote:
| Why is it irrelevant post-2016? Wickr was still a preferred
| choice of drug dealers well up to 2018 (and probably beyond).
| I know this because I was using it to communicate with them.
| wolverine876 wrote:
| Why not WhatsApp or Signal or something similar?
| sibane wrote:
| You don't need a phone number to register on Wickr.
| That's probably a big one.
| AndrewUnmuted wrote:
| Sure, there's a subset of DarkNetMarket dealers who use
| Wickr. There's a subset of all sorts of underground/niche
| communities out there using it.
|
| You get purchased by Amazon after securing a military
| contract, not by being an awesome way for online drug
| vendors to chat with customers. Though perhaps that's what
| got them the US Air Force contract to begin with...
| skzrskzr wrote:
| What's a "carder"? Never heard the term and a google search
| turns up a bunch of benign things.
| tiagod wrote:
| People that steal credit card numbers to sell online (among
| other things).
|
| https://en.wikipedia.org/wiki/Carding_(fraud)
| rainonmoon wrote:
| Oh if only stolen credit cards and drugs were the darkest
| underbelly of the web! Note that it's also popular with former
| Australian Prime Ministers and plenty of other people for
| ethical and legitimate reasons (some of them also legal), not
| just "nefarious communications."
| vmception wrote:
| I don't trust Wickr solely because it is closed source and a US
| team
|
| The government contracts don't give me confidence in their
| technology, it gives me the impression they sell snake oil to
| "security conscious" organizations just like that article says.
| It's like worded specifically to avoid any liability in the
| eventual lawsuit where people complain that it didn't offer what
| they expected.
|
| The AWS acquisition gives me even less confidence.
|
| The standard for less skepticism for me is distributed end to end
| encryption where handshakes are done between the specific parties
| communicating
|
| This is common (but often ignored) knowledge on darknet forums
| and markets, where Wickr also doesn't have a good client for
| darknet operating systems - further pointing to it having an
| intended purpose of not offering privacy by not prioritizing it
| for Whonix and Tails
|
| Most of the literature about this trepidation and solutions are
| not on clearnet but you can get a glimpse of sentiment in comment
| replies here:
|
| https://www.reddit.com/r/tails/comments/4z182s/does_tails_wi...
|
| The rest of the literature would be on Tor onion services like
| Dread, or forums in existing or defunct darknet marketplaces
| motohagiography wrote:
| Huge congratulations to them. I hope the terms were favorable.
| It's a small personal vindication to have seen the value early on
| because I recommended to another (Bezos backed) company look into
| acquiring Wickr some years ago, but I lacked the cred to make it
| happen. While it feels a bit small to taint a congratulations
| with smugness about being right - a hearty and sincere well done
| to the Wickr team. A success absolutely earned.
| [deleted]
| thayne wrote:
| > an innovative company that has developed the industry's most
| secure, end-to-end encrypted, communication technology
|
| that's a pretty bold claim.
| dijit wrote:
| The lawyer brain in me is asking me to define "the industry".
|
| If "the industry" is one that currently uses POTS then it is
| the most secure, yes- because they sell enterprise software to
| various industries.
|
| The thing is: they use different protocols on their consumer
| apps than their enterprise ones; only the enterprise ones have
| an open (or, released) protocol specification.
| loudtieblahblah wrote:
| And now any trust you ever had in wickr should vanish.
|
| You think a company enabling the police state through Ring
| doorbells gives a rats ass about privacy?
| knaik94 wrote:
| I wonder if this will be used in a more positive way than what
| most people would assume initially.
|
| There are tons of legal situations where confidentiality is
| absolutely necessary, for example when dealing with medical or
| legal records. I imagine Amazon's GovCloud might incorporate this
| as a potential cloud hosted chatting solution.
|
| With telemedicine and remote legal proceedings becoming more and
| more common, secure chatting while complying with HIPAA and
| confidentiality rules is going to be an important market.
| SkyPuncher wrote:
| Having implemented HIPAA compliant software, the technical
| requirements aren't very difficult. If you're following
| development best practices, you have 99% of technical
| requirements covered. The challenge with HIPAA is building
| process and documentation that demonstrates compliance.
|
| It's particularly challenging at the edges of your engineering
| org where people tend to use tools that abstract the technical
| details.
| staticassertion wrote:
| This is the case with all compliance, as far as my experience
| has shown. The technical controls are far second to the
| documentation and story telling.
| azinman2 wrote:
| It also requires you to actually think about these problems.
| As you said, it's not necessarily hard to do, but if you're a
| small startup all these best practices are usually shortcut
| to get product market fit. If you're a health care startup,
| it really slows you down (but for good reason). It also
| creates criminal/financial reinforcement behind it, something
| not even Equifax has to be accountable to (which is insane).
| nijave wrote:
| >If you're following development best practices
|
| Yeah, that tends to be where you run into issues...
| [deleted]
| kovek wrote:
| Some data we treat with care. Other data we do not. I wonder if
| that creates a different culture and risk than if we treated
| all data with care. What do you think?
| lukeschlather wrote:
| In order to treat all data with care, you have to define what
| you mean by "care." In security we talk about the tradeoffs
| between integrity, confidentiality, and availability. In
| terms of integrity, the most careful treatment is to place
| many signed copies of the data publicly on the internet. This
| also is the most careful treatment for availability. Of
| course it is the least careful treatment for confidentiality.
| But no scheme with any care for confidentiality can match it
| for integrity and availability.
|
| Signal illustrates swinging far in the "confidentiality"
| direction - most messaging services don't forget anything you
| say, while Signal makes it rather hard for you to retain your
| messages, and also offers ways to delete them automatically.
| I find it unfortunate there are no secure, open messaging
| platforms that offer similar integrity/availability
| guarantees to services like Slack.
| [deleted]
| habibur wrote:
| Feeling like I need to build my own end-to-end secure channel
| communication web app on my server.
|
| As every other is getting sold. With current level of browser
| support, assuming that might not take too much time.
| INTPenis wrote:
| A friend does coding work for Briar and he's of a similar mind
| as myself. If he trusts Briar, I trust Briar.
| drenvuk wrote:
| why build your own? just use element and matrix.
| jodrellblank wrote:
| So they can sell it for easy money, is how I read their
| comment.
| iaml wrote:
| Wouldn't making a tinder clone and selling it to match be
| even easier money?
___________________________________________________________________
(page generated 2021-06-25 23:00 UTC)