[HN Gopher] AWS acquires Wickr
___________________________________________________________________
AWS acquires Wickr

Author : ramimac
Score  : 120 points
Date   : 2021-06-25 14:38 UTC (8 hours ago)

(HTM) web link (aws.amazon.com)
(TXT) w3m dump (aws.amazon.com)

| borski wrote:
| Wickr is great tech, and I'm glad to see them get a positive outcome - but boy, I really am curious what AWS wants to do with this.

| dataminded wrote:
| A replacement for Chime?

| hughrr wrote:
| Charge for it.

| apozem wrote:
| It's right there in the announcement.
|
| > With Wickr, customers and partners benefit from advanced security features not available with traditional communications services - across messaging, voice and video calling, file sharing, and collaboration. This gives security conscious enterprises and government agencies the ability to implement important governance and security controls to help them meet their compliance requirements.
|
| Wickr is going to be intertwined with AWS products so Amazon can sell them to "security conscious enterprises and government agencies."

| borski wrote:
| The devil is in the details, and I'm mighty curious as to what those details end up looking like.

| apozem wrote:
| A great point. It's easy for an exec to say, "We should buy Wickr to make it easier to land government contracts." You still have to integrate Wickr in a way that makes sense and actually adds value.

| noir_lord wrote:
| Amazon is pushing hard into government services.
|
| Wickr has a large contract already with the US military so I guess this closes a gap they needed closed.

| wolverine876 wrote:
| > Wickr is great tech
|
| Isn't it closed source? What is known about their tech?

| deadalus wrote:
| So, what are some good Wickr alternatives?

| tomcooks wrote:
| xmpp, period.

| t-lan wrote:
| Great question. This is pretty unfortunate, data mining secure communications removes much of the value.
| Signal sold out a long time ago, not sure of another 'verified secure' platform.

| egberts1 wrote:
| Matrix protocol, or Element app for iOS

| thanksforfish wrote:
| Signal sold out? How so?

| thefounder wrote:
| Metadata stuff? They still require phone numbers (unlike wickr)

| wolverine876 wrote:
| Signal is moving away from phone numbers, developing the components needed to securely provide service via user IDs.
|
| My understanding is that their intended audience is the general public, not crypto-security geeks, and as part of that they wanted integration with existing address books. With a small team, developing all the security and usability was more important than eliminating the phone number piece.
|
| They apparently don't retain any data but the phone number, and I think the registration date and last logon date.

| tptacek wrote:
| Signal is entirely independent and hasn't been acquired by Amazon or any other big tech company. It remains the gold standard for security/privacy technology (whether it's packaged acceptably for everyone on HN is a different question, and I'm not saying you have to use it).

| cblconfederate wrote:
| At some point we should be forced to decentralize

| smartbit wrote:
| Last March c't tested some alternatives https://www.heise.de/select/ct/2021/8/2106310351115657652
|
| App        Security    #users    ease     Functionality   Price
|            & privacy   Germany   of use
| Element    o           -         -        o               Free
| Signal     +           o         +        +               Free
| Telegram   -           +         ++       ++              Free
| Threema    +           o         o        o               $3-$4
| Whatsapp   o           ++        +        +               Free
| Wire       +           o         -        -               Free
|
| ++ very good   + good   o good enough   - bad

| INTPenis wrote:
| You should test Briar.

| olah_1 wrote:
| it's only on one platform: android.

| Forbo wrote:
| I like to reference this table, although I wish it were hosted in some sort of wiki somewhere instead...
|
| https://docs.google.com/spreadsheets/d/1-UlA4-tslROBDS9IqHal...

| Trias11 wrote:
| Will AWS collect govt fees for backdooring it?
|
| I can't believe govt is not interested in spying on Wickr convos.

| [deleted]

| jedberg wrote:
| Oh wow, my first boss after college is the cofounder of Wickr. Congrats to him and his team!

| ablekh wrote:
| Never heard about this company before. Took a quick look at their website and noticed that in the table on front page (located in the section "Vetted by the NSA") Zoom is listed as a product lacking "Full E2E Encrypted Functionality". I'm wondering about whether this isn't true (considering Zoom's E2E being GA: https://support.zoom.us/hc/en-us/articles/360048660871-End-t...) - and the table should be fixed - or still true (due to aspects that I might be missing).

| dang wrote:
| I'm surprised that there have been so few mentions on HN over the years:
|
| https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
|
| https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
|
| This is a bit interesting: https://news.ycombinator.com/threads?id=jwsec

| thebeardisred wrote:
| Knowing a bit about their history and having met some of the principals, I'm not.
|
| Wickr's focus was never on the HN audience. Their "bullseye" was the audience of DEF CON attendees who have some ties to capital "e" Enterprise and/or US public sector.
|
| Where there were overlapping users, great, but traction on HN was unlikely to lead to organization wide enterprise license agreements.

| humbleMouse wrote:
| There goes the last good safe messaging app :(

| secfirstmd wrote:
| What's wrong with Signal or Matrix/Element?

| cblconfederate wrote:
| Ah yes, AWS the three letter agency. Glad I never touched it

| crmd wrote:
| You can be sure there is already a team working on the architectural changes needed to implement lawful intercept and passive surveillance on Wickr. This is what happens when a secure platform gets too big. The same thing happened to Skype.

| colmmacc wrote:
| I work on cryptography at AWS, and long before that I worked on Skype a bit, so I can't resist commenting! Wickr features end to end cryptography, https://wickr.com/wp-content/uploads/2019/12/WhitePaper_Wick..., and I can't see why we'd change that (and even that framing is a bit weird, I'm sure Wickr will continue to be autonomous but maybe with access to more resources from the rest of Amazon).
|
| Increasingly, end-to-end cryptography is what customers expect. We also use end-to-end cryptography in other Amazon systems, most recently including Ring doorbells - https://support.ring.com/hc/en-us/articles/360054941511-Unde...

| rapsey wrote:
| As an American company, customers should absolutely be distrustful of any claims of security. There is very little in the way of the feds giving you a gag order and ordering you to provide a backdoor.
|
| Amazon has zero recourse in this situation, neither would they risk their gov contracts fighting it.

| strictnein wrote:
| Yeah, they definitely just invested $xxx millions in a product that they know they won't be able to keep alive.
|
| Amazon has plenty of recourse, and they've been fighting gag orders for years now. Ex: https://arstechnica.com/tech-policy/2016/09/microsoft-amazon...
|
| The company leading that charge: Microsoft. The company that got the huge JEDI DoD cloud contract: Microsoft. Weird, huh?

| dang wrote:
| "_Don't be snarky._"
|
| https://news.ycombinator.com/newsguidelines.html

| rapsey wrote:
| Nonsense. When they get a gag order they have zero choice and recourse. Their options are shutting down the company or comply. They can join a legal fight to stop this practice, they however must comply with every order they get.

| dang wrote:
| "_When disagreeing, please reply to the argument instead of calling names.
| 'That is idiotic; 1 + 1 is 2, not 3' can be shortened to '1 + 1 is 2, not 3.'_"
|
| https://news.ycombinator.com/newsguidelines.html

| motohagiography wrote:
| Appreciating the irony that we've gone to all this trouble to create e2e crypto protocols so that now we can finally trust products like Ring and Alexa to spy on us.
|
| The beauty of Wickr is it provided disposable identities and relatively strong anonymity, and fended off bulk interception using an end to end security protocol. The market for it was smaller because while everyone says they want security, I found that the risk/reward of anonymity is too risky for most people. The people I knew who did use Wickr were political staffers and operatives/activists on campaigns, law enforcement, and other fields where they had official recourse to protection.
|
| The reason for AMZN to buy Wickr is that it is a trustworthy secure messenger product with a valuable and influential user base, and an evolution of the product without anonymity is probably the case for growth.
|
| I don't see it being backdoored so much as just adapted to leverage its existing user base to fill out a feature need in a suite of AWS collaboration tools that will compete against Teams/Github, Zoom, Atlassian, etc.

| INTPenis wrote:
| End 2 end cryptography, to what end does Ring need e2ee? To Amazon? Who is on the other end?
|
| Also, metadata.

| rapsey wrote:
| I have actually seen "secure" messengers claim e2e encryption because they use https to their servers. The ends are clients and their servers.

| drenvuk wrote:
| other enrolled devices. please check the provided links.

| Bigpet wrote:
| > I'm sure Wickr will continue to be autonomous but maybe with access to more resources from the rest of Amazon
|
| To be fair, this is the fairy-tale that's told on every acquisition. I'm pretty certain this same narrative was spun even when Facebook acquired Oculus.
|
| Not saying this will be similar, but just hearing those words is not assuring by itself.

| bydo wrote:
| Amazon's proven a much better steward than Facebook, though. Twitch seems pretty independent other than some Prime perks, Eero doesn't seem to have changed much, I'm pretty sure they forgot that they even bought IMDB and DPReview, etc.

| askafriend wrote:
| I didn't even realize they had bought DPReview...

| realce wrote:
| That's an odd glossy advertisement... Everyone here knows what end-to-end encryption is.
|
| Regardless of any promise, professed dismay, warranty, or other statement by Amazon, this product is no longer a trustworthy interface for private communications. The mere presence of the company brings such high probability of capitulation to government or corporate eavesdroppers that it's basically a useless asset to own IMPO.

| arpinum wrote:
| AWS hired the architect behind the NSA's attempt at breaking commercial crypto, according to Matthew Green [0].
|
| I can't trust AWS will be truthful about their crypto systems and lack of backdoors.
|
| [0] - https://twitter.com/matthew_d_green/status/13571435600055091...

| rainonmoon wrote:
| Green's conviction about this is tantalizing but it's also melodramatic in a way that makes it easy to believe something not quite true (or provable, anyway.) In fact if you look down the thread, you'll see Green admitting that correlating Salter is basically speculation and other people providing plausible alternatives to Green's claims for Salter's motives at AWS. tptacek has a more measured history of what actually happened and it is very different than what you'd glean from Green's tweets.[0] Personally in this case I'd be more worried about touting Ring's end-to-end encryption with one hand while the other hand points one of those ends to your police department[1].
|
| [0] https://sockpuppet.org/blog/2015/08/04/is-extended-random-ma...
|
| [1] https://www.theguardian.com/commentisfree/2021/may/18/amazon...

| LordDragonfang wrote:
| To be fair, if you were interested in _hardening_ your system and evaluating attack surfaces, that is also what you would do.

| arpinum wrote:
| Great! invite someone into the building who has lied to the entire crypto community to undermine global security. They will surely know how to spot bad actors!
|
| Invite a bad actor into the building in order to keep bad actors out.
|
| Invite bad actor into the building?
|
| Hmm, maybe not.

| staticassertion wrote:
| You've just described a decades-long strategy of the strongest information security teams, which has turned into the industry of red teaming.

| tiagod wrote:
| > Wickr features end to end cryptography
|
| You can make it weaker without getting rid of it. Whatsapp also has E2EE on the message contents, does it stop Facebook from sharing all your contacts, call metadata, message times etc with the authorities? Very unlikely.

| thinkingkong wrote:
| Did hell just freeze over? AWS has _acquired_ technology instead of simply copying someone else's? I'm flabbergasted.

| cle wrote:
| AWS has acquired many companies in the past. Off the top of my head, Biba (turned into Chime), Elemental, Cloud9, Annapurna, CloudEndure...I'm sure there's more.

| waynesonfire wrote:
| A9

| WoahNoun wrote:
| Alexa is basically 3 tech acquisitions glued together. Ivona (TTS), Evi (Knowledge graph), and Yap (speech recognition).

| [deleted]

| ENOTTY wrote:
| There's definitely room in the e2e messaging space that is more corporate oriented. Think centralized administration, key escrow, etc.

| cbsmith wrote:
| I kind of want to say "Stop trying to make Chime happen" with my best Clueless impersonation.

| surge wrote:
| Probably going to use it to replace Chime.
|
| Edit: For those that have never heard of it, it's their own IM, that while publicly available, is mostly used internally for company communications, similar to Slack or Skype for Business.
|
| https://aws.amazon.com/chime/

| ignoramous wrote:
| Chime itself is an acquisition (which also has the dubious reputation of being the poorest execution of any AWS product) at a time when UCaaS companies like urbanconference and dialpad were going strong, and AWS wanted in on that action: https://techcrunch.com/2016/11/23/justin-biba-amazon-video/

| dumbfounder wrote:
| Ugh, they used chime for every meeting we did with them, so annoying.

| x0x0 wrote:
| Chime is a (crappy) zoom clone.
|
| Our AWS account manager pushed us hard to use it for our checkins.

| p0rkbelly wrote:
| AWS uses Slack Internally.

| dragosmocrii wrote:
| I think Chime is also used internally, and for virtual interviews.

| hughrr wrote:
| It is. I spend about 2 hours a week arguing with AWS staff over chime. It's quite decent.

| txru wrote:
| Amazon _allows_ people to use Slack internally. Chime is still at least the back end for all meetings. And in practice, because Chime chat is still supported, many managers tell their teams to always keep Chime open in case someone messages them there. There's no way to tell who is on Slack vs on Chime.

| derefr wrote:
| In other words, Chime is to Amazon as Sametime is to IBM.

| vxNsr wrote:
| Sametime is/was great, it had all the functionality teams/Skype/slack are still working on implementing. It was just tied to a dying email client.

| manquer wrote:
| There is no difference, Slack itself tied up with AWS to use chime for their own voice/video calling [1]
|
| [1] https://www.theverge.com/2020/6/4/21280829/slack-amazon-aws-...

| dingusthemingus wrote:
| I feel like every company is like this, keep slack and gchat open at my work...

| vwem wrote:
| For chat yes, but not for video calls (and like others pointed out, some still avoid Slack depending on the user. Devs seem to universally use Slack thankfully)

| manquer wrote:
| Lol. Slack uses Chime SDK for voice/video calls [1]. That is partly why Amazon uses Slack in the first place.
|
| [1] https://www.theverge.com/2020/6/4/21280829/slack-amazon-aws-...

| Spivak wrote:
| Which is amazing because Slack calls are so bad that they pushed us to pay for Zoom licensing. It can bring a brand new $2k laptop to a sputtering halt. Which is bad but honestly fine for meetings. Where it lost us was that we couldn't use it for pair/group work because our tools would become so slow as to be unusable.

| mataug wrote:
| Amazon internally uses Slack for chats, while Chime is mostly used for video conferencing.
|
| My guess would be that this could augment Chime, and position it to be a useful part of GovCloud offering from Amazon.

| zoover2020 wrote:
| Slack is not used by operations as much unfortunately, running in hybrid mode since last August...

| distribot wrote:
| Unless this changed in the last year, this is incorrect. Everyone was pushed to Chime after it was released.

| Exmoor wrote:
| Amazon rolled out Slack in summer 2020.

| wolverine876 wrote:
| To give a sense of Wickr's direction (before the acquisition, at least):
|
| Wickr as of 10/2020 "has created a federal advisory board that includes Matt Olsen, chief trust and security officer, Uber (former director of the National Counterterrorism Center); Vince Stewart, chief innovation and business intelligence officer of Ankura (a former deputy commander of U.S. Cyber Command and former Defense Intelligence Agency Director); Jan Tighe, former deputy chief of naval operations for information warfare and director of naval intelligence; and Joanne Isham, former deputy director of the National Geospatial Intelligence Agency."
|
| https://www.defenseone.com/business/2020/10/global-business-...

| malchow wrote:
| Increasingly clear that, at Amazon, the most passionate path to getting bigger is obtaining access to tax dollars.
|
| ... but Amazon's stock would be 1/4 the price if it were valued like Lockheed Martin.

| twoodfin wrote:
| Perhaps the strategy is to pull more conservative, bureaucracy-bound organizations into AWS. Lots of IT dollars in banking, healthcare, ...
|
| Focusing on the US Government, they're jumping right in to the deep end of the pool.

| counternotions wrote:
| Certainly one unexpected way for the government to scare off and shut down nefarious communications happening on Wickr. Note this platform has been popular amongst the darkest underbelly of the web (e.g. carders, drug dealers).

| AndrewUnmuted wrote:
| Though true, this is just about entirely irrelevant given where Wickr has gone since 2016. It may surprise you to learn that Wickr was awarded a large US Air Force contract last year. [0]
|
| [0] https://wickr.com/wickr-awarded-us-air-force-contract/

| wkrthrow wrote:
| Why is it irrelevant post-2016? Wickr was still a preferred choice of drug dealers well up to 2018 (and probably beyond). I know this because I was using it to communicate with them.

| wolverine876 wrote:
| Why not WhatsApp or Signal or something similar?

| sibane wrote:
| You don't need a phone number to register on Wickr. That's probably a big one.

| AndrewUnmuted wrote:
| Sure, there's a subset of DarkNetMarket dealers who use Wickr. There's a subset of all sorts of underground/niche communities out there using it.
|
| You get purchased by Amazon after securing a military contract, not by being an awesome way for online drug vendors to chat with customers. Though perhaps that's what got them the US Air Force contract to begin with...

| skzrskzr wrote:
| What's a "carder"? Never heard the term and a google search turns up a bunch of benign things.

| tiagod wrote:
| People that steal credit card numbers to sell online (among other things).
|
| https://en.wikipedia.org/wiki/Carding_(fraud)

| rainonmoon wrote:
| Oh if only stolen credit cards and drugs were the darkest underbelly of the web! Note that it's also popular with former Australian Prime Ministers and plenty of other people for ethical and legitimate reasons (some of them also legal), not just "nefarious communications."

| vmception wrote:
| I don't trust Wickr solely because it is closed source and a US team
|
| The government contracts don't give me confidence in their technology, it gives me the impression they sell snake oil to "security conscious" organizations just like that article says. It's like worded specifically to avoid any liability in the eventual lawsuit where people complain that it didn't offer what they expected.
|
| The AWS acquisition gives me even less confidence.
|
| The standard for less skepticism for me is distributed end to end encryption where handshakes are done between the specific parties communicating
|
| This is common (but often ignored) knowledge on darknet forums and markets, where Wickr also doesn't have a good client for darknet operating systems - further pointing to it having an intended purpose of not offering privacy by not prioritizing it for Whonix and Tails
|
| Most of the literature about this trepidation and solutions are not on clearnet but you can get a glimpse of sentiment in comment replies here:
|
| https://www.reddit.com/r/tails/comments/4z182s/does_tails_wi...
|
| The rest of the literature would be on Tor onion services like Dread, or forums in existing or defunct darknet marketplaces

| motohagiography wrote:
| Huge congratulations to them. I hope the terms were favorable.
| It's a small personal vindication to have seen the value early on because I recommended to another (Bezos backed) company look into acquiring Wickr some years ago, but I lacked the cred to make it happen. While it feels a bit small to taint a congratulations with smugness about being right - a hearty and sincere well done to the Wickr team. A success absolutely earned.

| [deleted]

| thayne wrote:
| > an innovative company that has developed the industry's most secure, end-to-end encrypted, communication technology
|
| that's a pretty bold claim.

| dijit wrote:
| The lawyer brain in me is asking me to define "the industry".
|
| If "the industry" is one that currently uses POTS then it is the most secure, yes- because they sell enterprise software to various industries.
|
| The thing is: they use different protocols on their consumer apps than their enterprise ones; only the enterprise ones have an open (or, released) protocol specification.

| loudtieblahblah wrote:
| And now any trust you ever had in wickr should vanish.
|
| You think a company enabling the police state through Ring doorbells gives a rat's ass about privacy?

| knaik94 wrote:
| I wonder if this will be used in a more positive way than what most people would assume initially.
|
| There are tons of legal situations where confidentiality is absolutely necessary, for example when dealing with medical or legal records. I imagine Amazon's GovCloud might incorporate this as a potential cloud hosted chatting solution.
|
| With telemedicine and remote legal proceedings becoming more and more common, secure chatting while complying with HIPAA and confidentiality rules is going to be an important market.

| SkyPuncher wrote:
| Having implemented HIPAA compliant software, the technical requirements aren't very difficult. If you're following development best practices, you have 99% of technical requirements covered.
| The challenge with HIPAA is building process and documentation that demonstrates compliance.
|
| It's particularly challenging at the edges of your engineering org where people tend to use tools that abstract the technical details.

| staticassertion wrote:
| This is the case with all compliance, as far as my experience has shown. The technical controls are far second to the documentation and story telling.

| azinman2 wrote:
| It also requires you to actually think about these problems. As you said, it's not necessarily hard to do, but if you're a small startup all these best practices are usually shortcut to get product market fit. If you're a health care startup, it really slows you down (but for good reason). It also creates criminal/financial reinforcement behind it, something not even Equifax has to be accountable to (which is insane).

| nijave wrote:
| > If you're following development best practices
|
| Yeah, that tends to be where you run into issues...

| [deleted]

| kovek wrote:
| Some data we treat with care. Other data we do not. I wonder if that creates a different culture and risk than if we treated all data with care. What do you think?

| lukeschlather wrote:
| In order to treat all data with care, you have to define what you mean by "care." In security we talk about the tradeoffs between integrity, confidentiality, and availability. In terms of integrity, the most careful treatment is to place many signed copies of the data publicly on the internet. This also is the most careful treatment for availability. Of course it is the least careful treatment for confidentiality. But no scheme with any care for confidentiality can match it for integrity and availability.
|
| Signal illustrates swinging far in the "confidentiality" direction - most messaging services don't forget anything you say, while Signal makes it rather hard for you to retain your messages, and also offers ways to delete them automatically.
| I find it unfortunate there are no secure, open messaging platforms that offer similar integrity/availability guarantees to services like Slack.

| [deleted]

| habibur wrote:
| Feeling like I need to build my own end-to-end secure channel communication web app on my server.
|
| As every other is getting sold. With current level of browser support, assuming that might not take too much time.

| INTPenis wrote:
| A friend does coding work for Briar and he's of a similar mind as myself. If he trusts Briar, I trust Briar.

| drenvuk wrote:
| why build your own? just use element and matrix.

| jodrellblank wrote:
| So they can sell it for easy money, is how I read their comment.

| iaml wrote:
| Wouldn't making a tinder clone and selling it to match be even easier money?
___________________________________________________________________
(page generated 2021-06-25 23:00 UTC)