rene_mobile’s Twitter Archive—№ 8,037

  1. …in reply to @maxzks
    @maxzks @matthew_d_green Congrats on the paper! However, I can't avoid a nitpick: Android backup has been fully E2EE with strong keys derived from HSMs locked with the user's LSKF (lockscreen knowledge factor) for 3 years (since Android 9), including insider attack resistance: research.nccgroup.com/wp-content/uploads/2020/07/Final_Public_Report_NCC_Group_Google_EncryptedBackup_2018-10-10_v1.0.pdf
    1. …in reply to @rene_mobile
      @maxzks @matthew_d_green That is, Google cannot decrypt backups without knowledge of the user's LSKF, and the HSMs have brute force protection baked into their firmware. Forcibly overwriting this firmware will erase the stored keys, which is the insider attack resistance (IAR) part also used on-device.
      1. …in reply to @rene_mobile