Let me start by saying that i do not have any knowledge of cryptology. My question regarding images etc in whatsapp arose because a developer friend said that its the messages which are encrypted. Images, video files which get saved in a whatsapp folder, can be seen by opening the local device folder anytime without going through whatsapp, can be forwarded to any contact not on whatsapp cannot be encrypted in the same sense as chats are.
Another point he said was that as whatsapp keeps images, video files for few days for meeting some 'legal requirements', if these were encrypted, irrespective of legal requirements, whatsapp would not be able to see those images and video. So keeping these images for sometime wouldnot help whatsapp in meeting those legal requirements.
May i request the brainy community here to enlighten me on
If images, videos, audios, docs shared through whatsapp and which get saved in local folder on device can be considered end to end encrypted?
What does the technical document shared on whatsapp website from signal whisper systems mean when it talks about end to end encryption of all attachments?
Insight would be helpful in devising an App where end to end encryption is needed.
CLARIFICATION
I think i could not put my question properly. Let me clarify.
I am not talking about MIM attach atall. I am aware of chats being E2EE. Thus you will not be able to locate chats in your device folder. And you will not be able to share chats to 3rd person outside whatsapp directly from folder. But images/videos in whatsapp get saved in a device whatsapp folder. And you can send those images/videos directly to 3rd person outside whatsapp directly from your folder. If images too were E2EE, these couldnt not be shared, just the way chats cant be shared from any folder.
Whatsapp saves images/video for sometime. What use is saving these if these are encrypted? Even if there were legal requirements, whatsapp cant decrypt them, if these were E2EE! So can E2EE attachments be saved outside the whatsapp in some local device folder and shared outside whatsapp directly?
Could i clarify myself?
Am new to stackoverflow. Pardon a few transgressions.
I haven't seen WhatsApp source code so cannot say for sure, but if they use E2EE the way it's supposed to be used, that would mean the data secrecy is protected while in transit. However, it is not encrypted before sending and decrypted after transmission. Otherwise the receipient wouldn't be able to open an image etc. Moreover, if you save received images/videos to photos outside of WhatsApp, this is where WhatsApp encryption has nothing to do with them any more.
Related
I am a young female developer, but currently i am building a project for a big client in our company,
I have a question, actually one of you can probablly lead me in the right direction:
I have a firebase account and an app with in app purchases - the thing is in app purchases will actually contain videos which i would like to store on firebase servers and download uppon purchase! Can someone lead me in the right direction on how to implement this the easiest way?
Ps., I know i am a rookie but i really do not want to look like an idiot on next months meeting ; )
Warm regards, Lana
Theres honestly no easy way to achieve protecting a file/folder for a specific group of users with firebase cloud storage. You can do checks by changing the folders metadata or using custom tokens, but then you need a server for that etc...
If you wish to remain in a firebase only environment, the easiest way would probably be to have the protected videos hosted in a protected folder from all clients. When the user purchases a video, then send a request a CloudFunction along the lines of..
userClaimsToHaveBoughtAccessToVideo(userId, sku, token, videoId){
// 1. use the googlePlay billing API to verify that the user did indeed purchase the item
// 2. if they did, then store that in read-only node of the database like: /purchasedVideos/userId/videoID/
}
Then if a user wants to download a video, create a function along the lines of...
userWantsToDownloadAVideo(userId, videoId){
// check the database to see if the user has the video
// if they do, copy the video file to a folder like /userId/videos/...
}
Then the video will appear in a personal folder for which the security rules are easy to setup.
When the user downloaded the video to their device send a call to a function along the lines of..
userDownloadedVideo(userId, videoId){
// delete video from the user's folder, to save space
}
Another option would be to host the videos on a different platform entirely, one that has an API and allows it's files to be password protected. (then simply store the access password after verifying IAP in the database, read only for the user), so they can use the other API to download the videos. For security you might want to have a daily job which regenerates the password every day and updates the database..
I have a telegram Broadcast channel in which I have uploaded all the work related documents that this publicly available all the members joined in the channel. However, I see that people who are not joined in the channel also will be able to download the uploaded contents in the channel without joining in the Telegram channel. I just want to make sure that people should join the channel first and then they will be able to download any contents so that I can track the members who are actually downloading and using the documents. Is that possible ?
With normal Telegram Channels interface, it's impossible to see which users are downloading the files.
As a possible solution, with Telegram Bots API you could make a bot that assigns to each file a deep link and track who clicks on the link.
But please keep in mind that when an user has a file he can share it anywhere and you can't control it.
I'm creating a service which sends audio files via Whatsapp to it's users daily.
The thing is that i want to prevent people from sharing the audio files, so i thought of password protection of each audio file sent, with passwords composed by the user's sensitive information (example: social security number or equivalent, so that the user would be discoraged to pass along his own password to strangers online).
I've been looking for a solution (without success so far) with 4 requirements in mind:
1) It needs to encrypt the file itself, not a folder that contains it
2) Audios must be easily sent and accessed via Whatsapp
3) Audios must be opened by customers without requiring the installation of apps. Just tap in the password and that's it.
4) It needs to work offline.
If there are other solutions to prevent or at least make file sharing more difficult without getting in the way of the user experience, please point out. Just keep in mind that it has to work in a Whatsapp broadcasting context, both in Android and IOS.
I know that everything online can and will be pirated, but i want to just make an effort to protect the product.
I have an thing to create Internet shop to sell video views. And there are some rules, which I don't know how to do. The rules is:
Loggined client can only view one video 3 times per day.
I read somewhere that I need to generate virtual links to video and server must hold it, for example, 3 hours OR until client looked up to the end the video, and then delete this virtual link and refresh player state to "start video position and waiting for start". Like on youtube but client shouldn't have a way to rewind the video.
I need to hold situation that client who buy 'video01' give another client him page address or all attributes data from player tag. If second client don't buy 'video01' he shouldn't load it. (I think it's can be solved by cookies).
After 180 video views, client's subscription must be stopped.
And finally question from me is how to play video from my website? Can anyone explain me how to make asp.net site with rules that I wrote the above? What technology I need to use?
I will be grateful if someone advise me a literature that I need to read to know how to do this? Perhaps for a start I need to know how to play video on asp.net webpages.
What free flash player I should use for my solution, any examples please? Really need help.
P.S.: I need to use a free flash player to play videos, not silverlight.
The videos are on the remote servers, not on the local server where I hold the site.
To limit the video as per your requirement you need to use GenericHandlers in asp.net. It must be designed in such a way that the url must expire after reaching the above condition.
For Example, you can generate a random key that should append with the url (ie, QueryString) and store it in Database along with the time of generation. You can make the key expire after 3 hours then.
To play the video on your website you can add jQuery plugin videojs. The documentation will help you to add that simple HTML5+Flash video player.
I have been asked by my (pananoid!) boss to do two things
1. Detect when a user uploaded files to the net using HTTP. So for example how can I detect if a user uploads fire to a free webserver somewhere and can hense steal company data
Detect that a user is copying files to a USB device and what the name of these files are. Also if they copy a zip file to log the contents of the zip file, in case someone just zips up some company files and takes it like that.
Firstly is number 1 possible? and for number 2 can i detect the file names that are copied?
Secondly, any likes to software that does this?
Note that I am the network admin and everyone who I will monitor has local admin rights on their computer and we do not want to further restrict users access.
Thanks a lot
"Note that I am the network admin and
everyone who I will monitor has local
admin rights on their computer and we
do not want to further restrict users
access."
You can have liberty or security, but not both. The number of paths to get data out of an unlocked box are too many to enumerate. Someone zipped up the files and put them on a thumb drive? What if they used tar or shar or pasted them into a Word document, or printed them to a PDF file and sent it out via e-mail steganographically embedded in pornography?
Yeah, a former coworker was stupid enough to send a huge set of huge, logged e-mails to his future employer a couple of days prior to leaving, but you can't count on people being quite that stupid.
What your boss wants isn't possible given a moderately motivated thief and not wanting to "further restrict" access.
Given freely available cryptographically secure tools like OpenSSH (ssh, scp) are usable by almost anyone, what he's asking for is not possible.
I agree with all of you, websense, a DLP, a proxy, a network monitoring, can help you to identify and stop activities not permited by your policies. By the way, a tech should be sustained by a policy on information security and an awareness program. So you have two fields to build-up. one way people must be warned because of the information security policy and constantly informed by the awareness program, then (second) if someone breaks the policy, the technology has to do its work. warn you.
There's basically no way to prevent a malicious employee from stealing and exporting data, short of strip searches when entering and leaving the building and no outside network access whatsoever.
Your boss should be more concerned with accidental data leakage (ie, mistyped email address or mistaken reply alls) and breach containment. The series of technologies dedicated to the former are called Data Leakage Prevention. I'm not hip to all their jive, but I bet more than a few companies would be willing to promise you the world if you showed interest.
The latter is mostly done by closely following the "least privilege" mindset. A guy from sales should not be able to use CVS to check out the source code to the product, and a developer shouldn't be able to access the payroll database. Always only grant the minimum amount of access required to someone in order for them to do their job.
Short answer: No. Not unless you're willing to "further restrict access".
The access restriction for http uploads would be a filtering internet proxy. Make everyone go through Websense or something, and you have a log of everything they did online.
For the USB devices, no. Your option there, and how companies with security needs of that magnitude deal with that issue, is to tightly lock down the clients and disable USB key use. (as well as CD burners, floppy drives if you still have those, etc) Again, that's going to require intrusive software, something like Landesk, + removing local admin so users can't take the software off.