RHUL Cyber CDT Blog

The messaging app has been advertised for use by people across the world during large-scale protests when normal forms of communication are down, for example due to a government mandated internet shutdown. The developers of the app reported increased uptake from several sites of protest such as Hong Kong, India, Iran, Lebanon, Zimbabwe, and the US. The academics from the  Information Security Group  (ISG) at Royal Holloway found that Bridgefy did not design and implement their application with security in mind and have proposed that Bridgefy should make use of an established cryptographic library. The main flaws found by the researchers in the ISG, Lenka Mareková (CDT student), Jorge Blasco, Rikke Bjerg Jensen and Martin R. Albrecht, were that Bridgefy did not implement some necessary cryptographic protections and some cryptographic protections were implemented incorrectly. They also found that the protocol wasn’t designed in a way to minimise information leaking, and its robu...

  As a young technical researcher starting my CDT, I was working on detection of synthetic bugs. All went well, but when presenting this work to my peers at Royal Holloway, I received an unexpected question: What is a "[computer] bug"? Even though the work I presented had clear boundaries to what I was searching for (SEGFAULT crashes), it alluded to the more fundamental question. When is something considered a bug, or a vulnerability? I had hoped for a quick and insightful Duckduckgo search but even Google did not have a satisfying answer. But how can we really understand these concepts if nobody succeeded to properly define them? A few brilliant pieces have been written around that time, referring to weird machines. Weird machines are conceptually the state a computer program is in when a bug or vulnerability is triggered. This notion was introduced to try and reason about the abuse of bugs more generally. The idea here is that a weird machine might be easier defined or mo...