Slashdot Mirror
Top Security Researchers Ask The Guardian To Retract Its WhatsApp Backdoor Report (technosociology.org)
Earlier this month The Guardian reported what it called a "backdoor" in WhatsApp, a Facebook-owned instant messaging app. Some security researchers were quick to call out The Guardian for what they concluded was irresponsible journalism and misleading story. Now, a group of over three dozen security researchers including Matthew Green and Bruce Schneier (as well as some from companies such as Google, Mozilla, Cloudflare, and EFF) have signed a long editorial post, pointing out where The Guardian's report fell short, and also asking the publication to retract the story. From the story: The WhatsApp behavior described is not a backdoor, but a defensible user-interface trade-off. A debate on this trade-off is fine, but calling this a "loophole" or a "backdoor" is not productive or accurate. The threat is remote, quite limited in scope, applicability (requiring a server or phone number compromise) and stealthiness (users who have the setting enabled still see a warning; "even if after the fact). The fact that warnings exist means that such attacks would almost certainly be quickly detected by security-aware users. This limits this method. Telling people to switch away from WhatsApp is very concretely endangering people. Signal is not an option for many people. These concerns are concrete, and my alarm is from observing what's actually been happening since the publication of this story and years of experience in these areas. You never should have reported on such a crucial issue without interviewing a wide range of experts. The vaccine metaphor is apt: you effectively ran a "vaccines can kill you" story without interviewing doctors, and your defense seems to be, "but vaccines do kill people [through extremely rare side effects]."
These are the sellouts you should ignore in the future. Schneier has no excuse.
http://technosociology.org/?page_id=1687
Rather than recursive links to other slashdot articles on the subject
Why the heck would they retract the truth?
If your threat model includes government spying, WhatsApp is not secure since the government can force WhatsApp to reissue your key and then scoop us the resulting messages.
The editorial spin on this story from slashdot is very disappointing.
Back doors are NOT SECRETS!!!
WhatsApp is big money...and combined with the fact it's hard to prove that a vulnerability was intentional and thus a "back door" it's hard for Joe Average to tell who's right.
Don't worry about this stuff. Just keep using WhatsApp. It's just as secure as everything else, honest.
Telling people not to use WhatsApp is apparently "endangering people"...as it is a "crucial issue".
Summary; do not use Signal, ChatSecure, OTR or Telegram. Use WhatsApp, it's clearly safer #because_danger (??).
Personally I never thought WhatsApp was secure even after this (maybe backdoor-ed) end to end encryption - Consider many people use WhatsApp? it's the number one target IM. If it ever was secure it won't be so tomorrow.
A 'singular oddity' is an event that cannot be explained and only happens when you are alone.
Comment removed based on user account deletion
In these days of 24 hour news cycles and online publication, journalists and editors don't have time to do basic things like fact check with experts or even spell/grammar check. With no print deadlines they can throw up anything online at any time and easily edit it later, and preferably give it a nice clickbait title. It's the race to be first that journalism has always had but taken to an extreme combined with the fact that many journalists don't have the background or interest in the field the topic they are writing on is in.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
APPS on phones are a treat to all. EULA makes it worst.
The issue with the vaccine metaphor is that there is an element of truth to the anti-vax argument and people hold onto the spectre of it because they distrust the reporting around the issue, pointing to past failures in medicine, food, consumer product disclosures, etc. Yes, some people are killed by vaccines. Some kids are crippled. Bad things do indeed happen on occasion, and the rarity of these things IS sometimes in question. Anyone with a brain can look at the extremely remote chance of a bad outcome and still select for the greater good, but that doesn't fully eradicate the underlying issue : distrust based on conjunctiva and history.
In the case of whatsapp it's irresponsible reporting to use the term 'backdoor' regardless of the chance of compromise using the vector. So really the underlying issue is non-technical reporting on a technical concern, which again can serve to lower trust and fuel speculative paranoia. That's not to say all paranoia is wrong, because MANY apps DO contain backdoors or dubious security that amounts to it. Certainly that doesn't seem to be the case here, though. How journalists categorize and present information is a greater responsibility than a reader's to understand technical issues, statistical risk, etc, obviously.
it's not an option for google and facebook to keep control of your messages
I guess because it is .001% harder to use...
I was going to say "because it isn't integrated into your FB contacts" but that might not be true... depending on how you sync your contacts.
My eyes reflect the stars and a smile lights up my face.
"Telling people to switch away from WhatsApp is very concretely endangering people." -- err, what?!? How in the world is that "concretely endangering people?!?"
I wonder how much WhatsApp paid for their fealty?
Read the article. The people they are concerned about are journalists and activists in repressive countries who use WhatsApp because it provides encrypted messaging. If they switch to Signal, which almost no one uses, just being observed using it may be enough cause for the government to pick them up. If they are able to use WhatsApp, however, they are hiding among the millions of other people that use it for no special reason other than it is a good messaging app.
A hole in the ground is a hole, and may be dangerous upon face value whether or not its pointed out. IT still may b a danger.
why is this different?
A gun is dangerous in any hands for any task its designed for.
Just because we are warned by this, educated by it and or bombarded by the bs, duz that make it any less dangerous?
Things like whats-app cater to those millennials that just don't care. Placate, placate but fuck the time taken to research its legitimacy.
Take for example, whats going on with the MJ dispensaries on the west coast. Some are hit because most chose not to look @ the bigger picture with regard to disaster recovery (millennials), and are thus placed into a difficult position due to the lack of forethought/hindsight..
bottomline is,, If it's not local, produced from a secure org, and or it has to many unanswered questions about it's operations, is it really worth it?
Signal stopped working on my android phone about 2 months ago, and they whom produce it, even after it was pointed out not installing, wil do nothing to fix it.
or atleast have not since its breaking
The story may be different if Signal was a federated protocol with entirely decentralized servers (like email).
However, it's not, and there's a single point of failure that can be blocked.
WhatsApp became popular and widespread before many repressive governments realized what it could do, so they can't block it without widespread outcry.
Not so with Signal, which is blocked, and therefore not an option.
-- Sometimes you have to turn the lights off in order to see.
What's the point of being on an Instant Message service if none of the people you actually want to message are on it?
Avantslash - View Slashdot cleanly on your mobile phone.
... including the comment section, is like using a fucking elephant gun to kill a piss ant.
It little behooves the best of us to comment on the rest of us.
The point is that if WhatsApp is not blocked and Signal is, using WhatsApp is better than other options. You say yourself that the single block-able route is not the difference, its that one is blocked and the other isn't. As for the article, I would say that if someone's life or freedom depends on whether WhatsApp is secure -- they better well understand how this vulnerability applies to them based on their specific usage pattern, not based on some generalization from a newspaper article.
From the letter.
How serious this is depends on your threat model. If you are worried about the US government -- or any other government that can pressure Facebook -- snooping on your messages, then this is a small vulnerability. If not, then it's nothing to worry about.
[Rent This Space]
Educating the public to privacy and security issues is a worthwhile exercise. Maybe it isn't a backdoor but people seem to be increasingly concerned when it is suggested that their messages can be intercepted and read by third parties. This can only be a good thing. Our privacy has been eroded by several large corporations and a weird fascination with social media. Several companies want access to all of our data but the number of high profile breaches illustrate a significant risk in trusting others with anything particularly sensitive.
If people want their messaging to be secure and private, they need to understand that end to end encryption is required and the standard for this method must be that it is not exploitable, through poor security implementation or backdoors. Sending commercially sensitive business information through an insecure communications method is just stupid and might not be legal in some circumstances. We also have our own sensitive financial or personal information that could be misused in the wrong hands. Getting people to Consider security and privacy issues a little more is a positive.
Would you link to the bug report? Thanks in advance.
> The story may be different if Signal was a federated protocol with entirely decentralized servers (like email).
> However, it's not, and there's a single point of failure that can be blocked.
You should read the "Censorship circumvention" section from this post from 2016-12-21: https://whispersystems.org/blog/doodles-stickers-censorship/
Specifically:
"With today's release, domain fronting is enabled for Signal users who have a phone number with a country code from Egypt or the UAE. When those users send a Signal message, it will look like a normal HTTPS request to www.google.com. To block Signal messages, these countries would also have to block all of google.com."
I respectfully ask the "OMG, Google will use this to traffic analyze your cat to direct you to Google Branded Catfoods and advance their Sinister Plans!" hysterics to please move on to some other comment. You simply don't have a coherent threat model. :)
Honestly, why would anyone use Facebook software and not be concerned? I think Mark Z is in trouble from all ends at the moment and is butt buddies with those he shouldn't be. They even said in the post to not incurage people to stop using Whatsapp because Signal isn't available to everyone. That right there should tell you if that's the best argument they can give to the average nontechnical person, that Signal should be the preferred choice anyway. If a country is blocking Signal then they are blocking Whatsapp and if they are blocking one and not the other, then it's compromised. That is just common sense. People don't like to hear it because there is a difference between a privacy advocate and the paranoid, and I think the paranoid are reacting to the realization that their cool app doesn't work like they want. People should use Tox clients anyway. You get encrypted texting, calling, webcam, and file sharing. And there's no signup or phone number verification at all. It's available for all platforms like Windows, Mac, Linux, Android, and iOS. The client names aren't the same for all though, but the protocol or whatever is still Tox. https://www.ostechnix.com/tox-... TheOuterLinux.com
...we need the ability to disable permissions right upon installation of the app. When android says the app requires wifi password, camera, SD card access, your firstborn, address book access and more, there should be a box next to the permission to disable right then. I know there are apps that allow you to do that, but you need to remember to run them afterwards, you need root, and you need to redo it in case of upgrade.
Non-Linux Penguins ?
A public "back door" is still bad. People in the know use Signal, the shhwp, use the culls.
What WhatsApp does is reducing their E2E security to the security level of TLS. This means nobody can read the content except the server. With TLS, because its plaintext there, with WhatsApp because they can change the crypto keys and nobody cares (and most people do not even the the message).
When you accept, that it's only transport security but not end-to-end anymore, you can use a lot more messengers, as most use TLS (i.e. because apple forces them to do).
Guardian, do not retract your story. These people are not trustworthy, and neither is Slashdot management. The description they use on the likelihood of the backdoor of being used is dishonest. The US government will use any backdoor possible, as they have completely abandoned their responsibility to protect their own constitution.
"WhatsApp has enough security for those who don't need any."
Yeah, sure. I can’t for the life of me understand who could get worried about this.
No, your children are not the special ones. Nor are your pets.