Slashdot Mirror
Top Security Researchers Ask The Guardian To Retract Its WhatsApp Backdoor Report (technosociology.org)
Earlier this month The Guardian reported what it called a "backdoor" in WhatsApp, a Facebook-owned instant messaging app. Some security researchers were quick to call out The Guardian for what they concluded was irresponsible journalism and misleading story. Now, a group of over three dozen security researchers including Matthew Green and Bruce Schneier (as well as some from companies such as Google, Mozilla, Cloudflare, and EFF) have signed a long editorial post, pointing out where The Guardian's report fell short, and also asking the publication to retract the story. From the story: The WhatsApp behavior described is not a backdoor, but a defensible user-interface trade-off. A debate on this trade-off is fine, but calling this a "loophole" or a "backdoor" is not productive or accurate. The threat is remote, quite limited in scope, applicability (requiring a server or phone number compromise) and stealthiness (users who have the setting enabled still see a warning; "even if after the fact). The fact that warnings exist means that such attacks would almost certainly be quickly detected by security-aware users. This limits this method. Telling people to switch away from WhatsApp is very concretely endangering people. Signal is not an option for many people. These concerns are concrete, and my alarm is from observing what's actually been happening since the publication of this story and years of experience in these areas. You never should have reported on such a crucial issue without interviewing a wide range of experts. The vaccine metaphor is apt: you effectively ran a "vaccines can kill you" story without interviewing doctors, and your defense seems to be, "but vaccines do kill people [through extremely rare side effects]."
http://technosociology.org/?page_id=1687
Rather than recursive links to other slashdot articles on the subject
Why the heck would they retract the truth?
If your threat model includes government spying, WhatsApp is not secure since the government can force WhatsApp to reissue your key and then scoop us the resulting messages.
The editorial spin on this story from slashdot is very disappointing.
WhatsApp is big money...and combined with the fact it's hard to prove that a vulnerability was intentional and thus a "back door" it's hard for Joe Average to tell who's right.
Don't worry about this stuff. Just keep using WhatsApp. It's just as secure as everything else, honest.
Telling people not to use WhatsApp is apparently "endangering people"...as it is a "crucial issue".
Summary; do not use Signal, ChatSecure, OTR or Telegram. Use WhatsApp, it's clearly safer #because_danger (??).
Personally I never thought WhatsApp was secure even after this (maybe backdoor-ed) end to end encryption - Consider many people use WhatsApp? it's the number one target IM. If it ever was secure it won't be so tomorrow.
A 'singular oddity' is an event that cannot be explained and only happens when you are alone.
Comment removed based on user account deletion
In these days of 24 hour news cycles and online publication, journalists and editors don't have time to do basic things like fact check with experts or even spell/grammar check. With no print deadlines they can throw up anything online at any time and easily edit it later, and preferably give it a nice clickbait title. It's the race to be first that journalism has always had but taken to an extreme combined with the fact that many journalists don't have the background or interest in the field the topic they are writing on is in.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
I guess because it is .001% harder to use...
I was going to say "because it isn't integrated into your FB contacts" but that might not be true... depending on how you sync your contacts.
My eyes reflect the stars and a smile lights up my face.
That's the problem with humanity vs security in a nutshell: We're hardwired to put our trust in people, instead of facts.
In sciences, who says something is not important, what is being said is.
Any scientist or security expert worth his salt should be the first to admit that they often make mistakes, and that nothing should be taken as gospel, but be verified.
"Telling people to switch away from WhatsApp is very concretely endangering people." -- err, what?!? How in the world is that "concretely endangering people?!?"
The list is a whos-who of the most reliable sources of information on security.
That's part of the problem. Real security people don't expose themselves to the public, much less talk to the press.
These people here just serve big business and have every reason to whitewash the report.
Nice bit of propaganda there:
*a defensible user-interface trade-off* The threat is remote, quite limited in scope, applicability (requiring a server or phone number compromise) and stealthiness (users who have the setting enabled still see a warning; "even if after the fact). The fact that warnings exist means that such attacks would almost certainly be quickly detected by security-aware users.... Telling people to switch away from WhatsApp is very concretely endangering people... (??!)
Say whaaa? A little dramatic and self serving, no?
The problem that it exists.
“He’s not deformed, he’s just drunk!”
I wonder how much WhatsApp paid for their fealty?
Read the article. The people they are concerned about are journalists and activists in repressive countries who use WhatsApp because it provides encrypted messaging. If they switch to Signal, which almost no one uses, just being observed using it may be enough cause for the government to pick them up. If they are able to use WhatsApp, however, they are hiding among the millions of other people that use it for no special reason other than it is a good messaging app.
What are you even talking about. A bunch of people that signed the editorial are academic cryptographers who work for universities. What big business are you talking about now? Mozilla is the biggest business represented in the list, do we hate them now too? The EFF? Do we hate them? I can't keep up with things around here.
Dude, take a look at what's happening here.
The "security hole" in question here is basically the same deal as you have with every other service where you can transfer your service to a new device. You know, you buy a new phone, then want to continue using your IM or whatever on the new phone... but with the new phone you'd also get to negotiate new encryption keys. And that means that all messages still in the queue would be lost, because they have been encrypted with your old key.
That's the whole "exploit" here.
There's plenty of reasons to distrust WhatsApp and even more reasons to avoid it like the plague, not the least of which being that it hands all data over to FB despite first claiming and vowing that it would never do that.
If THIS is your reason to distrust WhatsApp, you have bigger problems.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Yes, but even in the area of science you'll notice that who says something still has some meaning.
If I say that at the center of every black hole there is a little pink teapot, you'll call me a crackpot and be done with it.
If Stephen Hawking made this claim, I bet you would want to know his reasoning.
At the very least this meant for me that I would want to see why Bruce considers it a non-issue.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
There's plenty of reasons to distrust WhatsApp and even more reasons to avoid it like the plague, not the least of which being that it hands all data over to FB [gizmodo.com] despite first claiming and vowing that it would never do that.
They might do that eventually, but they currently don't and never have, FYI. The plans were scrapped after some legal conflict in the UK.
Real security people don't expose themselves to the public, much less talk to the press.
Are you kidding? Nobody listens to you if your name doesn't ring bells. Publish or perish IS pretty much what makes or breaks your career as a security expert these days. You think any of them have a problem getting a speaker slot at any security conference if they so please? Or get any contract they'd want?
It's sad, but yes, security has become a spectacle. Welcome to the show, watch our CSI-esque presentation of how we penetrate your defenses with style...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Find a way to convince me to actually believe that they complied.
Why would FB acquire WA? Because they really loved to have a messenger service in the portfolio but without any interest in leeching the data? C'mon.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Because they want the IP and engineers to make their messaging better?
The story may be different if Signal was a federated protocol with entirely decentralized servers (like email).
However, it's not, and there's a single point of failure that can be blocked.
WhatsApp became popular and widespread before many repressive governments realized what it could do, so they can't block it without widespread outcry.
Not so with Signal, which is blocked, and therefore not an option.
-- Sometimes you have to turn the lights off in order to see.
What's the point of being on an Instant Message service if none of the people you actually want to message are on it?
Avantslash - View Slashdot cleanly on your mobile phone.
... including the comment section, is like using a fucking elephant gun to kill a piss ant.
It little behooves the best of us to comment on the rest of us.
Um, Facebook (the company) owns whatsapp, so facebook owns their data. Transfer complete. The rest is just a shell game subject to how much money they want to spend on litigation.
The point is that if WhatsApp is not blocked and Signal is, using WhatsApp is better than other options. You say yourself that the single block-able route is not the difference, its that one is blocked and the other isn't. As for the article, I would say that if someone's life or freedom depends on whether WhatsApp is secure -- they better well understand how this vulnerability applies to them based on their specific usage pattern, not based on some generalization from a newspaper article.
The question is whether Facebook shares it with third parties. Of course Facebook "owns" the data, no one is arguing that.
The fact that warnings exist means that such attacks would almost certainly be quickly detected by security-aware users. This limits this method
... shows that there's either more a play here, or they are f*cking retards. And yes, both Mozilla and EFF belong on the list of assholes if they agree with this statement.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
What don't you agree with in that quote? This is not a scenario where every person has to be security aware, if only ONE person ever catches WhatsApp doing this then it would break the whole thing wide open. You don't have to rely on every user being security-aware, only that at least one person will notice if they are actually using this attack on anything approaching a broad scale.
What are you even talking about. A bunch of people that signed the editorial are academic cryptographers who work for universities. What big business are you talking about now?
Universities, in general, do not fund themselves. I'm sure that "big business" has some influence on where research funds are allocated.
Not really. The huge majority of research funding comes from the government (NSF, DoD, DARPA, NIH, DoE, etc.)
Seriously? You are so wrong it's not a joke. "If only one person realizes that an email is a phishing scam, it would break the whole thing wide open." "If only one person realized that a major news site hosted malware, it would break the whole thing wide open." "If only one person realized the app they downloaded was malware, it would break the whole thing wide open." "If only one person realized that Microsoft was forcing unwanted upgrades on them it would break the whole thing wide open." (It took millions ...)
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
How serious this is depends on your threat model. If you are worried about the US government -- or any other government that can pressure Facebook -- snooping on your messages, then this is a small vulnerability. If not, then it's nothing to worry about.
[Rent This Space]
Educating the public to privacy and security issues is a worthwhile exercise. Maybe it isn't a backdoor but people seem to be increasingly concerned when it is suggested that their messages can be intercepted and read by third parties. This can only be a good thing. Our privacy has been eroded by several large corporations and a weird fascination with social media. Several companies want access to all of our data but the number of high profile breaches illustrate a significant risk in trusting others with anything particularly sensitive.
If people want their messaging to be secure and private, they need to understand that end to end encryption is required and the standard for this method must be that it is not exploitable, through poor security implementation or backdoors. Sending commercially sensitive business information through an insecure communications method is just stupid and might not be legal in some circumstances. We also have our own sensitive financial or personal information that could be misused in the wrong hands. Getting people to Consider security and privacy issues a little more is a positive.
Honestly, why would anyone use Facebook software and not be concerned? I think Mark Z is in trouble from all ends at the moment and is butt buddies with those he shouldn't be. They even said in the post to not incurage people to stop using Whatsapp because Signal isn't available to everyone. That right there should tell you if that's the best argument they can give to the average nontechnical person, that Signal should be the preferred choice anyway. If a country is blocking Signal then they are blocking Whatsapp and if they are blocking one and not the other, then it's compromised. That is just common sense. People don't like to hear it because there is a difference between a privacy advocate and the paranoid, and I think the paranoid are reacting to the realization that their cool app doesn't work like they want. People should use Tox clients anyway. You get encrypted texting, calling, webcam, and file sharing. And there's no signup or phone number verification at all. It's available for all platforms like Windows, Mac, Linux, Android, and iOS. The client names aren't the same for all though, but the protocol or whatever is still Tox. https://www.ostechnix.com/tox-... TheOuterLinux.com
...we need the ability to disable permissions right upon installation of the app. When android says the app requires wifi password, camera, SD card access, your firstborn, address book access and more, there should be a box next to the permission to disable right then. I know there are apps that allow you to do that, but you need to remember to run them afterwards, you need root, and you need to redo it in case of upgrade.
Non-Linux Penguins ?
What WhatsApp does is reducing their E2E security to the security level of TLS. This means nobody can read the content except the server. With TLS, because its plaintext there, with WhatsApp because they can change the crypto keys and nobody cares (and most people do not even the the message).
When you accept, that it's only transport security but not end-to-end anymore, you can use a lot more messengers, as most use TLS (i.e. because apple forces them to do).
Duly noted. But do you believe that big business has nothing to do with those organizations? No influence on those organizations?
I'm not trying to flame or start a big argument, but I'm just curious.
Having a lot of personal experience with the NSF, I can confidently say no. Businesses have nothing to do with the NSF. All the leadership are academics, all the grants go to academic institutions, and almost all of the money comes directly from the federal government. At no point are any business interests substantially involved.
"WhatsApp has enough security for those who don't need any."
Yeah, sure. I can’t for the life of me understand who could get worried about this.
No, your children are not the special ones. Nor are your pets.