Top Security Researchers Ask The Guardian To Retract Its WhatsApp Backdoor Report (technosociology.org)
Earlier this month The Guardian reported what it called a "backdoor" in WhatsApp, a Facebook-owned instant messaging app. Some security researchers were quick to call out The Guardian for what they concluded was irresponsible journalism and a misleading story. Now, a group of over three dozen security researchers including Matthew Green and Bruce Schneier (as well as some from companies such as Google, Mozilla, Cloudflare, and EFF) have signed a long editorial post, pointing out where The Guardian's report fell short, and also asking the publication to retract the story. From the story: The WhatsApp behavior described is not a backdoor, but a defensible user-interface trade-off. A debate on this trade-off is fine, but calling this a "loophole" or a "backdoor" is not productive or accurate. The threat is remote, quite limited in scope, applicability (requiring a server or phone number compromise) and stealthiness (users who have the setting enabled still see a warning, even if after the fact). The fact that warnings exist means that such attacks would almost certainly be quickly detected by security-aware users. This limits this method. Telling people to switch away from WhatsApp is very concretely endangering people. Signal is not an option for many people. These concerns are concrete, and my alarm is from observing what's actually been happening since the publication of this story and years of experience in these areas. You never should have reported on such a crucial issue without interviewing a wide range of experts. The vaccine metaphor is apt: you effectively ran a "vaccines can kill you" story without interviewing doctors, and your defense seems to be, "but vaccines do kill people [through extremely rare side effects]."
http://technosociology.org/?page_id=1687
Rather than recursive links to other slashdot articles on the subject
Why the heck would they retract the truth?
If your threat model includes government spying, WhatsApp is not secure since the government can force WhatsApp to reissue your key and then scoop up the resulting messages.
The editorial spin on this story from slashdot is very disappointing.
WhatsApp is big money...and combined with the fact it's hard to prove that a vulnerability was intentional and thus a "back door" it's hard for Joe Average to tell who's right.
Don't worry about this stuff. Just keep using WhatsApp. It's just as secure as everything else, honest.
Telling people not to use WhatsApp is apparently "endangering people"...as it is a "crucial issue".
Summary: do not use Signal, ChatSecure, OTR or Telegram. Use WhatsApp, it's clearly safer #because_danger (??).
Personally I never thought WhatsApp was secure even after this (maybe backdoored) end-to-end encryption. Consider how many people use WhatsApp: it's the number one target IM. If it ever was secure it won't be so tomorrow.
A 'singular oddity' is an event that cannot be explained and only happens when you are alone.
In these days of 24-hour news cycles and online publication, journalists and editors don't have time to do basic things like fact-check with experts or even spell/grammar check. With no print deadlines they can throw up anything online at any time and easily edit it later, preferably with a nice clickbait title. It's the race to be first that journalism has always had, but taken to an extreme and combined with the fact that many journalists don't have the background or interest in the field that the topic they are writing on belongs to.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
The list is a who's who of the most reliable sources of information on security.
That's part of the problem. Real security people don't expose themselves to the public, much less talk to the press.
These people here just serve big business and have every reason to whitewash the report.
Nice bit of propaganda there:
*a defensible user-interface trade-off* The threat is remote, quite limited in scope, applicability (requiring a server or phone number compromise) and stealthiness (users who have the setting enabled still see a warning, even if after the fact). The fact that warnings exist means that such attacks would almost certainly be quickly detected by security-aware users.... Telling people to switch away from WhatsApp is very concretely endangering people... (??!)
Say whaaa? A little dramatic and self-serving, no?
The problem is that it exists.
“He’s not deformed, he’s just drunk!”
Read the article. The people they are concerned about are journalists and activists in repressive countries who use WhatsApp because it provides encrypted messaging. If they switch to Signal, which almost no one uses, just being observed using it may be enough cause for the government to pick them up. If they are able to use WhatsApp, however, they are hiding among the millions of other people that use it for no special reason other than it is a good messaging app.
What are you even talking about? A bunch of people that signed the editorial are academic cryptographers who work for universities. What big business are you talking about now? Mozilla is the biggest business represented in the list, do we hate them now too? The EFF? Do we hate them? I can't keep up with things around here.
Good question that can be immediately answered by reading the actual editorial.
Dude, take a look at what's happening here.
The "security hole" in question here is basically the same deal as you have with every other service where you can transfer your service to a new device. You know, you buy a new phone, then want to continue using your IM or whatever on the new phone... but with the new phone you'd also get to negotiate new encryption keys. And that means that all messages still in the queue would be lost, because they have been encrypted with your old key.
That's the whole "exploit" here.
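As an added illustration (not the page's, WhatsApp's or Signal's code), here is a toy model of the two ways a client can treat messages already queued for a contact whose key just changed: hold them until the user verifies the new key, or re-encrypt and resend them and show a key-change warning. The fingerprint strings, policy names and queued messages are constructed for the example; no real cryptography is involved.

```python
# Added illustration of the queued-message / key-change trade-off discussed above.
# Keys are represented by constructed fingerprint strings, not real key material.
from dataclasses import dataclass, field
from typing import List


@dataclass
class Outcome:
    delivered: List[str] = field(default_factory=list)  # messages sent under the new key
    held: List[str] = field(default_factory=list)       # messages kept until the user verifies
    warnings: List[str] = field(default_factory=list)   # what the sender's UI would show


def flush_queue(queue: List[str], pinned_fp: str, current_fp: str,
                policy: str, show_key_change: bool) -> Outcome:
    """Decide what to do with messages queued for a contact.

    policy == "block":  hold everything until the user verifies the new key.
    policy == "resend": re-encrypt to the new key and deliver; warn only if the
                        "show security notifications" setting is on (the
                        behaviour the editorial calls a UI trade-off).
    """
    out = Outcome()
    if pinned_fp == current_fp:          # no key change: plain delivery
        out.delivered.extend(queue)
        return out
    if policy == "block":
        out.held.extend(queue)
        out.warnings.append(f"key changed {pinned_fp}->{current_fp}: verify before sending")
        return out
    if policy == "resend":
        out.delivered.extend(queue)
        if show_key_change:
            out.warnings.append(f"security code changed {pinned_fp}->{current_fp}: "
                                f"{len(queue)} queued message(s) were re-sent")
        return out
    raise ValueError(f"unknown policy {policy!r}")


def demo() -> dict:
    # Constructed sample: two messages queued while the contact swapped phones.
    queue = ["see you at 9", "bring the documents"]
    return {
        "block": flush_queue(queue, "fp-OLD", "fp-NEW", "block", True),
        "resend_warn": flush_queue(queue, "fp-OLD", "fp-NEW", "resend", True),
        "resend_silent": flush_queue(queue, "fp-OLD", "fp-NEW", "resend", False),
    }
```

The "resend_silent" case is the one the debate is about: the messages go out under the new key and the sender's UI shows nothing, whereas with the setting enabled the key change is visible after the fact.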
There's plenty of reasons to distrust WhatsApp and even more reasons to avoid it like the plague, not the least of which being that it hands all data over to FB despite first claiming and vowing that it would never do that.
If THIS is your reason to distrust WhatsApp, you have bigger problems.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Yes, but even in the area of science you'll notice that who says something still has some meaning.
If I say that at the center of every black hole there is a little pink teapot, you'll call me a crackpot and be done with it.
If Stephen Hawking made this claim, I bet you would want to know his reasoning.
At the very least this meant for me that I would want to see why Bruce considers it a non-issue.
Because they want the IP and engineers to make their messaging better?
Honestly, why would anyone use Facebook software and not be concerned? I think Mark Z is in trouble from all ends at the moment and is butt buddies with those he shouldn't be. They even said in the post not to encourage people to stop using WhatsApp because Signal isn't available to everyone. That right there should tell you, if that's the best argument they can give to the average nontechnical person, that Signal should be the preferred choice anyway. If a country is blocking Signal then they are blocking WhatsApp, and if they are blocking one and not the other, then it's compromised. That is just common sense. People don't like to hear it because there is a difference between a privacy advocate and the paranoid, and I think the paranoid are reacting to the realization that their cool app doesn't work like they want. People should use Tox clients anyway. You get encrypted texting, calling, webcam, and file sharing. And there's no signup or phone number verification at all. It's available for all platforms like Windows, Mac, Linux, Android, and iOS. The client names aren't the same for all though, but the protocol or whatever is still Tox. https://www.ostechnix.com/tox-... TheOuterLinux.com