Encrypted WhatsApp Message Recovered From Westminster Terrorist's Phone

Bruce66423 brings word that a terrorist's WhatsApp message has been decrypted "using techniques that 'cannot be disclosed for security reasons', though 'sources said they now have the technical expertise to repeat the process in future.'" The Economic Times reports: U.K. security services have managed to decode the last message sent out by Khalid Masood before he rammed his high-speed car into pedestrians on Westminster Bridge and stabbed to death a police officer at the gates of Parliament on March 22. The access to Masood's message was achieved by what has been described by security sources as a use of "human and technical intelligence"...

The issue of WhatsApp's encrypted service, which is closed to anyone besides the sender and recipient, had come under criticism soon after the attack. "It's completely unacceptable. There should be no place for terrorists to hide. We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don't provide a secret place for terrorists to communicate with each other," U.K. home secretary Amber Rudd had said.
Security sources say the message showed the victim's motive was military action in Muslim countries, while the article adds that though ISIS claimed responsibility for the attack, "no evidence has emerged to back this up."

Bullshit.

[Frosty+Piss]

The claim is dubious. Why would they inform all the Terrorists that they can decrypt WhatsApp with ease? They wouldn't. The reason for the "disclosure" is to influence Terrorists to use some other - perhaps less secure - means of communication because they CAN NOT decrypt WhatsApp.

Re:Bullshit.

It's possible that they didn't actually decrypt anything and, instead, managed to get into the phone. If the terrorist didn't secure his phone, then whatsapp could easily be opened and messages read. They had access to his phone, that was stated in the article.

Re:Bullshit.

[Jzanu+Syr]

This isn't a fucking TV drama, it is more important to get the psychological leverage over the terrorist groups who are reminded they can't use tech to hide. It is also more important to remind the public that terrorists can't do that.

Re:Bullshit.

[janoc]

That. Or simply retrieved the content from some temporary file/cache/whatever Whatsapp uses. Another possibility is that they simply got the content from whoever the message was sent to - which would explain the "human intelligence" (aka interrogating someone) part.

Re:Bullshit.

[thewolfkin]

exactly. physical security is the first security. given that was compromised. It seems more likely that was the vector they used.

Re: Bullshit.

"Using a chat program to hide " doesn't even make logical sense.

Re:Bullshit.

[thewolfkin]

This isn't a fucking TV drama, it is more important to get the psychological leverage over the terrorist groups who are reminded they can't use tech to hide. It is also more important to remind the public that terrorists can't do that.

no it isn't. If anything the past experience with government agencies is that they'll exploit the heck out of security holes they can find and use that to get whomever they want to get. Heck that was the whole point of Snowden. There's no incentive or historical trend of governmental agencies effectively shouting out that they've found a way to see through the door. Instead they keep looking through the door gathering and using intelligence until someone notices.

at best this suggests that "Oh we're so strong we cracked WhatsApp" but it does so completely at the cost of their loophole. It's a silly stunt that's only effective if they have a backup in place.

Re:Bullshit.

[Impy+the+Impiuos+Imp]

It's ironic that, if this kind of encryption existed during the US revolutionary war, the King of England would have outlawed it, and therefore the Founding Fathers would have included it as a right in the First Amendment. Government is the problem in the long run, the bigger picture, regardless of any short-term benefits.

Re:Bullshit.

[Impy+the+Impiuos+Imp]

Indeed, every time some politician in the West decries encryption for some teeny-tiny, transitory problem like terrorism, billions around the world's hearts sink a little more into despair as their governments break encryption using the same techniques precisely to catch political opposition.

Says the oppressed in China, Russia, Turkey, "Well, our nightmare continues but damn, we are glad you wern't hampered too much gleaning a useless iota of information on that guy who is one trillionth the plague on your society our governments are on ours."

Re:Bullshit.

They didn't even get his name right, Adrian Russell ...

if you want to be afraid of any one.

Re:Bullshit.

People are the problem in the long run. We cannot govern ourselves. We're prone to greed and avarice. Until we get past pursuit of wealth and power, we're doomed as a species. Another virus that will kill its host to stay alive.

Re: Bullshit.

[hey!]

"Using a chat program to hide " doesn't even make logical sense.

It does if the chat program using public key encryption between the users. In that case even the mediating servers don't have access to message contents.

The scheme is flawless -- but then it almost always is unless it's devised by a total ignoramus. What they get you on is implementation.

Re:Bullshit.

[monkeyzoo]

WTF Open Whisper?

Re:Bullshit.

[hey!]

While your reasoning as it applies to terrorists is impeccable, there are other applications for an exploit that a state might want to keep secret. And then people at a political level aren't always that sophisticated; they may know spy dramas better than game theory.

Re:Bullshit.

[monkeyzoo]

Lookup information on Open Whisper end-to-end encryption, which is what WhatsApp uses. You will see that the whole point of the system is to prevent police from "simply" doing what you have said. There are no unencrypted temporary files, caches, etc.

Getting the contents from the recipient is a valid possibility however without defeating the technology.

Re:Bullshit.

[110010001000]

How do you know that is what WhatsApp uses? It is closed source. They could be doing anything, no matter what they CLAIM they are using. They could be sending all of your messages directly to the NSA. Why do people trust closed source apps?

Re: Bullshit.

Don't assume humans are the only organisms which are like that.

Re:Bullshit.

[Patent+Lover]

He wasn't part of a terrorist group. He was a batshit psychopath who watched one too many terrorist videos. The terrorist groups don't hide behind tech, they broadcast it out in the open.

Re: Bullshit.

Wrong,most of you are driven by greed for more toys and avarice.
Some of us are not and realised there are more important things than more stuff or things..
Try doing without anything for a couple of years,then you may learn to appreciate a much simpler,less greedy lifestyle..
It doesn't mean going without toys,but do you realy need the latest toy from Samsung etc,apart from cameras and lte, smartphones,as an example have not really changed since 2000,my old Sony/Ericsson p910i can do 90% of what the latest Samsung's etc can do.
Cars still have 4 wheels and are limited to 70mph,houses still have walls and roofs etc etc..

Re:Bullshit.

nah, its just the faggot brits trying to pass legislation so all programs give them the means to do the decrypting

its basically faggot speach right then and there. they can go suck a big one, they would not have muslim terrorism if they had no muslims (duh), sooo i guess the problem doesnt involve software at all but a bunch of politicians that got their own people killed

Re:Bullshit.

[gweihir]

Or alternatively, a moron politician that cannot be punished for an exceptionally stupid mistake was told by accident and then thought it was a good idea to tell the whole world. But outside of that, giving away a valuable source like the ability to decrypt WhatsApp is not likely to happen, I completely agree. The only other reason I see is because that ability was already about to become public.

Re:Bullshit.

It's ironic that, if this kind of encryption existed during the US revolutionary war, the King of England would have outlawed it,

It would have been more of a problem than you seem to realise. If the king had passed legslation to do that, he would have to remove parliament to do it and would have effectively staged a royal revoluton.

Much more a problem than a few colonials shooting each other in some remote locaton.

Re:Bullshit.

[thegarbz]

Why do you trust open source apps? No really, do you read all the code and then compile it yourself?

Just because something leaves an audit trail doesn't make it impervious to fraud.

Re:Bullshit.

[thegarbz]

The terrorist groups don't hide behind tech, they broadcast it out in the open.

What a load of garbage. Terrorist groups most definitely do hide behind tech and generally do so quite well. What they do out in the open is lay claim their successful attack.

Re:Bullshit.

[markdavis]

>"Why do you trust open source apps? No really, do you read all the code and then compile it yourself?"

At least it is POSSIBLE. With closed source, it is absolutely impossible for the end user to know what the program is doing. It means watchdog organizations can audit it and anyone can verify it. I don't look at much of my open source code, but you can bet someone is, and all it takes is one person to blow the whistle. And someone can compile it and compare the hashsum on distributed binaries to ensure it hasn't been tampered with downstream.

Re: Bullshit.

[boundary]

I think I found the vegan.

Re: Bullshit.

[DavidDoleman]

Whatsapp is proven insecure and it is also not identical to whisper but in fact a derivative... Do not use it for secure messaging, only signal remains confidently secure end to end https://www.schneier.com/blog/...

Re:Bullshit.

[TheOuterLinux]

WhatsApp is owned by Facebook. It's encryption is a joke when the right people are asked nicely, hence the "using techniques that 'cannot be disclosed for security reasons.' What they mean is they can't tell you how they did it because it would look REALLY bad if people realized how stupid it is to put your faith in a company that specializes in profiling and biometric data collection; https://www.whatsapp.com/faq/g.... If you're using WhatsApp on Google anything (Android, Chrome, etc.), you're in even worse shape because it's Google for Christ's sake. Remember Dirty COW? Google waited until after the election to fix it while every other Linux-based OS did months ahead of them.

But anyway, Facebook also invests huge amounts of money into cloud computing and AI. That combination one day will make all encryption and anonymity useless because we will all be digitally fingerprinted whether you have an account or not, especially if quantum computing advances, and you can assume your government will get a copy, just like they get copies of your DNA when you fall for the "fun and easy" TV advertised "ancestry" services. This "profile" is going to replace social security numbers. If you want real encryption (at least for now), use Signal (similar to Telegram but better) or a Tox client (similar to OpenVPN but for messaging). More importantly, use your brain. Both are free and open source and support text, talk, video, and file sharing. I would never use anything that important that I couldn't look at the code for. If you could look at WhatsApp's source code, I think security researchers would be horrified. And, Facebook gets caught spying on their mobile app all the time, so I don't see how WhatsApp would be any different. And just because a lot of people use it, doesn't make it the best. Matter of fact, that would make more of a target.

• https://finance.yahoo.com/news...
• https://www.theregister.co.uk/...
• https://www.thememo.com/2017/0...
• https://arstechnica.com/tech-p...
• https://www.pcworld.com/articl...

Some of the above links are kind of old, but note the ISP one. Legally, your internet service provider in the U.S. can sell your browsing information. Because of this, intelligence agencies can just purchase your data for cheap rather than getting a warrant and paying a government employee to waste their time. I'm mentioning ISP because Facebook has been trying for over a year now to bring the Internet to all kinds of places. They would become an "Internet Service Provider." In any case, if the app has an advertisement, you can be tracked.

The real note to take away from this is to realize data can be created and never destroyed and don't put anything on the internet you don't want found. I wish people would realize privacy settings are a joke; they only protect you from the average person. Anytime you see "convenient" or "secure" for a service, just assume it's complete BS because your government doesn't have the time or resources to actually physically search and seize everyone so they have software for it, contrary to "Martial Law" conspiracies; cloud computing makes it easier.

And since this news regarding terrorism, do you know why it was so hard to find Osama? It's because so far as we know, the most technologically advanced thing he ever personally used was a kidney dialysis machine or the Cold War weapons the U.S. gave him. The wor

Re:Bullshit.

They probably just captured him inputting the PIN on one of the 2 million CCTV cameras in the UK.

Re:Bullshit.

"Open Whisper"

After reading the code, I literally discovered a line of drool running down my face. It’s really nice -- Matt Green, Cryptographer, Johns Hopkins University

Re:Bullshit.

[johanw]

Accessing WhatsApp messages on a phone is easy when you have access to the device, even if it's locked (but not encrypted). Or they managed to get access to the unencrypted backup WhatsApp wants to make on Google Drive if you allow it (and have a Google account active on the phone). Assuming it was Android, I don't know how well that works with Apple.

Re:Bullshit.

[johanw]

At least their Signal does not allow Google to make a backup in the cloud. Unfortunately thet means you can't backup it yourself unless you've rooted your device or run a version that includes a decent backup (the standard backup does only the simple text messages).

Re:Bullshit.

[johanw]

However, WhatsApp tries to persuade you to make an unencrypted backup in the Google cloud if you run Android. And it won't take no for an answer, after refusing it tries again after some time.

Re:Bullshit.

[johanw]

In the case of Signal, I do build it myself from source because I want to make some changes, like adding a decent backup function that Moxie won't do in Signal for some reason he doesn't want to explain. But apart from that, they have reprodcable builds so you can check a self compiled version is the same as the one you download (except for the signature of course).

Re:Bullshit.

[johanw]

For Android apps you can run it through a decompiler and check, although that is a lot more work.

Re:Bullshit.

[gnasher719]

At least it is POSSIBLE. With closed source, it is absolutely impossible for the end user to know what the program is doing.

Double bullshit. For example, with Apple's iMessage it would be absolutely possible to detect if Apple was performing a MitM attack instead of just encrypting the sender's message with the receiver's public key.

Re:Bullshit.

[MichaelSmith]

No really, do you read all the code and then compile it yourself?

Thats what I would do if I had a particular need for security. But its really hard to do. Software I control on top of a kernel I don't control is no real help to me. I am seriously thinking about a micro controller solution.

Re:Bullshit.

I feel like once you manage to escape the scene, you can pretty much get away with just about any crime as long as you didn't have your phone on you and don't brag about it later on facebook.

Re:Bullshit.

[AHuxley]

To heard interesting people to all kinds of other waiting networks that are security service fronts.
A fancy new app everyone is talking about, that nice GUI, local language support, readable fonts, lawyers and statements about protecting all users rights. Vast funding that never stops.

It's like buying crypto for an embassy or company in the 1950-80's. So many private sector options for a nation, gov or company to select from. Go with US, UK, NATO quality to keep the Soviet Union out?. Something from a more "neutral" nation with good banking security that just works as installed? It has a great reputation and is so trusted globally.
NSA and GCHQ had it all covered.
The Falklands war was the public testing of many mil grade systems sold globally. The GCHQ had the plain text to almost all of the UK, US, NATO export grade systems in real time. South Africa was the only nation that provided any real mil spec design quality that slowed the UK down a bit.

Re: Bullshit.

[easyTree]

Of which, none capture video of abuse of power by police.

Re:Bullshit.

retard

Re:Bullshit.

[AmiMoJo]

The BBC reported that they simply got it from the phone of the recipient (which they knew from metadata) who cooperated with them. That person was innocent and uninvolved in the attack so simply gave them the message in plain text.

Sorry no link, the BBC search engine is crap.

Re: Bullshit.

[RubberDogBone]

Tell that to the idiots using the forgotten social messaging app Whisper, which has nothing to do with the Whisper protocol or Whatsapp.

Nope, it's just a sort of Twitter clone that pretends to be anonymous, and tons of idiots fall for it and post for sale or want to buy messages for "contraband substances" as if nobody can trace them.

The app records the user's IP address, the IMEI of their phone, their GPS (which it uses to set a "nearby messages" group feature), their phone number, and none of this is encrypted in any way AND the developers proudly declare in the TOS that they will happily respond to any requests from law enforcement. The app also inserts ads from the Facebook network so anything you look at on FB may in turn spawn "related" ads in the app. So not only does the app know who you are, we can presume FB in turn knows a lot about which ads are seen when and perhaps even which content the user was looking at.

So it is completely NOT anonymous. And yet idiot users post their messages every day. I had NO idea there were even so many different words for pot.

The app has other major issues, such as a general lack of users -potheads and gays seeking gays seem to be the main users, but they don't add up to very many. So the developer hires workers to make fake posts, uses bots to repost and repost the same messages day after day after day, all in a bid to fake the place into looking like people use it. A lot of the Indian contractors don't even bother to hide that they are posting from Indian call centers.

The app also has a "Popular Posts" feature which presents those items when users first open the app. But what determines what is "popular" is not popularity but the whimsy of one of those Indian workers who decides to promote a particular post to the Popular page, which then gets a lot of views and so forth. So they are manufacturing popularity, not seeking what is naturally popular. It's fraud. The anonymity is fraud.

But very few users bother with this thing and nobody would really notice if it blew away.

Re:Bullshit.

[Pi1grim]

How do you verify that iMessage is not sending your message to both the intended sender and someone else? How do you check whether the public key the message has been encrypted to is actually that one of your contact's? Oh, you trust the information that iMessage gives you...

Re:Bullshit.

[thegarbz]

At least it is POSSIBLE.

No it's not. For all but a tiny handful of people auditing the source is not possible as they lack the requisite skill or funding to get it done. How many open source programs out there actively get audited? And no, someone looking contributing to the code is not an audit. Many eyes are able to glaze over even the most simple of bugs.

but you can bet someone is

A bet that has been proven false over and over again in the past 5 years. From huge bugs discovered in very widely used software, to distrust in security software in general. We have recently gotten a great view into what it takes to actually look for code. Truecrypt wasn't a large program, yet it took a team of people 2 years to audit it. The end result of someone auditing something will be out of date on the day of release. Also what happened the day of the audit findings? Some people questioned who the auditors were and if their findings can also be trusted.

And someone can compile it and compare the hashsum on distributed binaries

No they can't. The chance of creating hash identical binaries to the ones the publisher created are next to none with subtle differences in build environment creating wildly differing outputs. At best you could beg the publisher to let you audit the machine and process which he used to create the binary. THEN you may get a hash comparable output and can compare the source used. But you're as much at mercy as letting the publisher do that for open source and closed source software.

In general the trust level goes up when source code is available but only slightly. We are not living in a world of obvious and obtuse bugs instantly highlighting a lack of trust. The NSA leaks have shown that quite clearly.

Re:Bullshit.

[thegarbz]

Did you audit the code base line for line as you went?

The point is that few people have the technical ability to do that. Even fewer would catch underhanded code. e.g. Truecrypt. Not a massively complicated program yet took a team 2 years to actually audit.

You can trust open source a bit more than closed source in that you can be sure actively underhanded backdoors are likely to be marginally obfuscated, and that's about it.

Re:Bullshit.

[maroberts]

What puzzles me is why they didn't get it from Khalid Masood's phone. Unless he deleted the log, the message he sent is sitting on there.

Re:Bullshit.

[Xest]

I know that this is a novel concept in this day and age, but some of us are still capable of understanding that closed source doesn't prevent reverse engineering of the product, it merely makes it harder.

Something being closed source doesn't mean it's a closed book, that's why we've had everything from DVD Jon to hacked Playstations over the years.

Re:Bullshit.

because we're not loser nerds who think themselves more important than we are. we don't have depressing lives like you so we don't need to make up a reality to live in. same reason we use a simple swipe gesture to unlock a phone. same reason we leave the laptop bag in the back seat in the suburbs yet put it in the trunk in the city. same reason we use a bike lock that can be cut easily instead of carrying around an industrial chain. same reason we get laid and live happy non-loser lives. same reason drm works perfect and as intended.

if i need to send info on bombing a building i won't use whatsapp. if i ever become a big druglord i won't use whatsapp. but for 100% of my life - it's fine. you have no life, so you wouldn't know. yours is so shitty that you spend your time on bullshit for a world where you are important. fact is, you are literally nothing, nor will you ever be, so you need open source and strong encryption to boost the self esteem caused by physical ugliness. we don't.

any more bright questions loser?

Re: Bullshit.

"human and technical intelligence" means "we guessed his password". It's not hard to parse when you think about it.

Re: Bullshit.

Repeatable builds are becoming a trend for applications of great security importance

Re:Bullshit.

You do realize there are programs that allow you to analyze traffic coming in and out of a device over a network, right? They've existed for years, in fact? www.wireshark.org is pretty much an industry standard, how did you miss that one exactly?

Oh, you trust the information that X company you're actually shilling for gives you...

Re:Bullshit.

For reference -- I work at a company where if there's any chance of what we're building impacting anything related to billing at all, or going to a public facing application -- we do exactly that.

All software we build is reviewed and tested -- libraries included. Kernel included. Compiler included. We build the compiler, we deploy the compiler, we build our software with this compiler -- and it's something we couldn't do without open source.

I won't name us for obvious reasons -- but we have contributed bugfixes to things upstream.

I understand it's hard for individuals to do this, but it is again one of the great benefits of FOSS -- we can honestly say we have conducted audits.

Re:Bullshit.

unless they know the terrorists will see through this, and continue to use whats app, while all along they DO have the means. unless, they know the terrorists will see through THAT, and switch to other methods. unless..

Re: Bullshit.

I can reverse that argument into pointing out examples of people that blindly trust every open source application just because it's open source. Recent trends of privacy sites blankly stating "always use open source" only reinforced the belief that open source = can't ever be bad, right?

Have some nuance, man. How about researching myself and then deciding what I am going to use depending in my needs and threat factor?

Re:Bullshit.

[naranek]

Whoa. Way to completely miss the point. Facebook messenger and WhatsApp are completely different apps. WhatsApp is using the Signal protocol which is pretty much the best there is at the moment. All the messages and calls are end-to-end encrypted with the kind of crypto nerds used to only dream about. Mass surveillance is not possible (even for Facebook) with WhatsApp, because the attacker would need to do a MitM attack on all the discussions, which is easily detectable. Another option is to install malware on the phones and read the messages there, but that would be a targeted attack anyway.

There haven't been any proven breaches of the Signal protocol and I dare you to prove me wrong. "Facebook is evil so WhatsApp must be broken" just doesn't fly.

As far as the security community is concerned, the biggest weakness in WhatsApp is that MitM notifications aren't on by default. Otherwise the app and the crypto is solid. It's easy to say that WhatsApp is compromized because of $reasons, but if you have actual proof of a breach, it will absolutely be headline news, so cough it up. You'll be a infosec rockstar (for at least a week).

Also - open source doesn't automatically mean that the application is safer than closed source. Implementing crypto is hard. You can mess it up in bunch of different ways. It doesn't help one bit that your source is available if nobody with decent qualifications has ever checked it.

Re:Bullshit.

[TheOuterLinux]

Then why not just use Signal? It already supports text, talk, and video. Using a privacy app owned by Facebook seems like an oxymoron.

Re:Bullshit.

[peawormsworth]

Are you the same guys who added NSA modules into the Linux kernel? Because I would like to here more about your audit process on that.

https://en.wikipedia.org/wiki/Security-Enhanced_Linux

Re:Bullshit.

Last few years companies have started to finance security-audits of software used by them..

Sure there is loads of crap out there that never will get an audit... But on the other hand.. From experience i have noticed that closed-source software receives even less scrutiny because it costs money.. And management thinks that just because it's a binary, without any source-code available, being distributed it's impossible to abuse....

Look at windows, linux, osx... stuff is found all the time, but the more problematic issues have been on windows and osx..
I see anything as problematic if it's not fixed in a reasonable time (1-2 weeks) after being made public knowledge.. With public knowledge i refer to anyone that's not the researcher that found the issue or the developers writing the code.

Re:Bullshit.

[Patent+Lover]

Any examples?

Re:Bullshit.

Your phrasing implies that Truecrypt contains underhanded code which was not what the audit team found.

Re:Bullshit.

[monkeyzoo]

Oh, so that's not just me? I always wondered why sometimes I would open WhatsApp and it was on the backup settings page. I always figured I had fat fingered it. ANNOYING!

Re: Bullshit.

[monkeyzoo]

True. Open Whisper apparently partnered with WhatsApp on the implementation though. Other than the dubious decision regarding handling of key changes, there hasn't been any discussion of problems in the implementation of WhatsApp for end-to-end encryption. So this new finding is troubling!

Re:Bullshit.

[mjwx]

What puzzles me is why they didn't get it from Khalid Masood's phone. Unless he deleted the log, the message he sent is sitting on there.

Allegedly, WhatsApp does not keep local files.

However unless he actually logged out of the app, they would have been able to retrieve it from the server.

Re:Bullshit.

every successful terrorist attack committed worldwide since ~ 1980

Re:Bullshit.

[RockDoctor]

Another possibility is that they simply got the content from whoever the message was sent to

My first suspicion too.

Re:Bullshit.

[naranek]

I do, but most of my friends don't. Pretty much everyone has whatsapp these days though.

WhatsApp is not a privacy app. It's a messaging app which also happens to have a hard core crypto implementation under the hood. That's a huge win for normal people who think they don't have anything to hide and don't know or care about encryption. They still have all their messages end-to-end encrypted and they don't have to do anything about it.

Human and tech intel?

[bazmail]

WhatsApp backdoor. Can be nothing else.

Re:Human and tech intel?

[gweihir]

Can be a lot of other things, including plain old misdirection. For example, the phone may have been compromised long before.

idiot

[ooloorie]

"It's completely unacceptable. There should be no place for terrorists to hide. We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don't provide a secret place for terrorists to communicate with each other,"

It is completely unacceptable that history majors like Amber Rudd, who evidently has not the slightest understanding of technology, end up in positions like Home Secretary. or "Secretary of State for Energy and Climate Change". Rudd seems to be an object lesson in how money and political connections trump competency and skill.

Re:idiot

[gweihir]

Indeed. The whole statement is so utterly stupid and disconnected from reality _and_ misses what states that tried to get where she wants to go were like (Stalinism, 3rd Reich, etc.) that she cannot be any good at understanding history either. So they have a _bad_ history major as Home Secretary.

Re:idiot

[matbury6017]

OK, let's play with Rudd's statement for a little while. Since any weakening of internet security applies to everyone who uses the internet, not just the people Rudd would like it to affect, how substituting the keyword "terrorist" for something else and see how it sounds then?

"It's completely unacceptable. There should be no place for [PLACEHOLDER] to hide. We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don't provide a secret place for [PLACEHOLDER] to communicate with each other,"

Investment bankers? Grassroots political organisers? MI5 and MI6 agents? Any more ideas?

Encrypt Everything!

[Murdoch5]

Regardless if the claim is true or not, all your data and messaging should be encrypted at all times PERIOD! I will gladly accept terror acts for the right to have my data protected and safely stored. Across all my computers and my phone, everything is encrypted when possible, including my emails, which are sent from a encrypted provider, my SMS messages, which are sent encrypted and almost everything else I do. Encryption is a right to not have your data / personal information exposed and one that must be protected, even if that means acts of terror are untracable / untrackable.

Re: Encrypt Everything!

Why.
I'm still waiting on an answer to why folk think A) that they NEED to encrypt everything.
B) what are you up to that you think you NEED to encrypt anything.
C) that there are nearly always methods for getting at data before or after encryption.
D) you don't think folk like yourself are the ones the spooks will spend resources on to answer the above questions.
Me,I don't give a toss if the authorities realy want to know what I'm up to,they will find out one way or the other,I've been under almost constant watch since I was 16,that's over 40 YEARS,why,because I said no to multiple attempts to recruit me for the same spooks,I have/had abilities that they find useful,but their not used to folk saying no to what is a very cushty life style,right up until you stop being useful or know one small bit of knowledge that they want no risk of it ever leaking outside their very small group..work for them just once and they have you for life..

Re: Encrypt Everything!

Since you asked...

A. I don't. But the more of my data that is encrypted, the less noticeable data that I critically need to be encrypted will be to would-be eavesdroppers. No sense in drawing any further attention to the occasions when I really do require it. Plus if I am always using it, then I don't have to especially remember to do anything out of the ordinary when I do actually need it.

B. Anything that requires some security against malicious eavesdroppers who might use the information to cause harm to myself if others. If it is technically feasible for the Feds to decrypt it, no matter how benign they may claim to be (and there is some cause to he sceptical of that already), then so can someone with much more nefarious intentions.

Re: Encrypt Everything!

Different AC.

A. Because we believe the government, (or anyone else for that matter), has no business monitoring every little thing we do, regardless of the reason. If the government wants to monitor us, prove to a judge that we may have done something illegal and get a warrant. It's basic due process, one of the things promised to us by the U.S. Constitution and the Bill of Rights as citizens. For everyone else, too bad get over it and find something else to do other than attempting to frame others so you can get that righteousness high.

B. Absolutely nothing. Rather, why does the government think that Terrorism, (or whatever excuse they want to use), gives them the moral right, ethical right, and legal authority to just ignore their own laws, rules, and promises, and do whatever the fuck they want? Especially to people who are their own citizens, and not currently under investigation of a crime? There is supposed to be a presumption of innocence until proven guilty in a court of law. The mass surveillance, and your acceptance of it, is the exact opposite. It's guilty until proven innocent. All that does is create a society where everyone is afraid of each other, constantly on edge, and ready to kill anyone at the slightest infraction. Which, is not the way to run a society. At least, it's not unless your intent is to destroy said society.

C. Yes, there are. Given access to a device, you could install a hidden keylogger, bake in monitoring firmware, brute force it's password, plant evidence, modify the encryption method to weaken it, etc. Given access to the person using the device, you can kill them, lock them up and torture them, hit them with a $5 wrench until they talk, trick them into disclosure, use them as a double agent, etc. There are plenty of ways to get at information before or after encryption. People are aware of this, (or they should be), and need to take precautions for them.

D. On the contrary, we do think that they will spend the resources. Why? Because they want to, and have no-one to hold them accountable, when after all of that effort and time / resources wasted, they only find our receipts for the grocery store, whatever movie we've bought on Amazon, and our latest posts which have as much to do with terrorism as a rock. It's stupid, their time and resources are better spent elsewhere, but they can't help themselves. After all, the real reason they do it isn't terrorism. The real reason is power and control. They want to be able to make someone disappear if they become inconvenient. They want to be able to bury you in your own crap if they want to. They want to know so if they need to poison you, they'll know exactly which fast food joint, at what time of day, who should give it to you, and what food to poison, to kill you and only you. They want to be able to ensure you'll never be a threat to their donors, so they'll use that surveillance, to make sure you never come up with a competing product. ("Oh I'm sorry sir, your package was lost in the mail, someone just bought the last of our supplies, we haven't gotten a shipment in yet, and your card isn't being accepted for some reason.") If you're the political type, they will use it to make sure you never get into office by leaking the details of anything that someone may find upsetting to the public. (You had best watch your porn consumption, you never experimented in college right?, ever been labeled gay by the public education system?, ever make a comment that could be taken out of context and turned into a 30 second sound clip?)

I'm sorry you've been monitored for so long. But if anything, you'd think that would give you a reason to help support efforts to reign them in, not passively support them by saying "all is lost".

Re: Encrypt Everything!

"I will gladly accept terror acts for the right to have my data protected and safely stored." But the vast majority of us will not. We deem life to be more important than your stupid data on your stupid computer, so you will change your tune or... You will change your tune. One way or another. You will bow.

Re: Encrypt Everything!

Please go stick a gun barrel down your throat. Choke on it for a bit and feel the power of cold hard steel on your lips and tounge. Then just when you think of the people you love, pull the fucking trigger and get it over with. You worthless scumbag. Just because you have given up and are a traitor, doesn't mean we all are.

Re: Encrypt Everything!

[easyTree]

why does the government think that Terrorism, (or whatever excuse they want to use), gives them the moral right, ethical right, and legal authority to just ignore their own laws, rules, and promises, and do whatever the fuck they want?

Because the spectre of terrorism (in the media) exists for precisely this reason.

Re: Encrypt Everything!

[easyTree]

Template email sent when switching mobile providers.

Re: Encrypt Everything!

[Brockmire]

Can't stop laughing.. You win the Internet for today.

Re: Encrypt Everything!

Given up what? Unlike two-bit wannabe rebels like you I don't fight against my own democratically elected government. Traitor to whom? I do not subscribe to any deluded "cause" you keyboard guerrillas claim to fight for. Your reaction is amusing and had me chuckling at your naivete and obsessive self-aggrandizing fantasies. You're not a rebel. There is no revolution (thankfully). We're not in the Matrix and you are not Neo. Seek help.

Re: Encrypt Everything!

Guessing the op has no family, no kids, no wife, and no life. And he's worried about the Feds seeing his internet porn habits. Which are probably a bit grubby and involve subservience, but he'll be the one videoing, not taking part. PoS.

Re: Encrypt Everything!

Google "Don't Talk To Cops". The Innocent have the most to hide.

Huh? crooks in brazil do this all the time

(OBNOTE: they might have done something far different, but this is one way it could be done -- and it is being done in Brazil):

1. Clone the victim's phone line (not chip, not iemsi, you just need to reassign its phoneline. Costs about US$100 in Brazil to get a sleazy, disgruntled phone-company-cellphone-outlet employee to do it for you).

2. Using the rogue SIM that has the victims' phone number active for a while, install whatsup. Do the SMS verification, it will pass. And yes, that *does* mean you could use the same !@#$@#$ trick to invade banking accounts, steal accounts with SMS verification enabled, etc. Say, like google, microsoft, or DNS registrar (and from there, anything else, such as US$ 200k-worth twitter identities, etc).

==> IT IS NO JOKE that the newest US gov regulations *strongly recommends against* (read: FORBID) the use of anything phone-carrier-routed (SMS, voice, phone number, etc) for security id/validation.

3. Whatsup will download the message history and contacts database, and you have access to the information.

Now, if the target is not an imbecile, he has whatsup 2FA enabled. That means step (2) is a lot more difficult, *but not impossible*. Here's where human intelligence can help, phone hacking can help, and even a court order for whatsup to NOT nuke the account no matter how many failed tries (assuming this does not run afoul of whatever protections did not allow them to order whatsup to shell out the history directly) can help.

IOW: have you removed the insanely dangerous "phone-number-based" recovery options of every account you treasure? If you did not, you better do now. It is quite possible to add defensive layers to SMS-based and voice-based recovery options, but all of them are of the "force several successful attempts over a *large* period of time, with random factors involved" so that the victim will notice what is happening, recover his phone number, and engage defensive measures. NOBODY implements this.

Re:Huh? crooks in brazil do this all the time

[ezdiy]

Here, telcos are not *that* corrupted to reroute a number, however social engineering tricks are to be played with PNM. It is also why banks raise a fraud alert when you port your number to Google Voice, because you cut off the SIMtoolkit pairing. You need the original STK applet key to decode the bank's 2FA SMS handshake. Without it, the SMS will be delivered normally, and the bank will be notified it went somewhere where it shouldn't.

As for police, they simply ask the telco to tee pipe SMS to them, or use an (authorized) IMSI catcher, both as a part of ongoing investigation when they have a probable cause.

They use that to routinely snoop on whatsapp and telegram accounts, at least in europe.

Re:Huh? crooks in brazil do this all the time

"==> IT IS NO JOKE that the newest US gov regulations *strongly recommends against* (read: FORBID) the use of anything phone-carrier-routed (SMS, voice, phone number, etc) for security id/validation."

Tell that to google, it's constantly asking me to put in a phone # for recovery... Never mind I don't even have one but yes it would be stupid to use this for security

Re:Huh? crooks in brazil do this all the time

Yeah this is an old trick. I never understood why people thought SMS or callerid was "two factor." It isn't. It's just random stranger bits. /shrug

Embarrassing typo

[mean+pun]

I must assume that the phrase 'the victim's motive' in the summary should be 'the terrorist's motive'.

Re:Embarrassing typo

[monkeyzoo]

LOL! Maybe the meant the victim of the hacking. :-D

If there's no place for terrorists to hide

[HalAtWork]

If there's no place for terrorists to hide then there's no place for *anyone* to hide, and that is unacceptable considering how valuable it is to hide from oppression or the abusers of the system used to ensure there are no hiding spots, those who operate the system are disproportionately advantaged and with access comes the capability of concealing themselves, censoring, framing content and concealing context, etc.

This idea is ridiculous and imbalanced off the bat.

Re: If there's no place for terrorists to hide

Try convincing the plebs of that.

Re:If there's no place for terrorists to hide

There is a very, very small chance that you'll ever encounter, let alone be killed by, a terrorist.

There is a huge chance that people like Amber Rudd will intrude on and screw up your lives if they are left unchecked to carry out their statist power grabs.

Terrorists are relatively easy to deal with, if one has the courage to simply not let terrorists into one's territory. Power grabbing cop-worshipping statists on the other hand are a purely domestic problem in pretty much every country, but they need dealing with as well. The most important method of dealing with them is to keep them the hell out of power and anything approaching the ability to control the lives of others. They actively seek such things, so it is difficult, but it must be done.

Re:If there's no place for terrorists to hide

[gweihir]

Alternatively, she just asked knowingly for full-blown Fascism. I really would not rule that out anymore. George Orwell seems to have had the number of the British political class.

Re:If there's no place for terrorists to hide

[gweihir]

Indeed. Terrorists you can typically just ignore with no significant adverse consequences. Fascist politicians are a lot harder to deal with.

Re:If there's no place for terrorists to hide

[Wootery]

As a Brit: annoyingly, she's not the only one of our leaders who has no idea about technology. This probably won't be the last time they try to screw with the nuts and bolts of modern technology.

We also had that stupid cookie law. Rather than ruling that, say, e-commerce sites be required to provide the option to delete your credit-card details on request (something websites still aren't required to do), they forced websites to show a warning if they used cookies. Perhaps in some alternate universe, people actually wanted that. In that alternate universe, it was no doubt implemented as a browser extension, and the law was still pointless.

Re:If there's no place for terrorists to hide

[grumpy_old_grandpa]

As far as I can tell, Amber Rudd is trying to force her policy through by appealing to emotions and fear. She is willing to use the act of violence (admittedly, somebody else took care of the dirty work for her) to further her agenda. Now, isn't that the very definition of a terrorist?

Then again, perhaps it's a moot point. The word "terrorist" has lost most of its meaning, and simply means enemy or opponent by now. So you could call her an enemy of the people, I suppose. That goes for a lot of people in power in our so called democracies these days, though.

Re: If there's no place for terrorists to hide

If it saves one life it's worth it: ban all non state-approved encryption, fine users and imprison developers who refuse to obey. We demand to be safe.

Re: If there's no place for terrorists to hide

That's easy, all we have to do is put them in a position where they can really appreciate that sentiment. Basically just wait a little bit and do nothing.

Unacceptable

We need encryption to ensure that no third party, especially government and investigators cannot see our messages.

I require protected communications, and if that helps the terrorists then so be it.

Android

'nuff said

riddled with security weaknesses you could drive a truck through

Re: Android

And apparently, open ports.

xD

WHAT is the point of this news?

Other than to declare quite publicly, "WHATSAPP IS KILL!" to anybody who might otherwise trust it?

Original article:

[Gravis+Zero]

Here's the original article that this is all based on.

Then quit voting for statist control freaks

And quit voting to give those statist control freaks more money and power.

You don't want the government to read your email or listen in on your phone calls? Then quit pining for single-payer health care

Do you REALLY think you can safely give a government that's already trying to watch your every move that much power and still retain any liberty or privacy?

REALLY?!?!?!

That't what they want you to think.

[goombah99]

They want you to think that they think they can trick you to using what's app by saying they can decrypt it when they can so that you will think they are saying they can decrypt it so you will think they can't because they are saying they can.. And yes that also makes no sense, just like your post.

Re:The Liberals' war on vaginas

[hey!]

I am personally insulted by the ineptitude of this troll. Please try again. This time with feeling.

Re:The Liberals' war on vaginas

Totally agree! But you made a typo. That is the Republicans' social platform.

More racism from white people

They hate us so they constantly lie. This was an accident but they hate us so they lie.

Re:More racism from white people

And in Seattle we only get dialup, right?

Re: More racism from white people

Appers ApP APP Appy AppPz.

Yu fa1l it!

I call bulls**t

The main UK newspaper reports say the security services/police have interviewed the person he sent the message to, so have probably just looked at that persons phone, or used the dead terrorist's hand to unlock the phone.

The police did what I would want them to do

[93+Escort+Wagon]

They had a specifically targeted phone, they used "human and technical intelligence" to get into it. No broad request (specifically from them, anyway, in this case) to compromise everyone else's personal privacy and financial security in pursuit of their goal.

On the face of it, at least, this seems to be what I would want them to do.

Re:The police did what I would want them to do

[wvmarle]

As pointed out above, and what I suspected already, most likely there is no encryption broken: they asked the recipient (one of the suspect's contacts) nicely, and recipient simply gave them the message. A much more likely scenario than breaking the encryption of a single message that happens to be of utmost importance.

I for one mostly trust WhatsApp to put effort in working encryption. Why? It's their selling point, and the moment it's shown they're giving their messages to the NSA or whatnot it's on to the Next Great Thing, whatever that may be, and WhatsApp lost all its billions in one big swoop. WhatsApp has economical reason to make sure their encryption is pretty decent at the very least.

Then another thing: apparently a single message has been recovered, and that one message happens to clearly show the motives of the suspect. What a coincidence! Just one message, and that's the one that matters. Looking at my WhatsApp most single messages have little to no meaning. Heck, most conversations don't have much meaning. So the coincidence to pick out and decrypt just the right message is about as great as picking the right decryption key randomly. It even starts to sound like "one of the suspect's contacts came to the police and volunteered the clue".

And finally, why could they only decrypt that one message, and not the rest of the conversation? I forgot how WhatsApp's encryption is supposed to work but I don't remember separate keys for each and every message. At least a unique key per contact it was. Anyway it's not likely that they are limited to just one message. If they can decrypt that one, they can (and presumably would - part of the investigation after all) decrypt the rest.

Not suprising

[110010001000]

You don't know what the WhatsApp "app" is doing. It is closed source. It could be sending all your messages directly to the NSA. Why would you trust your communications to closed source running on a megacorporations system?

Re:Not suprising

[thegarbz]

What's your alternative? An open source messaging app that no one uses and therefore can't be used to send messages at all to anyone?

Even if I could convince people to use it, who has audited the code? That's beyond my capability. How do I know the compiled result I downloaded from an app store is the same as the compiled result from the code, I can't MD5 the app store. How do I know the compiled binaries published by the programmer actually represent the original code that is currently under review?

If you have something to hide you can't trust anything, not closed source, not open source.

Re:Not suprising

How many times per article do you post the same post? I've noticed it for a week now. You take an article, pick one talking point and then repeat repeat repeat. It's not insightful at all, and clearly shows that you actually don't give two shits about anything, you're simply trolling to troll.

Re:Not suprising

Signal is open source, and has passed an audit.

It's really not that hard.

https://threatpost.com/signal-audit-reveals-protocol-cryptographically-sound/121892/

Re:Not suprising

I only see Signal downloads for Android and iOS. Where are the Windows, Mac and Linux versions?

I think I'll just stick with Tox. It's available everywhere and it's peer-to-peer.

Re:Not suprising

that's easy. because I'm not a fucking loser moron whose brain has to overcompensate for low self esteem. it's also why I lock my door despite the police being able to open it, why I lock a bike using a light chain pliers can snap instead of carrying a heavy industrial one.

it's called society of normal people - that group that rejects you for being an buttfuckingugly loser who's stuck on autism. we also all say the sky is blue despite you arguing that on rainy days it's not so it's not technically always blue.

our chat system is irrelevant and we have other important shit to do. if it makes the information 50% harder to access that's high enough of a bar to guarantee casual privacy. you, you can make yourself feel important by focusing on irrelevant shit. we got other things going on you're not a part of. and please stay the fuck indoors. you smell and you make us lose our appetite with how you look. this new fucking nerd generation.

fucking a. nerds who are stupid. who would have thunk. you, creamer, and that apk tardnut. although you might be schizo-people in the same body. who the fuck knows.

We _Totally_ Decrypted It

We can't tell you how we did it, but trust us, we totally decrypted this message. And it named these people as accomplices. What's that? Those were the same people who organized some innocuous protest against government overreach last week? Huh, must be a coincidence.

Re:We _Totally_ Decrypted It

It's much more likely they could read the messages without breaking the encryption. Reading temporary or cache files, or just opening the app and reading the messages once they got into the phone.

Re:We _Totally_ Decrypted It

So totally missing the point. If they can't say how they acquired the message, then there is no proof that it actually says what they claim it says.

Stop using "encrypted" apps on proprietary phones

[Traverman]

In the US anyway, freedom is worth dying for. The best way to fuck the terrorists is to show them that they can't change anything about our social norms. As far as I'm concerned, Whatsapp should be considered an in-the-clear messenger which is only "encrypted" because the government happens not care about the sender at this particular moment. What this sort of "pretend encryption" approach does is let the terrorists know that we're willing to give up our core values so they won't kill anymore of us. Heck, why stop there? We all might as well convert to their perverted brand of Islam. Of course, this is all misguided because eventually they'll find out how to do more damage, encryption or not. Which means we'll still have terror attacks a century from now, but what we won't have is private messaging.

What do we need in order to reclaim the freedom that our ancestors (in America, at least) literally died for? Open source everything, from the circuit diagrams in our chips all the way to the app layer. Is this happening? I hope I'm just ignorant, but the answer would seem to be "no". There's no "real money" in open source anything, and things are getting exponentially more complicated with time. So maybe there's something to be said for building a truly dumb "combox" for private messaging and nothing else, which actually could make money for the people behind it, and therefore be economically viable. Does anyone know of anything like this? And no, I'm not talking about some "brilliant" encryption app running on top of swiss cheese dogshit like Android.

Impossibility of access

[AcidPenguin9873]

Before encrypted electronic communications, criminals and terrorists had to use things like in-person meetings or unsecure communications methods (like analog telephony) to communicate. These were obviously vulnerable to being listened to for a determined party, but that was simply how it was, there was no other option. Law enforcement could use various human-powered means to target specific individuals or organizations, like tapping a particular phone line and having a human listen to it when it went active, or maybe stake out a particular meeting place with some high-power microphones. For the general non-criminal population, while it was technically possible for the government to listen to everyone all the time, it was realistically impractical because of the vast amount of manpower it would require.

Today we're in the opposite situation. Law enforcement can now get ahold of all electronic communications through various taps, but if criminals and terrorists use the proper technology and best practices, it is *impossible* for law enforcement to know what is being said. (Yes, deep-cover operatives are still possible but are impractical for all but the absolute highest-priority things for reasons of time, risk, and the same old manpower problem).

I don't have a great answer. Anything is either too insecure or seems too vulnerable to corruption. The only thing I've come up with is third-party escrow of encryption keys, but who is the third party and how do we know they aren't corrupt?

Re:Impossibility of access

And how do you propose forcing terrorists to submit to the "third-party escrow of encryption keys"? Encryption is mathematics. Mathematics can't be regulated.

Rubber hose cryptanalysis?

https://blogs.spectator.co.uk/2017/04/terrorism-teaches-lesson-still-refuse-learn/

"These messages, sent to a friend, reveal that the 52-year old convert:
‘Declared that he was waging jihad in revenge against Western military action in Muslim countries in the Middle East’"

That's not what I read

How odd. I read that it was the recipient of the message who went to the police and gave them his phone.

Re:That's not what I read

[gweihir]

Naa, that would be the obvious explanation. Too simple and plausible.

Re: The Liberals' war on vaginas

Stay on topic, Donnie. It's your 100th day on the job.

Data at rest

[adam.voss]

I understood WhatsApp covered the communication of the data (message) in motion (transit). If they have recovered a message from the phone, that is data at rest and WhatsApp's encryption seem to have little to do with it. Even if WhatsApp does encrypt the message locally, the keys are on the device, rendering the encryption moot.

Here are the techniques available to do this

1. bruteforce (will not happen) and 2. the maker of the app and/or the phone will say the messages are encrypted, but lie, and will eventually hand the contents over when asked to.

Don't think your communications are secure if you use iPhone or Android.

Hardly news, whatsapp is proven broken

[DavidDoleman]

Whatsapp is proven insecure and it is also not identical to whisper but in fact a derivative... Do not use it for secure messaging, only signal remains confidently secure end to end https://www.schneier.com/blog/...

"A secret place for terrorists to communicate"

[TheDarkener]

I know a sure-fire legal way to ensure apps like this don't allow terrorists to communicate:

When you install it, it will ask, "Are you a terrorist? [Y/N]"

You're welcome.

Do your job

... There should be no place for terrorists to hide.

Then have the police/military spy on them, which is easy because you're not letting the terrorists hide. Right?

It's completely unacceptable.

It's also unacceptable that terrorists have cars for making self-propelled bombs, or knives for killing unarmed police officers. How about banning those tools too?

Can also be read like...

[rholtzjr]

There should be no place for terrorists to hide. We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don't provide a secret place for terrorists to communicate with each other," U.K. home secretary Amber Rudd had said.

This can also be read by replacing "terrorists" with "government" with respect to harming the people they are supposed to be representing. Because naturally neither EVER lies to us nor do they have secret communications that only they are privy.

The WhatsApp exploit revealed on BBC Radio

[RDW]

Clearly our Home Secretary Amber Rudd has now found some people who "understand the necessary hashtags": http://mashable.com/2017/03/27...

Unverifiable

Without disclosure of how they achieved the result, it is just another unverifiable assertion.

No place to hide

[SwashbucklingCowboy]

If there's no place for terrorists to hide then there's no place for anyone to hide.

Re:Stop using "encrypted" apps on proprietary phon

You assume that our uneducated mass care. Our degrading schools and education system is making our republic and democracy a complete and utter failure because no one understands what it means anymore. This would all work when you have a majority intelligent population.

Hmm

[Meski]

So, security by obscurity, but in reverse.