WhatsApp crypto snafu drops trou on users' privates

Mobile messaging service WhatsApp came for criticism over the robustness of its cryptography last week after a fix for a January security snafu was slammed for not being robust enough. Back at the beginning of the year WhatsApp was investigated in Canada and the Netherlands for indefinitely retaining users' email address book …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Easy fix: don't use it.

WhatsApp and Viber are one of the most successful attempts at global intercept ever.

The problem with SMS intercept is that you need access to all the service providers to collect information, which is a real pain outside the US because of those pesky privacy laws and the annoying need to have to explain yourself or having to share with local intelligence buddies.

The solution: make something "free" that just so happens to have its core service in a country where the population has been manipulated into accepting that such trivial things as human rights should be discarded in the fight for, well, what exactly? I've lost track...

Viber: ditto for voice.

As a general rule, don't run "free" services that refuse to work unless you give them access to all your very personal data such as your address book. Yes, Apple, that includes the iCrap which exports all this data to good ol' USA without the ability to control that upfront.

5
0
Anonymous Coward

Re: Easy fix: don't use it.

@AC 11:51

"The problem with SMS intercept is that you need access to all the service providers to collect information, which is a real pain outside the US because of those pesky privacy laws and the annoying need to have to explain yourself or having to share with local intelligence buddies."

Dead wrong. There are NSA / NRO satellites in space that do nothing but continuously collect cell and Wi-Fi signals from phones. They do not need access to the providers and SMS messages are not encrypted. The cell phone itself broadcasts it directly to their antenna. US Gov has collected radio signals from space since the 60's. There is no privacy law stopping them as you are a foreigner in a foreign country to them. The original NSA charter allows the US to spy on foreign radio signals since the 1950's.

"As general rule, don't run "free" services that refuse to work unless you give them access to all your very personal data such as your address book. Yes, Apple, that includes the iCrap which exports all this data to good ol' USA without the ability to control that upfront."

Huh? This is contradictory and inane. You say don't use free services, then point out it doesn't matter because your phone will upload it to them anyway? WhatsApp is no safer than Blackberry Messenger. You will recall India, Saudi Arabia and a few other countries who refused to let BBM work in their country unless the govs had back door entry into the data stream. The ones who didn't ask, already had access.

Your grasp of technology, to be frank, is lacking. Your ignorance, more than obvious. Try not to comment on things you neither understand nor comprehend. It interrupts the adults when they're talking.

0
9
Anonymous Coward

Re: Easy fix: don't use it.

The original NSA charter allows the US to spy on foreign radio signals since the 1950's.

Interesting fallacy there: because the US government says it's OK for the NSA to spy on me as a foreigner it's "allowed"? AFAIK they still break local (read: non US) law if they do so. Of course, nothing can be done about it, but it ain't legal because the US says so (thankfully).

Huh? This is contradictory and inane. You say don't use free services, then point out it doesn't matter because your phone will upload it to them anyway?

Umm, no - read again. Use your finger and slowly follow the words on the screen. Spell them loudly if that helps.

What I said was that certain apps refuse to work at all unless you give them access to your address book, so don't use those (WhatsApp is one of them, btw). I added that iCrap (the cloud thingy) also has a habit of first wholesale grabbing every scrap of contact and calendar data on an iPhone when you enable it; you can only deselect services AFTERWARDS (and you then have to zap the already collected data from the web interface). Do you get it now or do you need words with fewer syllables?

WhatsApp is no safer than Blackberry Messenger. You will recall India, Saudi Arabia and a few other countries who refused to let BBM work in their country unless the govs had back door entry into the data stream. The ones who didn't ask, already had access.

BS. BBM was reasonably well encrypted, so even server side you did not have access to the messages. Said keys are only in the hands of governments, whereas access to WhatsApp information is completely undefined. I presume you carefully omitted Viber because that would completely annul your observations: they will actually confirm it's all unencrypted if you ask them nicely.

Your grasp of technology, to be frank, is lacking. Your ignorance, more than obvious. Try not to comment on things you neither understand nor comprehend. It interrupts the adults when they're talking.

Your need for invective suggests frustration. It's not my fault she was laughing loudly when she rejected you, but that may correlate with your clearly demonstrated habit of reaching the wrong conclusions.

0
0
Anonymous Coward

Re: Easy fix: don't use it.

Your grasp of technology, to be frank, is lacking. Your ignorance, more than obvious. Try not to comment on things you neither understand nor comprehend. It interrupts the adults when they're talking.

Bwahahah!

Oh po-o-ot... come over here and meet my good friend Mr. Kettle.

Intercept cellular data and wifi from space indeed can "they"? Clearly showing no respect for the laws of physics then. This behaviour must be discouraged!

0
0
Silver badge

Cool ...

"Dutch mathematics and computer science student Thijs Alkemade" ... has an encrypted name

0
0
Silver badge

Re: Cool ...

So do a lot of the best CS guys - I'm thinking of Djikstra (dare you to assert that you could pronounce his name properly from the first time you saw it, without being from a country where it's a popular name).

1
0
Bronze badge
Headmaster

Djikstra, Dijkstra, what's in a name...

Erm yes, Dijkstra.

I'd think Djikstra would be slightly more easily pronounceable than Dijkstra for native English speakers.

Just think of it as Dykstra - or even Dykestra ;) - and maybe that will make pronouncing it easier.

0
0

Nothing to see here, move on...

Why do people seem to get so wound up about this stuff? Are you sending national security secrets around the place? Are you involved in terrorism? Do you send your bank account details and passwords to your friends via this app, even? No, 99.999% of you, like me, live very 'normal' lives and no-one in their right mind is going to want to bother wasting their efforts hacking us (possibly bar some real edge cases like extreme stalkers). So sure, be a bit careful what you send over these apps. Like you always should have been anyway! Otherwise, calm the fcuk down, put away the tin foil hats, cancel your membership of that Survivalist movement in Montana, NEVER tell anyone that you sold all your shares and had a great big party because you thought the end of the world was nigh and carry on living your life in peace.

Complacent? Possibly. You can tell me I was wrong when I see you in Hell.

2
8
Big Brother

Re: Nothing to see here, move on...

Perhaps, one fine day, when the G4S National Health Awareness Community Outreach Police come knocking at your door to invite you away for the Alimentary Re-Education Internment Programme, just because you organised a meet-up of your mates to eat pizza, you'll realise what was wrong.

7
1

Re: Nothing to see here, move on...

My thoughts exactly.... this is a throwaway messaging system for inane chit chat, not the exchange of sensitive data.

I don't believe it has ever advertised itself on the security of its message transport and even though the odds of someone hacking your message is so slim I do wonder what percentage of random messages are intercepted and then the percentage actually compromised.

If you have metallic headwear or have something to hide, discuss it in person, in the middle of a wasteland, or swimming pool, or somewhere equally unmonitored...

0
6
Anonymous Coward

Re: Nothing to see here, move on...

My thoughts exactly.... this is a throwaway messaging system for inane chit chat, not the exchange of sensitive data.

As various Twitter cases over the past few years have shown, your inane chitchat can and will be held against you. There's no such thing as "perfect forward inanity".

3
1
Anonymous Coward

Re: Nothing to see here, move on...

If a service encrypts its communications then users have a quite reasonable expectation that their messages can't be listened to. Otherwise, why even bother to encrypt in the first place?

And given that you've decided to encrypt, why not employ someone who knows how to do it, rather than some school kid that makes these kinds of errors?

When errors this elementary crop up, it does make you think that perhaps they weren't genuine errors at all.

2
0
Bronze badge
Devil

Re: Nothing to see here, move on...

Fool.

"If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him." - the seventeenth century called, Cardinal Richelieu wants his quote back. It clearly hasn't taught anyone anything in the twenty-first.

1
0
Anonymous Coward

Re: Nothing to see here, move on...

"Fool."

Paranoid fool.

0
1
Silver badge
Facepalm

Hey, guys! There is this thing called TLS!

Let's not use it and develop our home-brew crypto. That's bound to be safer.

Encryption 101: don't think your roll-your-own solution is going to be better than strong ones others have already thought about; 999 times out of 1000 you are dead wrong. Sure, there may be weaknesses in existing crypto, but who says there aren't worse weaknesses (not to mention gaping holes) in yours? When you develop something new, it is up to you to prove it is better.

4
0
Bronze badge

Re: Hey, guys! There is this thing called TLS!

Never understood why people try to write their own systems when the underlying OS's manufacturer will ship crypto libraries with the phone's IDE anyway. Or failing that, use one of the numerous libraries already out there. Unless the point of your app is dependent on a specific encryption system (Like BBM) there is no point in making your own system.

0
0
Anonymous Coward

Haha

Gawd, the internal emails on the WhatsApp dev team must have been a joy to read. Dev to manager: "Why aren't we initialising our IV from /dev/random? Why in God's name do you want me to use the MAC address? Don't you realise how insecure that'll be?" Manager back to dev: "I can't tell you why, just do it."

Yeah, the NSA have got their hooks -deep- into WhatsApp. Unless anyone here genuinely believes these were all 'coding mistakes'. The NSA seems to be operating a policy of tolerating apps using encryption, as long as they fuck up the implementation exactly as they're told to...

9
0
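The IV choice this post complains about is easiest to understand with a small worked example. The Python below is an added example, not code from the article, from any commenter or from WhatsApp: it uses a constructed HMAC-SHA256 counter-mode keystream as a stand-in for a stream cipher (not WhatsApp's actual cipher), derives an IV from a constructed MAC-style device identifier on one side and from the OS CSPRNG (the `/dev/random`-style source the post mentions) on the other, shows why one shared keystream ties two ciphertexts to each other, and ends with a small check a reviewer can run over constructed `(key_id, iv)` records to flag repeated IVs.

```python
import hashlib
import hmac
import os
from collections import Counter


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # Constructed counter-mode keystream from HMAC-SHA256. It stands in for a
    # stream cipher in this example; it is not WhatsApp's cipher or any library API.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, iv + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # XOR over the common prefix; callers pass equal-length inputs.
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # A stream cipher is symmetric: the same call decrypts.
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


def iv_from_device_id(device_id: str) -> bytes:
    # The weak pattern the post describes: the IV comes from a fixed hardware
    # identifier, so every message from that device reuses the same IV.
    return hashlib.sha256(device_id.encode()).digest()[:16]


def iv_random() -> bytes:
    # The fix: a fresh IV per message from the kernel CSPRNG
    # (os.urandom reads the same pool as /dev/urandom on Linux).
    return os.urandom(16)


def ciphertext_xor(key: bytes, iv1: bytes, iv2: bytes, p1: bytes, p2: bytes) -> bytes:
    # When both messages share one keystream the keystream cancels out and the
    # XOR of the two ciphertexts equals the XOR of the two plaintexts, so the
    # messages are related to each other without the key ever being recovered.
    return xor_bytes(stream_encrypt(key, iv1, p1), stream_encrypt(key, iv2, p2))


def reused_ivs(records):
    # Detection: records is a list of (key_id, iv) pairs taken from traffic
    # logs; any pair seen more than once means keystream reuse, whatever the cipher.
    counts = Counter(records)
    return sorted(pair for pair, n in counts.items() if n > 1)


# Constructed demo inputs (both plaintexts are 24 bytes long).
DEMO_KEY = hashlib.sha256(b"constructed demo key").digest()
P1 = b"meet at nine at the cafe"
P2 = b"call me back before noon"
BAD_IV = iv_from_device_id("AA:BB:CC:DD:EE:FF")   # constructed MAC-style identifier

# Constructed log records: key k1 used IV 00..00 twice.
DEMO_RECORDS = [
    ("k1", "00" * 16),
    ("k1", "00" * 16),
    ("k2", "00" * 16),
    ("k1", "01" * 16),
]

if __name__ == "__main__":
    print("leak with fixed IV  :", ciphertext_xor(DEMO_KEY, BAD_IV, BAD_IV, P1, P2) == xor_bytes(P1, P2))
    print("leak with random IVs:", ciphertext_xor(DEMO_KEY, iv_random(), iv_random(), P1, P2) == xor_bytes(P1, P2))
    print("reused (key, iv) pairs:", reused_ivs(DEMO_RECORDS))
```

Run as a script it prints True for the fixed-IV case, False for the random-IV case, and the single repeated `("k1", "00…")` record. The point for a reviewer is the last function: the cipher's strength is irrelevant once a (key, IV) pair repeats, so IV uniqueness is something to check in logs and tests, not something to assume.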
Bronze badge
Devil

Re: Haha

...or otherwise put "because it was decided we'll follow the Playstation Reference Implementation, and therefore random() shall be defined as 4. They guarantee it was chosen by a fair roll of dice, what is your problem?!?"

0
0