WhatsApp Security Vulnerability

Back in March, Rolf Weber wrote about a potential vulnerability in the WhatsApp protocol that would allow Facebook to defeat perfect forward secrecy by forcibly changing users' keys, allowing it -- or more likely, the government -- to eavesdrop on encrypted messages.

It seems that this vulnerability is real:

WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.

The recipient is not made aware of this change in encryption, while the sender is only notified if they have opted-in to encryption warnings in settings, and only after the messages have been re-sent. This re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users' messages.

The security loophole was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. He told the Guardian: "If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys."

The vulnerability is not inherent to the Signal protocol. Open Whisper Systems' messaging app, Signal, the app used and recommended by whistleblower Edward Snowden, does not suffer from the same vulnerability. If a recipient changes the security key while offline, for instance, a sent message will fail to be delivered and the sender will be notified of the change in security keys without automatically resending the message.

WhatsApp's implementation automatically resends an undelivered message with a new key without warning the user in advance or giving them the ability to prevent it.

Note that it's an attack against current and future messages, and not something that would allow the government to reach into the past. In that way, it is no more troubling than the government hacking your mobile phone and reading your WhatsApp conversations that way.

An unnamed "WhatsApp spokesperson" said that they implemented the encryption this way for usability:

In WhatsApp's implementation of the Signal protocol, we have a "Show Security Notifications" setting (option under Settings > Account > Security) that notifies you when a contact's security code has changed. We know the most common reasons this happens are because someone has switched phones or reinstalled WhatsApp. This is because in many parts of the world, people frequently change devices and Sim cards. In these situations, we want to make sure people's messages are delivered, not lost in transit.

He's technically correct. This is not a backdoor. This really isn't even a flaw. It's a design decision that put usability ahead of security in this particular instance. Moxie Marlinspike, creator of Signal and the code base underlying WhatsApp's encryption, said as much:

Under normal circumstances, when communicating with a contact who has recently changed devices or reinstalled WhatsApp, it might be possible to send a message before the sending client discovers that the receiving client has new keys. The recipient's device immediately responds, and asks the sender to reencrypt the message with the recipient's new identity key pair. The sender displays the "safety number has changed" notification, reencrypts the message, and delivers it.

The WhatsApp clients have been carefully designed so that they will not re-encrypt messages that have already been delivered. Once the sending client displays a "double check mark," it can no longer be asked to re-send that message. This prevents anyone who compromises the server from being able to selectively target previously delivered messages for re-encryption.

The fact that WhatsApp handles key changes is not a "backdoor," it is how cryptography works. Any attempt to intercept messages in transit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system.

The only question it might be reasonable to ask is whether these safety number change notifications should be "blocking" or "non-blocking." In other words, when a contact's key changes, should WhatsApp require the user to manually verify the new key before continuing, or should WhatsApp display an advisory notification and continue without blocking the user.

Given the size and scope of WhatsApp's user base, we feel that their choice to display a non-blocking notification is appropriate. It provides transparent and cryptographically guaranteed confidence in the privacy of a user's communication, along with a simple user experience. The choice to make these notifications "blocking" would in some ways make things worse. That would leak information to the server about who has enabled safety number change notifications and who hasn't, effectively telling the server who it could MITM transparently and who it couldn't; something that WhatsApp considered very carefully.

How serious this is depends on your threat model. If you are worried about the US government -- or any other government that can pressure Facebook -- snooping on your messages, then this is a small vulnerability. If not, then it's nothing to worry about.
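To make the blocking versus non-blocking distinction concrete, here is an added example (written for this post, not WhatsApp's or Signal's code) that models the sender's client as the quoted text describes it: an outbox where each message carries the key it was encrypted for and whether it has a delivery receipt, and a key-change handler that either re-encrypts and resends only the messages without a receipt (non-blocking, notifying afterwards if the setting is on) or holds everything until the user verifies (blocking). Encryption is modeled by tagging a message with a key identifier; the key names, the `Client` type and the notice strings are assumptions. The `ExposedTo` helper makes the post's point visible: what a holder of the new key can read is exactly the set of messages that had not been acknowledged, never a message with the double check mark.

```go
package main

import "fmt"

// Policy is what the sending client does when the server announces that
// the recipient's identity key has changed.
type Policy int

const (
	// NonBlocking (WhatsApp, per the post): re-encrypt undelivered messages
	// for the new key, resend them, then show an advisory notice if the
	// user has opted in to security notifications.
	NonBlocking Policy = iota
	// Blocking (Signal, per the post): hold undelivered messages and tell
	// the user the safety number changed; nothing is resent until the
	// user accepts the new key.
	Blocking
)

// Message is one outgoing message as the sender's client tracks it.
type Message struct {
	ID        int
	Text      string
	KeyID     string // identity key this copy was encrypted for (constructed id)
	Delivered bool   // "double check mark": recipient's client acknowledged it
}

// Client is a toy model of the sender's state for a single contact.
type Client struct {
	ContactKey         string    // identity key currently trusted for the contact
	PendingKey         string    // key announced but not yet accepted (Blocking)
	ShowSecurityNotice bool      // the "Show Security Notifications" setting
	Outbox             []Message // everything sent, delivered or not
	Notices            []string  // what the user has been shown
}

func NewClient(contactKey string, showNotices bool) *Client {
	return &Client{ContactKey: contactKey, ShowSecurityNotice: showNotices}
}

// Send "encrypts" (tags) a message for the currently trusted key.
func (c *Client) Send(id int, text string) {
	c.Outbox = append(c.Outbox, Message{ID: id, Text: text, KeyID: c.ContactKey})
}

// Ack records a delivery receipt from the recipient's client.
func (c *Client) Ack(id int) {
	for i := range c.Outbox {
		if c.Outbox[i].ID == id {
			c.Outbox[i].Delivered = true
		}
	}
}

// KeyChange handles the server's announcement of newKey under policy p and
// returns the IDs of messages that were re-encrypted and resent.
func (c *Client) KeyChange(newKey string, p Policy) []int {
	resent := []int{}
	if p == Blocking {
		c.PendingKey = newKey
		c.Notices = append(c.Notices, "safety number changed; verify before messages are resent")
		return resent
	}
	for i := range c.Outbox {
		m := &c.Outbox[i]
		if m.Delivered {
			continue // delivered messages are never re-encrypted for a new key
		}
		m.KeyID = newKey
		resent = append(resent, m.ID)
	}
	c.ContactKey = newKey
	if c.ShowSecurityNotice {
		c.Notices = append(c.Notices, "security code changed (shown after resend)")
	}
	return resent
}

// ExposedTo lists the messages a holder of keyID could decrypt: under the
// non-blocking policy that is exactly the set without a delivery receipt.
func ExposedTo(c *Client, keyID string) []int {
	ids := []int{}
	for _, m := range c.Outbox {
		if m.KeyID == keyID {
			ids = append(ids, m.ID)
		}
	}
	return ids
}

func main() {
	for _, p := range []Policy{NonBlocking, Blocking} {
		c := NewClient("key-v1", true)
		c.Send(1, "hi")
		c.Send(2, "are you there?")
		c.Send(3, "call me when you can") // no receipt yet: recipient offline
		c.Ack(1)
		c.Ack(2)
		resent := c.KeyChange("key-v2", p)
		fmt.Printf("policy %d: resent %v, readable under key-v2: %v, notices %v\n",
			p, resent, ExposedTo(c, "key-v2"), c.Notices)
	}
}
```

Running it shows the two outcomes side by side: the non-blocking client resends message 3 only and shows the notice after the fact, while the blocking client resends nothing and keeps `key-v1` as the trusted key with `key-v2` pending. Dropping the `Ack` calls enlarges the exposed set to every message, which is why the receipts matter as much as the key-change notice.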

Slashdot thread. Hacker News thread. BoingBoing post. More here.

EDITED TO ADD (1/24): Zeynep Tufekci takes the Guardian to task for their reporting on this vulnerability. (Note: I signed on to her letter.)

EDITED TO ADD (2/13): The vulnerability explained by the person who discovered it.

This is a good explanation of the security/usability trade-off that's at issue here.

Posted on January 17, 2017 at 6:09 AM • 121 Comments

Comments

Michael Schaap • January 17, 2017 7:00 AM

But isn't there a risk of a MITM attack? It seems to me like government organizations don't need to pressure Facebook, as long as they have control over the network.
They could filter out Bob's message confirmations to Alice so that her WhatsApp client can still resend these messages, then pretend to be Bob's new phone and initiate a key exchange.
Wouldn't that work?

Wm • January 17, 2017 7:54 AM

Because the vulnerability exists, I eschew WhatsApp and do not trust it. I will also never trust anyone of the likes of Mark Zuckerberg, who has been outed many times in the past concerning dubious snooping behavior.

RonK • January 17, 2017 7:55 AM

@ Michael Schaap

It's not clear to me what you are worried about. If a government filters out the confirmations, then Alice knows that those messages were resent after the key change (I'm assuming she cares).

That is, unless the client was "updated" to a special version designed to enable the government in question to, well, do whatever it wants (or whatever it wants for specific users, or...). That is probably a more serious problem with WhatsApp security in this case.

aeon • January 17, 2017 8:06 AM

Bruce, and everyone: Tobi's blog is currently down due to traffic (which might be a good thing: some people take note).

Please read his explanation, and his response to Moxie Marlinspike, at The Guardian.

https://www.theguardian.com/technology/2017/jan/16/whatsapp-vulnerability-facebook

I am quite glad there is a discussion, and I sincerely hope that Bruce, Moxie, Tobi and others who deal with cryptography and usability on a professional level will continue discussing this issue in public.

With the current political situation in many parts of the world, we desperately need people who explain to the general public, including your and my mom, why this matters.

Pete • January 17, 2017 8:37 AM

Usability trumps security again.
OTOH, lacking usability can effectively be a fatal problem. Just look at using GPG for email. It is too hard for most people.

Dragonlord • January 17, 2017 9:20 AM

I personally think that if you've got security notifications on, then you can easily check to see if you're being intercepted by starting your conversations with something innocuous like "Hi".

If that comes back with a change then give them a call and see what's going on.

Other than that, the fact that your mobile number is the address is more problematic as it allows the authorities to do metadata queries on your messages (who sent to who when) without touching the content of your messages.

Sok Puppette • January 17, 2017 9:21 AM

It's not just pressure. If I'm worried about anybody, government or otherwise, who can crack or infiltrate Facebook, then this is a fairly serious vulnerability. It's also a serious vulnerability if I'm worried about Facebook itself attacking me as a matter of intentional policy.

It's true that most people don't (or shouldn't) have that threat model. Governments aren't going to exercise that kind of pressure for any normal case, and other actors aren't going to care to attack most users. But if somebody did legitimately have that threat model, I don't see how you could call the vulnerability "small".

Of course, the fact that I can't reproducibly compile the WhatsApp code from source already makes it unfit for any serious use if such people are in my worry-about list.

No, it's not a back door. But people do need to understand that the cost of "usability" is real.

folex • January 17, 2017 9:27 AM

I didn't quite grasp why an attacking entity (e.g. a government) has the ability to read messages.
What does "WhatsApp has the ability to force the generation of new encryption keys for offline users" mean? Does it mean that the WhatsApp backend has the ability to force the sender to use a pregenerated compromised key provided by the attacker?
In terms of the WhatsApp security whitepaper, does that mean that an attacker can force the sender to use newly generated (by the attacker) S_recipient, O_recipient and the main one, I_recipient?
I'm asking because "force the generation of new _encryption_ keys" doesn't really specify who would generate the keys, or what about the identity key that signs everything.

Dirk Praet • January 17, 2017 9:37 AM

Although I found @Moxie's initial reply reasonably reassuring, I'm not so convinced anymore since Signal seems to handle it in an entirely different way than WhatsApp does.

@ Bruce

@Rolf Weber was hardly the first to point out this specific type of vulnerability/attack vector. Matthew Green and others already did so as far back as 2013, and I would even argue that the Google+ post you're referring to was actually based on @Nicholas Weaver's Lawfare Blog article from August 4th 2015.

For what it's worth, and unless you're trying to send us some sort of subliminal message, I find it a bit odd that you're specifically crediting a person whom quite some folks (including myself) here have a long-standing history of animosity with due to his almost religious anti-Snowden crusade and the less than civil way he went about it.

Thoth • January 17, 2017 10:39 AM

@all

Maybe my approach is a bit too harsh as per usual but I classify ALL Signal and derived applications that includes WhatsApp (note that I did not say classify the Axolotl protocol as compromised) for the fact that the creator of Signal has an aversion to userbase forking and other variants and for the fact that WhatsApp is under the control of Facebook which is known to be secretly in bed with the ICs selling off all its users.

As I and @Clive Robinson and possibly many others have repeatedly mentioned in the past, relying on a so-called secure chat's E2E capability is not going to work. What is needed is a separate encryptor running on a reasonably trusted platform. This will anticipate that the "secure chat" might turn against you.

One example of the so-called Box-in-a-Box encryption method I spoke of in the past and now refresh here is to have an XMPP chat (either hand coded or with API interfaces) where you have an encryptor running on other hardware. The encryptor can be connected via a USB link at the very least to inject the ciphertext into the XMPP chat for outbound messages and to receive inbound ciphertext from the XMPP chat and decrypt and display it on the encryptor's secure display.

A ready alternative could be to modify XMPP chat software and load it onto a communication device (smartphone). A Raspberry Pi can be equipped with an LCD touchscreen and be used as the encryptor, and over GPIO to USB or even over WiFi or Bluetooth with encryption between the two devices, the Raspberry Pi can be used to encrypt outbound messages and decrypt inbound messages while using the attached LCD screen for display and interaction. This essentially increases security since the encryptor software runs on the Raspberry Pi, which allows you to inspect the crypto code. It is more difficult to inspect smartphone binaries as they are distributed over their dubious App Store models and thus should be relegated to mere communication gateways only.

Spaceman Spiff • January 17, 2017 11:23 AM

Real secure communications is difficult, isn't it? WhatsApp is much better than most. Its popularity in Latin America indicates how much this privacy of communication means for the people there. My family in Mexico and I use it constantly for even trivial communications. Practice makes perfect!

Curious • January 17, 2017 11:34 AM

@Bruce writes: If you are worried about the US government -- or any other government that can pressure Facebook --

But this ignores another threat vector, the possibility that Facebook could be hacked. In which case a private entity or foreign government could be involved. One can debate the likelihood of a successful attack on FB's key exchange server but let's not forget the FBI found its way into an iPhone without Apple's help. So the odds of such a successful hack are greater than zero.

Devin • January 17, 2017 11:53 AM

From the article:

Note that it's an attack against current and future messages, and not something that would allow the government to reach into the past.

That isn't quite my understanding. The protocol seems to support out-of-order messages and WhatsApp will resend unack'ed messages after rekeying. Thus, if the attacker eats the read receipts before rekeying, they can get all those old messages delivered to the new device.

Martin • January 17, 2017 11:57 AM

While I agree that it is unfortunate that you are not asked if you want to accept the key-change, it cannot be used to read old messages that have been ACKed. And you see in the application, which messages have already been ACKed.

So I do think that it is a sensible approach of usability vs. security for the broad masses.

I'd like it more if there were some visual indication of whether I have already verified the key with someone (by scanning the QR code). That would be a _real_ improvement.

hawk • January 17, 2017 12:15 PM

Let me get this right..

The same person who was huddled in his basement on an airgapped machine warning others they couldn't be too careful NOW says "no big deal".

Anura • January 17, 2017 12:31 PM

@hawk

Well, he was worried about government attackers, which he says this is no big deal *unless you are worried about them*. I'm not that worried about Facebook going after WhatsApp users, and in the bigger picture of vulnerabilities on the internet I'd say this would be towards the bottom of the list in terms of severity. It's a matter of how much you distrust Facebook, and I don't expect Facebook to attack WhatsApp users as part of their business - I do expect them to do so as part of an NSL, and there is a possibility that they will get attacked by a non-government actor that allows them to compromise users, but I would expect it would only be used for targeted attacks as it's too obvious if done on a wide scale.

hawk • January 17, 2017 2:31 PM

@Anura
An airgapped machine is a defense against a very very targeted attack. I don't know what you're talking about.

There have been countless discussions here about mitigating emissions, the most extreme defenses against flaws in BIOS and how to shore up defenses against the unlikeliest of targeted attacks, some requiring elaborate HW and firmware changes.

But now, don't worry. It's OK.

It looks to me like, if you're in the right clique everything you say and do is good. And if you're not then everything you say and do is snake oil, wrong, bad. I've seen this crap at conferences too. It's stupid.

Anura • January 17, 2017 2:46 PM

@hawk

That's exactly my point. He had specific reason to be worried about a targeted attack from a government actor. Most people are not worried about targeted attacks and the encryption still protects you against the passive attacks that most people are concerned about when it comes to corporations and the government. It's not elitism, it's just that people should understand what this threat means before they start ditching it for another app that might be less secure in practice for their needs just because of the poor usability (leading them to develop their own hacks such as using email to exchange keys when they can't meet face to face).

hawk • January 17, 2017 2:58 PM

I would bet everything I own that, if WhatsApp was run by a couple of guys in Indiana they would get body-slammed then run out of town. I wasn't born yesterday. This kid treatment is about money.

hawk • January 17, 2017 3:47 PM

I'm still looking for anyone else who got a FREE PASS on usability. Oh wait, this time it's Mark Zuckerberg.

Someone should notify the Cloud Security Alliance Quantum-safe Computing Working Group at once, not to worry about the security. Just so long as it's easy to use.

Anura • January 17, 2017 4:16 PM

@hawk

The same vulnerability exists in TLS, and it's inherent and unrelated to the use of certificate authorities. Changing public keys when you do not have constant communication or a second, independently secured communication method to exchange them is an extremely difficult problem.

xyz • January 17, 2017 4:43 PM

Let's take a step back. The point of end-to-end encrypted chat in the first place was that even if the chat servers are compromised, your messages cannot be decrypted.

It's bad enough having keys exchanged with minimal ID verification (through NFC in person, or via Pidgin OTR style where one verifies identity by asking questions). But automatically trusting a key change is significantly worse. No mistake about it, it provides a mechanism by which WhatsApp can break encrypted chats & be compelled to do so. That's the very definition of a backdoor - whether it's intentional or not is beside the point (I assume not).

Ted • January 17, 2017 4:53 PM

A similar thread on this forum this last November opened a discussion on the matter of encryption and law enforcement, with a particular mention of the EU's efforts to create an acceptable balance between security and sanctioned legal access to electronic communications and data (assuming the WhatsApp security vulnerability is present for approved law enforcement access.)
https://www.schneier.com/blog/archives/2016/11/securing_commun.html

To add to the Bits of Freedom information request link in that post, here is a progress report on the EU's encryption questionnaire and framework building process. The report is titled "Encryption: Challenges for criminal justice in relation to the use of encryption - future steps." The report summarizes the questionnaire responses received from the 25 member states and Europol; future steps recommended to the Council are also outlined.
http://data.consilium.europa.eu/doc/document/ST-14711-2016-INIT/en/pdf

This report was discussed at the December 2016 EU Council Meeting.
http://www.consilium.europa.eu/register/en/content/out/?&typ=ENTRY&i=ADV&DOC_ID=ST-15391-2016-INIT

Here are thoughts from the EU’s tech policy chief:
http://www.euractiv.com/section/social-europe-jobs/news/ansip-no-black-and-white-fix-to-help-police-crack-encryption/

dragonfrog • January 17, 2017 5:13 PM

@Michael Schaap

You're missing something here in your MiTM attack scenario:

How is Eve going to filter out only Bob's 'message received' confirmations to Alice? The whole protocol is encrypted, Eve can't tell which messages are what. Eve can see

- Bob sent something to WhatsApp
- Alice received something from WhatsApp
- Alice sent something back to WhatsApp (at best, timing analysis may suggest it is likely a read receipt)
- Bob received something from WhatsApp

The volume of traffic in and out of WhatsApp means Eve is going to have an extremely hard, likely impossible, time determining which messages in match to which messages out.

Unless Eve is WhatsApp, or is forcing their hand through court order. Which is what this is about.

Bernd Paysan • January 17, 2017 5:30 PM

Technically, it's correct that this is not an actual backdoor, but a design flaw. Practically, it doesn't matter if it is a backdoor, a 0day, or a design flaw, that just describes how it came there; once it is widely known, it has to be fixed one way or the other. I think state of the art backdoors are design flaws, the more obvious backdoors don't provide plausible deniability. And that is a must-have for any NSA-ordered backdoor since June 2013.

The real problem IMHO is that WhatsApp changes the key needlessly. Why change the key when the SIM changes? There's absolutely no need to do that. Why change the key when people buy a new phone? Transfer it from the old phone (sufficiently secured, there is a similar QR scan protocol step when you want to use WhatsApp Web, so the procedure is actually already implemented).

Once the number of key changes is minimized, you can notify everyone (not just those with the setting activated) on a key change, and WhatsApp could also use Threema's traffic light scheme to show how well established the trust in a particular contact is. WhatsApp users need to be nudged into doing necessary things, so just nudge them.

Gabriel • January 17, 2017 5:59 PM

Changing public keys when you do not have constant communication or a second, independently secured communication method to exchange them is an extremely difficult problem.

If you have the old key, it's easy enough: sign the new key with the old. This handles things like periodic key rollover. And if the user wants to add a second device, same thing: ask them to open up their usual device and approve the request (i.e. sign the new key with the old).

The more difficult case is when they've lost their key, but it's not extremely difficult. The client software can generate a key-signing-key on account creation and upload it to the server, encrypted with the password. And if someone wants to register a new device (new key), they just need to type in that password, pull down the encrypted KSK, and use it to sign a new key.

None of that is perfect. An adversary might send an NSL to the provider to ask them to log the password the next time someone logs into a web site, or to deliver compromised software that logs it; then they steal the old phone and wait. Or maybe someone forgets the password and loses the device (if they had the old key, we could use that to allow a password reset); if it's rare enough, the server can force a new key and let their correspondents see a warning.

Maybe with zero-knowledge proofs and an offline secret we could do a bit better, for advanced users: have them write down some secret data on account creation, and deliver a token that allows them to anonymously store a key recovery block—encrypted with the password and the written secret, and recoverable by providing both. Then even if the provider gets the password, they don't know what key recovery block it corresponds to and they never had the written secret anyway. (And then, make sure software updates are delivered as anonymously as possible to prevent compelled-backdoor attacks.) This starts to get complicated for the software developers (but fun! I might like to experiment with Shamir secret-sharing too)—still, the user experience remains reasonable.
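The key-continuity idea in the comment above ("sign the new key with the old") can be shown in a few dozen lines. The following is an added example, not WhatsApp's, Signal's or the commenter's code: a device that rotates its identity key publishes the new public key together with an Ed25519 signature over it made with the retiring key, and a correspondent's client accepts the change without a warning only if that signature verifies against the key it already trusts. The `Rotate`/`Contact` names and the domain-separation prefix are assumptions. Anything else (a key announced with no signature, a key signed by some unrelated key, a lost-phone reset) falls through to the ordinary safety-number-change handling, which is where the blocking versus non-blocking question from the post still applies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Rotation is what a device publishes when it replaces its identity key:
// the new public key plus a signature over it made with the old private key.
type Rotation struct {
	NewPub ed25519.PublicKey
	Sig    []byte
}

// rotationMessage gives the signed bytes a fixed prefix (assumed here) so a
// rotation signature cannot be confused with a signature over other data.
func rotationMessage(newPub ed25519.PublicKey) []byte {
	return append([]byte("identity-key-rotation:v1:"), newPub...)
}

// Rotate makes a fresh identity key pair and signs its public half with the
// key being retired, returning the new pair and the announcement to publish.
func Rotate(oldPriv ed25519.PrivateKey) (ed25519.PublicKey, ed25519.PrivateKey, Rotation, error) {
	newPub, newPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, Rotation{}, err
	}
	sig := ed25519.Sign(oldPriv, rotationMessage(newPub))
	return newPub, newPriv, Rotation{NewPub: newPub, Sig: sig}, nil
}

// Verdict is the receiving client's decision about an announced key change.
type Verdict string

const (
	Continuity Verdict = "continuity verified: new key accepted without a warning"
	Unverified Verdict = "unverified key change: treat as a safety-number change"
)

// Contact is a correspondent's record of the identity key it currently trusts.
type Contact struct {
	Trusted ed25519.PublicKey
}

// Accept checks the announcement against the trusted key. Only a rotation
// signed by the key it replaces is accepted silently; the trusted key is
// updated only in that case, so an unverified announcement changes nothing.
func (c *Contact) Accept(r Rotation) Verdict {
	if len(c.Trusted) != ed25519.PublicKeySize || len(r.NewPub) != ed25519.PublicKeySize {
		return Unverified // malformed input: never let Verify panic on a bad key size
	}
	if !ed25519.Verify(c.Trusted, rotationMessage(r.NewPub), r.Sig) {
		return Unverified
	}
	c.Trusted = r.NewPub
	return Continuity
}

func main() {
	bobPub, bobPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	alice := &Contact{Trusted: bobPub} // Alice's record of Bob's key

	// Bob rotates normally: Alice sees continuity and no warning.
	_, _, rot, err := Rotate(bobPriv)
	if err != nil {
		panic(err)
	}
	fmt.Println("legitimate rotation:", alice.Accept(rot))

	// A key that was not signed by Bob's previous key (here: signed by an
	// unrelated key) is exactly the case the warning policy has to handle.
	_, stranger, _ := ed25519.GenerateKey(rand.Reader)
	_, _, unrelated, _ := Rotate(stranger)
	fmt.Println("unrelated key:", alice.Accept(unrelated))
}
```

The design choice worth noting is that `Accept` never downgrades: a verdict of `Unverified` leaves the previously trusted key in place, so the client's warning (blocking or not) is raised against a key it has not yet started using. The comment's password-encrypted key-signing-key variant fits the same shape: the KSK, rather than the retiring device key, would be the signer checked in `Accept`.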

william • January 17, 2017 6:43 PM

It is a TERRIBLE security issue, means totally vulnerable to MITM.
Same as signal which is the worst encryption product with marketing

Wael • January 17, 2017 6:51 PM

@Rolf Weber,

Basically all of the so-called “technical experts” did either

Something tells me you're talking about us!

It’s their first exchange, so Bob sends Alice his public key, and Alice to Bob hers

Such eloquence, Ma Mann! You're using Syllepsis now! Wish my German could improve to that level!

HTTPS is also end-to-end encryption. To be able to see the content and scan for viruses, the proxy needs to perform exactly the same man-in-the-middle attack. Where there is a will, there is a way.

Well, that's how it's supposed to work! Two TLS sessions terminating from the torso to either limbs!

Where have you been mann! I hear @Dirk Praet misses you sick!

r • January 17, 2017 7:29 PM

Whatever algo's they're using with services such as this are almost guaranteed to be hardware optimized somewhere - even if there is some sort of upper limit on what they can decrypt (with hardware) at any given point in time.

Wael • January 17, 2017 7:38 PM

@william,

It is a TERRIBLE security issue

No (exclusive) total assured control, no security. Plain and simple. We've been saying that for a long time.

Follow the link at the bottom of this post again...

Want a secure messaging app? This is how you do it:

Star-date, supplementary... Continuing our mission into planet C-v-P...

Grauhut • January 17, 2017 7:49 PM

The only secure way to implement end-to-end encrypted messaging is a local message spooler that directly delivers to the actually connected device of the recipient (and all of the recipient's devices using the same account have to share the messages themselves afterwards).

Should be workable with a DNS-based directory service, STUN-like UDP port resolution for NAT traversal and some lightweight status signaling with keepalives.

r • January 17, 2017 8:05 PM

@Grauhut, all

I hear X-Tunnel/X-Agent already has great nat punching support, copy/pasta.

r • January 17, 2017 8:08 PM

This is what happens when you give people your weapons of war, they repurpose them irrespective of you. Information is like air or water we breathe it, we drink it, there is no control only diversion and retention.

All good intentions aside, your stalwart position will continually erode away in the face of this truth.

Anura • January 17, 2017 9:52 PM

@Gabriel

You've been compromised, your key is no longer secure, and you need a secure way to get a new one. At that point, the person on the other end can't trust that it's you signing the key, and you have the exact same problem that you have except now it's the not known to be secure entity you have to trust instead of the known to be insecure key.

Thoth • January 17, 2017 9:58 PM

@all

The more important question to me is:

- Does the WhatsApp/Signal software(s) always check that the new keys are valid (via some signature attestation) and how does the WhatsApp/Signal software(s) (not the protocol paper) in reality check for malicious injection of new keys ? If faulty/malicious keys are sent, does the WhatsApp/Signal software(s) continue to allow these bad keys in reality or are they deleted ?

- Can the WhatsApp/Signal software(s) be trusted since WhatsApp is technically closed source while the Signal software is open source on Github, the distributed version over some AppStore maybe tampered with by "The Powers That be" since the AppStore owners are the ones who hold the root attestation keys and have the power to do anything to the app binaries in the AppStore ?

Gabriel • January 17, 2017 10:18 PM

You've been compromised, your key is no longer secure

A good reason to support revocation certificates.

and you need a secure way to get a new one. At that point, the person on the other end can't trust that it's you signing the key

If you had a non-compromised key-signing key it could be done, but unless someone comes up with a really nice UI, only the paranoid are likely to use this option.

and you have the exact same problem that you have except now it's the not known to be secure entity you have to trust instead of the known to be insecure key.

Yup, that's what I mean when I say it's imperfect (still an improvement I'd say). The user would have to convince the server to publish a new key and revoke the old, and then everyone they talk to would see a warning the next time they talk. And maybe it wasn't really the user who pushed that, maybe a government forced the operator to change it. But as soon as any friend asks what happened, did you lose your phone, the adversary has at least lost their secrecy. (Actually, with anonymous key lookups, the user's own client could warn them there's a "new" key.)

I believe it was Bruce who pointed out that the risk of discovery weighs heavily on the NSA et al. If they think such a thing will be revealed, they may not do it. (Given the state of Android security I reckon they'll hack your phone directly.)

ab praeceptis • January 18, 2017 1:50 AM

R. Weber quite sometimes behaved like a clueless idiot here but he has a point there.

One core problem is that the whole thing is virtually always self-contained, i.e. keys are not exchanged out of band.
So: One does not even need a tainted client software. It would be sufficient if the MITM could play something like "While you were away Alice created a new pubkey. Here it is". Actually one might even decorate that with some security theater like "So, Bob's system sends a test message to Alice's system which then signs it using her private key and then Bob verifies it" - only that potentially even both, Alice and Bob got f*cked by the MITM server who gave pubkeys under *his* control to both.

If there is *trustworthy* 3rd party signing the keys and not out-of-band kex (oob meaning outside the whatsapp or whatever channels) one may well end up with the impression of lots of security while actually being cooked.

I think we should also concentrate more on another question: If you are a state agency and ever more people communicate encrypted (which state agencies, of course, dislike) then what can you do? One classical answer for that kind of problem is to offer and establish your own systems which, besides some security theater and big names actually is under your control.

Signal is clearly a candidate and shouldn't be trusted.

NoName • January 18, 2017 6:21 AM

Dear Bruce, the WhatsApp insecurity is much simpler (and nobody talks about it):
On your iPhone WhatsApp asks you to save all your conversations in an iCloud Backup (default setting) which is clearly available to government institutions. Even if you decide not to save your conversations in the iCloud Backup, your insecure friends do it for you! ;) - Could you please make a blog post about that!? Thank you!

sidelobe • January 18, 2017 6:34 AM

Let's not lose sight of the goal. WhatsApp, Signal, and other secure messaging systems are useful because they provide reasonable security (Pretty Good, if you will) for general users. They are, finally, the equivalent of putting your paper mail in an envelope before dropping it in a mailbox.

People automatically put mail in envelopes and lock their cars and homes because it's easy and good enough. WhatsApp and Signal are definitely good enough. Their strength is that they are so easy to use that they will actually get used. Instead of complaining that they're not perfect, let's instead demand that every computer on the Internet be protected at least as well as this. (IoT folks: I'm talking right straight at you!)

Sure, we need bank vaults, and some folks need much more secure communications.

Dirk Praet • January 18, 2017 6:50 AM

@ ab praeceptis

I think we should also concentrate more on another question ...

I believe the proverbial elephant in the room here is why Signal uses a "blocking" approach to mitigate a well-known, intrinsic E2E encryption vulnerability, whereas WhatsApp goes with a non-blocking one. When people either for privacy or other reasons choose an IM like Signal, WhatsApp or Telegram, they WANT their exchanges to be as secure as possible and in general will be prepared to live with some additional nuisances degrading the overall UX. At the very least, there should be a user setting they can either enable or disable. Those who either have nothing to hide or cannot be bothered with notifications they don't understand anyway can just as easily switch to Skype or ordinary SMS.

So either this decision is driven by questionable marketing considerations, or it's a deliberate foot in the door for law enforcement, all kudos for which go to the folks originally pointing out the vulnerability and to Tobias Boelter for dissecting the concerned WhatsApp internals.

@NoName

On your iPhone Whatsapp asks you to save all your conversations in an iCloud Backup (default setting) which is clearly available to government institutions.

This was equally pointed out by @Nicholas Weaver in the Lawfare blog post I referenced earlier, and IIRC to some extent discussed on this forum.

@ Gabriel

(but fun! I might like to experiment with Shamir secret-sharing too)

You can find a simple Python GUI for it on Github.

@ Thoth

Can the WhatsApp/Signal software(s) be trusted since WhatsApp is technically closed source while the Signal software is open source on Github

At a more fundamental level: do you trust anything coming from Facebook? For me, that's a clear no.

@ Wael

I hear @Dirk Praet misses you sick!

As @Clive's son would say: "snot fair" 8-)
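The blocking versus non-blocking distinction above, worked through as a small model. This is an added example, not code from WhatsApp, Signal or anyone on this thread; the server, the sender's outbox, the "identity key" and the toy SHA-256 stream cipher are all stand-ins (real clients use a ratchet and a proper AEAD), and the message texts are constructed. The only thing that differs between the two policies is what the sending client does with messages that are still undelivered when the directory announces a new key for the recipient.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Policy(Enum):
    BLOCKING = "blocking"          # Signal-like: hold delivery, warn first
    NON_BLOCKING = "non_blocking"  # WhatsApp-like: re-encrypt, resend, warn after


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream, SHA-256 in counter mode: illustration only."""
    out = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                   for i in range(length // 32 + 1))
    return out[:length]


def _message_key(identity_key: bytes, counter: int) -> bytes:
    # Stand-in for the real key agreement: the per-message key is bound to
    # the recipient identity key the sender currently trusts.
    return hashlib.sha256(b"msg" + identity_key + counter.to_bytes(4, "big")).digest()


def encrypt(identity_key: bytes, counter: int, plaintext: bytes) -> bytes:
    mkey = _message_key(identity_key, counter)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(mkey, len(plaintext))))
    tag = hmac.new(mkey, body, hashlib.sha256).digest()
    return counter.to_bytes(4, "big") + tag + body


def decrypt(identity_key: bytes, ciphertext: bytes) -> Optional[bytes]:
    """Returns None when the identity key does not match (MAC check fails)."""
    counter, tag, body = int.from_bytes(ciphertext[:4], "big"), ciphertext[4:36], ciphertext[36:]
    mkey = _message_key(identity_key, counter)
    if not hmac.compare_digest(tag, hmac.new(mkey, body, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(mkey, len(body))))


@dataclass
class Server:
    """Relay plus key directory: the sender learns keys only from here,
    so the operator can swap one at will (the forced key change)."""
    directory: dict = field(default_factory=dict)  # user -> identity key
    queue: dict = field(default_factory=dict)      # msg_id -> (to, ciphertext), undelivered

    def force_key_change(self, user: str, new_key: bytes) -> None:
        self.directory[user] = new_key


@dataclass
class Sender:
    policy: Policy
    warnings_enabled: bool = True
    trusted: dict = field(default_factory=dict)  # user -> identity key (trust on first use)
    unacked: dict = field(default_factory=dict)  # msg_id -> (to, counter, plaintext)
    notices: list = field(default_factory=list)
    counter: int = 0

    def send(self, server: Server, to: str, plaintext: bytes) -> str:
        self.trusted.setdefault(to, server.directory[to])
        self.counter += 1
        msg_id = f"m{self.counter}"
        server.queue[msg_id] = (to, encrypt(self.trusted[to], self.counter, plaintext))
        self.unacked[msg_id] = (to, self.counter, plaintext)  # kept until a delivery receipt
        return msg_id

    def on_key_change(self, server: Server, user: str, new_key: bytes) -> None:
        pending = [m for m, (to, _, _) in self.unacked.items() if to == user]
        if self.policy is Policy.BLOCKING:
            # Hold the queued messages; nothing is re-encrypted until the user
            # has seen the warning and explicitly accepted the new key.
            self.notices.append(f"{user}: safety number changed, {len(pending)} message(s) held")
            return
        # Non-blocking: adopt the new key, re-encrypt, resend, then (maybe) warn.
        self.trusted[user] = new_key
        for msg_id in pending:
            to, ctr, plaintext = self.unacked[msg_id]
            server.queue[msg_id] = (to, encrypt(new_key, ctr, plaintext))
        if self.warnings_enabled:
            self.notices.append(f"{user}: security code changed, {len(pending)} message(s) resent")


def run_scenario(policy: Policy, warnings_enabled: bool = True) -> dict:
    """Alice queues two messages for an offline Bob, the operator swaps Bob's
    key for one it holds, and we report what the operator can now read."""
    server = Server()
    server.directory["bob"] = secrets.token_bytes(32)  # constructed: Bob's real key
    alice = Sender(policy, warnings_enabled)
    alice.send(server, "bob", b"meet at 9")            # constructed sample traffic
    alice.send(server, "bob", b"bring the documents")
    operator_key = secrets.token_bytes(32)             # key only the operator holds
    server.force_key_change("bob", operator_key)
    alice.on_key_change(server, "bob", operator_key)
    readable = [decrypt(operator_key, ct) for (_, ct) in server.queue.values()]
    return {
        "queued": len(server.queue),
        "readable_by_operator": sum(p is not None for p in readable),
        "trusts_operator_key": alice.trusted["bob"] == operator_key,
        "notices": list(alice.notices),
    }
```

Under the non-blocking policy the operator who swapped in the key can read both queued messages, and the only trace is a notice that arrives after the resend, and only if warnings are enabled. Under the blocking policy the messages stay queued under the old key, the operator can read nothing, and the warning arrives before anything is re-encrypted. Neither policy helps once the user accepts the new key without checking it out of band; the model only shows which client forces that decision on the user and which makes it for them.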

mike~acker January 18, 2017 7:38 AM

whoever generates and validates the keys controls access

for security with asymmetric (PGP/GPG) keys -- the user generates and validates the keys.

it's not hard to do,-- but,-- to use PGP/GPG -- yes -- "You've got it to do"

there are a lot of folks around wishing they had got to it.

Notes

-- you can incorporate PGP/Desktop (Symantec) into MSFT/Outlook;
-- You can adopt Thunderbird/ENIGMAIL -- on either a MSFT or Linux platform;
-- Echelon and CLAWS also work with GPG in the Linux environment

-- you must use a secure O/S

-- a secure O/S will not allow itself to be altered (compromised, "pwned") by the activity of an application program -- such as a phishing message or malvertising in a web page

ab praeceptis January 18, 2017 2:08 PM

Dirk Praet (et al.)

Sure, thanks to [whoever looked closer at it or even dissected it]-

But I was by far not the only one here expressing solid distrust. I'm too lazy to look it up but I mean to remember that Clive Robinson and others here shared their unfavourable views and their reasoning, too.
To be honest, the reason for me to not look any deeper, i.e. to not invest any time and work was that it seemed so obvious to be smelly that it simply wasn't worth any more efforts.

I just had a closer look at the newest incarnation of the hyper-super-awfully-specially security crap pile above all crap piles: TLS 1.3

And I saw one young excited Italian pulling off yet another round of oh, we are so excited sales talk, not noticing that he basically said that all ssl/tls versions before it were crappy with plenty of gaping holes - but, of course, this time with 1.3 everything is great! Just like it was with every version before ...

I'm *soooo* pissed off by the neverending line of incapable "security experts" creating crap pile after crap pile, who blissfully ignore pretty much every holy rule about security we know of - the first of those being "keep it simple and do 1 thing well".

Which leads me back to signal and accomplices.

It's not in any way new that PK crypto has some issues or critical points that must be properly considered and taken care of. One example is the mother of all security crap piles, PKI, which is rotten to the core for many reasons, a prominent one being making-loads-of-money was the priority (CAs).

To add insult to injury, we **do have** all the needed blocks. Mankind has had ways to confirm identity for thousands of years; we just ignorantly chose to make that into a money making machine without even minimally performing the core job. We *do have* distribution mechanisms and the other building blocks needed but we chose to let greedy imbeciles design the "solution" we have and which is worthless crap.

Similarly, it just so happened that signal and accomplices were designed with major flaws (one of which you concentrated on).

I like the term "security theater" created (afaik) by our host Bruce Schneier. What I do not like is that *major parts* of today's security community are actors in that theater. As far as I'm concerned moxie is one of them and in my view a grossly overrated one who doesn't seem to have all the good intentions the theater makes people believe.

I do not trust signal. Not at all. Not even a bit.

Czerno January 18, 2017 2:40 PM

@Ab Praeceptis [shouldn't it be : A præceptis ?], @all :

What are your recommendations for simple no-frills but secure, end-to-end encrypted, 1-to-1 instant messaging (TTY-like text, not voice) between pairs of trusted parties ? Windows must be a supported OS, even better if your proposition is cross-OS. With or without a central server (as long as end-to-end encryption is guaranteed against such shenanigans as seen in the blog post we are commenting on).

By simple here I mean some software combo that after setting-up and experimenting for myself I can write-up a set of instructions and persuade less technical friends and correspondents to install it following said instructions... Free as in beer seems a preliminary to adoption, free-libre being a plus, of course.

Wael January 18, 2017 2:59 PM

@Czerno,

By simple here I mean some software combo

Infeasible at best. Impossible is the likely answer.

Ross Snider January 18, 2017 3:11 PM

"In that way, it is no more troubling than the government hacking your mobile phone and reading your WhatsApp conversations that way."

Couldn't you say the same about an attack against TLS with ephemeral keys?

Seems to me that there are some crucial legal, discoverable, forensic and scalability differences.

Czerno January 18, 2017 3:17 PM

@Wael :
" Infeasible at best. Impossible is the likely answer. "

Uh ? Infeasible/impossible are very big claims !

First I must admit of no - or very little - prior experience with instant messaging myself. Having said that, what's wrong in principle with something like : standard instant messaging app (using some protocol like "Jabber"), choosing a relatively trustable public server, and wrapping the whole within a layer of encryption (preliminary research found that popular messaging applications can do "OTR" either natively or thru the use of plugins).

My question was merely seeking advice for tested setups. Your unexpected reply here begs the additional question: how, why and to what degree is it infeasible ?

Clive Robinson January 18, 2017 3:41 PM

@ Czerno,

What are your recommendations for simple no-frills but secure, end-to-end encrypted,

You've not said what level of security you want... Which makes the answer easy for either end of the line as, "any or none".

The problem is the App is the security end point for the message content only.

Because on a commodity OS, the security is compromised effectively "by design". Which means the SigInt agencies will be more likely to attack the device OS than the App.

So you need to look at moving the security end point beyond the communications end point device to mitigate the problem (separate crypto token).

But as has been said many times before, "It's not the message but the traffic that tells all over time". As far as I'm aware none of the messaging apps do anti "traffic analysis" and they all use a central point directory for either client or peer address discovery.

So messaging apps are problematic security wise even if the message encryption and encapsulation is secure in the comms channel.

There are ways to fix these problems but... The last time I looked it was "not yet implemented" by any.

Then there is the issue of what the app does with plaintext, often it gets stored on the end point device or worse in memory that can end up in cloud storage. Which obviates the use of the communications security.

There are other features such as address books etc that weaken the overall security to quite a low level in many applications not just those for messaging.

Thus if you are a journalist or similar coming up against State level or above attackers, the first thing you should really consider is the security of the hardware platform and the OS, then look for an app...

Wael January 18, 2017 3:49 PM

@Czerno,

Uh ? Infeasible/impossible are very big claims !

Given the constraints you imposed, I maintain my stance of big claims.

Having said that, what's wrong in principle with something like : standard instant messaging app (using some protocol like "Jabber"),...

Suppose your protocol is bullet-proof, your application is bug-free, no side channel attacks exist, your server and its operators are trusted, and text saved on the server is encrypted with the recipient's key.

  • What's to stop the OS provider from extracting keys at rest or in use?
  • You'll need to make sure your communication partner operates with an acceptable OPSEC.
  • What goes on at the hardware layer is beyond the scope of pure software.

This isn't an exhaustive list, but something to give you an idea that pure software on a commercial grade OS and CPUs that are not proven to be trustworthy is not feasible. You don't control any of the lower layers. Someone else has the power to do things that you cannot detect, let alone stop! It's the whole reason why @Nick P, @Clive Robinson, @Thoth and others are looking at HW.

Look at this again. I said I won't link to it again, so forgive me for reneging... it does explain things from principles going down.

Dirk Praet January 18, 2017 4:05 PM

@ Czerno

What are your recommendations for simple no-frills but secure, end-to-end encrypted, 1-to-1 instant messaging

It depends on your threat model. If targeted attacks by state actors are involved, re-read @Thoth's and @Clive's recommendations, more in particular about separate devices for crypto operations and communications and reverting to pen & paper solutions. Even when using the most securely designed and implemented of products, you don't control your hardware and your opponent will just work his way around them by attacking the endpoint(s).

For anything below that, Signal is still your best pick. Available on iOS, Android and as a Chrome desktop app (beta and pairing with Android devices only). An alternative cross-platform solution is XMPP/OTR through the likes of Pidgin/Adium and ChatSecure on iOS/Android. You can optionally add transparent torification using Tor Messenger (beta) instead, available on Windoze, MacOS and Linux, and also supported by ChatSecure. If no mobile support is required, check out Ricochet. Pond looked really promising, but for unknown reasons was abandoned by its developer.

Generally speaking: stay away from anything closed source by known data harvesters, PRISM inductees and other entities under direct 5 Eyes jurisdiction (Skype, Google Chat, WhatsApp, iMessage). It's either already backdoored or will be in some foreseeable future. Everything else you use: RTFM at least twice, properly educate your correspondents and consult some expert OPSEC guidelines such as those published by @thegrugq. Last but not least: monitor this and other forums when we gut yet another snake oil product.

albert January 18, 2017 4:13 PM

@Sok Puppette,

"...It's not just pressure. If I'm worried about anybody, government or otherwise, who can crack or infiltrate Facebook, then this is a fairly serious vulnerability...."

I wouldn't think so. The Internet Culture we have had created for us has led to this. Too many folks will believe anything they read, see, or hear online. The big players, like Facebook, Twitter, Google, Apple, etc. have a vested interest in maintaining Positive Security Theatre about their products. Don't want any scare-mongering. Our users are decent, law-abiding citizens. No fear from the gov't. Don't worry, be happy.

PST works well for the LE/IC/MIL. The often illegal/immoral subcultures that exist in those communities make them closed to the outside world, unless spoilers like Snowden, Assange and Manning screw them up. (BTW, congrats to Manning for her pardon. Does Obama really think Assange will turn himself in? I've got my pig-poop parka ready...)

Does anyone know folks who use the aforementioned sites for private communications? -That- would be an interesting survey.

In closing, has anyone seen the commercial about the lady in the airline terminal posting about her upcoming vacation trip? One of the replies is someone in a ski mask saying; "Have a nice trip!"

. .. . .. --- ....

Czerno January 18, 2017 4:19 PM

@Clive, @Wael : thanks for the clarifications.

You're right that without stating the level of security or adversarial model, I posed an ill-defined question. I did state, though vaguely, I am after a "simple, no-frills" solution; I might have added explicitly that I was excluding from consideration (or treating separately) the class of problems which you both, and others, have been discussing here often, of OS pwnage or compromise, even less hi-tech, targeted espionage ala NSA-TAO ;=)

Czerno January 18, 2017 4:26 PM

@Dirk : thank you as well ! I'll study your recommendations in detail. Which, I saw, include OTR+XMPP - comforting that towards which I've been leaning.

Wael January 18, 2017 4:28 PM

@Czerno,

Why use IM? If you have nothing to hide, you have nothing to fear (not true by the way.) Use this forum like I do for IM. The only risk is the moderator mounting a denial of service attack on you (kicking your a**, revoking your citizenship, and deporting you from this cyber-land.)

ab praeceptis January 18, 2017 4:36 PM

Czerno

Front up: I'm not particularly interested in messaging but I think that we *could* create something at least quite reasonable.

For a start, we *do* have the capability to encrypt (sym.). I think that we also have, at least indirectly or potentially, the rest of the needed building blocks.
Actually, thinking about your question I came to notice that one good way to answer it is by approaching it from the "what we should *not* do" (or what's wrong today) angle.

Most importantly, we should properly analyze the problem(s). Unfortunately, that is often not done but instead large PR blobs are chosen. PK/TLS is a particularly gross example. Why?
PK is basically about a certain, not necessarily common, scenario, namely about unknowns and untrusteds.
Moreover usually crypto is broken for one major reason: They mix up algorithm, implementation and diverse features. An example is the whole RTT early payload obsession of ssl/tls.

Funnily (?), PKI and signal share a common disease, albeit in different forms. PKI has been greedily perverted to the point of being useless or even dangerous, while signal simply ignored the problem.

Technically speaking messaging is just a buffered mechanism that exchanges data between 2 or more parties.
The problem doesn't arise from that mechanism per se (not even from the need to buffer) but from other problems, in particular from the identification and authentication need, from the reasonably assumed to be hostile scenario, and the like.

One might even go so far as to say that the typical PK approach does not solve but merely push the problem somewhere else (the communication between other parties such as CAs and clients suffers from the same problems).

*Obviously* we need some out of band or secondary channel.

Let's look closer. Alice and Bob want to communicate. One question that comes to mind and might turn out to be quite helpful is "Why?". Maybe they are colleagues or maybe they are customer and seller. In that very constellation there is already part of an answer to some questions. If they are colleagues they already know each other and almost certainly have out of band means to exchange e.g. preshared keys. Et voilà, what do we find looking at banks? Exactly that. They use 2nd channels or oob communication.

In other words: I would first and foremost address the id/auth problem. From there the rest is simple.

Thoth January 18, 2017 5:35 PM

@all

Half a year ago, Snowden and Bunny wanted to produce a hardware inspector for smartphones and the hardware inspector comes with its own external display and input.

If they could scale it to a QWERTY keyboard and have a USB HID working over Android, it may be possible to create a version of XMPP chat with a 'bypass' mode to send received ciphertext to the external security module to decrypt and display and for the external security module's keyboard to create encrypted reply for the app to send.

I wonder what's the initial starting cost of making a PCB with USB-HID, a LCD display and some QWERTY keyboard for the external security module ?

Wael January 18, 2017 5:45 PM

@Thoth,

I wonder what's the initial starting cost of making a PCB with USB-HID, a LCD display and some QWERTY keyboard for the external security module ?

I vaguely remember answering that question in the past. Sub 30 dollars was my answer.

Wael January 18, 2017 5:50 PM

@Thoth,

I found the link but won't share it because of redundancy of links. My answer was:

Sub $30.00, whether you use C.H.I.P or Raspberry Pi zero or similar.

Mark January 18, 2017 8:11 PM

"He's technically correct. This is not a backdoor. This really isn't even a flaw. It's a design decision that put usability ahead of security in this particular instance".

"How serious this is depends on your threat model. If you are worried about the US government -- or any other government that can pressure Facebook".

Bruce, you can't really be serious? Have we learnt nothing from Snowden?

It's a vulnerability that can be used as a backdoor, and you can bet your Orange Ape of a soon-to-be-president that the NSA know all about it.

Facebook are known partners with the NSA.

You do the maths.

Wael January 18, 2017 9:57 PM

@Nick P,

their GUI, malware loving OS

:)

You're right! Both links are good. You forgot the other one, though. And, of course, your response :)

Don't take this as a challenge. I don't want to get into a link war with you. I'm not worthy! One should know his limitations, and I know mine... I think.

Nick P: Google goes to him for help with difficult searches ;)

Clive Robinson January 18, 2017 10:46 PM

@ Thoth,

Snowden and Bunny wanted to produce a hardware inspector for smartphones and the hardware inspector comes with its own external display and input.

From memory of the photograph of their prototype they had hand soldered something like six fine wires to test points on the phone PCB.

Obviously this meant "cracking the case and voiding the warranty".

I know you can buy an "unofficial" repair manual out of Hong Kong's famous electronics flea market[1] for each model of iPhone as I've seen a couple of them but, they are in Chinese (There may be ones in English but I'm not sure how good they would be)...

Thus you should be able to make your own version of the sleeve with little problem, but I don't think it would be a marketable product due to the wiring requirement.

That said if you are taking the cryptotext "off board" any smart phone will do, so a stock android device which costs little could be more easily modded and might work through either the USB or hands free via Bluetooth or a facilities connector.

Whichever way you go, with the external electronics and display you have the energy gapping issue to get to grips with and that could be a real toughie to solve.

[1] The flea market is in Apliu Street which runs parallel to Cheung Sha Wan Road which is famed for the "Golden Shopping Arcade" which is computer geek heaven ;)

Figureitout January 19, 2017 1:27 AM

Czerno
I am after a "simple, no-frills" solution
--I mean, c'mon. Let's be realistic. Only people who care about their security the most will get it eventually. It's taken me ~8 years to get the confidence I need to say I can evade most attackers w/ custom plans for operations that would be necessary. I've offered simple solutions that use radios from the 1980's (likely won't have chips like intel ME in it), connected to a PC you can type on. OTPs over a random RF channel would go mostly undetected throughout a random day. We don't have other communication methods that don't go thru AT&T and Comcast and *for sure* tapped internet fibers. RF goes freely thru the airwaves, sometimes only certain areas can receive and only if you have a receiver can you receive. I don't get why we keep trying at centralized internet-based comms, besides it being the best we can do at scale and cost-wise.

Downloading an app on your iphone or android phone won't cut it but it's a good gauge of a potential market of people who want secure/private comms. Whatsapp has what, a billion users? Someone could make a killing if they get this right.

UseeXcv January 19, 2017 4:35 PM

Now I know what my government, its spy apparatus as well as most of FVEY have been reading casually.

It's not really a risk until you realize it affects group messages one forced key change (maybe fake base tower etc) and you see just what you need to find out.. Cause lately the contacts of mine have been getting their keys rolled unexplainably.

Amarendra Godbole January 20, 2017 4:16 PM

We can debate till the end of universe if this was a "backdoor", "tradeoff", "vulnerability" or insert-your-favorite-word-here - I believe WhatsApp should really not call it "end-to-end encryption", since it's not.

Bong-Smoking Primitive Monkey-Brained Spook January 20, 2017 4:59 PM

@Amarendra Godbole,

I believe WhatsApp should really not call it "end-to-end encryption", since it's not.

Depends where the 'ends' are. End-to-End with a 'secure' MiTM or piecewise end-to-end is also accurate.

Rolf Weber January 21, 2017 10:11 AM

@Dirk Praet

The post from Nicholas Weaver you linked is great. And I'm very confident not only he but a lot of other smart people did write about man-in-the-middle attacks before I did. I never claimed I found something new. I mean, man-in-the-middle attacks are as old as public key encryption, and that WhatsApp is "vulnerable" (I wouldn't call it a vulnerability because providers like WhatsApp with billions of users have no other chance than to do what WhatsApp does -- WhatsApp is as secure as it can reasonably be) was as obvious as something can be.

What's a bit strange is that I posted my article here (and I think this is how Bruce got notice of it), we both discussed it, but back then you objected to my points, not that Weaver wrote something similar before. But anyway.

My point never was that I found a "vulnerability", let alone a new one. Back then and today I argued that governments should introduce something like the Feinstein/Burr proposal, that they should demand from service providers that they are able to "break" their *own* encryption, and that the companies can do this without putting any regular customers at risk.

ab praeceptis January 21, 2017 8:17 PM

Rolf Weber

Back then and today I argued that governments should introduce something like the Feinstein/Burr proposal, that they should demand from service providers that they are able to "break" their *own* encryption, and that the companies can do this without putting any regular customers at risk.

Please, elaborate.

Dirk Praet January 22, 2017 6:27 AM

@ ab praeceptis

Please, elaborate.

@Rolf Weber at the time argued that not only it was desirable but also perfectly possible to introduce undetectable NOBUS backdoors. The usual suspects strongly disagreed on both accounts.

ab praeceptis January 22, 2017 7:55 AM

Dirk Praet

That's what I intended to indicate for myself, too. But I wanted to be fair and give him the opportunity to come up with something reasonable.

Rolf Weber January 22, 2017 3:42 PM

@Wael

I still don't remember any Benni, let alone having ratted him out ...


@ab praeceptis

I think we discussed this before here, but ok.

In the wake of the Snowden hysteria, companies began to develop a new marketing hype: build encrypted services which they claimed not even they themselves could break. And I have 2 problems with these claims:

1. It is often not the honest truth. The companies control server and client software, have source code and internal knowledge, and are bound by usability constraints, preventing them from introducing every possible security measure. So in reality they *are* often capable of breaking their own security, but simply don't want to, because they think it's more popular to pretend they are unbreakable than to help law enforcement with valid warrants.

2. Even if they succeed in implementing a system that even the companies themselves cannot break, it is highly irresponsible to offer services without being able to respond to lawful requests.

And this is why I support legislation like the Feinstein/Burr proposal, that would require companies to always be capable of responding to lawful requests. If not, they are fined for each request they are not able to answer.

And as I said, I'm very confident companies could implement this requirement without making any regular user less secure. For the example of WhatsApp, they could perform the described man-in-the-middle attack, and additionally they could modify their client so that it doesn't alert on key changes if the new key is from WhatsApp itself. This way WhatsApp could reasonably respond to lawful requests, while its users are still safe from attacks of all other parties other than WhatsApp itself.

Wael January 22, 2017 6:59 PM

@Rolf Weber,

I still don't remember any Benni, let alone having ratted him out ...

This Benni! You shared some threads with him once upon a time!

https://www.schneier.com/blog/archives/2015/06/yet_another_lea.html#c6699331

https://www.schneier.com/blog/archives/2014/09/two_new_snowden.html#c6678693

https://www.schneier.com/blog/archives/2014/08/new_snowden_int.html

Oh, well. If you happen to know where he is, give him our Regards :)

I believe you, by the way. You've been away for too long to remember. And I know lying isn't one of your vices!

ab praeceptis January 22, 2017 11:51 PM

Rolf Weber

I agree with some of your observations and statements. My question, however, was of a technical nature.

I refer to what you said:

Back then and today I argued that governments should introduce something like the Feinstein/Burr proposal, that they should demand from service providers that they are able to "break" their *own* encryption, and that the companies can do this without putting any regular customers at risk.

How?

How would a system work in which per definitionem every customer's data/communication can be decrypted and eavesdropped/mirrored/copied, whatever - while at the same time "regular customers" (presumably those whose data some agency does not desire) data/communication can not be decrypted and eavesdropped/mirrored/copied, whatever?

Logically speaking, there is a set S of elements (customers) for whose data/communication the proposition "can not be stolen" holds true. At the same time you submit that there is a set I of elements for whose d/c the proposition "can not be stolen" is per definitionem false. Hence, looking at the defining attributes of S and I, I is the negation of S, which is commonly called a contradiction.

Now, one could, of course, introduce some mechanism to take elements out of S and put them into I. It should, however, be noted that the constituting attribute (proposition) of S necessitates to not at any point in time be in I.

In other words: your proposition is untenable. The result set is empty.

Reason: "Being secure" (to keep it in simple layman's terms) necessitates continuity, i.e. for any element of S to never be in I.

What you submit is "secure" to mean "secure for some time and under certain conditions" which boils down to "not secure".

Moreover your position seems to be the one I call "mc cain't rage", i.e. one that *only* cares about access for lea and agencies and not at all for customers and security. What you propose is, in simple terms, a fake towards customers; something that by some definition can be vaguely called "secure" while it actually is intentionally insecure.

One strong indicator of that disease is that you do not even care about a mechanism that would allow customers to at least know whether they are currently in S or in I.

"Secure", please finally note that, is by definition "not insecure". Even not sometimes or a bit or when the moon is full. It's math and math doesn't care about politicians' wet dreams.

Well noted, my point is not about politics, it is not about the question whether eavesdropping might sometimes be strongly desirable. It is only about your statement being provably wrong.

Wael January 23, 2017 1:04 AM

@ab praeceptis, @Rolf Weber,

demand from service providers that they are able to "break" their *own* encryption, and that the companies can do this without putting any regular customers at risk.

One can't logically evaluate this statement before the following fuzzy terms are clearly defined: 'regular customers' as opposed to what kind of customers? 'Risk' as in what? Then detail how the method of 'break their own encryption' - ignoring the without clause - is to be accomplished. When that's clear, then one can proceed with set theory and logic evaluation, if that's the preferred approach. Otherwise we're making some assumptions that may or may not hold true.

Some other highlighted words are easier to understand with greater accuracy.

I had a previous discussion with @Rolf Weber and forgot where it ended... but I think the key phrase is: under what conditions should [we mandate] a service provider be able to decrypt someone's information, if we are to assure that statement logically valid. Then we can talk about the technical aspects and whether they are tenable.

ab praeceptis January 23, 2017 1:30 AM

Nope, that discussion is not even necessary. Security that can be deactivated by any third party at their will is no security, period.

One could, however, discuss about "optional limited security privilege". Then, and only in that context, political aspects were to be discussed.

I'm insisting somewhat stubbornly because that whole pseudo-security thingy is worthless as exactly those agencies who would decide whether anyone can or can not enjoy the limited security privilege are the ones against which we need to defend.

We don't need secure communication because some evil mafiosi or terrorists want to listen in. We need it because the state agencies have turned against the very people whom to protect is their task.

It has been shown over and over again that the nsa, fbi, bnd, gchq, etc. are the worst offenders and the most ignorant of constitutional rights.

For some states and large organizations (incl. corporations) that may be different; for us citizens however the enemy is clearly the state agencies (and not some evil chinese hackers).

Joe January 23, 2017 1:46 AM

About a decade ago, Skype was claimed to have end-to-end encryption. A knowledgeable third party had audited the code and declared it secure. Skype used opaque closed-source code, but we trusted it because we were told that we could trust it.

Today WhatsApp has the same security credentials that Skype did then, and WhatsApp is just as opaque today as Skype was then.

So we can safely trust WhatsApp today just like we trusted Skype then.

Wael January 23, 2017 1:46 AM

Nope, that discussion is not even necessary.

Okay, that's perfectly fine with me. I'll passively watch this discussion to its conclusion. Let's see how it progresses :)

Wael January 23, 2017 2:08 AM

@ab praeceptis, @Rolf Weber,

And here is my SHA-256 prediction of what I'm going to tell you at the end of the discussion. If you bring it to a closure, that is!

7f8219ddb957a904fc8707189a8d161f3a54c056cf9cda55a9ad5a6bf039c2db

Don't take it too seriously, I ain't no fortune teller :)
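The SHA-256 line above is a hash commitment: publish the digest now, reveal the text later, and anyone can check that the reveal matches what was committed to. Below is an added example of that commit-and-reveal pattern in Python; it is not code from this thread, and the sample predictions are constructed. It also carries the caveat a practitioner would add: a commitment to a short, predictable sentence with no random nonce is not hiding anything, because a reader can hash every plausible sentence and compare.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple


def commit(message: str, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Publish the digest now; keep message and nonce private until the reveal.
    The nonce is what makes the commitment hiding for low-entropy messages."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    digest = hashlib.sha256(nonce + message.encode("utf-8")).hexdigest()
    return digest, nonce


def verify(digest: str, message: str, nonce: bytes) -> bool:
    """Anyone holding the published digest can check the reveal (binding)."""
    recomputed = hashlib.sha256(nonce + message.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, recomputed)


def bare_commit(message: str) -> str:
    """Commitment with no nonce: just SHA-256 of the text itself."""
    return hashlib.sha256(message.encode("utf-8")).hexdigest()


def guess_bare(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on a nonce-less commitment: if the message is
    one of a small set of plausible sentences, it is recovered immediately."""
    for candidate in candidates:
        if hmac.compare_digest(bare_commit(candidate), digest):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed predictions, standing in for what a forum poster might commit to.
    digest, nonce = commit("You were both partially right.")
    print("published:", digest)
    print("reveal checks out:", verify(digest, "You were both partially right.", nonce))
    likely = ["I told you so.", "You were both partially right.", "Nobody won."]
    print("bare commitment recovered:", guess_bare(bare_commit("I told you so."), likely))
    print("nonced commitment recovered:", guess_bare(digest, likely))
```

The reveal is the pair (message, nonce); publishing the nonce up front would defeat the purpose. Checking against a wrong nonce or a different message fails, so the committer cannot later swap in a prediction that fits the outcome.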

dafsfdsf January 23, 2017 2:12 AM


Snowden did not leak anything via Whatsapp did he ?

I hope you guys see where all the lunacy is going.

Jen Gold Stochkholm January 23, 2017 3:25 AM

@ Ab Praeceptis
> In other words: your proposition is untenable. The result set is empty.

Please extend my sincere gratitude and warmth for the wonderful clarity, decisiveness, and razor sharp lucid transparency you contribute here. It really is exemplary. I could go on and use lots of other adjectives but in general the mood music is one of admiration.
I might add, I think contrary to what a couple here might feel, you have an excellent sense of humour with a fair bit of range (i.e. the ability to be very subtle and only noticeable by those with eyes to see, or overt).

Rolf Weber • January 23, 2017 8:31 AM

@Wael

Regarding Benni, I really think I didn't ever reply to him, let alone have a discussion. So I really don't remember him.

7f8219ddb957a904fc8707189a8d161f3a54c056cf9cda55a9ad5a6bf039c2db

I'll do my very best. :-)

> One can't logically evaluate this statement before the following fuzzy terms are clearly defined: 'regular customers' as opposed to what kind of customers?

For me, a regular customer is a customer for whom there is no lawful request to hand over his user data.


@ab praeceptis

> security that can be deactivated by any third party at their will is no security, period.

I agree to this, but the key point is "*any* third party". WhatsApp is not any third party, it's a very prominent third party, because the whole relevant infrastructure is in their hand. It is the *only* third party who can "deactivate" the security, and they can do this anyway, because they are in control of client, server and source code. The "attack" I describe is one that requires that the "attacker" has access to WhatsApp servers, private keys and source code. This could only be WhatsApp itself, it's close to impossible that somebody else could exploit this.

> One strong indicator of that disease is that you do not even care about a mechanism that would allow customers to at least know whether they are currently in S or in I.

Customers still had options, for example they could use a modified client that still alerts (this wouldn't be an easy task, but I bet that there will emerge projects that will reverse engineer WhatsApp's client), they could use another service (like Signal), or they could write and use their own software.
Don't get me wrong, I don't want to outlaw encryption in any way, I just want that the big mainstream providers are always able to respond to legal requests.

> We don't need secure communication because some evil mafiosi or terrorists want to listen in. We need it because the state agencies have turned against the very people whom to protect is their task.

To each his own. But given your complete distrust in governments, under which laws would you trust a company like WhatsApp, an American company under American jurisdiction?

Clive Robinson • January 23, 2017 9:00 AM

@ Wael,

> I had a previous discussion with @Rolf Weber... the key phrase is: under what conditions should [we mandate] a service provider be able to decrypt someone's information

As I've said before, it would be pointless legislation, because it can only be valid if the service provider can get beyond the security end point.

They can only do that if they can stop the user putting in their own code or cipher. Whilst detecting a cipher is possible because the alphabet is of moderate size, a code, especially a One Time Code, can have an alphabet of any size. Thus the alphabet could be made of English or other language sentences that are self consistent and indistinguishable from natural language...

This means that no matter what coercion the LEO puts on the Service Provider, the Service Provider cannot decrypt the user's code. The only option for the LEO is to tell the service provider to drop the user or play with the connection to make it unreliable in some way. Which would tip the user off if they were sensible...

ab praeceptis • January 23, 2017 9:09 AM

Rolf Weber

You opened another can of worms. What does "can" mean in "can deactivate security"? From my pov "can" includes nsa, fbi and accomplices, too, because they can force us-american companies to make use of their "can" for them. But it doesn't stop there; what about the technician? Or about the guy at such a company whose brother, a cop, asks a favour?

Turn it any way you want, data/communication either is secure or it's not, period. There is only one sensible meaning of security, namely "only the legitimate parties can open/read" (i.e. the (usually 2) participants in secure communication or the owner of the data).

> Don't get me wrong, I don't want to outlaw encryption in any way, I just want that the big mainstream providers are always able to respond to legal requests.

Pardon me but that's an utterly unreasonable and untenable approach. 2 major reasons:
a) really dangerous threats won't use those systems. The ones trusting and using it are small fish and/or idiots.
b) For such an approach to be valid and legitimate, a far better context would be needed. That's one of the reasons, btw, why I consider NSLs sheer idiocy. A state using such tools signs its confession to have left the grounds of the constitution.
Another element gravely missing is proper and credible oversight. You simply *can't* credibly argue the "but we need a backdoor for rare occasions of very high threat potential and danger!" line in a banana republic like most western countries, where obedient, lazy, "judges" basically rubberstamp whatever any agency comes up with.

Gerard van Vooren • January 23, 2017 12:16 PM

@ Joe, ab praeceptis,

> So we can safely trust WhatsApp today just like we trusted Skype then.

I agree. It's only a matter of time before Bruce comes to the conclusion that Whatsapp is better not being used and that's because GAFAM companies use the sliding scale policy everywhere they can to make money.

IMO the only long term stable solution is secure (PKI) verified open source messaging. Which leaves a couple of questions such as which program, how to store keys, etc.

Ratio • January 23, 2017 12:41 PM

> [...] in a banana republic like most western countries, where obedient, lazy, "judges" basically rubberstamp whatever [...]

Let's hear about those non-Western countries doing better than what you describe. Let's also hear about the Western countries where your characterization does not apply. Let's have the data behind your rhetoric.

Gerard van Vooren • January 23, 2017 12:41 PM

I meant P2P secure (PKI) verified open source messaging, accompanied by local running servers running open source software as well.

ab praeceptis • January 23, 2017 7:00 PM

Ratio

Classical case of fairness and modesty being turned against someone. The reason I didn't talk about non-western countries is mainly the fact that I know them considerably less well than western countries.

Oh and as for "the Western countries where your characterization does not apply" I have a simple answer: It's not the citizens' burden to prove countries are ignoring constitution and laws - it's the countries' burden to prove that they are acting lawfully and within the spirit of their constitution.

But to show good will I will point at two countries: the united states of a part of a part of America and germany. The former is well known to shit on laws and to have rubber stamp courts and the latter is known as an eagerly willing outpost.

But this is getting political and we already have more than plenty enough politics here.

Ratio • January 23, 2017 8:36 PM

@ab praeceptis,

> The reason I didn't talk about non-western countries is mainly the fact that I know them considerably less well than western countries.

Let's just assume you know most western countries well enough for you to qualify them like that. But weren't you something of a connoisseur of Russia (according to one of your recent comments)? You could have commented on the situation there at a bare minimum. Maybe you know other non-Western countries?

> It's not the citizens' burden to prove countries are ignoring constitution and laws - it's the countries' burden to prove that they are acting lawfully and within the spirit of their constitution.

No, the onus is on whoever makes an assertion. In this case that's you.

> But to show good will I will point at two countries: the united states of a part of a part of America and germany. The former is well known to shit on laws and to have rubber stamp courts and the latter is known as an eagerly willing outpost.

Those aren't examples of Western countries that do not qualify as banana republic according to you. What is an example of such a country?

> But this is getting political and we already have more than plenty enough politics here.

No, it's getting factual. Where's the data?

Ratio • January 23, 2017 11:16 PM

@ab praeceptis,

> First, try as hard as you like but you are not in a position to impose your wanton "rules" on me.

What rules? Do whatever. Go nuts. Have a ball.

> [...] I felt no need to mention Russia as they don't propagandize themselves as a democracy lighthouse.

So countries that don't propagandize themselves as a democracy lighthouse do have proper and credible oversight? Or shouldn't those countries be held to the same standard?

> The onus to prove that they act within law and constitution is on the state/agency.

That's not how it works. Or do you think that Russia should prove it wasn't behind the US election hacks? Ei incumbit probatio qui dicit, non qui negat.

> Obviously both [the US and Germany] are banana republics

I'd gathered as much from your previous comment. But I asked you for examples of Western countries that do not qualify as a banana republic according to you. (You said most are, so it would be interesting to know which countries aren't.)

> Pardon my french but fuck you.

I'm not sure the @moderator would consider your suggestion to be within the bounds of respectful discourse that is expected here.

> I will certainly not work as your secretary and search and compile data for you.

One or more references would do.

> You see, we all have our own measures; mine is mainly how much someone contributes here in directly security related matters. I haven't much from you other than repeated attempts to arrogate some kind of a "the judge of reason to pass".

How is my (lack of) comments in other discussions of any relevance to my comments in this one? Every comment stands alone; the same person can be spot-on in one and completely clueless in another.

And just to clarify: I am not, nor do I want to be, the judge of anything.

ab praeceptis • January 24, 2017 12:43 AM

Ratio

> So countries that don't propagandize themselves as a democracy lighthouse do have proper and credible oversight?

A typical demonstration of a Ratio arbitrary "conclusion". I gave my reason for not mentioning Russia and now you arbitrarily invent a weird rule out of that and put it in my mouth.
Obviously, as so often, you bend and pervert what you get when one is generous enough to answer your questions that were meant as but a trap.

> That's not how it works. Or do you think that Russia should prove it wasn't behind the US election hacks? Ei incumbit probatio qui dicit, non qui negat.

For a start "The burden of proof is upon him who asserts and not upon the one negating" is - without context - but wanton blabla. Keep it for yourself.

Your attempt at logic is poor. Russia is a) *another* country and b) *accused*. What I was talking about was however a (western or other) country's duty towards its citizens or towards parties to whom an assertion about itself is made.

Accusing Russia (or anyone) of a crime needs proof or at least credible and strong evidence.

As it is the countries I talked about who blabber all day long about being oh so legitimate, lawful, and democratic - and against whom there is plenty of evidence of their assertion being untrue - it is upon them to show that their assertions are true.
Moreover I'm not talking of consequences. All I do is to say "you (western countries) are but a bunch of liars and banana republics".

Concerning the "Russia disturbed or even bent our elections!" accusations, there are - and in fact have been and openly confessed - dire consequences.

Do you now finally understand the difference between an accusation and a "I do not believe your assertions" statement?

> ... banana republic according to you. (You said most are, so it would be interesting to know which countries aren't.)

So? You are free to do research on that. You are also free to ask others to support you in that. You are, however, *not* free to impose that desire upon others by playing tricks, playing the judge of reason, etc.

> One or more references would do.

How generous. But I wonder what for? To convince you? To see my statement accepted or at least tolerated by you? I couldn't care less.

> How is my (lack of) comments in other discussions of any relevance to my comments in this one?

That is easy to answer. In a restaurant I judge by the meal and the service. If the cook also happens to sing beautifully or to be an interesting partner for political discussions that's a plus. If, however, they rarely serve meals I don't care about the rest.

This is a blog about (hopefully mainly IT) security. I judge people by what they contribute in that field. Be it as a living lexicon like Nick P, be it like an experienced and much and smartly reflecting man like Clive Robinson, be it like an actual hands-on engineer like Thoth, to just name a few. Or be it even as a newbie with some serious interest trying hard to learn.

I don't particularly like much politics here but I can understand that (particularly the us-americans) currently can hardly resist. Of course, I can also understand that IT and security have i.a. a political dimension, too. But as far as I'm concerned the main course here should be the technical aspects of security.

And then there is Ratio, who seems to mainly lurk and wait for .. oh well, I will politely stop this part.

In my mind's eye you are mostly a nuisance and you contribute very very little in what I consider the "currency" here. Try your games with someone else.
If you want to really honestly discuss you'll find me open. If however, like usually, you are merely waiting for your chance to make yourself look big and smart by trying to make others look small and stupid then you have to live with a reaction as far as I'm concerned.

And btw. I prefer a comment from Gerard van Vooren (whom you like to molest) every day and twice on Sunday.

Rolf Weber • January 24, 2017 3:06 PM

@ab praeceptis

> From my pov "can" includes nsa, fbi and accomplices, too, because they can force us-american companies to make use of their "can" for them.

Yes, this is how lawful intercepts have worked for ages. The government approaches a service provider with a lawful request, the provider checks it, maybe challenges it, then collects the data and returns it to the government.
The most important point is that the government cannot help itself. It needs the service provider, who can check the request whether it is lawful and not too broad, and can challenge it. And if government and company overdo it, there is always the possibility that whistleblowers will reveal this.

> But it doesn't stop there; what about the technician?

The technician would have to be in possession of the private encryption key and access to the server or the network to perform the MITM. Unlikely, but depends on the internal security of the company, so possible, yes. And it would require criminal energy, because the technician would commit a crime.
I consider this risk very low, because of the high likelihood it would be detected, at least if committed on a big scale.

> Turn it any way you want, data/communication either is secure or it's not, period. There is only one sensible meaning of security, namely "only the legitimate parties can open/read"

Turn it any way you want, companies are subject to the jurisdiction of the countries they are based in. If you want to be independent from this "threat", you need to run your own software or service. Every western democracy allows this. Then -- maybe -- you can guarantee that always and under all circumstances only the "legitimate parties" can open/read, and call it "secure", after your definition. But when you use the service of companies like WhatsApp, you need to face that there is not only the tech, but the law as well.

> a) really dangerous threats won't use those systems. The ones trusting and using it are small fish and/or idiots.

Criminals that are not lazy and careless, and don't make mistakes, will hardly be caught. But that's not the reality. Or otherwise said: It's absolutely ok when only the "idiots" are caught. That's not a bug, that's a feature.

> like most western countries, where obedient, lazy, "judges" basically rubberstamp whatever any agency comes up with.

You must have missed the Snowden files showing the clashes between FISC and NSA/USG. The FISC is no rubberstamp. Oversight works quite well in western countries, especially in the U.S.

ab praeceptis • January 24, 2017 9:23 PM

Rolf Weber

> It needs the service provider, who can check the request whether it is lawful and not too broad, and can challenge it.

For a start that is a problem that governments co-created. One could, for instance, have made laws requiring ISPs to check packets for faked headers (mainly a false source).
As for the "can check the request" you are, I'm feeling, entering the realm of fairy tales. Even without NSLs, the equivalent of nuclear bombs, your statement doesn't hold. Try that and the gov goons would tell you "it already has been checked by a judge" and that by now, it's not a proposition but an order the provider has to comply with, period.

> the technician would commit a crime. I consider this risk very low, because of the high likelihood it would be detected, at least if committed on a big scale.

No, actually not. Just have a look at CAs. Many of them don't meet even minimal requirements of OpSec. I do not see any reason to assume that just-any-provider would do better than CAs which are after all considered "high-sec".

> call it "secure", after your definition.

I think this shows the problem quite well. It's not *my* definition; it's not that everybody can have its own definition. Your statement is about as reasonable as saying that 3+2=5 unless someone needs it to temporarily be 12.

Well noted, I do *not* discuss whether states or gov agencies should or even must have access to any and every communication or data they deem to be relevant e.g. for national security. That may or may not be the case but that's an entirely different discussion.

I'm discussing about what security is. And anything that can be temporarily "unlocked" - usually without the target/victim even knowing to make it even worse - is *NOT* security.

And btw, if ever any spook in my country dared to do that with me I'd hunt him down like a wild dog. I'd start a private war.

Just look at those men who have spent decades in a prison because some cops played games or judges or prosecutors were crooked or lazy or incompetent.
How do you compensate for that? No amount of money will make 60-year-old men 30-year-olds again. No amount will give them children, a career, etc.
I've yet to see the guilty cop or judge being dispossessed and put at the mercy of his victim. Usually they get away with a slap on the hand, if that.

Now, go the next step to see what you are asking for (state players rarely do). You demand that it shall be possible to eavesdrop, copy, whatever confidential data and communication from everyone at any time, period.
Sure you put nice garments on it, things like judges needing to sign and the companies being obliged to otherwise properly protect those data, communications or whatever. But what you demand, no matter how nicely dressed up, is to put any and every data and communication at the will of gov. people.

I find it *very* significant that you don't spend so much as a single thought on protecting the citizens, not even about informing them post-facto (that would disturb your comfort). Nothing. All you're interested in is "how can we get at those data/communications?"

THAT is criminal. There is no difference whatsoever between you/gov spooks and a plain bank robber. Both of you don't care shit about the victim or its rights; both of you *only* care about what you want.

Next part: If data/communication is not secure - and that is what you want - then all floodgates are open.

You want to replace security with a fake and put the whole thing into the worst hands known, into gov. hands. And you want to lie about it; you want to tell the citizens a fairy tale about being secure while, in fact, in your system they would have no security at all.

In your system sensitive data of companies, of citizens, even of gov. could and would be stolen every day and nothing would be secure.
That just so happens to be quite exactly the current situation. The reason? In all those years clueless control-maniac freaks with gross disrespect for law and citizens had the say.

Time to change that.

Rofl Rabmo • January 24, 2017 10:09 PM

> And btw, if ever any spook in my country dared to do that with me I'd hunt him down like a wild dog. I'd start a private war.

You drew first blood!!!

Sancho_P • January 25, 2017 10:33 AM

@ab praeceptis

Good points @Rolf Weber.
I’d like to add two remarks:

1)
> ”But what you demand, no matter how nicely dressed up, is to put any and every data and communication at the will of gov. people.”

and:

> ”You want to replace security by a fake at put the whole thing into the worst hands known, into gov. hands.”

Now the “worst hands” might sound strange, but we must take into account that most governments are far worse than our own (western) plutocracies. Giving them power over communication is paving their path to a cruel fascism (watch Turkey!).
Many people’s thinking is focused on their own small world, e.g. cozy Germany, but they don’t have other cultures in mind.

+ Gov are ordinary people, stupid and evil as the average of mankind.
They also can’t hold secrets, as history has proven.
We probably could trust them in their intent, but not in their deeds.
All their knowledge and methods will end up at the real criminals.

2)
> ”And anything that can be temporarily "unlocked" - usually without the target/victim even knowing to make it even worse - is *NOT* security.” (my emph)

This is my personal pet, however, I’ve never heard that in any discussion:

It must be our first priority to educate people.
This starts with kids but doesn’t stop at adults. Only well educated, open minded people are successful, adapted and useful in our community.
Education needs good arguments, example, patience, rules and control.

The LEO’s focus is on control, but it’s confused with eavesdropping (and incitement).
This is paramount: Control = Check + Act
So control isn’t about silently, hidden and cowardly listening and spying.
To control, someone must have the guts to stand up and say “Stop it, you are at the limit, we’ll have an eye on you”.

That said, if they find someone suspicious, the very first step must be to openly confront that person with their suspicion. This must be done by an official note and personal conversation about what both sides see as fact.
A judge must be consulted to decide an open warrant to tap whatever and to automatically inform all partners of any wiretapped conversation (remember the ‘crck’ in POTS time, but more openly).
A time for a second conversation with the judge, probably to end the surveillance, must be given.

Only then people know that their (or their partner’s) behavior is at the brink, they are being checked, they can challenge it, educate others, and probably learn to behave in society.

Mass surveillance is the wrong direction, we must go into individual control.

ab praeceptis • January 25, 2017 11:02 AM

Sancho_P

> but we must take into account that most governments are far worse than our own (western) plutocracies

Some years ago I would have agreed without thinking much about it. Not anymore though.

Example germany: While blabbering nice-sounding democracy blabla, de facto they not only ignore the law but the constitution too. Moreover they stigmatize and even punish citizens who dare to speak their mind.

Example Russia: Remember pussy riot? I mean that was about as anti-government and as anti "dictator" Putin as it gets.
Well it turned out that pussy riot got frequently financed by the government which explained (then under some pressure) that, well, it's in the nature of art to not always be convenient.
Also Putin usually gets around 70% or even 80% in polls. Well noted, in polls made by organisations well known to be anti-Putin.

You'll have a hard time in germany to find 80% of the people on the streets to be content and happy with *all major parties combined*.

*That*, the people, I think is the final measurement that counts.

I think we in the west (read: in the us and its colonies roughly equating nato) are brainwashed and indoctrinated all our lives plus, as a second factor, we rarely get real news and information. So I tend to be very careful when judging other/not-western countries.

Last but not least I came to think that democracy *can* be the best system - if properly balanced and credibly controlled. If not, however, it can - and I think in quite some cases did - turn into a really heinous form of dictatorship, albeit nicely dressed.

Clive Robinson • January 25, 2017 11:58 AM

@ ab praeceptis,

> If not, however, it can - and I think in quite some cases did - turn into a really heinous form of dictatorship...

As one Russian leader once put it,

> "The people who cast the votes decide nothing. The people who count the votes decide everything." -- Joseph Stalin

But that is just part of why democracy fails, you can only vote for those allowed on the ballot paper, and in some voting systems (PR) you vote for a party not a representative, then the party gets to decide who gets their share of the vote to supposedly represent you.

But there are other fiddles, we have just seen one. In a First past the Post system with really only two main parties you can force one side to lose by simply splitting their voters. In a near 50:50 election just taking four or five percent of one party's voters away from them will guarantee that the party will lose.

In essence Donald Trump proved to the GOP that he could and would make them lose by taking their voters. Thus he gave them an option: make me your candidate of choice or have Hillary in the White House for one or two terms.

Thus the Republicans crumbled and Donald Trump is President... Now the real question becomes can the Republicans "pull him in" or will he "run wild". They have to be careful as now he's President Donald can do a lot and if either house tries to block him, he can queer their pitch for the elections in a couple of years.

This has real entertainment potential especially as Donald Trump is not really a Republican...

Sok Puppette • January 25, 2017 1:54 PM

Yeah, I lost a lot of respect for you and a lot of other people over your signing onto that Tufekci letter. The letter was worse than the Guardian piece. It's one thing for a newspaper to publish sensationalist stuff. You expect that. It's a different thing for people who claim to be security experts to defend big holes in things like identity-to-key binding.

If server compromise or phone number compromise were actually a "remote" letter, there'd be no need for end to end crypto in the first place.

Sok Puppette • January 25, 2017 1:55 PM

Grr. Should have been:

If server compromise or phone number compromise were actually a "remote" THREAT, there'd be no need for end to end crypto in the first place.

Dirk Praet • January 25, 2017 2:25 PM

@ Sancho_P

> Many people’s thinking is focused on their own small world, e.g. cozy Germany, but haven’t other cultures in mind.

I don't think Germany is a very good example. Given their past, the average German citizen is very concerned about any form of surveillance and encroachment on civil liberties. Which they were also very vocal about in the wake of Snowden's revelations. Admittedly, the reaction of the Chancellery was significantly different, but I have never understood how of all people on this forum a German could become the fiercest supporter of the total surveillance state.

@ ab praeceptis

> I think we in the west are brainwashed and indoctrinated all our lives plus, as a second factor, we rarely get real news and information.

Look for media governments rail against or news outlets whose journalists are being prosecuted, imprisoned or shot. Subscribe to their RSS feeds. Avoid anything Murdoch.

@ Clive

> Now the real question becomes can the Republicans "pull him in" or will he "run wild".

They've already proven they can't (or won't) rein him in. Neither McConnell, Ryan nor Priebus did anything to stop him. I currently see only a few vocal opponents like McCain, Graham and perhaps Rubio. The best way to describe the rest is something like "Vichy Republicans", more concerned with preserving their own positions than with the interests of party and country.

Sancho_P • January 25, 2017 4:26 PM

@ab praeceptis

I don’t want to go too far into politics, so I try to make my last remark here
(though I may have understood your ”measurement” wrong, if so, I apologize):

What would have happened to Pussy Riot in, say, Iran or Pakistan?

In “cozy” states they will harass you using taxpayer’s (your own) money.
In other states instead whole families would disappear within one day if they find out before it gains publicity:
https://www.wired.com/2017/01/social-media-made-world-care-standing-rock-helped-forget/
Standing Rock is possible only with high tech, educated people and uncensored social media, but not in undeveloped countries (at least 1/3 of our planet).
Have you once been to Congo or Sudan?
Even considering to give them power to access comm-content is immoral.

@Dirk Praet

Germany was taken for Rolf Weber’s apparently cozy (?) view of the world.
I guess as long as Germans have their Weißwurscht and Bier (or Hering and Pils) they trust Mummy and their Gang.
And they have all reason to do so.

Clive Robinson • January 25, 2017 7:05 PM

@ Dirk Praet,

> They've already proven they can't (or won't) rein him in.

The question in both cases is "Why not?", which as @Wael has pointed out is one of those awkward "why" questions.

Whilst many US politicos are without doubt nest featherers, it's too soon to call on that. There are other possibilities including "inertia" and "letting him run" etc which all give rise to a "Honeymoon period".

It could be argued that an astute political operator is "letting him run" to either run out of steam to then be "reeled in" or until he drops the proverbial, thus can be seen by all as something to be disposed of promptly. For which there is the impeachment path, but history shows it's a card to play with care especially "against your own", and unlike the Russia claims, will require "extraordinary evidence" not innuendo and filibuster.

But the nest feathering behaviour is one we have seen in the past so many times that it's become a meme in its own right. So it's entirely possible the GOP is sitting on its hands currently for a reason. The question then is which reason might it be of the several possible...

The most obvious --thus probably wrong-- reason would be the next stage of the election cycle. History shows that a US President, whilst not a figurehead, is constrained in a number of ways by the other elected representatives who can significantly modify, delay indefinitely or outright deny a President's policy objectives. However such behaviour earns public disapprobation which affects near future votes, thus as in much that is political a calculation has to be made. The 2018 midterm elections are thus something that will be on Republican minds especially with the "gerrymandering opportunity" of the "redistricting"[1] following the 2020 census adding more spice than normal. So the Republicans do not want an inappropriately timed backlash against the "new third way" President who is Republican in name only, but is currently seen as a "vote getter" for them. Thus short term and long term aims and objectives have to be balanced if the GOP wants to get itself to a position it wants, not one that is yet again expedient.

I'm only partly joking when I say that I think some of the Older GOP members would see a Presidential Assassination as the best option if timed right, as it would avoid the cannibalism look of impeachment whilst also riding on the sympathy vote.

[1] https://en.m.wikipedia.org/wiki/United_States_redistricting,_2022

Clive Robinson, January 25, 2017 8:07 PM

@ Sok Puppette,

The problem I see is that both the newspaper article and the letter are just distractions, when you consider the real "elephant in the room" which is the lack of end point security. Until that is addressed the "fail safe -v- user experience" argument is a little like "rearranging the deck chairs on the Titanic": whichever way you look at it the ship is still sinking, and the right or the wrong of the deck chair arrangement is not going to change that.

Both sides have in my point of view "over egged their puddings" and thus there is overstatement by both parties in the matter.

A more honest approach by both sides is thus called for.

Is the WhatsApp method secure in and of itself? No. Is the WhatsApp method fail safe? Definitely not. Does the WhatsApp method do anything about host platform security? No, nothing at all. Is Signal any better? No, not really; it is not secure either, nor is it ever going to be, nor is any other similar app.

Put simply, you cannot build a traditional castle without being on bedrock. Smart phones, pads and most other current convenient user devices are more like quicksand than bedrock. Thus you need to solve the foundation problem long before you start to build the castle, otherwise your efforts will sink from beneath you.

Thus the first thing users really need to learn is that both WhatsApp and Signal are not giving you real security, only partial communications security. All they are doing is giving you a measure of privacy against some but by no means all low level attackers. They are like having your letters delivered by armoured car to your front door with a fancy electronic lock on it. Whilst they look great and attract attention, they will not stop a peeping tom looking through your windows or keep out anyone getting in by any other opening such as the back door, garage door, windows etc. and copying your letters...

ab praeceptis, January 25, 2017 11:38 PM

Sancho_P

"The average German is far from being concerned re surveillance."

Pardon me, but the average German is about as stupid as the pizza he eats. Well noted, that is in no way a racial remark or about genetics or the like. It's simply the result of decades of stupidization.

Formerly Germany had a three-stride education system. First, the basis, was "Grundschule", for everyone for 4 years beginning at age 6. After that there was either 4 years "Hauptschule", typically followed by an apprenticeship in some company. Or one went 5 years to "Realschule", also typically followed by an apprenticeship. Those 2 were what produced the world renowned and quite capable workers and employees. The major difference being that Hauptschule was usually suggested at the end of Grundschule for those kids who either evidently had some artisanal or crafts talent or those who were considered not smart enough for the other 2 strides. Realschule was considered as something better and typically produced office and administration employees or smarter craftsmen.
Finally, the third stride, "Gymnasium", was for those who were either deemed intelligent enough by their teachers or by their rich parents (there was a joke along the line "dentists' kids are always gifted!"); the goal was to go to university once one was done with the 9 years of Gymnasium and had his "Abitur", which was the needed ticket to enter university.
Depending on the state and other circumstances, one would typically need a teacher's recommendation to enter the screening tests for Gymnasium, though legally everyone was entitled to try it. Mainly depending on the state, about 20% to 50% passed that test and went to Gymnasium. Bavaria, for instance, was considered hardcore while some northern states were considered more lenient and some mainly city-"states" were considered a free trip - and worthless. Having a "good" Abitur in Bavaria was considered far better than a "very good" one in, say, Hamburg.

Well, Germans are Germans and so they, of course, noted down and saved everything in their archives. Tests, test questions and tasks, results, averages, just everything.

In the late '60s the political "left" began to see election candy in that well proven system that had delivered excellent results. So they began to make a lot of noise about "social injustice" and that everything needed to become more "equal" and "fair", insisting that the old system gave major advantages to the rich - which was utter bullshit.
In short, they began to dismantle the good school system and to create a worthless, purely politically driven one.

Remember me telling you that the Germans kept records of everything? The reason is this: such we can - and some did - look at examination tasks then and now, and at different school types.
The results are shocking. Nowadays they have PhDs who have difficulties writing and calculating. Even a "Dr." doesn't mean a lot. Then, say 40 years ago, in the "evil, unjust" old system, the Germans were known to be among the best engineers, doctors, craftsmen, welders, nurses, whatever, you name it.

In fact, recent research shows that a considerable part of today's freshmen at university would utterly fail to pass the tests that one needed 40 years ago at the end of Hauptschule (the simplest and shortest stride for the "less gifted").

Long story, apologies, but I felt some background was needed to support my entry statement. And indeed one can conclusively show that the Germans have been willfully stupidized.
Such they are also in an "optimal" condition to soak up all the system propaganda.

It can actually be funny at times. Right now, for example. After being taught for decades that US Americans are basically the heroic Übermenschen who never do wrong and whatever they do is smart and for the better of the world, imagine the situation in German living rooms when Merkel suddenly declares Trump's USA less than perfect and when, in fact, the German mass media and politics try to change towards a USA-critical position! Hilarious if one has some sense of humor.

But it gets even better. Trump says things that are quite similar to what "evil ultra-rightists" have said for years. In former times, of course, it was very easy to just declare them "Nazis!" and stigmatize them into quietude and, more importantly, to keep citizens away from thinking or, god forbid, joining those evil rightists!
While that may sound funny, it wasn't at all. "Evil rightists" could even end up in justice farces and see their lives more or less destroyed.

Now, however, those "evil rightists" have a trump card. All they need to do is to say that their position is very similar to the US American president's one and that they just repeat what Trump says - which, by definition, is good in German thinking (after all the indoctrination).

Now, quite some Germans are awakening and beginning to recognize that they have been duped, stupidized, and basically kept like cattle, albeit in a rather cozy looking barn.

Dirk Praet, January 26, 2017 9:17 AM

@ ab praeceptis

And indeed one can conclusively show that the germans have been willfully stupidized.

The "dumbing down" of the education system you describe can be observed pretty much all over Western and Northern Europe as an unintended, but very real consequence of lowering the bar to better accommodate children from disenfranchised families and those with a migration background. I've seen it myself with the daughter of one of my exes, who after completing primary school was still hardly able to read cartoons or write her own name. Which I and many of my generation were already doing in kindergarten.

We can however debate to which extent this was done on purpose to - as you say - willfully keep or make people stupid. From an economic vantage, it makes little sense. I do however agree that US propaganda, especially in West Germany, has always been rampant and to date is still very much present in German MSM. Germans, as a people, and due to their economic prosperity, may have become quite complacent, but there is no denying that they are slowly waking up to the smell of brutal new realities brought about by Snowden, Merkel's questionable immigration policies and the rise of Trump. How this plays out will become a bit clearer after the upcoming elections.

Rolf Weber, January 26, 2017 9:42 AM

@ab praeceptis

Only a short answer, I'm currently pretty busy.

No amount of money will make 60-year old men a 30-year old again. No amount will give him children, a career, etc.

And what's your point? Because surveillance can be abused, and sometimes is and was, you want to abolish it. Is this your logic?
And because police sometimes commits wrongdoings, you want to abolish police? Same for justice. Same for governments at all.
Maybe you like the idea of an anarchy, I don't. I'm quite happy with our western societies. I realize police is necessary, and that they have the right for eavesdropping when there is probable cause. You don't. I doubt we will ever find a common ground.

Now, go the next step to see what you are asking for (state players rarely do). You demand that it shall be possible to eavesdrop, copy, whatever confidential data and communication from everyone at any time, period.

No, I want that they can compel companies under their jurisdiction to respond to lawful requests. No more, no less.
For example, I realize that this will hardly be possible if a suspect uses e.g. Signal. I have no problem with that. I don't want to outlaw strong encryption, I don't want that governments can read everything. As I told you, it's good enough for me when only lazy idiots who use WhatsApp are caught. I don't want more.

But it cannot be that criminals and terrorists just use cozy mainstream tools like WhatsApp and are safe even from law enforcement with a warrant. Governments will not tolerate this in the long run, believe me -- and I absolutely support governments here.

ab praeceptis, January 26, 2017 10:50 AM

Rolf Weber

Actually I would even be OK with security agencies being able to crack *all* communications. I *do* see the necessity for them being able to do their job.

The problems in my minds eye are the following:

- Full information of the citizen immediately afterwards. Incl. detailed information of why he was eavesdropped and exactly and completely what has been eavesdropped.
- In case the citizen turns out to be innocent and wrongfully suspected, those in charge are to be punished - and in adequate ways, i.e. for example, nude photos of them and their wives and bank account information are handed to the victimized citizen. It must be *painful* for two reasons: a) they must think twice before intruding into the private sphere of citizens and b) they must experience themselves what they do to others.
- Any and all information must be annihilated as soon as it becomes clear that the citizen was wrongfully suspected or after he has been in court and the case is closed.
- Any and all unrelated information must be deleted immediately; failing to do so will automatically and without any ifs and buts terminate the jobs of all involved.
- All persons victimized, e.g. any contacts, must be informed in full.
- Any order to eavesdrop must be signed not only by judges but also cleared by civil advocates (e.g. as not overly broad).
- any public servants knowing the victim even remotely must be excluded from the operation.
- all public servants operationally involved must go through tough checks, both psychological and background, once a year and must pass 100% clean.


Short version: I want them extensively examined and *brutally* punished for even the slightest abuse.

Looking at the reality we find that complete assholes who just happen to have a badge, and judges one can't trust at all and who are more than willing to bend over, are grossly abusing their power and ignorantly victimizing citizens who then are quite helpless.

THAT is the problem. And the fact that "but we must be able to trace baby killing brutal terrorists!" is consistently abused by LEA people who often enough are worse than the hunted civilians.

I have reasons for my position. When I was a *very* young man I once was woken up by loud knocking. Opening, still sleepy, I looked at 4 or 5 cops and right into 2 barrels. They temporarily arrested me, turned my apartment into a trash bin, refused to tell me *anything* and then left just saying "It's OK. You are free again" without any explanation whatsoever.
When I called the police headquarters they laughed at me and told me to shut up.

Happily enough I had certain means and contacts. Some days later my lawyer told me the reason for that horror event: some elderly neighbour who saw me frequently coming home in the morning had "informed" the cops that I might be a terrorist because I slept during the day. Seriously. Btw. I was working at night then, simple as that.

From then on I spent some years to hunt down those cop animals as well as the rubber-stamping judge. The cops I got; they were graded down and punished. The judge I didn't get; the system protected him too well, he basically had carte blanche because one judge doesn't go against another judge. We had to arrange something different to have him punished adequately (read: very hard). Later it turned out that that "judge" pig was the man to go to for corrupt cops as he would stamp just about everything.

And you are asking me to give those animals the power to break encryption (or demand it be broken)? Think again.

Wael, January 31, 2017 11:33 PM

@ab praeceptis, @Rolf Weber,

Come on guys! What's the verdict? I said I'll watch passively, but the show is not on! Do I have to wait till next season? I'm running out of patience!

@Rolf Weber,

I'll do my very best. :-)

Not good enough. Even BND won't be able to crack it.

Wael, March 24, 2017 8:17 PM

@ab praeceptis,

Nope, that discussion is not even necessary.

I don't believe you.

@Rolf Weber,

I'll do my very best. :-)

What's the matter? Not enough GPU processing power? Add a few thousand more cards... perhaps you'll crack it within the next two months (it's not words you'll find in a dictionary, though)

You guys haven't brought this discussion to a closure. I'm running out of patience! It's been two months already.

I'll give you a week then I'll reveal my prediction :)

suffocated_several_times, March 26, 2017 12:00 AM

Been waiting with bated breath for that ;-) Still have a few lives left, I hope.

@Moderator cc: @Bruce
Private suggestion box for those of us who prefer not to use email? I recognize that's yet another additional workload, but perhaps it could be assisted by the already existing analytics.

Valentino, March 29, 2017 4:46 PM

@suffocated_several_times

Why not just use a disposable email account, no registration required, to send the suggestion to him? Failing that then why not leave a comment in the blog?

If you're concerned about privacy/security you could use Bruce's PGP key to encrypt the message and email it to him. [1]

The only other alternative would be a system like SecureDrop; this would have the added benefit of allowing whistle-blowers to anonymously submit information to Bruce. He may be too busy to siphon through all the information he may or may not receive - I don't know.

[1] As an example, and obviously the below isn't real ciphertext, a truly paranoid person could leave an anonymous tip/suggestion by encrypting it with his PGP key and leaving it in the blog. It'd be very labour intensive for him if lots of people did this but it's the only other way of doing it anonymously.

It's quick, convenient, secure and meaningless to anybody who isn't in possession of his key:

d374+rphX4dgMaqnSc18TSH1k1GmXX/5OLCU5pno1Zu8qmzOlDSTelBM0lsBzDcD4jTCI0BDldbO769zDfhxmCwMKwEE8EI+CxXFR6AKIj0qzxlF/IBPt4asl8XfmewwZodJH9GJE6rCwuaY8x2LgYV3KeyAFTlEOowkGQp63oJ2i9uRHdji

Instead of using Lorem Ipsum I generated some random text but you get the general idea on how you could deploy such a scheme. It's making sure he sees the person's suggestion which is problematic.
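The scheme Valentino sketches above (encrypt a tip to the recipient's PGP public key and paste the ASCII-armored result into a comment), shown as an added shell example that is not part of the original comment or of this site. It uses GnuPG as the OpenPGP implementation; a throwaway keypair in an isolated keyring stands in for the real recipient's key (the address tip-recipient@example.invalid is a hypothetical placeholder), and it assumes gpg 2.1 or later so that loopback pinentry with an empty passphrase works non-interactively. The message is constructed sample text.

```sh
#!/bin/sh
# Added example: armored OpenPGP encryption of a short tip to a public key,
# followed by a decrypt round trip on the recipient side. Not the site's code.
set -eu

# Isolated keyring so nothing here touches the user's real ~/.gnupg; the agent
# that gpg starts for it is killed and the directory removed on exit.
export GNUPGHOME
GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# Hypothetical recipient; in practice this is the key holder's fingerprint.
recipient="tip-recipient@example.invalid"

# Recipient side (simulated): generate a throwaway key with no passphrase.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key "$recipient" default default never 2>/dev/null

# Sender side: encrypt a message to the recipient's public key and emit
# ASCII armor that can be pasted into a comment box. --hidden-recipient
# leaves the key ID out of the packet header, so the ciphertext alone does
# not reveal who it was encrypted to. Prints the armored ciphertext.
encrypt_tip() {
    printf '%s' "$1" | gpg --batch --quiet --armor --trust-model always \
        --hidden-recipient "$recipient" --encrypt
}

# Recipient side: read armored ciphertext on stdin, print the plaintext.
decrypt_tip() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' --decrypt 2>/dev/null
}

# Round trip on a constructed message.
msg='Suggestion: add a SecureDrop instance for anonymous tips.'
ct="$(encrypt_tip "$msg")"
case "$ct" in
    *'-----BEGIN PGP MESSAGE-----'*) ;;
    *) echo "armor header missing" >&2; exit 1 ;;
esac
pt="$(printf '%s\n' "$ct" | decrypt_tip)"
[ "$pt" = "$msg" ] || { echo "round trip failed" >&2; exit 1; }

# What would actually be pasted into the comment:
printf '%s\n' "$ct"
```

Note that the armor hides the recipient only because of --hidden-recipient; a default `gpg --encrypt` embeds the recipient's key ID, which is harmless when the key is public anyway but worth knowing when the point is deniability. The ciphertext is also the same length order as the plaintext plus a fixed header, so a one-line tip and a ten-page one are distinguishable by size alone.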
