Readit News logoReadit News
WireWrap commented on Encrypted email is still a pain   incoherency.co.uk/blog/st... · Posted by u/jstanley
schoen · 9 years ago
EFF has criticized WhatsApp for being closed source, but not for this particular aspect of the key exchange functionality.

Because of the history around how WhatsApp was criticism over this and some of the apparent results of that criticism, tptacek particularly doesn't want people to conflate "there is something bad, unfortunate, or inadequate about WhatsApp" with "WhatsApp has a 'backdoor' in its key exchange" (and I understand that!).

WireWrap · 9 years ago
> EFF has criticized WhatsApp for being closed source, but not for this particular aspect of the key exchange functionality.

The articles I've seen appeared carefully worded so as to achieve some balance, but did express some criticism and concern.

"Nevertheless, this is certainly a vulnerability of WhatsApp, and they should give users the choice to opt into more restrictive Signal-like defaults." from:

https://www.eff.org/deeplinks/2017/01/google-launches-key-tr...

Key change notification concerns paragraph from:

https://www.eff.org/deeplinks/2016/10/where-whatsapp-went-wr...

WireWrap commented on Encrypted email is still a pain   incoherency.co.uk/blog/st... · Posted by u/jstanley
tptacek · 9 years ago
By making the discredited argument that WhatsApp's key-change behavior is a fatal flaw, you're disagreeing with:

* The EFF

* Moxie Marlinspike

* Matthew Green

* Bruce Schneier

* Isis Lovecruft from Tor

* the grugq

* Matt Blaze

* Avi Rubin

* Steve Bellovin

* Joseph Lorenzo Hall

* Bart Preneel

* Peter Honeyman

* Jon Callas (who cofounded PGP Corp)

* Paulo Barreto

... and about 50 more experts equally respected in the field if less known to the typical HN reader.

WireWrap · 9 years ago
> By making the discredited argument that WhatsApp's key-change behavior is a fatal flaw, you're disagreeing with... and about 50 more experts equally respected in the field if less known to the typical HN reader.

No, the vulnerability was confirmed and the argument that it represents a fatal flaw for those needing fully secure communications is sound. No one competent (and intellectually honest) has disputed this, or would even try to do so. The open letter itself acknowledges it, and I know every open letter signer I followed did so as well.

What the open letter did was take issue with the language used by The Guardian, point out the potential for such language to scare some people into less secure solutions, and argue that the vulnerability is a reasonable trade-off for convenience that can benefit some users too.

WireWrap commented on There is a WhatsApp 'backdoor'   tobi.rocks/2017/01/there-... · Posted by u/t0b
WireWrap · 9 years ago
> Signal does not have this vulnerability, but WhatsApp has it.

That might need a footnote or something. TheGuardian is reporting: Moxie Marlinspike of OWS said Signal planned to make blocking notifications an option for some users and use non-blocking notifications by default.

https://www.theguardian.com/technology/2017/jan/14/whatsapp-...

WireWrap commented on SpiderOakONE – Zero Knowledge Cloud Storage   spideroak.com/solutions/s... · Posted by u/ergot
rarrrrrr · 9 years ago
Thanks for your feedback.

Just as a data point for comparison, Dropbox charges $100/year for 1000 GB, but they don't do meaningful encryption, and therefore can de-duplicate your files vs. the files of all their other customers, which significantly reduces their storage costs (and allows for some entertaining information leakages!)

SpiderOak charges $120/year for 1000 GB.

Edit to add: SpiderOak deduplicates files within a single user's account (i.e. copies are free, and if you add another layer to a photoshop file and re-save, it won't take up the full space to archive both versions) but it is not possible [1] for us to deduplicate data across multiple users.

[1] https://spideroak.com/articles/why-spideroak-doesnt-deduplic...

WireWrap · 9 years ago
How do you "dedupe within a single user's account" without violating "zero knowledge"?
WireWrap commented on WOT is selling your PII and browsing history   lifehacker.com/web-of-tru... · Posted by u/_yoqn
stowawaywot · 9 years ago
I have seen the data the article talks about. For more than 99 % of the URLs, there was NO "cleaning" performed whatsoever, instead they just used the raw URL and made it thus accessible to anyone who bought the data. Some of these URLs included sensible session information, password reset tokens, e-mails or private links to content hosted on Dropbox / Google Calendar / Google Drive and similar web services.

Also, WOT is not the only extension doing this, the company behind it has hundreds of other extensions and mobile apps that perform the same kind of data collection, capturing several percent of the entire Web traffic in total (in Germany alone, almost 3 million people were spied upon using this technique).

Browser vendors really need to change their attitude towards extensions, as they basically allow users to install malware/spyware in their browsers without performing any real certification / auditing. At the very least there should be a way for users to see a full audit log of the information that an extension sends to remote servers, as this is usually already enough to tell if the extension is sending more data than it should.

Also, anonymization should NEVER be done on the remote end, but always at the source, as there is no way to guarantee that it will happen otherwise (as WOT proves).

WireWrap · 9 years ago
> Browser vendors really need to change their attitude towards extensions, as they basically allow users to install malware/spyware in their browsers without performing any real certification / auditing.

Browser vendors have already increased restrictions on extensions to the point where it impedes the development and use of some security improving extensions. There may be some things that could be changed to improve transparency and end user control. But it is ultimately the end user's responsibility to determine what is and isn't appropriate for their use. Browser vendors don't have enough information to make that call.

> At the very least there should be a way for users to see a full audit log of the information that an extension sends to remote servers, as this is usually already enough to tell if the extension is sending more data than it should.

Which of the popular browser's don't have the ability to display network traffic? I've used the one in Chrome and the one in Firefox on multiple occasions.

Normally, the problem isn't detecting that an extension is sending data to a server. The problem is that people don't look for that and discover it. Or they discover it and tolerate it based on a hope that the data will never be misused. Cloudy judgement.

WireWrap commented on How ‘strong anonymity’ will finally fix the privacy problem   venturebeat.com/2016/10/0... · Posted by u/endswapper
WireWrap · 9 years ago
If "You can be very sure that the anonymous person you communicated with last week is the same anonymous person you are communicating with and potentially transacting with today." that person DOESN'T have strong anonymity.

If "You can be very sure that any transaction you make cannot be disputed." then you DON'T have strong anonymity.

WireWrap commented on Adblock Plus now sells ads   theverge.com/2016/9/13/12... · Posted by u/mariusavram
ptero · 9 years ago
I hope their ads are small unobtrusive and easy to detect, so that another ad blocker can easily remove them :)
WireWrap · 9 years ago
https://adblockplus.org/forum/viewtopic.php?f=12&t=45876

||acceptableserver.com^ and might as well ||combotag.com^

WireWrap commented on With Windows 10, Microsoft Disregards User Choice and Privacy   eff.org/deeplinks/2016/08... · Posted by u/DiabloD3
whatareyoureal · 9 years ago
Should have just branded it Windows 7 SP2. But I guess everyone expects MS to support multiple branches of code forever.

These discussions always avoid talking about the merits of data-driven design and always assume malicious intent.

WireWrap · 9 years ago
> These discussions always avoid talking about the merits of data-driven design and always assume malicious intent.

Perhaps because most of the time the implementations do some harm, the doing of that harm is by design, there are ulterior motives, it is forced upon users, and the representations made to users are intentionally vague and misleading.

A simple litmus test: Is telemetry opt-in?

WireWrap commented on UK surveillance bill includes powers to limit end-to-end encryption   techcrunch.com/2016/07/15... · Posted by u/wjh_
tetrep · 9 years ago
I think this same logic that is purportedly the reasoning behind this bill would also require us to constantly record all of our vocal communications, as that would be the only way we could ensure that criminals could not have communications that aren't accessible to law enforcement.

This, of course, would require microphones on all citizens as well as many more in the surrounding environment, to ensure communications of unwilling citizens can be monitored as well. And, of course, we'd need video as well to get those pesky sign language users[0].

These sort of bills always make me wonder if we'll ever see a moral stance taken by tech companies. There's a few skirmishes that happen every now and then but there doesn't seem to be any general consensus on what companies will tolerate in both themselves and their business partners. I'd love to see a "Fair Trade"-esque branding used as an indication that the product and its supply chain don't include actors who support government surveillance.

[0]: OT, but it makes me realize you can literally make illegal gestures due to https://en.wikipedia.org/wiki/Hate_speech_laws_in_the_United...

WireWrap · 9 years ago
I think they'd have to monitor and restrict thoughts or at least be able to extract memories. The frightening thing is: if there ever comes a time when such technology is available, they will try to use it.
WireWrap commented on Why you should bet big on privacy   techcrunch.com/2016/05/17... · Posted by u/oulipo
rhindi · 10 years ago
Author here!

I am the founder of https://snips.ai. At Snips, we are building an assistant that is private by design: what I describe in the article are things we actually work on today :-)

Happy to share my thoughts on it and contribute to the debate!

More details about what we do:

Like the big software companies (the G, the A, the F, the M), we want to build an AI to help you get what you want more effectively.

But we believe this can only be done if we take care of people privacy: your AI should ultimately know your favorite restaurant, your girlfriend’s name, but also your health record and everything else you might not always feel comfortable sharing with the world at large.

This is why an AI alter-ego will have to work with privacy-by-design. You should not have to trust any company whose CEO might soon be replaced by another not as trustful one.

We think about your data as your most intimate and valuable property, and we want to use it without compromising its safety!

WireWrap · 10 years ago
> your AI should ultimately know your favorite restaurant, your girlfriend’s name, but also your health record and everything else you might not always feel comfortable sharing with the world at large.

No. It should know what the user wants it to know. Which may or may not be those things.

W

u/WireWrap

KarmaCake day96January 4, 2015View Original