Readit News
svkkfnisgkcn3ta commented on Facebook has a mysterious team working on tech that sounds like mind reading   businessinsider.com/faceb... · Posted by u/pmcpinto
svkkfnisgkcn3ta · 9 years ago
Relevant:

Eben Moglen - Why Freedom of Thought Requires Free Media and Why Free Media Require Free Technology

Video [0] https://archive.org/details/EbenMoglen-WhyFreedomOfThoughtRe...

Transcript [1] https://benjamin.sonntag.fr/Moglen-at-Re-Publica-Freedom-of-...

svkkfnisgkcn3ta commented on WhatsApp backdoor allows snooping on encrypted messages   theguardian.com/technolog... · Posted by u/katpas
unfortunateface · 9 years ago
On a completely unconnected note, what was the name of that technique that GCHQ uses to disrupt online forums and subtly undermine people's reputations?
svkkfnisgkcn3ta commented on WhatsApp backdoor allows snooping on encrypted messages   theguardian.com/technolog... · Posted by u/katpas
antocv · 9 years ago
Good question.

Stock Android does not, by inspecting network traffic, contact Google servers.

Google Play services and other GApps do, and they can be exploited in this traffic, or told by Google to activate other backdoors.

Signal with GApps, Google can know which phones, and which users, are using Signal, that's a security vulnerability. Google can infer from their Google-messaging thing, that notifications are sent, and have a high probability of knowing if it is to Signal. Who talks when is leaked to Google.

svkkfnisgkcn3ta · 9 years ago
>Stock Android does not, by inspecting network traffic, contact Google servers.

It does to check for internet access upon connecting to wifi.

https://github.com/copperhead/bugtracker/issues/194

svkkfnisgkcn3ta commented on WhatsApp backdoor allows snooping on encrypted messages   theguardian.com/technolog... · Posted by u/katpas
geocar · 9 years ago
I remember receiving the downvote brigade[1], when Moxie himself said that I should trust WhatsApp without having the source code and the ability to put it on my device.

We (even a "smart" community like HN) clearly do not have the ability to think critically about security, and even when our leaders are sincere -- and I really don't mean to suggest Moxie/Signal was complicit in this move -- we still rush to defend our champions so quickly that we don't even think about what's going on.

However, something really important is that this might be mere incompetence: Facebook might not have any mechanism for launching this attack, they just thought the notification message was annoying so they didn't display it. To that end we need to be vigilant about stupidity as well.

Where does it end? Will we actually stop being okay with buffer overflows and sloppy programming? Or are we going to continue trying to "be safer" and use "safe languages" and continue to try to solve the problem of too much code to read clearly with more code?

[1]: https://news.ycombinator.com/item?id=11669395

svkkfnisgkcn3ta · 9 years ago
I'd go further and say Moxie is complicit by way of negligence. It's unethical to assist in the implementation of your protocol when you can't guarantee its privacy protections will actually stand. Otherwise it's free PR for Facebook to tout "Snowden-approved crypto".

I have no doubt Moxie acted in good faith and wanted to expand encryption to a large number of users, but this is just another example of why proprietary software cannot be trusted.

Any and all proprietary implementations of the Signal protocol are now suspect. OWS should denounce these implementations at least as firmly as they do interoperable open source Signal client forks.

u/svkkfnisgkcn3ta

Karma: 14 · Cake day: January 13, 2017