
WhatsApp voice calls were used to inject spyware on phones - EwanToo
https://www.ft.com/content/4da1117e-756c-11e9-be7d-6d846537acab
======
galadran
Interesting!

Google's Project Zero team investigated WhatsApp's and Facetime's video
conferencing last year:

"Overall, WhatsApp signalling seemed like a promising attack surface, but we
did not find any vulnerabilities in it. There were two areas where we were
able to extend the attack surface beyond what is used in the basic call flow.
_First, it was possible to send signalling messages that should only be sent
after a call is answered before the call is answered, and they were processed
by the receiving device_. Second, it was possible for a peer to send
voip_options JSON to another device. WhatsApp could reduce the attack surface
of signalling by removing these capabilities."

"Using this setup, I was able to fuzz FaceTime calls and reproduce the
crashes. I reported three CVEs in FaceTime based on this work."

WhatsApp: [https://googleprojectzero.blogspot.com/2018/12/adventures-
in...](https://googleprojectzero.blogspot.com/2018/12/adventures-in-video-
conferencing-part-4.html)

Facetime: [https://googleprojectzero.blogspot.com/2018/12/adventures-
in...](https://googleprojectzero.blogspot.com/2018/12/adventures-in-video-
conferencing-part-2.html)

In both cases, the close source nature of the applications stymied their
efforts. Looks like NSO was willing to spend more time and resources!

~~~
pvg
_In both cases, the close source nature of the applications stymied their
efforts._

Why do you say that? In the WhatsApp case, they were able to repeatedly modify
the code and also yank it out and run it in their own controlled environment,
etc.

~~~
criley2
From my experience, working with real source from the repo with comments etc
is very different than working with reverse engineered binaries.

That's probably what they're referring to.

~~~
pvg
The post says "the close[d] source nature of the applications stymied their
efforts" not "finding security bugs is harder than not-finding security bugs".
I didn't read anything in the linked post that supports the former statement,
the latter one (or variants) seems obvious.

------
roywiggins
It's not just the NSO group. Hacking Team is not exactly shy about the
services they offer.

[https://en.wikipedia.org/wiki/Hacking_Team](https://en.wikipedia.org/wiki/Hacking_Team)

FinFisher:
[https://en.wikipedia.org/wiki/FinFisher](https://en.wikipedia.org/wiki/FinFisher)

MiniPanzer:
[https://en.wikipedia.org/wiki/MiniPanzer_and_MegaPanzer](https://en.wikipedia.org/wiki/MiniPanzer_and_MegaPanzer)

~~~
bjourne
Wow! I had no idea there was a whole industry selling spyware to
dictatorships. Surveillance equipment, yes, but not actual hacking tools.
Really sickening. Must be why governments in Europe are so afraid of Huawei
building 5G networks - they will only run Chinese spyware.

~~~
metildaa
Huawei's equipment will almost assuredly run anyone's spyware. Huawei uses a
medley of ancient, highly vulnerable OpenSSL libraries sprinkled through their
basestation code, and apparently they've forgone any kind of version control
to ensure an optimally confusing work environment for their development teams:
[https://hmgstrategy.com/resource-
center/articles/2019/04/04/...](https://hmgstrategy.com/resource-
center/articles/2019/04/04/uk-flunks-huawei)

Frankly, these products are likely unmaintainable long term without a total
refactoring of the codebase, nevermind the abject lack of security.

The trick with these vendors is the codebase will never see serious
improvement, as these basestations aren't going to be sold for the next
decade, so Huawei will do the bare minimum and shelve support in short order.

~~~
winter_blue
Huawei's software development practices seem quite horrifying. Critical
systems like these ideally would be written in specially-designed programming
languages that support mathematically proving correctness (Coq comes to mind).
There's probably still room in the programming language design field to create
new languages that are user-friendly but also integrate Coq-like systems plus
other verifiability and correctness techniques into the language itself.

~~~
Semaphor
If you find that horrifying, don't look at Cisco CVEs ;)

~~~
metildaa
Or Juniper's constant flow of new CVEs, they are a popular alternative to
Cisco that many ISPs use heavily :P

Network security is piss poor, most of these vendors add vulnerabilties atop
secure distros (OpenWRT, Debian, etc) and flog it as the best thing since
sliced bread.

------
neonate
[http://archive.is/kDz13](http://archive.is/kDz13)

~~~
kristofferR
1.1.1.1 mirror:
[https://archivecaslytosk.onion.pet/kDz13](https://archivecaslytosk.onion.pet/kDz13)

------
rhamzeh
Non-paywalled article on this: [https://9to5mac.com/2019/05/13/whatsapp-
vulnerability-israel...](https://9to5mac.com/2019/05/13/whatsapp-
vulnerability-israeli-spyware/)

~~~
mcintyre1994
Also BBC one:
[https://www.bbc.co.uk/news/technology-48262681](https://www.bbc.co.uk/news/technology-48262681)

------
thelittleone
I guess these types of vulnerabilities could be placed intentionally. It would
allow certain agencies to again access via "exploit" and all the while claim
they support user privacy. These companies are under pressure from governments
(like the recent Australian government law to requiring access to encrypted
messages). Seems like a decent solution for company and governments.

~~~
bouncycastle
It's not a decent solution, because it doesn't take much to find these
vulnerabilities, just a matter of time.

~~~
lixtra
But time is enough. New bugs can be introduced with the next update.

~~~
bouncycastle
The update can be analyzed to see what was changed, even if we only have the
binary executable. If we know that an app contains intentional bugs, just
looking at where the update made changes could eliminate a lot of looking &
find the bugs even faster! There are many automated tools that can do this
too, eg. Fuzzing. The updates can also hint us where the previous bug was and
what to look out for in the future.

So, nope. Introducing security bugs and backdoors just makes it insecure for
everyone.

~~~
iforgotpassword
Oh, so you are reverse engineering and thoroughly analyzing every WhatsApp
update? That's reassuring. Cause otherwise I'd have said nobody does this on a
regular basis which would mean it still is a viable method.

~~~
gdfasfklshg4
Their is an entire industry that either is already or definitely would be
doing this if there were deliberate bugs in Apps.

~~~
whenchamenia
There is, and there are.

------
ezequiel-garzon
It seems to me that if this is possible an OS software upgrade of some sort is
urgently required, in addition to possible updates of WhatsApp. How come there
isn’t coverage of this as Android and iOS vulnerabilities?

~~~
floatingatoll
Gaining control of WhatsApp gains access to any API accessible to WhatsApp.
Incompetent reporting may be at fault.

On Android, WhatsApp seeks a wide array of permission-controlled APIs. It does
so on iOS as well. Once granted, the app has access to any data available
through access-allowed APIs.

App code goes through an audit process to ensure that the app isn’t using
accessible APIs inappropriately, and doesn’t permit unapproved code execution.

This vulnerability allows an attacker to execute unapproved code in the
WhatsApp context. Any API that iOS or Android offer WhatsApp under normal
circumstances is now attacker-controlled.

The two questions unanswered by the press to date are simple. On iOS and on
Android, can the attacker’s code be terminated by force-quitting and
uninstalling WhatsApp?

Either the attack is persistent only because it sets up shop inside the app,
which may have OS-granted background and/or screen-off execution rights, and
thus can be terminated simply by quitting and removing the app — or, the
attack gains persistence beyond the confines of the app.

Media reports are unclear on this point. If the OS offers apps endpoints that
an app executing attacker-controlled code can use to infect the OS with
persistent attack code that executes outside the app’s boundaries and remains
after app uninstallation, then that’s absolutely a flaw in the design of the
OS. As you say, “Android and iOS vulnerabilities”.

Is this the case?

~~~
jmkni
Very interested to know what this means in practice, particularly for iOS.

AFAIK, there's no permissions which allow you to read SMS messages, take
screenshots (unless jailbroken), access photos in the background, access the
camera in the background etc etc

Does this just spy on the users Whatsapp activity, or spy on the user in a
broader way?

How could the API's whatsapp _does_ have access to be abused?

~~~
floatingatoll
> How could the APIs .. be abused?

The app is infected, calls a 0-day using an illegal parameter that’s normally
rejected by app store filters, and gains a permanent beachhead in your Android
system services list.

> access photos in the background

Unclear. Apps can show thumbnail galleries of your photos within their native
UI, so it may well be possible for them to continue directly to reading
photos.

> access the camera in the background

Unclear. Does FaceTime continue transmitting video when the phone screen is
turned off? Is it possible to capture stills or video when the screen is off
on a jailbroken phone?

> or spy on the user in a broader way

Android WhatsApp seeks permission to read your SMSes, so that would be almost
certainly correct as well there.

~~~
jmkni
Well I was thinking specifically about iOS :)

There's no possible way to read SMS messages programatically in iOS for
example, the closest you get is reading one time passwords sent, and you can
only do that when the user has the keyboard open when the SMS is received.

I know Android is slightly more lax in this (and some other) regards. I wonder
if Android whatsapp users targeted by this exploit have had more data exposed
than iOS users targeted by the same exploit?

~~~
floatingatoll
All WhatsApp iOS users have an unpredictable set of permissions granted,
whereas all WhatsApp Android users have all permissions granted.

If I were a nation state attacker, I would be thrilled to find that my target
was Android.

------
lol768
CVE-2019-3568 suggests this was a buffer overflow. I'd like to understand why
this was implemented in native code - Android seems to have an
`android.net.rtp` package?

Is this simply for performance, or to enable code-sharing across Android and
iOS? Is there anything about WhatsApp's use-case that would prevent an
implementation using managed code?

~~~
auiya
Also, what exploitation mitigations are broken on Android/iOS such that a
buffer overflow is reliably exploitable? Are their implementations of ASLR
useless? Is it trivially bypassed? Is mandatory code-signing not
enabled/enforced?

~~~
lol768
All very good questions, hopefully we can get some more information as time
progresses (maybe a PoC, or at least a technical write-up on the specifics)

------
stunt
I wonder! Should we call it a vulnerability or a leaked backdoor?

Besides, I think if it was from any other developer, probably it would be
removed from the AppStore and force delete from user devices.

------
bjourne
All my life I've thought spyware was developed primarily by evil Russian and
Chinese hackers. But apparently also by Israeli developers with _their
government 's blessing_ and open endorsement. That's some very shady stuff.

Before someone says something about government surveillance of fiber cables.
Yes, that is also bad, but exploiting vulnerabilities to install spyware on
peoples phones... It crosses yet another line that shouldn't ever be crossed.

~~~
xenospn
They managed to destroy Iranian nuclear centrifuges using a very sophisticated
attack. Read up on Stuxnet.

Also, as an Israeli, I can 100% confirm that Israelis have absolutely no
issues with crossing any kind of boundary. The fact that others think that
such a thing as "boundaries" exist only serves as an advantage.

~~~
olivermarks
Not clear whether you consider this a good thing or a disgrace?

~~~
golergka
As another israeli - certainly a good thing. For a nation in our position, in
a deeply hostile region, where a major military defeat is certain to be
genocide, doing everything possible for national defence is the only way
possible to survive. Stuxnet in particular is something that I'm extremely
proud of.

~~~
timobet
You say this as your country is invading and occupying land that doesn’t
belong to them and murdering innocents to drive them out. Yeah, nice way to be
proud.

~~~
FigmentEngine
very hard to think of any country that has NOT done this. History shows that
people and their countries do bad things.

~~~
simiones
True, but there is a difference between 'my ancestors have done this' and
'some of the taxes I'm paying are going into continuing the occupation; I've
voted for the people who are ordering the air strikes'. There's fewer
countries where that's true today.

------
billysielu
"update the app" is the sum of the advice?

how about telling us how to check if this exploit was used, how to remove the
spyware, etc?

~~~
scraegg
I'm not sure what can be done nowadays. In the past you would say, format
disks and go back to a backup before the threatening event happened. But
nowadays all our stuff is in the cloud and you can only go back to the state
from 10 minutes ago, and all our disks are flash drives that you can't fully
format as an end user. Maybe you can just accept that some virusses will
always be there and act accordingly.

~~~
Scoundreller
Some of us do snapshot backups.

Would be nice to have a tool that everyone on the planet could use to run
against those backups and find a common source of the infections, along with
an idea of when it was found in the wild.

------
aaomidi
How were they able to install spyware on iOS devices?

~~~
snowwrestler
Most likely by exploiting an iOS vulnerability . (Which might be unrelated to
the WhatsApp bug, other than using it as a vector.)

------
scraegg
What about Wechat? There are lots of seemingly pretty girls trying to voice or
video call these days. Either I'm suddenly rich in their eyes or there's
something fishy going on.

~~~
wil421
Name a chat app and I can provide a link or comment from someone saying the
same thing about pretty scam girls. Facebook, Whatspp, Gmail, Kik, Snapchat,
Instagram, and even BBSes, AOL, IRC etc...

~~~
scraegg
What I saw on FB is automatic replies from bots. What I know from Skype are
african boys who try to earn their next beer in an internet cafe by acting
they would be a girl. I can confirm it's all not that.

------
0898
Just to be clear – does this affect iPhone, or just Android?

~~~
keyme
Affects both

~~~
ak39
Thanks. Is there a way to detect the infection?

------
JacobHenner
Wonder if this affects Signal, too.

~~~
joecool1029
My gut tells me no. Signal switched over to using the Signal Protocol for call
signaling. It had used a few different signaling standards over the years
(when it used to be called Redphone).

However, it's impossible to really know for sure as the server component for
calls is a proprietary black box.

~~~
cottsak
Agreed. It seems more plausible that the "injected code" would be limited to
(1) the WhatsApp app, and (2) the infrastructure outside of the Signal
Protocol implementation. If true, this still poses a problem to comms/calls
secured end-to-end with the Signal Protocol impl - because once decrypted on
the client, the rest of the WhatsApp may be compromised and able to exfil
comms.

I will be surprised, if this vuln allows the attacker control outside of the
WhatsApp app sandbox to other parts of iOS.

(I will be less surprised if the above is possible in Android)

------
ccnafr
I like it how Facebook doesn't mention anything in the WhatsApp changelog
about this.

~~~
cricalix
Apple won't let you change a changelog after the binary is built and put on
the store. So if you want to get a fix out, but not alert people that you're
on to them, you have to put out a changelog that just says something like
"Bugfixes". Then you have to build another build and submit another changelog,
but Apple probably won't let you issue builds that are duplicates...

------
leoh
Spooky. I just travelled to Israel and this evening, at around 3 AM, iOS
notified me that WhatsApp had been accessing my location in the background,
which I had never seen before except when sharing my location with a friend.

------
EGreg
We need open source software to decentralize large companies’ closed server
farms and WhatsApp.

------
whycomb
Updated WhatsApp on my iphone just now. The version I got was 2.19.50.
According to the CVE it's still vulnerable. Unable to get 2.19.51 which is the
first fixed version. Is this just me? Or is everyone else updating to a still-
vulnerable version?

~~~
Tepix
Have you tried pulling down on the updates screen of the iOS app store? It
refreshes the list of apps to be updated.

~~~
Scoundreller
That did it. Thank you. And to think I _thought_ I installed all of my pending
updates yesterday.

------
ricg
Can the WhatsApp-injected spyware escape the iOS App Sandbox?

~~~
1f60c
I was wondering the same. I would hope no, but even so, WhatsApp has plenty of
permissions that make it a valuable target.

------
OrgNet
Yeah, don't install any Facebook app... use the web if you need to use their
service... same advice has always been true.

------
jonplackett
Isn’t this also a screw up by Apple?

Isn’t Sandboxing supposed to prevent this from getting any worse than hacking
the app itself?

~~~
floatingatoll
Isn’t every article about this saying it persists, without saying how or
whether it’s a sandbox escape? If it just spins up bad code in WhatsApp space,
that’s sufficient to spy on you.

~~~
jonplackett
I'm sure I saw one say it infected the OS. I would like to know some more
proper details too.

------
anonymousDan
Can anyone advise on minimum version numbers containing the patch (on IOS and
Android)?

~~~
floatingatoll
Listed here:
[https://www.facebook.com/security/advisories/cve-2019-3568](https://www.facebook.com/security/advisories/cve-2019-3568)

------
olivermarks
[https://www.zerohedge.com/news/2019-05-13/secretive-
israeli-...](https://www.zerohedge.com/news/2019-05-13/secretive-israeli-
company-uses-whatsapp-voice-calls-install-spyware-phones)

------
Yuval_Halevi
WhatsApp belongs to Facebook

Some of the largest data breaches in the last few years related to facebook

and yet

They continue do whatever they want

GDPR made no difference at all... Only hurt the small-medium business

FB, Google, Aamazon just keep doing whatever they want, protected by army of
lawyers

------
joshlk
The article is behind a paywall. Here is a BBC link:
[https://www.bbc.co.uk/news/technology-48262681](https://www.bbc.co.uk/news/technology-48262681)

------
TheSmoke
is this how saudi activists were tracked or uae tapped the phones of govt
officials from various countries?

------
dbrgn
Here's an article without paywall:
[https://www.bbc.com/news/technology-48262681](https://www.bbc.com/news/technology-48262681)

------
jpangs88
This was behind a paywall, here is a similar article:

[https://www.bbc.com/news/technology-48262681](https://www.bbc.com/news/technology-48262681)

------
dschuetz
Why is that even possible? It's horrifying that simple voice calls via an app
allow that kind of attack.

~~~
floatingatoll
Cellular broadband modems are running a tiny OS that can be hacked by sending
SMS messages with a carefully crafted NUL byte. Battlestar Galactica’s “no
networking, no wireless” computer restriction exists for a very good reason.

------
GMLOOKO
A

------
SeriousM
Paywall, really?

------
accountwhatever
Why was the word "Israeli" removed from the title?

~~~
dang
I took it out because the thread was veering into generic flamewar about
Israel. Actually we often remove country names from titles because they
trigger people into making more nationalistic comments, which are equal parts
indignant and boring.

~~~
anonymousDan
That's a bit of a pathetic policy if you ask me. In my opinion a country who
permits this type of behaviour shouldn't be shielded from the ensuing negative
press. If anything it might encourage otherwise unaware citizens to put
pressure on the government to do something about it.

~~~
dang
I hear you. I agree with your second sentence. But I'm trying to protect HN,
not Israel or anyone else. This place is fragile, and when people bring the
fires of the world here, it can only take so much.

I wouldn't call that kind of title edit (taking out a country name) a policy.
We have an ad hoc bag of tricks and sometimes we use one and sometimes
another, depending on what feels needed. Do I know how unsatisfying that
sounds? You bet. Do I get how it opens us to accusations of bias? I do, better
than anyone else does. But the threads are too complicated to be managed with
precise formalizations.

~~~
anonymousDan
Ack. I can see it's a tricky balance to maintain.

------
forgotmypw3
WhatsApp voice calls used to inject Israeli spyware on phones

Messaging app discovers vulnerability that has been open for weeks

NSO's Pegasus software can allegedly penetrate any iPhone via one simple
missed call on WhatsApp

Mehul Srivastava in Tel Aviv MAY 13, 2019 Print this page

A vulnerability in the messaging app WhatsApp has allowed attackersto inject
commercial Israeli spyware on to phones, the company and a spyware technology
dealer said.

WhatsApp, which is used by 1.5bn people worldwide, discovered in early May
that attackers were able to install surveillance software on to both iPhones
and Android phones by ringing up targets using the app’s phone call function.

The malicious code, developed by the secretive Israeli company NSO Group,
could be transmitted even if users did not answer their phones, and the calls
often disappeared from call logs, said the spyware dealer, who was recently
briefed on the WhatsApp hack.

WhatsApp is too early into its own investigations of the vulnerability to
estimate how many phones were targeted using this method, a person familiar
with the issue said.

As late as Sunday, as WhatsApp engineers raced to close the loophole, a UK-
based human rights lawyer’s phone was targeted using the same method.

Researchers at the University of Toronto’s Citizen Lab said they believed that
the spyware attack on Sunday was linked to technology developed by NSO, which
was recently valued at $1bn in a leveraged buyout that involved the UK private
equity fund Novalpina Capital.

NSO’s flagship product is Pegasus, a program that can turn on a phone’s
microphone and camera, trawl through emails and messages and collect location
data.

NSO advertises its products to Middle Eastern and Western intelligence
agencies, and says Pegasus is intended for governments to fight terrorism and
crime.

In the past, human rights campaigners in the Middle East have received text
messages over WhatsApp that contained links that would download Pegasus to
their phones.

WhatsApp said that teams of engineers had worked around the clock in San
Francisco and London to close the vulnerability. It began rolling out a fix to
its servers on Friday last week, WhatsApp said, and issued a patch for
customers on Monday. The US Department of Justice has also begun looking into
the situation.

“This attack has all the hallmarks of a private company known to work with
governments to deliver spyware that reportedly takes over the functions of
mobile phone operating systems,” the company said. “We have briefed a number
of human rights organisations to share the information we can, and to work
with them to notify civil society.”

NSO said it had carefully vetted customers and investigated any abuse. Asked
about the WhatsApp attacks, NSO said it was investigating the issue.

“Under no circumstances would NSO be involved in the operating or identifying
of targets of its technology, which is solely operated by intelligence and law
enforcement agencies,” the company said. “NSO would not, or could not, use its
technology in its own right to target any person or organisation, including
this individual [the UK lawyer].”

NSO declined to comment on whether it had hacked WhatsApp’s messaging service,
and marketed the technology to clients, or on the US DoJ inquiry.

The UK lawyer, who declined to be identified, has helped a group of Mexican
journalists and government critics and a Saudi dissident living in Canada, sue
NSO in Israel, alleging that the company shares liability for any abuse of its
software by clients.

John Scott-Railton, a seniorresearcher at the University of Toronto’s Citizen
lab, said the attack had failed.

“We had a strong suspicion that the person’s phone was being targeted, so we
observed the suspected attack, and confirmed that it did not result in
infection,” said Mr Scott-Railton. “We believe that the measures that WhatsApp
put in place in the last several days prevented the attacks from being
successful.”

Other lawyers working on the cases have been approached by people pretending
to be potential clients or donors, who then try and obtain information about
the ongoing lawsuits, the Associated Press reported in February.

“It's upsetting but not surprising that my team has been targeted with the
very technology that we are raising concerns about in our lawsuits,” said Alaa
Mahajne, a Jerusalem-based lawyer who is handling lawsuits from the Mexican
and Saudi citizens. “This desperate reaction to hamper our work and silence
us, itself shows how urgent the lawsuits are, as we can see that the abuses
are continuing.”

On Tuesday, NSO will also face a legal challenge to its ability to export its
software, which is regulated by the Israeli ministry of defence.

Amnesty International, which identified an attempt to hack into the phone of
one its researchers, is backing a group of Israeli citizens and civil rights
group in a filing in Tel Aviv asking the ministry of defence to cancel NSO’s
export licence.

“NSO Group sells its products to governments who are known for outrageous
human rights abuses, giving them the tools to track activists and critics. The
attack on Amnesty International was the final straw,” said Danna Ingleton,
deputy director of Amnesty Tech.

“The Israeli ministry of defence has ignored mounting evidence linking NSO
Group to attacks on human rights defenders. As long as products like Pegasus
are marketed without proper control and oversight, the rights and safety of
Amnesty International’s staff and that of other activists, journalists and
dissidents around the world is at risk.”

Copyright The Financial Times Limited 2019. All rights reserved.

~~~
byron_wan
Is this the full FT article?

~~~
tekknolagi
Looks like it, from the archive.is link above.

------
redskull
FT.com worst site in the world.. I thought you can't link things that require
a subscription to read?

~~~
dave7
For these, there is a link below the headline titled "web" \- click this, it
opens in a search that when clicked through allows reading.

~~~
rawrmaan
Wow, TIL. Thanks!

------
kurthr
The title has been modified.

WhatsApp voice calls used to inject Israeli spyware on phones

~~~
dang
Sure, we take out the baity parts of titles because they produce lousier
discussion. This is standard HN moderation:
[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html).
See
[https://news.ycombinator.com/item?id=19906729](https://news.ycombinator.com/item?id=19906729)
for more explanation.

~~~
bjourne
Cursory Google searches seem to indicate that the same policy isn't applied
for Chinese or Russian cyber threats. You also didn't remove the country name
in other recent news, despite the production of even lousier discussion:
[https://news.ycombinator.com/item?id=19638357](https://news.ycombinator.com/item?id=19638357)
[https://news.ycombinator.com/item?id=19634570](https://news.ycombinator.com/item?id=19634570)
The moderation is inconsistent.

~~~
dang
I'm not claiming consistency. For one thing, we don't come close to seeing
everything that gets posted here. If you see a particularly bad post get away
without moderation, the likeliest explanation is that we didn't see it. We
can't be consistent about what we don't see.

There are a ton of other considerations, though, and it gets complicated
quickly. I'm always happy to discuss specific cases, but general arguments are
another matter. Sometimes it feels like people want us to make general
arguments so they can find exceptions and then say things like "aha" and "your
obvious bias" and "figures". But we don't have general policies about such
complicated things. We have basic principles and that's it:
[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html).

If you don't think we've been trying to reduce nationalistic flamewar about
China and Russia, you could try looking at HN threads on those topics. I don't
know anything I've been working at harder lately. On the other hand, there's
100x more of those, especially on China, so cf. the first paragraph above.

[https://hn.algolia.com/?query=by:dang%20nationalistic&sort=b...](https://hn.algolia.com/?query=by:dang%20nationalistic&sort=byDate&dateRange=all&type=comment&storyText=false&prefix=false&page=0)

~~~
bjourne
> I'm always happy to discuss specific cases

If so, then maybe you can explain why you didn't change "Israel’s Beresheet
Spacecraft Moon Landing Attempt Appears to End in Crash" and "A private
spacecraft from Israel will attempt a moon landing Thursday" to "Private
Spacecraft Moon Landing Attempt Appears to End in Crash" and "A private
spacecraft will attempt a moon landing Thursday" respectively?

I think your attempt at reducing nationalistic flame wars is very misguided,
because I want to read what people think. If HN readers want to flame each
other then I would like to have the chance to read the flames even if I'd
likely scroll past them. But if you are going to do it, at least be
consistent.

~~~
dang
In one case I didn't see the article and in the other it didn't cross my mind.
But also, that topic isn't so highly charged, and I didn't see nationalistic
flamewar getting in there.

You're asking for a level of consistency in moderation that we can't deliver.
I'd have to hold 100x more information in my head to come up with a consistent
set of principles that would cover everything we do. Such a set would be
inordinately complicated and impossible to explain or defend, so what would be
the point.

> I want to read what people think.

Me too. But you can't read everything people think, because comments influence
what gets posted in response. If a discussion becomes a flamewar, you're going
to get the angry thoughts of the flamers, but lose the thoughts of those the
flames drive away. It's a tradeoff—we can't have both. On HN the non-flamey,
thoughtful comments take precedence, because that's the only way to optimize
for HN remaining interesting. This is one area where I think we really are
consistent, or at least I hope we are.

Look at it this way: each post changes the kind of site HN is. The container
isn't static—it's altered by what people add to it. Our goal is optimize that
container for curiosity. This is a global optimization problem, so it's
important not to get distracted by local optima. Our experience with things
like nationalistic flames is that while such comments are sometimes
interesting (and certainly the topics are of great world significance), the
_type_ of discussion they lead to is reliably worse. What we do is:
extrapolate the vector of a given comment and ask what its shaping influence
is on the site as a whole. Is it to make HN more, or less, interesting? Where
more, we either do nothing or steer towards; where less, we steer away. In the
case of flamewars, steering away means doing things to prevent the flames from
spreading. There are various tools for that—digging trenches, pouring water,
etc. Picking which to use where is more of an art and I wouldn't say we're
particularly consistent on that level. But the fundamental principle is very
consistent—there's only one, and it motivates literally everything we do here.

~~~
bjourne
> In one case I didn't see the article and in the other it didn't cross my
> mind. But also, that topic isn't so highly charged, and I didn't see
> nationalistic flamewar getting in there.

They are right there, in light-gray color at the bottom of the respective
articles. Now that you have been made aware for the problem, will you change
those articles' titles? I don't understand how you can claim one title is
"baitsy" while the other to examples are not.

------
sb057
This is the same country that has a secret nuclear stockpile (developed in
partnership with Apartheid South Africa) with plans to use the threat of
bombing their European "allies" as blackmail.

[https://en.wikipedia.org/wiki/Samson_Option](https://en.wikipedia.org/wiki/Samson_Option)

~~~
coreman
The "Samson Option" is a conspiracy theory that if Israel is ever at the brink
of destruction it will nuke Europe and America. It is a conspiracy theory
based on the ramblings of one Israeli historian and one American author.

Israel has nuclear weapons and its MAD policies are probably the same as other
nuclear powers.

It's funny because Putin has actually said that Russia will end up destroying
the entire world in retaliation if Russia is ever attacked with nuclear
weapons. But for some reason you don't see this quote get the same attention
as the "Samson Option".

 _‘Why would we want a world without Russia? '_

 _Days later, he reiterated his stance, implying that nuclear war — a
“disaster for the entire world” — would be a response to a major attack
against Russia: “as a citizen of Russia and the head of the Russian state, I
must ask myself: ‘Why would we want a world without Russia? '”_

 _‘Why would we want a world without Russia? '_

[https://www.japantimes.co.jp/opinion/2019/01/27/commentary/w...](https://www.japantimes.co.jp/opinion/2019/01/27/commentary/world-
commentary/putin-and-the-apocalypse/)

~~~
lostlogin
> Israel has nuclear weapons and its MAD policies are probably the same as
> other nuclear powers.

But with a much more controversial relationship with it neighbours, who’s land
it illegally occupies and state policies that are compared to apartheid
policies.

~~~
lostmsu
Much more controversial, than Russian? At least those poor folks in Palestine
have an incompatible religion, which I could not say about Ukraine.

~~~
lostlogin
There are also other examples like China and the Uyghurs. Perhaps “much more
controversial” is going to far, as there is a lot of shitty behaviour.

------
WC3w6pXxgGd
And nobody was surprised.

------
vardump
My desktop WhatsApp on macOS is crashing pretty regularly, once every few
days. Really makes me wonder if I'm being targeted using similar exploits.

~~~
kuroguro
It's probably the link preview preload. It can't handle certain sites and
crashes almost instantly when trying to send a link.

------
a-dub
Maybe that would explain the mysterious WhatsApp voice call I received about a
week ago in the middle of the night from an unknown number? It's still in the
history so maybe that means it didn't work?

~~~
MagicPropmaker
Are you involved with anything that would make you think you'd be worth
someone's time and money to be spying on? Most likely it was a wrong number.

------
kmarc
I am not an expert on RCEs whatsoever but my limited knowledge / gut feeling
tells me that one works by after a buffer overflow flipping some bits and

* invoking syscalls

* using (known) kernel vulnerabilities

* libc bugs

* exploiting buggy posix abstraction, etc.

However, here all platforms seem to be exploited, regardless kernels
(darwin/linux/windows), process models, libc implementations etc.

I cannot unthink that this was simply doable because WhatsApp had already have
code paths to place and run tasks/processes and this exploit works on this,
higher level.

