
Financial Times journo's private messages quoted to her at China visa renewal - robtaylor
https://twitter.com/YuanfenYang/status/962002259407089664
======
KaiserPro
Ex FT here.

The FT uses a modern(ish) communication stack. Gapps and slack throughout. So
if this is a work feed, then that raises interesting issues. However I suspect
this is based on her private devices.

For certain journalists there is a "secure room" (well, it's not a room yet, that
comes later) with isolated throwaway hardware for viewing potentially
interesting files. But I don't think she's part of that team.

~~~
keithalewis
Ex FT for not spellchecking what they paid you to write?

~~~
KaiserPro
Your kind words of encouragement are most appreciated

I'm not a journo. More importantly the browser I was using didn't have a
working spell check. This all compounds the obvious, which is; I can't spell
for shit, and my proof reading is also notably weak.

------
ohazi
"private" or encrypted? It sounds like she was using WeChat, which... I don't
think anyone ever had any delusions that this was truly private.

~~~
z2600
I think most people who are not in this group would expect it to be private.
My snail mail isn't encrypted, but I have an expectation that it is private.

~~~
craftyguy
> but I have an expectation that it is private

Regardless of what your expectations are, it's not private. Just because you
expect something to be private does not mean that it actually is.

~~~
ComputerGuru
Yes it is. USPS first class (i.e. regular, not bulk) mail IS absolutely private
and may not be opened by authorities without a warrant (and tampering with
them by non-authorities is a federal crime).

What security agencies have done is scan and collect all envelope info
(metadata) which was ruled to be not private (makes sense) but with powerful
enough cameras, lights, and enhancement software that most letters sent in
standard envelopes can leak their contents.

~~~
tehlike
And exploiting security bugs is not unlawful? This is a security bug in the
transport mechanism of data.

~~~
ComputerGuru
> And exploiting security bugs is not unlawful?

Not when you have all of congress (minus a very select very few) wagging their
tails and eager to please you it's not.

------
infinity0
Next up, in-your-face "fuck-you-yes-I'm-doing-it" active MITM attacks breaking
through "secure" messaging systems like Signal and ZRTP, that perform
next-to-no key validation ("your partner probably reinstalled") or with very low
entropy validation material (SAS).

Fix the key persistence problem on mobile, stop encouraging people to
reinstall new keys every 2 weeks.

------
PeterisP
It doesn't necessarily imply surveillance or a flaw in the message channel - a
plausible (and IMHO more likely) scenario is that they simply have seen the
messages for one of the recipients.

It takes two to keep a conversation secret, and if one of them is unable to do
so (e.g. has their papers and devices seized/searched), then no channel can be
secure. OTR algorithms won't help you if one endpoint is compromised and its
message history revealed, so switching to another app will help for some
threats but not this (quite common) one.

~~~
kuschku
Actually, the point of OTR is that they would, as they provide plausible
deniability.

~~~
PeterisP
Plausible deniability is kind of bullshit in this and similar cases - sure,
one can't _prove_ that the message was from her, there are all kinds of
possibilities, but the authorities can reasonably assume (especially combined
with interrogation results and possible other circumstantial evidence) who
the likely sender was, and that's completely sufficient for them; they don't
need to prove anything. Just as in this article - no proof is provided (nor
will ever be), and a reasonable assumption alone is enough to reject or evict
a foreigner or detain and punish a local.

I.e. plausible denial is essentially based on the hope that the opponent will
follow some high standard about what constitutes evidence/proof and what is
the level of plausibility. In a good legal/political environment you don't
really need plausible deniability that much, and in a bad legal/political
environment plausible deniability won't save you from harm; your plausible
denials can simply be ignored.

E.g. in the Signal standard "plausible denial" means that the message _might_
have been spoofed by your recipient as it involves a shared secret that's not
solely available to you - but it's not particularly likely (without extra
evidence, motivation, etc) and not really that plausible. A good lawyer in the USA
might succeed using it as an argument to prevent a conviction, but any
totalitarian regime will simply disbelieve it and declare it not sufficiently
plausible; they are not really looking for solid proof of wrongdoing, hints of
wrongdoing are good enough.
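The shared-secret property PeterisP describes, shown as an added Python example that is not from the thread or from Signal's code: a message authenticated with a key both parties hold verifies identically whichever side produced it, so the recipient could have forged it (cryptographic deniability), while an outsider without the key cannot. The key derivation and messages are constructed stand-ins, not any real protocol's.

```python
import hashlib
import hmac


def derive_session_mac_key(shared_secret: bytes) -> bytes:
    """Both ends derive the same MAC key from the agreed secret.
    Assumption: a simplified KDF standing in for a messenger's key agreement."""
    return hashlib.sha256(b"mac-key|" + shared_secret).digest()


def authenticate(mac_key: bytes, message: bytes) -> bytes:
    """Tag a message with HMAC-SHA256 under the shared key."""
    return hmac.new(mac_key, message, hashlib.sha256).digest()


def verify(mac_key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time check that the tag matches the message under this key."""
    return hmac.compare_digest(authenticate(mac_key, message), tag)


def deniability_demo(shared_secret: bytes) -> dict:
    """Alice sends a message; Bob verifies it, then produces a tag for text
    Alice never wrote. Both tags verify, so a valid tag cannot show a third
    party which of the two key holders authored the message."""
    alice_key = derive_session_mac_key(shared_secret)
    bob_key = derive_session_mac_key(shared_secret)  # identical on both ends
    real_msg = b"constructed sample: meeting moved to 3pm"
    real_tag = authenticate(alice_key, real_msg)

    # Bob (or whoever holds Bob's seized device and its keys) forges a message.
    forged_msg = b"constructed sample: text Alice never sent"
    forged_tag = authenticate(bob_key, forged_msg)

    # Someone without the shared secret cannot produce a verifying tag.
    outsider_tag = authenticate(derive_session_mac_key(b"wrong guess"), real_msg)

    return {
        "real_verifies": verify(bob_key, real_msg, real_tag),
        "forged_verifies": verify(alice_key, forged_msg, forged_tag),
        # The tag depends only on (key, message): either side yields the same bytes.
        "same_tag_from_either_side": authenticate(alice_key, real_msg)
        == authenticate(bob_key, real_msg),
        "outsider_can_forge": verify(alice_key, real_msg, outsider_tag),
    }
```

The last result is what makes the defence weak in practice: the forgery is only plausible if the recipient's key was actually available to whoever is accused of forging, which an investigator holding one endpoint already knows.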

------
solaarphunk
It's WeChat. Did she really feel like she had a guarantee of anonymity using a
Chinese messaging app? That seems seriously naïve.

~~~
ShabbosGoy
At this point, what messaging app is truly OTR? Signal doesn’t allow third
parties to build the source, Telegram is compromised for sure, same with
WhatsApp.

~~~
mastax
> Signal doesn’t allow third parties to build the source

No. Signal is GPLv3.

They don't allow third parties to distribute modified binaries that connect to
their servers. You can argue if that is a good idea, but don't misrepresent
the situation.

~~~
exikyut
That's... that's _really_ weird. I definitely argue that it's not a good idea,
and I'd also argue it puts quite a few nails in the coffin in terms of my
trusting it as a good protocol.

Maybe this is an unpopular opinion, but IMO the fact that Facebook "trust" it
means that I have a lot of reserve about using it myself.

~~~
viraptor
It's not that weird from their point of view. "I was using Signal, but my
messages were intercepted anyway" - "But were you using original Signal, or a
third-party build with ads and malware?"

(if that's the rule anyway - I couldn't find confirmation for that)

~~~
StudentStuff
Additionally, you end up with crap like Noise (a Signal fork that uses the
main servers) where features inconsistently work or are available and the devs
of Noise don't actually pull down new code very often, resulting in a two
tiered network that has many unreliably working features.

Hence why Moxie doesn't think federation is practical with an evolving
communications protocol.

~~~
exikyut
Good point. This is really hard :/

------
btilly
While we are on apps that are supposed to be private, does
[https://signal.org/](https://signal.org/) work as well as it claims?

~~~
Canada
Yes, it does. It's the best option currently available.

~~~
flother
But no software can help you with the age-old problem of human error (aka
PEBCAK):

[https://www.theguardian.com/world/2018/jan/31/this-is-over-puigdemonts-catalan-independence-doubts-caught-on-camera](https://www.theguardian.com/world/2018/jan/31/this-is-over-puigdemonts-catalan-independence-doubts-caught-on-camera)

------
exikyut
Archive of thread: [http://archive.is/QfwWC](http://archive.is/QfwWC)

------
mring33621
NOT PRIVATE

~~~
robtaylor
term used from tweet

"....he saw that by surveilling my private messages and not on my public
feed...."

~~~
cryptonector
Grandparent was clearly making a statement about WeChat private messages not
being private. That's how I took it anyways.

------
S_A_P
I no longer have twitter, but isn't it called DM/Direct message and not private
message? I don't condone the spying, but I don't think I would ever pretend to
think that my twitter activity is "private".

------
staunch
She says "fuck tencent" but she's dealing with a totalitarian government that
restricts fundamental human rights like privacy, speech, movement, and even
procreation!

The question to ask is: why are you as a foreign-based journalist working
with/for the Communist Party of China in the first place? Why are they
cooperating with you at all?

~~~
newfoundglory
What do you think journalists should do, not try and report on China?

~~~
staunch
1. Stop using a service known to be controlled by the Chinese government for
journalistic endeavors.

2. Ensure your journalism is helping to improve the world and not enabling
oppression.

------
adamsvystun
How do we know what she says is true?

I mean, I think it's true, solely based on the things I know about China's
surveillance... But it does not mean we should just take this tweet as a
fact...

~~~
mfringel
How do we know what she says is false?

How do we know that she is a person?

How do we know that China is a country?

How do we know what a tweet is?

You're right. There are many assumptions we can make here. Can you say why you
chose that particular point of abstraction?

