
How to Tell Us a Secret - wglb
https://www.nytimes.com/2018/09/19/reader-center/confidential-tip-line.html
======
myth_buster

      WhatsApp, with more than 1.2 billion active users, is one of the easiest ways to send secure information.
      “With WhatsApp, it’s as simple as sending a text message — but it’s encrypted,” Mr. Dance explained.
    

I'm not a security expert but I think this is not exactly the best practice.
This may have been true pre-fb acquisition but there have been changes to how
WhatsApp behaves, especially server side storage.

Also the departure of WhatsApp founders under uncertain terms doesn't give me
much confidence with usage of that app for clandestine operations.

Perhaps folks here who are well versed with the state of the app can chime in.

~~~
CiPHPerCoder
> This may have been true pre-fb acquisition but there have been changes to how
> WhatsApp behaves, especially server side storage.

WhatsApp messages are encrypted end-to-end between each person using it. The
whole point of end-to-end encryption is _not having to trust the server-side
storage_.

Furthermore, WhatsApp uses the Signal Protocol-- the state-of-the-art for
secure messaging protocols.

The worst that WhatsApp can see is "who's talking to who?"

Finally, the adoption of the Signal Protocol in WhatsApp came long after the
Facebook acquisition.

So, no. It wasn't better off pre-fb.

~~~
nostoc
> who's talking to who?

That can be a problem when you're a whistleblower contacting a journalist.

~~~
CiPHPerCoder
Sure, that can be _a_ problem. However, it's completely irrelevant to the
problem of server-side storage, as the comment I replied to was citing.

(Server-side storage is a non-issue, due to the encryption protocols in use.
It doesn't matter if you distrust Facebook, they aren't going to be able to
read your messages. End of.)

~~~
reitanqild
I avoid WhatsApp but this is correct AFAIK (given that they don't push a
malicious client at some point.)

The main problems with WhatsApp are as I can see:

- they scoop up metadata

- they upload the data more or less plaintext to Google for backup. (I
personally dislike but trust Google but not everyone trusts them.)

- they paid way too much for it to not try to monetize it in all kinds of
crazy ways

~~~
TheSpiceIsLife
> given that they don't push a malicious client at some point

How do we know this hasn't happened already?

How do we know it won't happen tomorrow?

~~~
Operyl
Because there are a number of people constantly reverse engineering these
clients to be sure that it doesn’t.

~~~
shshhdhs
This doesn’t really help as much as you seem to hope for. As a counterpoint, I
would like to introduce you to the Underhanded competitions:

[http://www.underhanded-c.org](http://www.underhanded-c.org)

[https://underhandedcrypto.com](https://underhandedcrypto.com)

------
newscracker
They should also add a strong recommendation that WhatsApp and Signal are
better used from a burner phone and a disposable phone number. With phone
(directory) aggregation platforms like Truecaller that collect many people’s
names and numbers and also provide free lookups, certain people who want or
need a higher degree of anonymity would end up being inadvertently exposed to
the people at NYT.

------
plgonzalezrx8
Does anyone else think that anonymous tips can sometimes be a two-edged blade
if claims are not properly backed up with facts? Sometimes we see a lot of
news articles and news regarding X, Y, Z topic from anonymous sources, being
passed as legit news and reliable, but when you examine the news in more
detail, nothing that backs up such claims can be found. How can this be
addressed in a way that doesn't expose those who provide the information, but
at the same time, it ensures honest, and factual information is being
published?

~~~
jlmorton
> Sometimes we see a lot of news articles and news regarding X, Y, Z topic
> from anonymous sources, being passed as legit news and reliable, but when
> you examine the news in more detail, nothing that backs up such claims can
> be found.

Your implication is that because a story contains no named sources, the
information is not legitimate, or not reliable. I would submit to you that
this is exceedingly rare at a reputable newspaper like the New York Times, and
although all newspapers are sometimes misled by their sources, or otherwise
get things wrong, when this happens at a paper like the Times, it is
universally followed by a correction.

In other words, the Times is not going to print a story based on anonymous
submissions without any further vetting, or investigation. They're going to
seek independent corroboration, they're going to involve other experts, and
they're going to ask questions of the principals.

~~~
rock_hard
I have not found this to be true.

There are tons of NYT articles that are factually wrong and have never been
updated.

~~~
jumelles
That's an extraordinary claim to make without any evidence. The entire
business model of a newspaper is that they report facts.

~~~
PurpleBoxDragon
Their business model is that they sell papers (or access to a website, or get
ad views).

They can do this by reporting facts, but generally it is easier to do this by
reporting stuff people want to read, which includes facts and non-facts and
things that may or may not be factual. This also generally involves summaries
which aren't factually true as they drop relevant details, but which are close
enough that people tend to tolerate them (see any reporting on a scientific
paper ever).

Also, "an anonymous source said X" could be factual, but the implication is
that X has some level of truth when the only known fact is that in reference
to that X was said by an anonymous source.

------
qubax
A newspaper that quashed the Weinstein story 13 years ago wants us to tell it
secrets?

[https://www.thewrap.com/media-enablers-harvey-weinstein-new-...](https://www.thewrap.com/media-enablers-harvey-weinstein-new-york-times/)

The NYTimes should be the last company anyone should be telling secrets to. We
have social media. People should post it anonymously to social media rather
than to an establishment organization like the NYTimes.

Hell, post it on HN. I trust HN and the mods here more than I trust the editors
at the NYTimes.

~~~
EduardoBautista
Seeing how "fake news" spread through social media, I have the complete
opposite belief as you.

~~~
qubax
Sure, social media isn't perfect. But lots of real news spread through social
media too. Real news like the Weinstein story that the nytimes squashed.
That's the difference between social media and the nytimes. You can't silence
truth on social media. You could spread lies, but you can't silence truth.
Whereas news companies can silence truth and spread lies.

Also, news companies aren't immune to "fake news". The news industry have
spread their fair share of "fake news". And their fake news causes wars and
the suffering of millions of innocent people.

If you really cared about fake news, then you should be more worried about the
news companies than social media. It's odd you are not. But I guess you trust
a couple of highly biased editors tied to the establishment more than an open
platform like HN. I frankly trust HN far more than the nytimes. HN isn't
perfect, but you are far more likely to get the truth here than in the
nytimes. Certainly the mods here do a better job of keeping things even-keeled
and less biased.

~~~
boomboomsubban
> You can't silence truth on social media. You could spread lies, but you can't
> silence truth. Whereas news companies can silence truth and spread lies.

News outlets never had the ability to silence truth, just limit how easily it
could spread. You could still self publish your truth or tell everyone you
know, the same thing social media allows.

> If you really cared about fake news, then you should be more worried about
> the news companies than social media. It's odd you are not

Media companies are perfectly capable of using social media to spread their
propaganda. It's likely easier, as it allows them to craft separate versions
that appeal to different people.

------
anonu
Everyone believing WhatsApp is "secure" is one of the greatest shams of this
modern internet era. There's absolutely no way to verify this claim...

------
known
[https://vim.cx](https://vim.cx) is better

------
secfirstmd
For sources and journalists looking for more advice on how to manage both
digital and physical security on the go, we built an open source app with
simple lessons on it. Big update and iOS on the way.

[https://secfirst.org/umbrella/](https://secfirst.org/umbrella/)

------
urda

        grep "gpg" - no results
        grep "pgp" - no results
    

What in the what. Oh come on, how can you go through all this effort writing
how to share secrets with them, and there's zero mention of an actual public key?

~~~
sbradford26
All of the more detailed information is on a tips page that they link to.

[https://www.nytimes.com/tips](https://www.nytimes.com/tips)

~~~
urda
That's good to see they have it then! Shame they don't call it out on the
actual article page.

To the user downvoting me: yeah sorry the original comment still stands and is
100% accurate. If you have something meaningful to add to the conversation
actually add it.

~~~
aidenn0
They mention it indirectly on the article page, as they do mention encrypted
e-mail, and on their tips page, PGP is the only method suggested for encrypted
e-mail.

