Hacker News new | past | comments | ask | show | jobs | submit login
NSO hacked WhatsApp to spy on top government officials at U.S. allies (reuters.com)
686 points by lladnar 19 days ago | hide | past | web | favorite | 300 comments



The article doesn't really say what hackers had access to, but it sounds like they had full control over their phones. There is a lot bigger story here and I'd love to read a post-mortem in a few months.

Also, WhatsApp is such an obvious target for a state actor. I saw several articles of the last year that mentioned Jared Kushner using Whatsapp so I assume a lot of government folks use it for off the books "encrypted" communication.


A buddy of mine is Special Forces (U.S.). He said JSOC recently banned use of WhatsApp and encouraged everyone to switch to the open-source Signal (another encrypted messaging app). Allegedly WhatsApp uses Signal's encryption (OpenWhisper) but I stopped trusting it the second Facebook bought them out.


> Allegedly WhatsApp uses Signal's encryption (OpenWhisper

About the partnership: https://signal.org/blog/whatsapp-complete/

But of course, in this case the issue seems to be either compromise of the device(s) via zero days, whatsapp usage simply being the target matrix - and/or a leveraging a zero day in whatsapp for full device compromise.

It's unlikely signal would be immune - they didn't Crack the encryption, they cracked the app/os.

In olden times the vector might have been a font, or a gif.

The only advantage signal has is a conservative interface and small userbase. I'm not sure if they do some kind of hard-line whitelisting of attachments though - if you can pack an exploit as a file, I'm pretty sure you could send it via signal.


> The only advantage signal has is a conservative interface and small userbase.

Signal is open source, WhatsApp is not. So how did you determine Signal has only one advantage over WhatsApp, without access to the WhatsApp source code?


Advantage in terms of security vulnerabilities - evidence seems to indicate that having the source code available isn't a big factor in reducing zero days. In addition, signal isn't any more protected against a rooted device.

Nothing seems to indicate a back door here.


If one assumes that WhatsApp are implementing the protocol as well as signal are (which I do), then I think there are three questions in deciding what is more secure:

1. Do you trust Facebook (or open whisper systems) with your metadata/expect them to delete it?

2. How likely are there to be bugs (in the app, not in the protocol itself) which lead to exploits. On the one hand WhatsApp probably have more people working on the app and likely more security people too. On the other hand they may be pushed to add more features and having lots of code churn may introduce security holes.

3. How much work will be put into exploiting each app. On the one hand more people use WhatsApp but on the other, I guess security conscious people may be more likely to use signal.

A known exploit to WhatsApp happened due to 2 with a bug in how audio calls were initiated. I don’t really have a good guess as to how the apps compare on points 2 and 3 but I guess WhatsApp loses on 1. A more practical point is that it’s likely easier to convince someone to use WhatsApp than signal, especially for group chat.


WhatsApp will rekey and send old messages without notifying the user. This means MITM is possible and not always detectable. This is their intended design (but you can change the preference so that you at least get notified when it happens).

(Widely reported, see Guardian article)


That guardian article was pretty bad. It scared a lot of people from WhatsApp (which is still in general mode secure than most options) to text messaging by claiming that this was somehow some huge security flaw.

From WhatsApp’s point of view this was a reasonable ux trade off. It is a major pain point of signal when it does this (particularly in group chats where it is more likely to happen).

But I agree that from a strict security focused point of view this is a disadvantage to WhatsApp.


Sorry, but his is a major security flaw. WhatApp, their mothership Facebook, or any party who can coerce them into doing so (e.g. the US government), can use this to rekey targets with their own keys, virtually undetectable by most regular users, thereby completely MITMing the message exchanges.

Even moxie, who created this stuff, more or less admitted this[0], by saying the rekeying notification is the only defense, but that one is off by default in whatapp last I checked (which moxie confirmed[1]), which makes whatapp insecure by default at the very least. I wouldn't be surprised if WhatApp servers know if this notification setting is on or off, which would enable them to e.g. target people with insecure default settings only to avoid detection.

I already said this in [0], but let's repeat it: This is essentially the same as if a webbrowser would just accept any TLS certificate without showing a warning no matter if valid or the issuer trust.

Sure, this is hard problem to solve UX-wise and user-education-wise, but that doesn't excuse that you advertise your known-and-deliberately-insecure-by-default default-MITMable product as "secure communication using end-to-end encryption".

[0] https://news.ycombinator.com/item?id=13395869

[1] https://news.ycombinator.com/item?id=13396393


Anyone expecting secure messaging from WhatsApp must have Rekeying Notification set ON. Compare it to having a lock installed and using the key to close the lock.

Personally I can not imagine Human Rights Activist having the Rekeying Notification set OFF.


This is not like a lock and using the key. Not in the very least. It has as much to do with a psychical lock as it has to to with a toaster or a banana. Nothing.

>Personally I can not imagine Human Rights Activist having the Rekeying Notification set OFF.

I can. A lot of those people are not tech savvy. And the targets of e.g. the most recent NSO story weren't just activists, but a lot of other people too, politicians, state officials, lawyers, journalists, etc.

And on top of that, this system becomes MITMable as soon as one of the communicating parties has notifications off (or ignores them, which then comes back to the UX and education issue).


'On the one hand WhatsApp probably have more people working on the app'

From a career in software development, I tend to feel that the more devs, the buggier. Maybe, MAYBE (number of QA)/(number of devs) = reliability coefficient.


The size of the red team could also be significantly larger. The more people you have looking for security holes the more likely to find them


Correlates with my experience, too, however size of the QA team is not a reliable indicator. I've seen it first hand where the QA is huge, but doesn't have good devs, only people that point out process flaws.


A QA team is trying to find bugs with the current release. They are not looking for mitm attacks or misuse. That would be more security who are generally looking for more obvious issues at the network level.


Keep in mind also that WhatsApp also demands full access to ALL your contacts in order to really work properly, as opposed to Signal where you just add the people you want to use Signal with


Even of they implement the Signal protocol, they have additional modifications to support ads, which increases the attack surface.


Well, and as pointed out elsewhere the signal protocol only covers messages in transit. How keys are managed, etc. also strongly affect security. In the signal app, the phones own the keys rather than another entity (hence why messages get rekeyed on whatsapp and why you're easily able to load messages on a new phone).


Reread my comment. If you have additional code to support things like ads, you add attack surface for people to find a way to inject code execution in the context of the WhatsApp process, which has access to the decrypted messages.


Does WhatsApp have ads?


They are already onboarding advertisers and will have ads appear in the app very soon. https://www.independent.co.uk/life-style/gadgets-and-tech/ne...


It doesn't. At first, it used an SMS IIRC that charged you a dollar every month or year, not sure. Then they scrapped that and they are now basing the income on WhatsApp for Business, although I don't know if they are charging yet. But as operating costs were actually low, they mostly ran off of papa Facebook's dollars.


Approx 20 months ago, numerous people I had contact with working in western military special operations units dropped WhatsApp in a fairly brief period of time.


Interesting. I think, FB matches whatsapp numbers with fb profiles and other meta data.


Facebook didn't buy Signal. One of the original executives from Facebook left to help start the Signal foundation with Moxie precisely because he had become sick of Facebook's insane behavior.


I think you misinterpreted the parent comment—I read it to mean that they stopped trusting WhatsApp as soon as Facebook bought them despite using the same technology as Signal. Your interpretation might be right, though.


No, you're correct. I stopped trusting WhatsApp after the Facebook acquisition.


FYI, WhatsApp added end-to-end encryption after Facebook acquisition.


I have been using signal for awhile and I try to convince people to use it, however I'm curious if using signal would have prevented this. It sounds like they got into WhatsApp servers and then did something else to get full access to people's phones.


>y banned use of WhatsApp and encouraged everyone to switch to the open-source Signal (another encrypted messaging app)

Oversimplification: WhatsApp is based on Signal, but repurposed for Facebook.


NSO still have multiple ubpatched 0 days in WhatsApp Telegram and most other messaging apps.

Your best bet is to use something obscure so you cannot easily be targeted or not being connected to the same net.

At the Israeli army we had phones that ran completely separate software stacks and talked to a different network for this. Nothing was on the internet.


Also since modem stacks are so terrible - ideally two phones where one is just a hotspot for the other one and the one using the hotspot does not have a cellular modem. Also ideally not Android or iOS.

Of course it is better to not be on the public internet with any sensitive device if at all possible. Anything on the internet is considered public.


Security by using obscure software has its own problems, alas.

You have less eyeballs looking for exploits on the good guys side as well. So problems stay open.


Within my experience, security by obscurity works only if you're low profile. If significant amounts of money will be spent decrypting your mess, it's game over.

OTOH, we usually only hear about the failed attempts, so there's a selection bias.


I deliberately didn't use the phrase security by obscurity, because that usage of obscurity is synonymous with secrecy. And that's not what the original comment was about.

I agree about the low profile being necessary (even if not sufficient).


Terminology: vulnerability or flaw is what the good guys are looking for. Exploits are implementions of the attack enabled by the vulnerability.


The more obsure and different the less likely. If closed source the knowledge belongs to the creators. If the circle is extremely small the chance of that knowledge being shared with your enemy is low. It goes up when that circle is increased.

When you want the biggest circle open source is safer. If your circle is small closed will be safer.


Your enemy can often learn those secrets not by being shared, but by other means. Eg reverse engineering.

But in any case, the original comment was using 'obscure' in the sense of uncommon not in the sense of 'secret'. As far as I can tell.


That sounds pretty cool. Did you all have your own separate physical layer just for military too, or did you use the same physical layer as the civilian world?


That's really clever. Using a custom made program or something obscure would be the only safe way.


PureOS + GNURadio + a software-defined radio + a power amplifier...


Based on the U.K. news, approximately everyone in parliament uses WhatsApp to talk/scheme with one another


Not just the UK, most international diplomacy is done through Whatsapp: https://www.theguardian.com/technology/2016/nov/04/why-do-di...


This is why I've been telling everyone that WhatsApp end-to-end encryption is moot if the client isn't open-source.

Nobody listens though, until something like this happens.


It says the hackers had access to WhatsApp servers, so they can tell who is talking to whom, and depending on how WhatsApp does encryption they may have been able to decrypt messages. I say may, because WhatsApp had pitched itself as an encrypted messaging system, though personally I’d bet they could because it’s easy to claim your service is encrypted and yet still design backdoors for yourself.


The article is garbling the WhatsApp allegations: WhatsApp says the hackers abused WhatsApp servers to hack phones, not that the servers had a flaw. To send the malicious payloads to the victims, the hackers sent messages that flowed over WhatsApp's networks, which largely what they're hanging the lawsuit on.

https://context-cdn.washingtonpost.com/notes/prod/default/do...

The actual flaw was this one: https://nvd.nist.gov/vuln/detail/CVE-2019-3568


"Prior to notifying victims, WhatsApp checked the target list against existing law enforcement requests for information relating to criminal investigations, such as terrorism or child exploitation cases. But the company found no overlap, said a person familiar with the matter. Governments can submit such requests for information to WhatsApp through an online portal the company maintains."

There is already an official backdoor, or how should I understand that?


You have it correct. Nearly every major US provider maintains some sort of online interface for law enforcement to submit requests. The level of information provided via these means varies, but they are obligated to respond to legitimate requests with wharever data they have on hand.

Dont like it? Go with a security-minded service like signal. Or, better yet, something totally severless and open source.


I don't use WhatsApp. But if they have an official backdoor, then it's not really e2e encrypted. Until now I thought, at least the official statement was, WhatsApp is truly e2e encrypted. Just that.


Maybe they are. But they would still have non-content timing, location and connection data. That is just as useful as message content.


It can be end to end and Encrypted and still have a backdoor.

I.e keeping a continuous web client active which the user isn't notified about


Even with encryption, WhatsApp could provide users' contact lists, message send time and volume, IP addresses, phone numbers.

Having a phone number is almost same as having person's location and identity. That's why really secure messengers won't require a phone number.


Isn't the fear more about a man-in-the-room attack rather than weaknesses in the e2e?


The end-to-end refers there to the hand-held device, not the peers' brains. The backdoor will then simply be in the hand-held device, intercepting the data meant to be displayed by the WhatsApp application.


> security-minded service like signal.

There's no security-minded service which use Google services.


I don't think it's fair to call this a "backdoor". Because of E2EE the law enforcement access is limited to looking up IP addresses associated with whatsapp users and such.


That was my question. What information does WhatsApp share with the law enforcement. Just, as you said IP and so, or also the messages?


if it's truly end to end encrypted, they would only have metadata. which is what the NSA collects en masse from Telecom providers.


>which is what the NSA collects en masse from Telecom providers

What does that even mean? There are so many different kinds of metadata I'm not sure why it's useful to compare Telecom metadata collection to Whatsapp.


Here in Brazil, if I understand corrected from some leaks, after the judicial request WhatsApp stop (or something related) the encryption between Bob and Alice. After that all conversations is in plain text and accessible to federal police.


Do they disable it or do they noisily mitm it?


> Sources familiar with WhatsApp’s internal investigation into the breach said a “significant” portion of the known victims are high-profile government and military officials spread across at least 20 countries on five continents.

Welp!


I know a military contractor working on stuff for non-Nato airforces. These guys use WattsApp for everything. It blew my mind.


Fun fact, a few of my friends and even family work for NSO and until recently they used WhatsApp for their own internal communication.

They literally moved off it a few days ago when shit hit the fan into more secure software because Facebook is targeting NSO employees.


Specifically what more secure software? Im looking for a secure messenger now.


Signal is usually one of the more popular one for a more secure alternative.


Funnily enough - they moved to signal. They are not telling me - but I assume they have an exploit for that as well - but it isn't controlled by Facebook.


I sincerely hope you are joking but from what I've seen myself it would not surprise me at all.


Nope. I wish it were a joke. Now this stuff isn't modern gear on F35s (think testing benches, displays, meetings, etc) but it's still horrific.


This seems like a disinformation campaign aimed at diverting attention from the fact that the governments of the human rights activists, human rights lawyers themselves used pegasus from NSO to target them.

Many of the Indian activists, journalists, lawyers who were targeted are working for low caste victims of false cases filed against them. John from Citizen Lab personally called them and told 'Your government attacked you'[0].

If anyone from Citizen Lab/WhatsApp is reading this, please corroborate with evidence that the governments themselves spied on its citizens when these activists sue them in court.

[0]: https://scroll.in/latest/942218/nagpur-lawyer-notified-by-wh...


How is this disinformation? The story says that NSO was used to target human rights advocates.


Don't forget that some disgruntled employee stole the software a few years ago. So who knows who has access to this.

https://m.calcalist.co.il/Article.aspx?guid=3741738


That website made my screen go black and my phone get hot!


That wasn't just me!?


Really wish I knew what this said



Which is hilarious and hypocritical, since the government keeps talking about making end-to-end encryption apps illegal to distribute without backdoors. Now they're using an encryption app with a backdoor,* and they're upset about it? I thought this is what they wanted!

*I know, I know, this probably wasn't done with a backdoor -- it's just funnier to lie in this context.


In fact, demonstrating this point is probably part of the reason Facebook is litigating this case. It gives them a solid example of the risks of backdoors that they can point to when governments ask for them.


There's a nice plot stemming from there.

“A rogue big tech employee puts on a grey hat to orchestrate a hack + personal blackmail on government officials, to instill a deep fear out of them and make them realize the folly of refusing end-to-end encryption.”


Mr Robot season 5


I guess they just don't like the inconvenience of having to find the backdoors on their own. It's hard work! But hard work has never killed anyone*

*With the exception of people forced to work to death, or under unsafe conditions, or that were doing a perfectly reasonable amount of hard work that none the less triggered a heart attack. Or...


Depends, if months of hard work results in a drive strike, it could be said to have killed some one.


“The government” is not a homogeneous entity.


The government isn't a monolithic entity, remember.


The real irony comes from an Administration who ran on the odious idea of "locking up" government employees who mishandled communications, who then turns around and begins a mass campaign of mishandling communications...


"You're doing mishandling of communications wrong. Here, let me show you how to really mishandle communications."


How else do you expect them to conduct illegal activities?


The same way most large governments & corporations do it: Without any accountability or consequences.


"Rules for thee but not for me."


Hypocritical? How many of your personal secrets (or even your corporate secrets) would cause >= thousands of people to die or >= billions of taxpayer dollars to be lost if they were leaked?


> How many of your personal secrets (or even your corporate secrets) would cause >= thousands of people to die or >= billions of taxpayer dollars to be lost if they were leaked?

Personal means, and should continue to mean, something. I'm not willing to let governments define what is personal to me.


I don't think people with more impactful secrets deserve more privacy than anybody else.


[flagged]


That's only true after the fact.

Up front the prospect of even greater damage might deter people.

Similar to how punishing wrong-doers in general doesn't help anyone after the fact, but one justification people bring up is deterrence before the fact.

(I profess no firm opinion in the matter. This is just giving the argument a steelmanning.)


I suspect your example would be more compelling if you used a first breach in ethics that would be less heinous. Cheating on your spouse is a common one to defend privacy of bad people; tax dodging if you want something illegal.



No one who wants to talk securely should ever use a facebook-owned channel in the first place.


It depends who your adversaries are.

It's one thing to say "they shouldn't use a facebook channel to talk securely", it's another to say "they shouldn't use a facebook channel on the same device as they use another channel to talk securely". My understanding of this was that it is the latter.

Unfortunately people often don't have the luxury of doing the latter.


  > Unfortunately people often don't have the luxury of doing the latter.
What? Just don't install the Facebook or other social apps. I do have Telegram, but no other social media apps on my phone. If you need to communicate, then SMS / MMS / telephone is fine. What can be done with Facebook that cannot be done with normal SMS or MMS or phone calls or video calls?


I also don't have any facebook apps on my phone - but from what I understand there are countries where whatsapp is how a lot of business is done. If you can't afford the time and opportunity cost of avoiding those businesses you have to install it.


I actually do live in a country where people expect you to have Whatsapp, both for personal and for business. And I still don't install it.


The Facebook app came pre-installed on my Android phone, and I couldn't get rid of it without rooting my phone (which would make it less secure).


Sad to see you're downvoted. The state of open source on Android is quite dire - it's difficult to run a fully patched ASOP - and the alternative is "customized" os installs with tons of crap. If nothing else, the more code that runs, the more bugs to exploit.


SMS and MMS and phone calls are far less secure than whatsapp


Unless you're arguing that Facebook-owned channels are more prone to security bugs, I don't see how this conversation is useful. Let's not forget that whatsapp is end-to-end encrypted by default; they literally brought end-to-end encryption to the masses.


Arguably, they shouldn't be using a smartphone or any computer at all, if they really want to be secure.


The bad guys will find out first.

Back when I first heard that, the bad guys were bored and/or hyperactive teenagers who understood how computers work. Today we are talking nation-state actors and nation-state-sponsored actors with practically unlimited resources.

Keeping your code secret will not stop them, cf. WhatsApp. "Responsible disclosure" will not stop them either, and sets up all the wrong kinds of incentives for vendors to sit on problems until just before the "responsible" disclosure window closes. And FFS, there are still grown adults that believe building backdoors into E2E won't be exploited by the bad guys first, insofar as they are not the bad guys themselves.

I only have questions, not answers, and I don't know what we do from here.


We have to make this knowledge of closed source systems not being safe more wide spread more approachable to the lamen.

It will take time but generations are slowly waking up to the bullshit. We need to be able to run open source code on servers in a transparent and reportable way that everyone can understand

I see services like whatsapp taking the stance it is essential. Its the only place I (barely) feel like I can speak my mind when chatting with non tech savvy friends (of which it would be a hard sell to get to install anything else more rock solid). I really hope we can adopt widespread e2e encrypted chat platforms moving forward and dont regress in this front else it will be a sad future


Use Matrix (Riot.im is a great client)

Or Signal, but without the phone number signup


How do you sign up without a phone number?


From what I read, NSO didn't only hack Whatsapp, they also used vulnerabilities in the Android OS in the media decoder. Given all the CVEs patched on each Android security patch, that wouldn't be surprising.

If that's the case, the articles are focusing too much on WhatsApp failure, but not enough on the failure of the Android OS. To me there is some kind of shared responsibility between the app and the OS here.

Who knows how many CVEs are hiding in the Signal and Riot.im apps? And Riot.im asks for many permission...


Or Briar or Ricochet, or something developed in house. Honestly, the thing that's so perplexing to me is why so many people in these roles would be using Whatsapp at all for these things. It's like SoS mentality (to use an imperfect metaphor) run amok.


The article claims that "a flaw in WhatsApp-owned servers" was used to "take over users’ phones".

This seems to imply that the hackers were able to escape from the WhatsApp mobile app to perform other actions on the phones.

How would this be possible?

Or is this just likely careless journalism, and the exploit was that the server breach allowed the attackers to exfiltrate WhatsApp data only?


It was done using pegasus exploit from NSO. A missed video call to the target on WhatsApp was all that necessary to deliver the payload, escape the sandbox & exploit the operating system.

What WhatsApp & CitizenLab said to the victims in India about the attack[0].

[0]: https://scroll.in/latest/942218/nagpur-lawyer-notified-by-wh...


The article says: "The Facebook-owned software giant alleges that NSO Group built and sold a hacking platform that exploited a flaw in WhatsApp-owned servers to help clients hack into the cellphones of at least 1,400 users."

The actual complaint reads: "Between in and around April 2019 and May 2019, Defendants used WhatsApp servers, located in the United States and elsewhere, to send malware to approximately 1,400 mobile phones and devices (“Target Devices”). Defendants’ malware was designed to infect the Target Devices for the purpose of conducting surveillance of specific WhatsApp users (“Target Users”). Unable to break WhatsApp’s end-to-end encryption, Defendants developed their malware in order to access messages and other communications after they were decrypted on Target Devices. Defendants’ actions were not authorized by Plaintiffs and were in violation of WhatsApp’s Terms of Service. In May 2019, Plaintiffs detected and stopped Defendants’ unauthorized access and abuse of the WhatsApp Service and computers."

https://context-cdn.washingtonpost.com/notes/prod/default/do...

In other words: WhatsApp does not allege a server breach. It alleges that phones were hacked via carefully crafted messages to trigger an exploit[1] on the phones, but to do that, hackers sent the messages via WhatsApp servers. They mention that, because otherwise they would have less of an argument to sue over. As far as I can tell, they're alleging that NSO Group was part of a scheme to interfere with the WhatsApp relay servers and to break the TOS, stated several different ways under different theories and laws.

[1] this one https://nvd.nist.gov/vuln/detail/CVE-2019-3568


To prove NSO used WhatsApp servers, I suppose WA will have to present inferences from metadata it recorded and saved. So WA will be required to demonstrate how much can yet be learned about its users by passing communications through its servers.


> How would this be possible?

Anecdotally, from a friend at WhatsApp, their engineering has been distracted by integration with Facebook. Holes that would have been patched in an independent WhatsApp may have been left to fester in the-now Facebookdivision.


I think OP is asking how NSO was able to escape the phone's sandbox model. To do that, they would need an exploit for the phone's OS, in addition to the WhatsApp exploit. So, the obvious question: which operating systems were specifically targeted?

Another comment mentions Pegasus... that was an iOS exploit patched in 9.3.5 (3 years ago). Does that line up with the timeline of this article?

Given that Android exploits are far more common than iOS, I would expect they had one of those too.

But then, where are Apple and Google in this case? It wasn't solely Facebook who was exploited; their app was just the initial vector to escalate to an attack on the OS. NSO probably could have achieved the same with dozens of other apps, but WhatsApp was chosen because of ease of deliverability (messaging) and popularity.


>Given that Android exploits are far more common than iOS, I would expect they had one of those too.

The Pixel was the only device that was not pwned in the 2017 Mobile Pwn2Own competition - the iPhone, running iOS 11.1, was exploited 4 times via both WiFi and Safari.

I'd be incredinly surprised if NSO were able to compromise an up to date Pixel phone.


That’s great for the Pixel. But what percent of Android phones are the Pixel, and not one of the hundreds of other varieties with varying patch schedules?

(That’s not entirely snark. I do wonder how high risk individuals are choosing which devices they use for communication.)


That by itself doesn’t mean much; very few people use Pixel devices and there’s significantly less attention put on it.


“WhatsApp did not identify the clients of NSO Group, who ultimately chose the targets.”


Thats really funny because a friend of mine used to work there and always talked about how all the internal very classified communication was done via whatsapp!


What's the deal with the end-to-end encryption here, I don't understand. If you get control over the server, you can circumvent it with WhatsApp? How did the attackers get hold of the private keys?



I’m shocked! I would have never expected this! Having a single organization so specialized in the particular domain handling nearly everyone’s data getting hacked? How ridiculous!

Apple have single handedly done the internet a gross disservice by not making it easy for users to set up webhooks for push notifications. If it weren’t for that chat would have a chance at being sane.


How people go to work at NSO Group, is beyond me. They must pay really well.


I hate facebook just like everyone else, but doesn't it have more resources to spend on WhatsApp security than Signal Foundation? Yes, Signal is open-source, but how many people are actually looking for its vulnerabilities full-time?


Just because Facebook can doesn’t mean they will. Justifying security research budgets is notoriously difficult in the corporate world.


I am just confused that NSO are getting all the flak for this when there are many bigger players in the market (like Verint) peacefully happily doing the same thing for years.

Of course, I don't think this particular report is correct (I am sure the US spies on its allies like all big countries but I doubt it would need NSO and given the US regulates the body that regulates who NSO is allowed to sell to - I doubt it)


But I thought WhatsApp was end-to-end encrypted?


If you want secure your top choices, in my opinion, are Signal and Wire -- and I like Wire better because I can sign up with a burner account or seemingly random alias on my ProtonMail account.

But don't just take my word for it -- here's a good place to start your own research: https://www.securemessagingapps.com/


Why is Wechat missing on that list?


They do not offer e2e encryption and as we all know, China government does not believe in privacy.


WhatsApp- the app- is the end. They pwned the app itself.


It is, but when you create a new contact you are trusting the WhatsApp service that the public key of the other party actually is their public key. The service can always give both parties a key of their own making instead of the actual keys of the parties. IIRC you can verify the public keys via QR codes but maybe such verification wasn't part of security practices. Thus if you hack the service, you may be able to read messages even though it's supposed to be end-to-end encrypted.

Another possibility is them faking a public annoucement to all Whatsapp users about some update or something. That announcement could then contain an image that exploits a vulnerability in the operating system's image decoder libraries. Or something like that. Without further information you can only speculate, but what's certain is that hacking the WhatsApp servers gives them ways to hack the phones that they previously didn't have.


This case is much simpler than that: there was a buffer overflow exploited in WhatsApp clients.

https://nvd.nist.gov/vuln/detail/CVE-2019-3568


Yeah, the exploit has absolutely nothing at all to do with message encryption. It's just your run-of-the-mill security hole that happens in other software all the time. As such, most of the comments in this thread are completely off base.

What makes it notable is which app it was found in, the reach of that app's userbase, and that a company was selling these exploit services.


Oh thanks, this wasn't mentioned in the linked article.


Skimming the actual complaint (unhelpfully, not linked by the article) clears a lot up about what happened.

https://context-cdn.washingtonpost.com/notes/prod/default/do...


Messages probably are, the app itself may have openings that allow an attacker to see messages.

In the early days of android, it was also possible to have a rogue google update service on a wifi AP, so when android connected to it you could push an update with malware.


E2E provides protection against the server provider knowing your content. It doesn't protect either end, since that would be impossible.

In this case, it seems like WhatsApp itself was compromised; malware was distributed through the server directly to the app, or something along those lines. (Y'know how you can dynamically change apps nowadays using Codepush, etc? If Whatsapp had something like that in their pipeline, and that thing was compromised, and that compromise could be targeted at specific devices, then no amount of encryption can save you.)


My understanding is it was this buffer overflow vulnerability:

https://nvd.nist.gov/vuln/detail/CVE-2019-3568


They exploited the app to take over the phone through a vulnerability


So i wonder about a ways of implementing secure communications using untrusted device over untrusted channels.


You can just encrypt it before typing it down and send encrypted text so the cleartext is never on the device. It's just not convenient at all though theoretically this can be a separate device that is not connected to the internet.


Earlier this month the DOJ asked Facebook to "halt end-to-end encryption" by adding a backdoor to all of Facebook's apps. Perhaps this is a reason.

https://www.engadget.com/2019/10/03/doj-facebook-end-to-end-...


I m confused, the top government officials are the children or the predators?


The answer is yes.


Why would facebook comply?


Why wouldn't a company of that size comply?


It’s an unnecessary cost and hurts whatever brand value remains.


Facebook is already given the NSA instant access to all their significant user data. Do you think they're doing that for free?


What are Israel doing to get so good at this and chip design and weapons making and everything else they seem to be really good at?

There’s only about 8 million people in the whole country. There are plenty of cities with more people than that.

How come they punch so far above their weight?


My experience with Israeli companies suggests that a culture which values intellectual achievement and competition is more widespread there.

Similar cultural enclaves exist elsewhere in the world and are presumably similarly effective, but they just aren't as large a portion of the population.

Even small cultural differences can have outsized effects because of pollination-- e.g. it's easier to learn from an expert in a domain if there are more experts around you.

I think your question isn't really that much different to asking why the bay area has "punched above its weight" in terms of producing successful tech companies compared to other regions around the US... or why other regions have had a lot more success in other domains.


My experience is the exact opposite. There is a culture of laziness and most offices are carried by a handful of outstanding people and propped up by significant foreign investment.

The difference with Israel, specifically in regards to hacking, is purely the amount of government support and protection independent actors receive for things that might otherwise be considered nefarious in other countries.


Also humans self-segregate. All else being equal a human who has property A will prefer to live with other humans who have property A, rather than humans with property B. Skin colour, favourite icecream flavour, late risers versus early birds - anything. We can deliberately make adjustments at policy level to reduce the harmful consequences (or of course, we can do stuff like red-lining to make it worse) but that's what they naturally do.

So these cultural affects will snowball.


Do you have a source to cite here, or can you refine what kind of properties you're talking about? I urinate standing up and prefer to live with someone who urinates while seated. This is the prevailing preference amongst people who urinate while standing.


This is colloquially referred to as "the big sort" in the United States - people moving to states where a higher portion of people share their political ideology. Your favorite search engine should point to many sources with this search term, though some are more dubious about the strength of the effect than others.


There’s only about 10 million people in Sweden and we’ve produced Saab, Ericsson, Volvo, IKEA, H&M, Spotify, Skype, MySQL to name a few.

I don’t think it’s that uncommon.


Well, Sweden is indeed one of the known tech powerhouses. But this just seems to prove the parent point, as there are many places in the world with similar population/quality of life/etc., but none of them come even close to Sweden/Israel/Bay Area in terms of tech.


It depends on how you define tech. The Netherlands are small (16m people) and world leaders in Agritech. We've got some decent tech companies in general (Philips, Booking, NXP, TomTom) and of course Shell / Unilever.

You can probably say something similar about Finland or Ireland.


Philips? The same company that sold me 15W grow lights while claiming they were 40w? I don't trust that company as far as I can throw it after that bit of outright fraud they pulled on me.


There is no reason why other well educated countries could being doing the same thing, but with the Israeli's, nothing is off the table. If a company in Israeli learns how to hack WhatsApp, that is seen as an advantage for the Israeli government. If an American company learns how to hack WhatsApp, they bound by ethics to let WhatsApp know and make sure the issue is fixed. Israeli culture thinks that is crazy to do that because they can use the flaw against their enemies.


Sounds like they are morally bankrupt. This is not something to be proud of in today's world.


I agree that it isn't a trait to be proud of, but show me a government that isn't morally bankrupt and I'll show you a government that you don't know enough about.

Being civilized seems to be a low priority in the civilized world.


The US also has export restrictions on crypto and other tech, which makes this kind of business harder for US companies. Especially with countries that aren’t strong Us allies.

When I worked in the radar business we couldnt just sell them to anyone.


Israel got about a million highly educated ex-Soviet immigrants who kick started the hi-tech industry in the early 90s. It’s slowly declining tho as Israel focuses more on educating kids about their “Jewish identity” than science and technology.


Other countries off-shoring their spycraft. <cough> <cough>


The Israeli army makes you code 12 hours a day for a year in some training programs.

Our punch is above our weight because of hard work and skepticism.

That's not the terrible stuff like NSO. NSO is just a clever way for the government (and the US government - don't forget) to export the military technology, regulate it and then claim they did not do it but a private company did.

Virtually everyone in NSO was in 8200, this is a way for the US and its allies to get around military trade issues.


I don't think they make anyone do that. The people who join these programs are predisposed to programming 12 hours a day (or more) in the first place. It's an effect rather than a cause.


High levels of investment, mandatory military service, and exceptionally good education.

If you ever get the chance to talk to someone from Israel, especially someone in tech who was raised in Israel, I recommend it. Ask them about where they went to school. You'll learn a lot.


> exceptionally good education.

Is that so?!

I’m an Israeli and I assumed that it’s the really bad education that is responsible for stronger skepticism and Chutzpah.


I have heard that Technion, huji, tau are good schools for cs/ee.


They are great, but academy is not the breeding grounds of NSO and its ilk.


I don’t think there’s anything particularly special about Israel, and that what’s really happening is that you don’t hear about the other firms in other countries, many of which are either more competent or have better tradecraft.


It's like everybody suddenly forgot about hacking team and vupen and whoever else.


I was told by a few people that their work culture is a sweatshop with "more work less bullshit" approach, is it true?


Not really. We work more hours relatively to some other countries, but generally don't work that hard. I Worked with people from other countries (Specifically, US, Germany, UK, France), in general they seem to work harder _when they work_ but they finish the day early and take more vacation days.

In any case, it's far away from being a "sweatshop", technology companies are a nice gig.


No.


If an American tech company tried to do something like this some employees would refuse and you would hear about the employee protests. I think because of the compulsory military service and their multi-generational dirty war Israel engineers don't seem to have these kinds of moral qualms.

(Normally I get flagged on HN for saying things like this, would love an explanation if it happens this time.)


I'm not going to flag you but I think you're drawing the wrong conclusions.

I don't have the numbers but I would be very surprised if the majority of Israeli cyber-ops ex-military sells spyware to authoritarian regimes. A few did do that but I don't think it's justified to blame the military service and whatnot for this.

Another thing to remember is that an Italian company also sold spyware to authoritarian regimes. The things they did was really similar to the Israeli one. Same excuses, same pr, same blabla... but without the compulsory military service and whatever reasons you listed.


There might be a certain degree of culture that helped.

For instance we tech worker share a very distinct culture from the general culture. Maybe the general culture/ a big subpart of the general culture in Israel is closer to the tech culture, and thus spurring more tech development.


Israel is beset on all sides by enemies of its state and has basically been at war since its creation. It has a very strong incentive to develop military industries. With support from the international community, they also have had the means to do so.



Do they?


[flagged]


> On top of that, everybody has been trying to murder Jews during the entire history, so there's a lot of natural selection.

It doesn't seem plausible that war or murder leads to a positive force on someone's character or natural ability. There are many great tragedies where the flower of a nation's manhood has been lost in war and left the country in a worse off position to grow it's populace. The Battle of the Somme for one.

Most religions and ethnic groups has at least one persecution story if not centuries of them, I don't see the evidence that it leads to a uniform positive increase in outcomes.


> On top of that, everybody has been trying to murder Jews during the entire history, so there's a lot of natural selection.

Wow! Does it work too for the blacks? Maybe, blacks run fast to escape from whites on electric cars!! And women! Women are prettier than men to manipulate men!!

Please, don't do that. Please DON’T.


Lots and lots of outside money.


Yep especially US "aid".


Throughout history, Jews had to outsmart and outperform their peers in order to survive.


I guess it's part of their mentality. Just take a look at how many Jewish people have won the Nobel prize. Sure, most of them weren't even Israelis, but it seems that intellectual prowess is part of their heritage.

https://en.wikipedia.org/wiki/List_of_Jewish_Nobel_laureates


I presume that most people will disagree with this but I believe that it is related to Jewish people on average being generally smarter than a non-jewish person. Consider for example: https://en.wikipedia.org/wiki/List_of_Jewish_Nobel_laureates

> "Nobel Prizes[note 1] have been awarded to over 900 individuals,[1] of whom at least 20% were Jews, although the Jewish population comprises less than 0.2% of the world's population"

This is also true in my personal experience as well. A lot of my professors had Jewish ancestry and are some of the smartest people that I know. A lot of famous computer scientists have Jewish ancestry too (Sussman, Stallman, etc).


I don’t comment on the “Jewish are smarter” comment but I always attribute their success to their culture and work “mind”.

Sort of similar to how “Asian parents push their children to become doctors.” It’s not necessarily that Asians are smarter, but they do work hard to achieve what they want… statistically speaking.


Jewish do indeed account for a disproportionate number of Nobel Prizes, among other things. At the very least, that seems to indicate that intellectual prowess is highly regarded inside the Jewish community and, as such, strongly encouraged as kids grow up. It's possible that the Jewish culture itself may provide members with a sense of structure and discipline that other cultures perhaps lack (at least on average).


Kindling this kind of provocative discussions should not be permitted here. The argument that x is smarter than everyone else without ever this being able to be verified is ridiculous. I don't suppose that a kid in Nigeria has the same access to education, resources, foreign aid, easy visa and an immense network as the average kid in Israel.

Of course, that is an extreme. But assigning intelligence to a "gene" and excluding any kind of environmental or societal/cultural reason for this kind of outlier is not very "smart"


> Kindling this kind of provocative discussions should not be permitted here

I simply and in good faith answered jonplackett's question based on my personal opinion and observations. My intention was not to provoke, although I do realise that this is a sensitive topic for some.

> But assigning intelligence to a "gene" and excluding any kind of environmental or societal/cultural reason for this kind of outlier is not very "smart"

Certainly, I do not believe that genetics is the only factor that affects intelligence. That being said, in the same spirit, I think that excluding genetics as a potential factor just because it makes some feel uncomfortable is not very smart.


Its a dangerous path - saying that one race is smarter directly implies that another race is dumber. That sort of dialogue is completely taboo at least in the US.


What about Obama's American exceptionalism speech? Seemed to be accepted fine.


Myths can be powerful things. Doesn't necessarily make them true.


Do you really not know the difference between nationality and race? There are people of every race and creed in the US.


I do actually, but in this context it doesn't really matter. Does any - not first generation immigrant - say I am 10% Irish, 10% Jewish from Russian Empire, 50% Welsh and 30% Italian? Maybe some people do but in reality you say you are an American. And for most of the world that's how it sounds anyway.


The problem is, because some misguided prejudiced people made up the bogus concept of "race" and used it to justify various forms of discrimination, we're no longer allowed to criticize the very real concept of "culture."

The people with the greatest influence over our language have succeeded in merging the two concepts, walling them both off from polite discourse for reasons known only to themselves.


Taboos are a way to hinder progress and science. I will not fall into that trap.

I could be wrong ofc, but I was under the impression that it is widely accepted in the scientific community that intelligence is at least partially affected by genes.

> saying that one race is smarter directly implies that another race is dumber

Note: I said on average.


The issue is not the average, but the extremes. When you have two identical distribution curves but one's center is shifted, the effect on the ends of the distributions are exaggerated.

A standard deviation increase in the average leads to a huge difference in demographics at the extremes. The population with lower mean will have the majority of the lower tail of the distribution, and the the other population will dominate the upper tail. In the highest 1% they will appear enormously over-represented.

In the middle is where it matters least, because near average people for both populations might have very similar iqs.

For a paper on the issue of specifically ashkenazi (rather than 'jewish') IQ I recommend this one from the University of Utah:

http://web.mit.edu/fustflum/documents/papers/AshkenaziIQ.jbi...

Note the increased IQ is specifically for askenazi jews, as opposed to say sephardic jews. The paper identifies historical social issues that would make selection for intelligence a strong factor in ashkenazi history, explores possible genetic causes identified through unique mutations not present in adjacent populations, and goes into depth on IQ and IQ heritability.

A high level summary available from the economist behind a paywall but viewable here:

https://outline.com/XnhPWd

I hope you find it interesting. I think its scientific enough that few people should find it controversial, except those who believe that IQ is not a useful measurement of intelligence, which I don't think is an opinion you share given your previous posts.

The controversial part would be Jordan B Peterson talking about it here:

https://www.youtube.com/watch?v=JQHH6o9ual8

No matter your feelings on him, worth a watch.


Also in my experience (mainly business) I experimented that Jewish people are much smarter than the average non Jewish business people I've been dealing with. At best I could get a draw, never a business win. (I don't mean anything bad or implying anything more than what I've written. Please read my comment in a positive way).


Anybody using Oversec? I am not using it, but the concept sounds good.

> Oversec constantly monitors the text on your screen. When it finds an encrypted text, it tries to decrypt it and then shows the decrypted text as an overlay in place of the encrypted text.

> In order to encrypt a text, Oversec shows a button next to an active input field. After having entered the secret text, tapping that button makes Oversec read the text, encrypt it and put back the encrypted text into the field. It is now ready to be sent in the subjacent app as usual - the app doesn't even know that it is sending encrypted data!

https://www.oversec.io/

Edit: Created a separate submission at https://news.ycombinator.com/item?id=21414464


Israel has some companies who are really good at this. I recall a story about the Saudis purchasing service from some Israeli companies to spy on other's cellphones.


That was literally NSO. They were the company that gave the Saudi's access to Jamal Khashoggi's phone.


Sometimes you just feel like using Signal instead


Signal's software is timebombed to force you into taking automatic updates. These updates could be used to force targeted users into backdoored builds.

Additionally, the signal has had a long history of being feature hostile to strongly secure use, through things like making it very difficult to cryptographically verify the identity of the party you're talking to... or automatically resending the last message you sent when the far end merely claims its key has changed.

I recommend people treat signal as unencrypted communications-- _actually_ unencrypted private communications are too absurdly insecure to use. But in practice signal does not provide the kind of strong security that we would associate with 'encrypted communication', and maybe UI considerations make that an unrealistic goal. Instead signal provides the kind of security we should expect from _ANY_ communication, but which isn't actually provided due to pervasive surveillance.


I mean, Signal is open source and not owned by Facebook, so I'm not sure why anybody uses WhatsApp instead.


Last I checked Signal's UX was worse enough that I'd be fighting a real uphill battle to get my friend group to switch.


That's reasonable, I suppose I'm lucky to have a friend group that universally prefers open source sorftware to good UX -- there was never really a question for us.


It's a little eye opening to me that anyone could have a friend group that "universally prefers open source software to good UX".

I have and use Signal with some friends, but there are also loads of people I communicate with who couldn't even tell you what open source software is, let alone articulate a preference for it over good UX.

Are all of your friends software engineers and/or technophiles?


I don't have many friends, TBH. I've got 2 friends who use normal SMS, and a group of 6 friends (not including myself) who use Signal; of those, three of them are software developers and one of them uses R at work though software development isn't her primary job. The other two are probably more aware of open source software than they would otherwise be due to peer exposure. It's also worth noting that one of my developer friends got the rest of us into programming, though three of us had been running Linux before that -- it's not that I've disproportionately made friends with software developers, it's that a group of people I'd been hanging out with for years assimilated a software developer who converted the rest of us. There may have been some MDMA involved in that.

Edit in case of potential ambiguity: s/a couple of/2


Exactly.

When all your friends are already using Facebook and you start telling them to use Signal instead... well, I can tell you from experience that it's almost impossible to break the status quo.

What has happened to me is that usually there's 1-2 persons from each friend group who care enough that they will relay information to you through Signal.

I still don't have a friend group that is 100% Signal. For that to happen, more than 50% of the group would need to care enough about privacy to completely abandon other communication channels and accept the cost of switching platforms. The rest would probably follow. In reality, I don't have a single non-tech friend who would give a fuck about encryption. You tell them about Signal and they go "cool", that's it.


"It's a little eye opening to me that anyone could have a friend group that "universally prefers open source software to good UX"

Plenty of us still prefer using command-line to this very day. Most of my work is still done on DOS 6.22.


I like the command line and it doesn't surprise me that other people do too. What surprises me is that there are people where an entire friend group universally prefers open source over good UX, since plenty of my friends couldn't tell you what the terms "command line", "open source", and "UX" mean.


The UX is fine IMO. They've been improving it. I have a couple non tech savvy friends that use it and they're fine with it.


Because everyone uses it. Once a social app becomes mainstream it gets a giant advantage due to the amount of inertia needed to switch entire social circles to a new platform.

Most new social platforms that make it big don't really take over older ones, they just grab a younger generation - usually just by being the network their parents aren't in.


You don't understand why people use a communications app with 1.6 billion users as opposed to one with likely less than a million?

It's network effects

In my own anecdotal experience Signal ranks way below Viber (popular with migrants + expats), Wickr (popular with people doing illegal things and corporate executive scheming), Telegram (popular in crypto, scammers and terrorists)

The only real broad use of Signal i've seen is amongst journalists - and even there i'm not certain how much they actually use it or if it's just the "i'm crypto aware" version of a blue checkmark for their Twitter profiles


It's a much better app, user experience-wise. I prefer Signal for obvious reasons, but WhatsApp is easier to use (and has a much better web interface).


I agree, but when the people you want to talk to are on WhatsApp already...


Not only are there network effects, but as you go through various cities in Latin America you will notice on the billboards that mobile service providers advertise "free" WhatsApp. As a result of the success of those ads, your contacts in that region will prefer WhatsApp to other media.


People use it because other people use it.

Signal's lack of a web interface is another reason.

Moreover, Telegram took the users that left WhatsApp for more secure alternatives (even though Telegrams homemade encryption doesn't look promising).

Same reasons why a lot of people don't leave Facebook.


they have features signal has not yet copied and probably won't (statuses e.g.)


The main one being actual users


The Signal client is open source. The back end not so much.

A lot of Signal is basically "trust Moxie".


> A lot of Signal is basically "trust Moxie".

Let me come out and defend Signal (I usually defend Telegram, but I don't think we should be unfair to anyone):

As far as I am aware no one who knows what they are talking about has come out with anything that says Signals end-to-end encryption is broken.

If I have understood it correctly an as long as that is true, NSA, FSB and the Chinese might be running the message handling together and there's still no reason to be worried that your messages will be intercepted in transit.

Disclaimer:

- as far as I am aware Signal is the safest messenger available for everyone

- even if all the above is true you are still trusting them with your metadata. I think they are good people. If you are scared of them, be aware that they know who you talk to and when. This is however true for any mainstream technology as far as I am aware.

- being good at crypto doesn't make them immune to bugs. There was a nasty vulnerability a few months ago that was remotely exploitable. Again, this is the same, or even worse for every other messenger.


>As far as I am aware no one who knows what they are talking about has come out with anything that says Signals end-to-end encryption is broken.

You have to check xmpp with omemo, it has libre servers and in federated


> This is however true for any mainstream technology as far as I am aware.

It's too bad bitmessage can't scale :/


And most of that is coming from MattGreen and Ptacek.


Not that I'm dissing Signal (it is my preferred platform, sadly not most used), but don't both WA and Signal use Open Whispers systems? So isn't there the potential that the same exploit might work on Signal?


WhatsApp allegedly uses an implementation of the OpenWhisper encryption system that Signal created (and still uses). However as there is no source code available unlike Signal, there's no way to verify if WhatsApp "really" is using it (or using it correctly).


It's certainly better to have source, but this seems like a matter of degree? You don't really know what's in Signal unless you compile it yourself, and/or they have reproducible builds and you verify checksums. Instead you're trusting that the source matches the binary, and probably also that someone else who knows more about crypto is reviewing the source carefully.

In the modern world we basically outsource everything, including trust and verification. An open, social process of verification can be better, though.


But it's _so_ much better than GPG and the WoT where you have to ... verify..... everything........... yourself...........


Is there a way to verify that the Signal app in the app store was compiled from the published Signal sources?


Yes, this is generally called "reproducible builds". Signal has reproducible builds for Android, here is how to build it and compare against the one on your phone:

https://github.com/signalapp/Signal-Android/blob/master/Repr...


This is true, but that also doesn't answer the question. It still leads to a possibility. The hack could also sidestep OW in some other way and only be WA specific, but still begs the question. Security is a constant cat and mouse game, so if someone says: "well, that only affects WhatsApp, it won't affect us -- even though we use the same underlying structure." sounds kinda naive.


Couldn't you determine by looking at the code in the APK, at least for Android?


It might be a bit difficult (but not impossible) to do that... the APK you download is not the APK that the developer uploads to the Play store. Usually, developers upload a "bundle," and then Google optimizes it by stripping out irrelevant media, i18n, etc., to deliver a smaller optimized APK to the end user.

So you can't just generate an MD5 of your APK and match it against the store description like the good old days when you could make sure your Linux ISO was legit, but there's probably some way to make it work?

EDIT: It might be possible to circumvent Google's bundling/optimizing by just uploading a regular old APK, but IIRC that was becoming more difficult these days. Unfortunately I'm not an Android dev expert.


Yes, "no way to verify" is a bit strong. Not as easy to verify is true (but: if you review the source, you'd also have to build the app yourself).


The app its self is the weakness not the protocol. But also the article says "that exploited a flaw in WhatsApp-owned servers to help clients hack into the cellphones".


Who's to say Signal will protect you any better against targeted remote-code-execution attacks from well-funded cyber mercenaries like NSO?


Yeah, I pretty much assume that targeted attacks will always succeed when a well-funded state actor is involved.

For me, I look at encryption as a mitigation for surveillance. Anything that increases the marginal cost to monitor an individual makes broad surveillance less economic.

Signal will always have the edge for surveillance due to the relative difficulty of hiding a back door. Whatsapp will always be suspect in that they could easily be forwarding everyone’s messages to third parties.


How many people actually worry about these spy agencies? If a state actor wants you or your information they'll just pull up in a black van and take you and use a $5 wrench to beat it out of you.


Much of what NSO Group does is sell to smaller despotic regimes who then use them to spy on dissidents who live abroad and would be quite hard (and embarrassing) to black-bag. Not everyone can send a murder team to Stockholm (or wherever).

Some despotic regimes do have large kidnap-and-murder programs (ex Rwanda) but if you just want to keep tabs on exiled dissidents and learn exactly who they're talking with back home, NSO Group has a product for you.


I get the implication but America isn't Russia and they just don't do it, too big of a headache, too easy to blowback into political realm. Officers hate when clandestine work erupts into public political drama.

Plus, why would you hire a team of people to kidnap a citizen and beat them when you can assign a ticket to a government blackhat at the NSA who will run the commands against your devices and take what they need without you ever knowing.

Even then, there is substantial risk of whistleblowing for illegal data collection against citizens (Snowden et al) so they would instead in a clandestine manner ask a fellow member of the Five Eyes to perform the surveillance "legally".

Our society has known about Five Eye roundabout spy agreements for a long time and has largely shrugged, so the risk of public political blowback doing this would be minimal.


> How many people actually worry about these spy agencies?

I don't really worry about the spy agencies themselves -- I am not of any interest to them.

However, I worry a lot about the likes of NSO and the tools they produce. They are likely to end up being used, in one form or another, by criminals and corporations.


These tools keep authoritarians in power and indirectly impact hundres of millions of people. It's like saying you don't care about pacific ocean plastic because you live on the east coast.


> These tools keep authoritarians in power

Indeed. I think I covered that in "criminal" category, but perhaps I should have been more explicit.


How’s that different from selling weapons to them, though?


It's not - we shouldn't be selling weapons to them either. Ditto with sharing intel.

Sanctions on selling exploits seems easier to achieve though since there is less of a conflict with economic interests


The state actor will have a more difficult time doing that if you are living in a different country. Exploits don't care about borders: https://www.voanews.com/africa/ethiopia-accused-using-spywar...


I get your point that a highly-motivated attacker has other, less sophisticated, ways of getting to your data.

However, if we're playing poker and I learn your tell, it's in my best interest that you are naive to that fact. While not the best analogy, I would think that the same concept would apply to state actors.


There have been a few electron vulnerabilities that affected signal. Plus signal demands that you have a phone number in order to use it. Also the fact that each device has its own key promotes the users to just blindly accept new keys.


Would this attack have been preventable with signal?


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: