Hacker News new | past | comments | ask | show | jobs | submit login
Belgium Arrests Two in Probe Over Returning Syria Fighter (bloomberg.com)
76 points by Errorcod3 on June 9, 2015 | hide | past | favorite | 54 comments

Maybe you missed this — when end-to-end encryption was launched, they mentioned that they did not yet encrypt iOS, nor group chat.


Did they make a subsequent announcement that they were encrypting those?

Who's they? Because Whatsapp has never said it uses end to end encryption - anywhere.

Also, I guess it is possible that the so called terrorists used iPhones, but I think there's a higher chance they used Android phones. Of course we don't know exactly, but either way you shouldn't have assumed Whatsapp uses end-to-end encryption even before this.

So those who thought Whatsapp was "safe", treat this as yet another warning sign that you shouldn't be using it for private conversations.

Those who were already paranoid about it, you probably weren't using it already for that, so this changes nothing.

> Because Whatsapp has never said it uses end to end encryption - anywhere.

They most certainly did:


Why do you think it's more likely they used Android phones ?

As of May 2015, iOS has 53.5% of the mobile market Android 41.7% (in Belgium) - source: http://howwebrowse.be/

I want to add that not only the price is crucial but a bit of security. Using a closed OS with belief you're not being tracked? Well, they are not so stupid. The best choice for such things is a chinese no-name-smartphone on Android or just an old Nokia on Symbian^3 or 9.4.

My guess would be price, especially if they're periodically changing phones to reduce their chances of surveillance. OTOH maybe they weren't doing that.

> Because Whatsapp has never said it uses end to end encryption - anywhere.

Good point, thanks

AFAIK end-to-end encryption can only be used with Android clients.


tl;dr end-to-end encryption in WhatsApp is not really useful (yet)

which, if you rely on it, defeats at least one "end" in "end-to-end" if you don't know what device your peer is using. So much for end-to-end encryption in Whatsapp...

That's exactly what I was thinking. If WhatsApp was an Android-only app, it might be able to claim end-to-end security. Even then a quirk in a certain version of Android on one end, or even a hardware quirk with a certain model phone, could impact security.

Of course if you want the most secure communication possible with someone, you won't use a smartphone in the first place. There isn't a cellphone on the planet that's 100% secure from eavesdropping.

>If WhatsApp was an Android-only app, it might be able to claim end-to-end security.

Have they made this claim though, or stated it as a goal?

I've never used Whatsapp, but maybe they inform you whether or not the other end supports and is using encryption? It would certainly be easy for them to do something like that, hopefully they do.

They don't...

As much as I like and respect Moxie, I think it's a huge personal risk for him to associate himself with Facebook (WhatsApp)[0].

That said, come on... there's no user exposed key management in Whatsapp, or secure means to perform a handshake with your contacts. Even if they've really rolled out Moxies crypto protocol on Android, like they claim (go look at the source and verify... oh, wait), on features alone you can't trust it... you just can't create a secure channel unless you're in control of the keys.

And on terrorists using Whatsapp... well, Whatsapp accounts are tied to your cell phone #. The authorities can work with WhatsApp to piece together who messaged who, and when, and where you both physically were at the time. This is enough to bust terrorists. Deploying E-to-E crypto was never about anonymity.

[0] https://whispersystems.org/blog/whatsapp/

As many have pointed out Whats App's E2EE isn't deployed on all platforms and messaging services.

Furthermore they've only rolled it out about 6 months ago, there's a good chance that the information which lead to this case was collected before the E2E encryption was rolled out.

Even if you do you use an app that always uses crypto end to end (e.g. signal/textsecure)


There's no guarantee that apple/google/microsoft haven't been ordered to install a backdoored version.

tl;dr RMS was right

It's by far easier to force MSFT, Google or Apple to backdoor the device rather than an individual app. Especially since at least on Android devices you can always pull the APK you got form the store apart and see if it's being messed with.

Seems very unwise of them to disclose this capability, if it exists. Might be a red herring? Or maybe an accidental disclosure through due to belgian/US miscommunication.

From an intelligence perspective this was profoundly dumb to reveal. This is the heart of what protecting sources and methods is all about. However, it really should go without saying that one should operate in the assumption that all digital communications are compromised, at least commercial services.


In the comments on this unrelated story of identifying a terrorist people argued that it's possible the story is deliberate misinformation, it could also be the case here.

To what end? To encourage Terrorists to use another mechanism, almost certainly better vetted?

"In its initial phase, though, Whatsapp’s messaging encryption is limited to Android, and doesn’t yet apply to group messages, photos or video messages. " http://www.wired.com/2014/11/whatsapp-encrypted-messaging/

It's called "Consumer Marketing of Encryption."

Almost certainly Whatsapp is doing consumer to server encryption, but not end to end. If this is true, then Whatsapp holds or can decrypt the internal storage or transfer of messages.

Alternatively, there is a likelihood that the encryption keys are escrowed or trivially encrypted.

This is what we're seeing in the consolidating web giant world. Words don't match technical expectations, but they meet the letter of the law. We see/saw the same thing with privacy.

Though, does this mean that the encryption was compromised?

Even with encryption they can probably track who you're communicating with.

Perhaps they pushed an insecure version on the suspects.

FWIW this is an article with a headline closer to the original, though with no additional information:


I find it funny that somebody could be really so naive to expect privacy from WhatsApp after it got acquired by Facebook. Especially after we've had similar lessons with Skype + Microsoft.

You're not supposed to do this with story titles.

The correct title for this story would be "Belgium Arrests Two in Probe Over Returning Syria Fighter".

I think in this particular case the story title applies. The part of the story that is interesting/important to HN users is about WhatsApp's compromised encryption, not so much the arrest and charges. Perhaps a nod to the article's title would be better though; something like "Suspects Arrested in Probe Based On WhatsApp Eavesdropping". That covers both aspects of the story.

Noted, and if that's the site's rules, so be it. I certainly wouldn't have bothered with the article or the discussion if the HN headline had been the same as the article headline, though.

Caveat: It's a guideline, not a rule.

Nonsense. The spirit of the guidelines is what matters. That post would never get on the front page of HN, and the current title is far from clickbait - it's the very reason it's of interest to the community.

EDIT: For reference, the original title was something to the effect of WhatsApp - so much for end-to-end encryption.

Then they should write a story about it, because Bloomberg did not write the story their title claims they wrote.

> Investigators said earlier they had detained 16 people in the anti-terror raids after working with U.S. authorities to monitor suspects’ communications on WhatsApp Inc.’s messaging service.

I'd say that paragraph made it "close enough" to the original title, myself.



> "End-to-end" means that, unlike messages encrypted by Gmail or Facebook Chat, WhatsApp won't be able to decrypt the messages itself, even if the company is compelled by law enforcement. The company will set up the key exchange between users, but only the two users will have access to the conversation itself. There are other end-to-end encryption apps on the market — most notably Cryptocat, Silent Text and Telegram — but with over 600 million users across the world, WhatsApp is by far the largest platform to adopt the system.

Its pretty clear their claims of end-to-end encryption are BS and since they can gain access to the keys.

Then write the article analyzing their article and drawing that conclusion. They didn't write that. Submissions are community property; the person who submits an article does not get the privilege of summarizing it for the rest of the site, or of drawing conclusions for us. If you demand that privilege, you have to do your own writing to get it.

Maybe Whatsapp is just helping them connect who talked to whom, without actually being able to look at the contents?

Additionally these points are excellent as well:

https://news.ycombinator.com/item?id=9685977 https://news.ycombinator.com/item?id=9685827 https://news.ycombinator.com/item?id=9685801

Why should someone have to write a blog post that adds little more but what is already implicit in the title?

EDIT: The only reason I can think of is that someone might think Bloomberg wrote the title (because of bloomberg.com and possibly Google results). If that's the real reason, then fair enough. Otherwise it seems awfully silly.

So, at this point a could recommend twitter ? It's pretty nifty to make short statements and include a link to the article ? :D

Ultimately they did, but perhaps unintentionally.

Yeah but OP is trying to point out a specific piece of information that's relevant for hacker news users. It wouldn't have been read through otherwise.

OP has no information other than that Whatsapp was used. The title is not appropriate.

Arresting terrorists operating in Belgium isn't a good enough lede?

Not to me. Absolutely would not have clicked on this had the title been about terrorists in Belgium. I use Whatsapp so I am glad the OP used the title he did.

No, it isn't.

It's good enough when Bloomberg submits it to its own site because that lead is the primary information.

ON HN, where it is submitted because of WhatsApp being mentioned it's not the `lead' at all: it's a detail of the whole story.

I clicked because I found the headline too distant from HN's usual political submissions and I couldn't understand at first why there were so much comments on that particular rather common and not news worthy (at least not until we have more details that would show it matters more than the other fighters who come back) event

I live in Belgium so I thought it was weird it was on HN and that I didn't hear anything of that story that might have interested HN and made me go "I should submit this to HN".

edit: borken english is broken

It is a failing of a vote-based ranking system that a comment with nothing but a complaint about the HN title remains at the top of the discussion, after the title has been corrected (http://i.imgur.com/fItX7pd.png).

Perhaps moderators should take the time to cull/derank these comments when they fix the titles.

I agree.

Unfortunately that title would not be very descriptive why the story is relevant on Hacker News.

To be fair, that doesn't shed any light on what the submitter is trying to point out.


and note taken

Of course this turns into a debate about the article title on HN...

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact