Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-20 Thread Rich Kulawiec
On Sun, Jan 15, 2017 at 03:52:57PM -0200, Daniel Arnaudo wrote:
> Also anyone using Yahoo Mail on this thread might want to reconsider if
> they're concerned with privacy.

The same can be said of AOL, Hotmail/Outlook, and Gmail.  (Even though
I think very highly of Google's security people.)  The combined attacker
budget for compromising these is enormous and it seems overly optimistic
to me to assume that nobody's managed to pull it off yet.  (Maybe not in
full, but at least in part.)  I hope I'm wrong.  I'd *like* to be wrong.
I don't think I'm wrong.

---rsk

-- 
As democracy is perfected, the office of president represents, more and more
closely, the inner soul of the people.  On some great and glorious day the
plain folks of the land will reach their heart's desire at last and the
White House will be adorned by a downright moron. -- H.L. Mencken 7/26/1920

-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.


Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-15 Thread Daniel Arnaudo
This Ars Technica piece has some longer discussion of the pros and cons,
and the perspective of different security researchers. Seems like it is a
topic that has needed to be addressed for a while regarding WhatsApp.
Ultimately, if you do use WhatsApp and are concerned about security, turn
on the key change notification feature as the article describes:

" WhatsApp users should strongly consider turning on security notifications
by accessing Settings > Account > Security."

http://arstechnica.com/security/2017/01/whatsapp-and-friends-take-umbrage-at-report-its-crypto-is-backdoored/

Also anyone using Yahoo Mail on this thread might want to reconsider if
they're concerned with privacy.

https://krebsonsecurity.com/2016/12/my-yahoo-account-was-hacked-now-what/

Dan Arnaudo

Cybersecurity Fellow
Jackson School of International Studies
University of Washington

@ipolitico/ http://ipoliti.co

On Sun, Jan 15, 2017 at 12:47 PM, Andrés Leopoldo Pacheco Sanfuentes <
alps6...@gmail.com> wrote:

> Thanks, FL, for your succinct description.
>
> Anybody serious about decryption cannot use standard social networks,
> which are predicated on access to private data for marketing and
> "development" (eg, as test data for new features, debugging, etc)
> purposes, and naturally open to government intrusion with few
> exceptions that have proven irrelevant in the final analysis (e.g. the
> iPhone in question was cracked and data on it accessed by the
> government, without Apple's consent or assistance). Still, we as
> concerned citizens of the world have to take the high road and object,
> ceaselessly protesting this sorry state of affairs.
>
> Those wanting to preserve the integrity of certain of their
> communications and personal data need to resort to alternative tools,
> which provide protections with varying degrees. Concerned citizens of
> the world in the hacking space would continue to work on these tools
> to shield them from the prying eyes of marketeers and governments.
>
> Finally, what you depict about the rule of law and governments, as you
> note, is not exclusive to this topic of private data. For example,
> Central American and Mexican mothers and children entering the US
> without authorization through its Southern Border and seeking
> protection from rampant violence in their countries of origin are not
> given the appropriate treatment as stipulated in current US law
> regarding asylum seekers.
>
> Best Regards | Cordiales Saludos | Grato,
>
> Andrés L. Pacheco Sanfuentes
> 
> +1 (347) 766-5008
>
>
> On Sun, Jan 15, 2017 at 7:25 AM, FL  wrote:
> > First of all I thank Carlo and Cristina for welcoming me. I was afraid that
> > as a man who studied law rather than computer science I wouldn’t fit in here
> > so well. :-)
> >
> > I’ll clarify right from the beginning though that neither I live in the US
> > nor I work on the privacy field. I’m just a geek (not hacker) and a lawyer
> > who happens to be deeply worried about the current state of affairs. Because
> > of that and because I don’t have much time, I can’t study in deep the US
> > regulatory frame that some of you have mentioned. However, I would very much
> > like to say a few “general” things.
> >
> > I think we all here understand we are going through a dark age, where you
> > can't trust the so-called rule-of-law anymore. That democracy and the
> > rule-of-law are just a charade to cover-up the fact that a group of people
> > can do whatever they want as they keep the power (technical resources in
> > this case) to do so, has never been as evident as it is now.
> >
> > Facing that reality, I think it's good to reduce the possible approaches on
> > this issue, very simply, to just two alternatives — laws of man and laws of
> > physics (just as Assange et al. put it in 'Cypherpunks').
> >
> > We have realized laws of man don't matter that much anymore. That old
> > principle of life, according to which the strongest one can do whatever he
> > wants, is obviously bigger than any Constitution, law or court decision. So,
> > if laws of man won't work as it has been proven over and over again until
> > this point, it's clear the discussion should go on through a different path,
> > i.e. laws of physics (aka encryption). It is true encryption, not laws, what
> > matters the most. And if that means that there is something wrong in a
> > widely used piece of code (say IM, browsers, etc.), it needs to be addressed
> > right away.
> >
> > You can fight PRISM, XKEYSCORE and every secret program calling them
> > illegal, against the Constitution, against what your Founder Fathers
> > declared, and even against common sense and decency all you want. Still,
> > nothing of that grants there won't be mass surveillance. If it's not clear
> > and obvious enough at this point, I'll say it again: nothing. Your
> > government will play whatever ridiculous legal gymnastics is necessary to
> > call 

Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-15 Thread carlo von lynX
On Sun, Jan 15, 2017 at 11:40:13AM -0500, Rich Kulawiec wrote:
> So I think the operational question is not "are they present?" --
> the question is "what do they have access to?"

Consider also the blackmailing power of XKEYSCORE.
More or less anyone in any major corporation can be
blackmailed to collaborate, right? Not just in the US,
likely worldwide.

-- 
  E-mail is public! Talk to me in private using encryption:
 http://loupsycedyglgamf.onion/LynX/
  irc://loupsycedyglgamf.onion:67/lynX
 https://psyced.org:34443/LynX/


Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-15 Thread Rich Kulawiec
On Sun, Jan 15, 2017 at 08:47:51AM -0600, Andrés Leopoldo Pacheco Sanfuentes 
wrote:
> Anybody serious about decryption cannot use standard social networks,
> which are predicated on access to private data for marketing and
> "development" (eg, as test data for new features, debugging, etc)
> purposes, and naturally open to government intrusion with few
> exceptions that have proven irrelevant in the final analysis [snip]

I concur completely.  I'd also like to ask a pointed question, in re
the phrase "naturally open to government intrusion":

Do you [generic you] think that everyone working AT Facebook is working
FOR Facebook?

Of course they're not.  Any intelligence agency worth its name has
long since planted their own people inside.  It's an obvious, cheap,
effective, easy, very-low-risk potentially-high-reward move.

Plus: they get paid twice.  And if caught, they don't get executed
for espionage: they just get fired.  (Fired *quietly*.  Do you really
think Facebook would want it publicly known that an Elbonian agent was
working in devops for 6 years?  Hint: what would that do to their stock
price and 4Q earnings?)  And then they get replaced.

(And please don't tell me that Facebook could stop this.  Given that
intelligence agencies routinely plant people *inside each other*,
I sincerely doubt that they'd have any trouble getting their folks
past whatever security theater Facebook uses to screen employees.)

The same is no doubt true of any sufficiently-large "social network"
or cloud computing operation: Twitter, AWS, etc.  All that fruit hangs
much too low to be left unpicked.  The upside is huge, the downside
is negligible.

So I think the operational question is not "are they present?" --
the question is "what do they have access to?"

---rsk


Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-15 Thread carlo von lynX
Very interesting, rsk & FL.

On Sun, Jan 15, 2017 at 08:47:51AM -0600, Andrés Leopoldo Pacheco Sanfuentes 
wrote:
> Anybody serious about decryption cannot use standard social networks,

Decryption? You mean encryption? Indeed most users of
technology aren't serious about encryption. Not even
the hackers. When it comes down to pragmatism you get
an unencrypted reply from Gmail with all of your original
PGP message cited in the clear. Even from "hackers".
Not all, but too many for me.

I am thinking of shutting down my e-mail identity for
good because everyone around me continuously breaches my
civil rights by telling me private things in the clear.

It wouldn't be so hard to introduce technical norms
that enforce the constitutionality of the network,
instead it is normal that if I want to protect civil
rights and democracy I should refrain from using the
Internet.

> iPhone in question was cracked and data on it accessed by the
> government, without Apple's consent or assistance). Still, we as

How do you know?

> On Sun, Jan 15, 2017 at 7:25 AM, FL  wrote:
> > I think we all here understand we are going through a dark age, where you
> > can't trust the so-called rule-of-law anymore. That democracy and the

That is a harsh thing to read, coming from a lawyer.
Not even a US lawyer.

But I'd like to challenge the idea that man has by themselves broken
the rule-of-law. Technology itself is the strongest factor.

> > We have realized laws of man don't matter that much anymore. That old
> > principle of life, according to which the strongest one can do whatever he
> > wants, is obviously bigger than any Constitution, law or court decision. So,

Not obvious at all to me. Each time a dramatic event like Bastille or WW2
created the conditions for the foundation of a new constitutional democracy
there was a certain period of time in which rule-of-law dominated over
corruption. Subsequent generations slowly erode democracy by ongoing
parliamentarism, and then there are technological developments that imply
a worldwide political shift towards totalitarianism, simply by the possibilities
that arise. A powerful political shift towards better democracy could
compensate for that, like norms on mandatory encryption and transparency of
operating systems. But neither is the factual shift to the right being
seen and acknowledged, nor does anyone seriously dare to consider that a 
normative approach to fixing the Internet could actually work, especially
since the Grateful Dead have set the best-intended but utterly wrong
ethical frameset for the digital age. They said - leave us alone - and the
result is - a monopolistic marketplace of tracking gone out of control.

So, considering the Whatsapp case, my talking points would be:

- in a democracy-abiding Internet, end-to-end encrypted messaging is a
  fundamental function which does not belong to any company and is
  implemented in verifiable open source codes;
- law enforcement is not obtained by backdoors and backroom tricks
  but by open protocol standards that are implemented transparently
  in the code and define constitutionally viable forms of surveillance
  of targets in limited numbers of operations, cryptographically signed -
  maybe even by the use of a consensus mechanism* that evaluates the
  percentage of devices currently under inspection and protects from
  totalitarian abuse from within the operating system code.

These are two of the points the YBTI law proposal is about, in case
you start seeing the potential in this approach and want to read on.

*) Consensus protocols are cryptographic primitives blockchains are 
   built upon.. but without the blockchain and the proof-of-work they
   are actually ecologically viable.

> > if laws of man won't work as it has been proven over and over again until
> > this point, it's clear the discussion should go on through a different path,
> > i.e. laws of physics (aka encryption). It is true encryption, not laws, what
> > matters the most. And if that means that there is something wrong in a
> > widely used piece of code (say IM, browsers, etc.), it needs to be addressed
> > right away.

Seeing these two powers positioned against each other is what is keeping a
lot of the hacker community from actually getting anything done. Encryption
by itself won't do, because laws can always outlaw encryption and imprison
anyone who dares to use it. The true power lies in having law of man that
utilizes law of nature to implement ethical requirements for democracy and
human survival on earth. In a digital age where there is no tangible
evidence of the trespassing of civil obligations, civil rights and obligations
must be enforced by mandatory encryption.

As a side note, another major problem in the privacy discourse is the idea
that it has anything to do with individuals. It doesn't. It's about 
society's ability to exercise democracy - so it is about everybody around
you, not about yourself. You have no damn 

Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-15 Thread Andrés Leopoldo Pacheco Sanfuentes
Thanks, FL, for your succinct description.

Anybody serious about decryption cannot use standard social networks,
which are predicated on access to private data for marketing and
"development" (eg, as test data for new features, debugging, etc)
purposes, and naturally open to government intrusion with few
exceptions that have proven irrelevant in the final analysis (e.g. the
iPhone in question was cracked and data on it accessed by the
government, without Apple's consent or assistance). Still, we as
concerned citizens of the world have to take the high road and object,
ceaselessly protesting this sorry state of affairs.

Those wanting to preserve the integrity of certain of their
communications and personal data need to resort to alternative tools,
which provide protections with varying degrees. Concerned citizens of
the world in the hacking space would continue to work on these tools
to shield them from the prying eyes of marketeers and governments.

Finally, what you depict about the rule of law and governments, as you
note, is not exclusive to this topic of private data. For example,
Central American and Mexican mothers and children entering the US
without authorization through its Southern Border and seeking
protection from rampant violence in their countries of origin are not
given the appropriate treatment as stipulated in current US law
regarding asylum seekers.

Best Regards | Cordiales Saludos | Grato,

Andrés L. Pacheco Sanfuentes

+1 (347) 766-5008


On Sun, Jan 15, 2017 at 7:25 AM, FL  wrote:
> First of all I thank Carlo and Cristina for welcoming me. I was afraid that
> as a man who studied law rather than computer science I wouldn’t fit in here
> so well. :-)
>
> I’ll clarify right from the beginning though that neither I live in the US
> nor I work on the privacy field. I’m just a geek (not hacker) and a lawyer
> who happens to be deeply worried about the current state of affairs. Because
> of that and because I don’t have much time, I can’t study in deep the US
> regulatory frame that some of you have mentioned. However, I would very much
> like to say a few “general” things.
>
> I think we all here understand we are going through a dark age, where you
> can't trust the so-called rule-of-law anymore. That democracy and the
> rule-of-law are just a charade to cover-up the fact that a group of people
> can do whatever they want as they keep the power (technical resources in
> this case) to do so, has never been as evident as it is now.
>
> Facing that reality, I think it's good to reduce the possible approaches on
> this issue, very simply, to just two alternatives — laws of man and laws of
> physics (just as Assange et al. put it in 'Cypherpunks').
>
> We have realized laws of man don't matter that much anymore. That old
> principle of life, according to which the strongest one can do whatever he
> wants, is obviously bigger than any Constitution, law or court decision. So,
> if laws of man won't work as it has been proven over and over again until
> this point, it's clear the discussion should go on through a different path,
> i.e. laws of physics (aka encryption). It is true encryption, not laws, what
> matters the most. And if that means that there is something wrong in a
> widely used piece of code (say IM, browsers, etc.), it needs to be addressed
> right away.
>
> You can fight PRISM, XKEYSCORE and every secret program calling them
> illegal, against the Constitution, against what your Founder Fathers
> declared, and even against common sense and decency all you want. Still,
> nothing of that grants there won't be mass surveillance. If it's not clear
> and obvious enough at this point, I'll say it again: nothing. Your
> government will play whatever ridiculous legal gymnastics is necessary to
> call their dark practices ‘legal’. Except that, of course, nothing of that
> makes them legal, the same way that droning people on foreign and sovereign
> territories (even worse, with no previous due-process) is not legal just
> because Obama says so.
>
> In order to protect our privacy and freedom, encryption is the way to go and
> the really important matter to discuss. This is why hackers are, in reality,
> the ones called to change the current state of things. Changes in law-making
> will do little, specially in a country that is not precisely well-known for
> having people willing to account their government, stand for their rights
> and turn things upside down a little bit if necessary.
>
> FL
>
> P. S. Have a look at this news. Needless to say, the legal implications of
> this are huge and affect not only privacy, but also basic principles such as
> due-process. The 'fuck you people' train is not stopping.
>
> https://theintercept.com/2017/01/13/obama-opens-nsas-vast-trove-of-warrantless-data-to-entire-intelligence-community-just-in-time-for-trump/
>
> (Btw, Obama ruling with executive orders bypassing the Constitution, the
> Congress and practically 

Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-15 Thread FL
First of all I thank Carlo and Cristina for welcoming me. I was afraid that as 
a man who studied law rather than computer science I wouldn’t fit in here so 
well. :-)

I’ll clarify right from the beginning though that neither I live in the US nor 
I work on the privacy field. I’m just a geek (not hacker) and a lawyer who 
happens to be deeply worried about the current state of affairs. Because of 
that and because I don’t have much time, I can’t study in deep the US 
regulatory frame that some of you have mentioned. However, I would very much 
like to say a few “general” things.

I think we all here understand we are going through a dark age, where you can't 
trust the so-called rule-of-law anymore. That democracy and the rule-of-law are 
just a charade to cover-up the fact that a group of people can do whatever they 
want as they keep the power (technical resources in this case) to do so, has 
never been as evident as it is now.

Facing that reality, I think it's good to reduce the possible approaches on 
this issue, very simply, to just two alternatives — laws of man and laws of 
physics (just as Assange et al. put it in 'Cypherpunks').

We have realized laws of man don't matter that much anymore. That old principle 
of life, according to which the strongest one can do whatever he wants, is 
obviously bigger than any Constitution, law or court decision. So, if laws of 
man won't work as it has been proven over and over again until this point, it's 
clear the discussion should go on through a different path, i.e. laws of 
physics (aka encryption). It is true encryption, not laws, what matters the 
most. And if that means that there is something wrong in a widely used piece of 
code (say IM, browsers, etc.), it needs to be addressed right away.

You can fight PRISM, XKEYSCORE and every secret program calling them illegal, 
against the Constitution, against what your Founder Fathers declared, and even 
against common sense and decency all you want. Still, nothing of that grants 
there won't be mass surveillance. If it's not clear and obvious enough at this 
point, I'll say it again: nothing. Your government will play whatever 
ridiculous legal gymnastics is necessary to call their dark practices ‘legal’. 
Except that, of course, nothing of that makes them legal, the same way that 
droning people on foreign and sovereign territories (even worse, with no 
previous due-process) is not legal just because Obama says so.

In order to protect our privacy and freedom, encryption is the way to go and 
the really important matter to discuss. This is why hackers are, in reality, the 
ones called to change the current state of things. Changes in law-making will 
do little, specially in a country that is not precisely well-known for having 
people willing to account their government, stand for their rights and turn 
things upside down a little bit if necessary.

FL

P. S. Have a look at this news. Needless to say, the legal implications of this 
are huge and affect not only privacy, but also basic principles such as 
due-process. The 'fuck you people' train is not stopping.

https://theintercept.com/2017/01/13/obama-opens-nsas-vast-trove-of-warrantless-data-to-entire-intelligence-community-just-in-time-for-trump/

(Btw, Obama ruling with executive orders bypassing the Constitution, the 
Congress and practically everything is no different from the Rule by Decree 
practiced in Ancient Rome a few centuries ago and many Latin American 
governments in the current era — I’d say it’s even worse.)

> On 15-01-2017, at 09:38, Rich Kulawiec  wrote:
> 
> 
> Who owns WhatsApp?  Facebook.
> 
> What is the purpose of Facebook?  Surveillance and data acquisition.
> They've spent billions building the infrastructure for it.  They have
> expanded the nature and scope of it at every possible opportunity.
> They have been caught -- over and over and over again -- lying about it.
> 
> So now, suddenly, for no particular reason, they're going to reverse
> course, do the exact opposite of what they've always done *and* they're
> going to tell the truth about it?  After spending billions to acquire
> WhatsApp and all that valuable data?  Yeah.  That's gonna happen.
> 
> Quoting from the same story referenced earlier:
> 
>   "In August 2015, Facebook announced a change to the privacy
>   policy governing WhatsApp that allowed the social network to
>   merge data from WhatsApp users and Facebook, including phone
>   numbers and app usage, for advertising and development purposes."
> 
> And let me quote Dave Burstein's take on this from Dave Farber's IP list:
> 
>> I just read both articles twice. I'm not a security expert, but I think I
>> see what's happening here.
>> 
>> I believe the Guardian article was correct in the claim that Facebook
>> could, sometimes read some encrypted messages, using a feature included to
>> deal with users switching SIM cards, etc.  Depending on security settings,
>> the user may not 

Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-15 Thread Rich Kulawiec

Who owns WhatsApp?  Facebook.

What is the purpose of Facebook?  Surveillance and data acquisition.
They've spent billions building the infrastructure for it.  They have
expanded the nature and scope of it at every possible opportunity.
They have been caught -- over and over and over again -- lying about it.

So now, suddenly, for no particular reason, they're going to reverse
course, do the exact opposite of what they've always done *and* they're
going to tell the truth about it?  After spending billions to acquire
WhatsApp and all that valuable data?  Yeah.  That's gonna happen.

Quoting from the same story referenced earlier:

"In August 2015, Facebook announced a change to the privacy
policy governing WhatsApp that allowed the social network to
merge data from WhatsApp users and Facebook, including phone
numbers and app usage, for advertising and development purposes."

And let me quote Dave Burstein's take on this from Dave Farber's IP list:

> I just read both articles twice. I'm not a security expert, but I think I
> see what's happening here.
> 
> I believe the Guardian article was correct in the claim that Facebook
> could, sometimes read some encrypted messages, using a feature included to
> deal with users switching SIM cards, etc.  Depending on security settings,
> the user may not even be aware of the switch. Facebook "cooperates with
> legal government requests."  In England and probably other countries,
> the security agencies can legally request just about anything.
> 
> The Guardian probably was misleading writing "Facebook and others,
> could intercept.  The Guardian shouldn't have called it a "backdoor"
> without qualifying the comment with "for Facebook & Governments."
> 
> It appears that no one could use this without Facebook's help.
> Governments presumably could get Facebook's help.  It would cost Facebooks
> $B's to be shut out of India or Russia, $10's of billions if it prevented
> them from China.  I see no reason to believe Zuckerberg would resist to
> the end that kind of pressure.  Apple wouldn't; they just kicked the New
> York Times out of the App Store in China.  Google might, as evidenced
> by their willingness to exit China.
> 
> Facebook's answer to Gizmodo was so misleading the author should not
> have written the story that way. Facebook denied that this was a way for
> outsiders to crack What'sApp, which wasn't the Guardian's claim.
> But Facebook didn't address the substantive claim in the article, that
> Facebook and the governments it cooperates with can intercept (some,
> sometimes.)

I pointed out much the same thing on this list years ago.  If China
goes to Facebook and says "put in a backdoor or stop doing business here",
Facebook will put in a backdoor.  If Russia goes to Facebook and says
"give us a full data feed or stop doing business here", Facebook will
give them a full data feed.  Of course they will: there's no way they're
going to leave all money on the table.

---rsk


Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-14 Thread Jason Cronk
On 2017-01-14 13:41, Thomas Delrue wrote: 

> On 01/14/2017 08:17 AM, FL wrote: 
> 
>> I'm not sure that every American company, by law, must implement a backdoor, 
>> as you imply. The last time I checked, iMessage was a very secure platform 
>> with no known vulnerabilities -- which in fact has made Apple struggle with 
>> US agencies more than a few times.
> 
> CALEA
> (https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act)
> is no longer in effect? Or am I thinking of the wrong thing?

It's unclear whether CALEA applies to Apple or not. If it doesn't, then
we're done. If it does, CALEA provides an exemption that prevents the
government from forcing decryption to which it doesn't have the key
(i.e. requisite information). See
https://www.techdirt.com/articles/20160223/23441033692/how-existing-wiretapping-laws-could-save-apple-fbis-broad-demands.shtml
for a lengthier write up on the issue. 

-- 
R. Jason Cronk, JD
IAPP Fellow of Information Privacy
CIPM, CIPT, CIPP/US, PbD Ambassador
PRIVACY AND TRUST CONSULTANT
ENTERPRIVACY CONSULTING GROUP
www.enterprivacy.com
--> Our next open Privacy by Design Workshop: Feb 1, 2017,
Indianapolis, IN [1]

Links:
--
[1]
https://www.eventbrite.com/e/privacy-by-design-workshop-indianapolis-feb-2017-tickets-30695924336

Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-14 Thread Thomas Delrue
On 01/14/2017 08:17 AM, FL wrote:
> I'm not sure that every American company, by law, must implement a backdoor, 
> as you imply. The last time I checked, iMessage was a very secure platform 
> with no known vulnerabilities — which in fact has made Apple struggle with US 
> agencies more than a few times.

CALEA
(https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act)
is no longer in effect? Or am I thinking of the wrong thing?

>> On 14-01-2017, at 10:02, carlo von lynX  wrote:
>>
>>> On Fri, Jan 13, 2017 at 07:26:29PM -0500, Sebastian Benthall wrote:
>>> https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/
> https://www.theguardian.com/technology/2017/jan/13/
>>
>> I've also read 
>> http://www.golem.de/news/schluesselaustausch-aufregung-um-angebliche-whatsapp-backdoor-1701-125571.html
>> and https://tobi.rocks/pdf/whatsappslides.pdf
>> and to me it seems like all of the articles are
>> technically describing the same procedure.
>> The difference is only in the framing.
>>
>> For Facebook it is a necessity that people not be
>> bothered by key changes, for anyone in the libtech
>> business it is an alarming signal that MITM is
>> technically possible by default and users must be
>> specifically aware of the issue to avoid it.
>>
>> But why is anyone even expecting any true privacy
>> from an American proprietary product? Have the
>> PRISM and MUSCULAR programs suddenly been discontinued?
>> Has Freedom Act amended NSLs also for non-Americans?
>> How could Facebook afford not to pump everything they
>> can get into XKEYSCORE as before? Why did the European
>> Supreme Court rule that the US is not a safe harbor
>> for EU citizen data? Did I miss any recent developments?
>>
>> Is it the general strategy to have people debate whether
>> there is a backdoor when by law Whatsapp MUST have some
>> backdoor?




Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-14 Thread Andres Pacheco
Last time I heard the US govt failed to force Apple to break an 
iPhone. They had to reform to independent contractor mercenaries, i.e. "Evil 
Hackers!" Ergo I infer US law has not yet gotten to the point of requiring 
backdoors in code.




On Saturday, January 14, 2017, 9:04 AM, carlo von lynX wrote:

> On Sat, Jan 14, 2017 at 10:48:48AM -0300, FL wrote:
> > Sadly I'm not a hacker — I'm a lawyer, so I haven't checked their code nor 
> > any other company's for that matter.
> 
> We have plenty of hackers but not enough lawyers, so your
> view on what the laws currently actually imply is very welcome.
> 
> > However, my main point remains unaddressed — I'm not sure that American 
> > companies are 'required by law' to implement backdoors.
> 
> Alright, didn't perceive that as your main point.
> Well, here's what I know last time I checked:
> 
> - PRISM is a reality
> - NSLs have been used to oblige such companies to
>     + hand over access to their data centers
>     + expect no legal harm when denying any existence of NSLs
>     + expect general public to never become aware
> 
> Leaks have broken the latter promise, so those companies
> had good reasons to be upset. Freedom Act has changed
> NSLs in such a way that American citizens must no longer be
> bulk collected, NSA must only be allowed to run "selectors"
> which in the case of Whatsapp means that some backdoor
> must be provided to execute surveillance on such selectors.
> 
> Also, I have to look up Caspar Bowden's posts again,
> somewhere the laws explicitly give zero rights to non-US
> citizens - all of humanity is backdoorable and bulk
> collectible. And then we have programs like
> https://en.wikipedia.org/wiki/Muscular_%28surveillance_program%29
> which explicitly bypass US law.
> 
> Isn't Patriot Act essentially obliging the NSA to collect
> all it can? If the NSA must do that, then any company
> impeding the NSA from doing so is breaching that law, no?
> 
> -- 
>   E-mail is public! Talk to me in private using encryption:
>         http://loupsycedyglgamf.onion/LynX/
>           irc://loupsycedyglgamf.onion:67/lynX
>         https://psyced.org:34443/LynX/


Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-14 Thread carlo von lynX
On Sat, Jan 14, 2017 at 10:48:48AM -0300, FL wrote:
> Sadly I'm not a hacker — I'm a lawyer, so I haven't checked their code nor 
> any other company's for that matter.

We have plenty of hackers but not enough lawyers, so your
view on what the laws currently actually imply is very welcome.

> However, my main point remains unaddressed — I'm not sure that American 
> companies are 'required by law' to implement backdoors.

Alright, didn't perceive that as your main point.
Well, here's what I know last time I checked:

- PRISM is a reality
- NSLs have been used to oblige such companies to
    + hand over access to their data centers
    + expect no legal harm when denying any existence of NSLs
    + expect general public to never become aware

Leaks have broken the latter promise, so those companies
had good reasons to be upset. Freedom Act has changed
NSLs in such a way that American citizens must no longer be
bulk collected, NSA must only be allowed to run "selectors"
which in the case of Whatsapp means that some backdoor
must be provided to execute surveillance on such selectors.

Also, I have to look up Caspar Bowden's posts again,
somewhere the laws explicitly give zero rights to non-US
citizens - all of humanity is backdoorable and bulk
collectible. And then we have programs like
https://en.wikipedia.org/wiki/Muscular_%28surveillance_program%29
which explicitly bypass US law.

Isn't Patriot Act essentially obliging the NSA to collect
all it can? If the NSA must do that, then any company
impeding the NSA from doing so is breaching that law, no?


-- 
  E-mail is public! Talk to me in private using encryption:
 http://loupsycedyglgamf.onion/LynX/
  irc://loupsycedyglgamf.onion:67/lynX
 https://psyced.org:34443/LynX/

Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-14 Thread FL
Sadly I'm not a hacker — I'm a lawyer, so I haven't checked their code nor any 
other company's for that matter.

However, my main point remains unaddressed — I'm not sure that American 
companies are 'required by law' to implement backdoors. And the fact that I 
check the news instead of a proprietary piece of code doesn't mean that someone 
must have a secret and mandatory backdoor.

I might be wrong though, but I haven't seen any evidence to make me think 
otherwise.

Best regards,

FL

> On 14-01-2017, at 10:38, carlo von lynX  wrote:
> 
> Thx, efecto
> 
>> On Sat, Jan 14, 2017 at 10:17:07AM -0300, FL wrote:
>> I'm not sure that every American company, by law, must implement a backdoor, 
>> as you imply. The last time I checked, iMessage was a very secure platform 
>> with no known vulnerabilities — which in fact has made Apple struggle with 
>> US agencies more than a few times.
> 
> Has there been any litigation with the NSA? I only
> saw interaction with the FBI - and the FBI has a
> less prioritary job: law enforcement. Nothing that
> is worth questioning national security for, so I
> would assume FBI doesn't get the same clearances
> as NSA. You can't monitor an entire population if
> strategically unimportant offences like child abuse
> would blow your cover - thus it is mathematical that
> FBI cannot have the access privileges of NSA.
> 
> By "last time I checked" you don't mean the code
> that is actually deployed into those devices but
> merely "checked the news", right?
> 

Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-14 Thread carlo von lynX
Thx, efecto

On Sat, Jan 14, 2017 at 10:17:07AM -0300, FL wrote:
> I'm not sure that every American company, by law, must implement a backdoor, 
> as you imply. The last time I checked, iMessage was a very secure platform 
> with no known vulnerabilities — which in fact has made Apple struggle with US 
> agencies more than a few times.

Has there been any litigation with the NSA? I only
saw interaction with the FBI - and the FBI has a
less prioritary job: law enforcement. Nothing that
is worth questioning national security for, so I
would assume FBI doesn't get the same clearances
as NSA. You can't monitor an entire population if
strategically unimportant offences like child abuse
would blow your cover - thus it is mathematical that
FBI cannot have the access privileges of NSA.

By "last time I checked" you don't mean the code
that is actually deployed into those devices but
merely "checked the news", right?


Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-14 Thread Cristina [efecto99]
On 14/01/17 10:02, carlo von lynX wrote:
> On Fri, Jan 13, 2017 at 07:26:29PM -0500, Sebastian Benthall wrote:
>> https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/
>> > > https://www.theguardian.com/technology/2017/jan/13/
> I've also read 
> http://www.golem.de/news/schluesselaustausch-aufregung-um-angebliche-whatsapp-backdoor-1701-125571.html
> and https://tobi.rocks/pdf/whatsappslides.pdf
> and to me it seems like all of the articles are
> technically describing the same procedure.
> The difference is only in the framing.
>
> For Facebook it is a necessity that people not be
> bothered by key changes, for anyone in the libtech
> business it is an alarming signal that MITM is
> technically possible by default and users must be
> specifically aware of the issue to avoid it.
>
> But why is anyone even expecting any true privacy
> from an American proprietary product? Have the
> PRISM and MUSCULAR programs suddenly been discontinued?
> Has Freedom Act amended NSLs also for non-Americans?
> How could Facebook afford not to pump everything they
> can get into XKEYSCORE as before? Why did the European
> Supreme Court rule that the US is not a safe harbor
> for EU citizen data? Did I miss any recent developments?
>
> Is it the general strategy to have people debate whether
> there is a backdoor when by law Whatsapp MUST have some
> backdoor?
>

This can only be answered with a: <3 thanks Carlo!

Amnesia seems to be the sign of our society; thanks to the ones that
remain coherent.

Cristina (99)


-- 
This communication may be legally and/or illegally collected, stored and
used by various actors. If in doubt about the content you are sharing,
avoid sending it unencrypted.


Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-14 Thread FL
I'm not sure that every American company, by law, must implement a backdoor, as 
you imply. The last time I checked, iMessage was a very secure platform with no 
known vulnerabilities — which in fact has made Apple struggle with US agencies 
more than a few times.

FL

> On 14-01-2017, at 10:02, carlo von lynX  wrote:
> 
> On Fri, Jan 13, 2017 at 07:26:29PM -0500, Sebastian Benthall wrote:
>> https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/
>> > > https://www.theguardian.com/technology/2017/jan/13/
> 
> I've also read 
> http://www.golem.de/news/schluesselaustausch-aufregung-um-angebliche-whatsapp-backdoor-1701-125571.html
> and https://tobi.rocks/pdf/whatsappslides.pdf
> and to me it seems like all of the articles are
> technically describing the same procedure.
> The difference is only in the framing.
> 
> For Facebook it is a necessity that people not be
> bothered by key changes, for anyone in the libtech
> business it is an alarming signal that MITM is
> technically possible by default and users must be
> specifically aware of the issue to avoid it.
> 
> But why is anyone even expecting any true privacy
> from an American proprietary product? Have the
> PRISM and MUSCULAR programs suddenly been discontinued?
> Has Freedom Act amended NSLs also for non-Americans?
> How could Facebook afford not to pump everything they
> can get into XKEYSCORE as before? Why did the European
> Supreme Court rule that the US is not a safe harbor
> for EU citizen data? Did I miss any recent developments?
> 
> Is it the general strategy to have people debate whether
> there is a backdoor when by law Whatsapp MUST have some
> backdoor?
> 
> -- 
>  E-mail is public! Talk to me in private using encryption:
> http://loupsycedyglgamf.onion/LynX/
>  irc://loupsycedyglgamf.onion:67/lynX
> https://psyced.org:34443/LynX/

Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-14 Thread carlo von lynX
On Fri, Jan 13, 2017 at 07:26:29PM -0500, Sebastian Benthall wrote:
> https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/
> > > https://www.theguardian.com/technology/2017/jan/13/

I've also read 
http://www.golem.de/news/schluesselaustausch-aufregung-um-angebliche-whatsapp-backdoor-1701-125571.html
and https://tobi.rocks/pdf/whatsappslides.pdf
and to me it seems like all of the articles are
technically describing the same procedure.
The difference is only in the framing.

For Facebook it is a necessity that people not be
bothered by key changes, for anyone in the libtech
business it is an alarming signal that MITM is
technically possible by default and users must be
specifically aware of the issue to avoid it.

But why is anyone even expecting any true privacy
from an American proprietary product? Have the
PRISM and MUSCULAR programs suddenly been discontinued?
Has Freedom Act amended NSLs also for non-Americans?
How could Facebook afford not to pump everything they
can get into XKEYSCORE as before? Why did the European
Supreme Court rule that the US is not a safe harbor
for EU citizen data? Did I miss any recent developments?

Is it the general strategy to have people debate whether
there is a backdoor when by law Whatsapp MUST have some
backdoor?

-- 
  E-mail is public! Talk to me in private using encryption:
 http://loupsycedyglgamf.onion/LynX/
  irc://loupsycedyglgamf.onion:67/lynX
 https://psyced.org:34443/LynX/
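The point carlo makes above about key changes is easier to see in code than in prose. The following is an added illustration, not code from this thread and not WhatsApp's or Signal's implementation: a toy trust-on-first-use (TOFU) identity-key store in Python with two selectable policies. Under the "silent" policy a changed identity key is accepted and any messages queued for the peer are released immediately, which is the default behaviour the linked articles describe; under the "block" policy the queued messages are held, the change is logged for the user, and delivery resumes only after the new key has been confirmed on another channel. The class and function names (`KeyStore`, `Policy`, `Verdict`, `scenario`, `fingerprint`) and the sample keys `KEY_BOB_V1`/`KEY_BOB_V2` are constructed for this example.

```python
# Added example (not from the thread, nor WhatsApp/Signal code): a toy
# trust-on-first-use key store that makes the two key-change policies
# discussed in the thread concrete. All names and keys are constructed here.
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Policy(Enum):
    SILENT = "silent"  # accept a changed key and deliver queued messages anyway
    BLOCK = "block"    # hold queued messages until the user confirms the new key


class Verdict(Enum):
    FIRST_USE = "first-use"                # nothing pinned yet: pin this key (TOFU)
    UNCHANGED = "unchanged"                # announced key matches the pinned one
    CHANGED_ACCEPTED = "changed-accepted"  # SILENT policy re-pinned without asking
    CHANGED_HELD = "changed-held"          # BLOCK policy: delivery paused, user must verify


def fingerprint(key: bytes) -> str:
    """Short, human-comparable digest of an identity key (a 'safety number')."""
    digest = hashlib.sha256(key).hexdigest()[:20]
    return " ".join(digest[i:i + 5] for i in range(0, 20, 5))


@dataclass
class KeyStore:
    policy: Policy
    pinned: Dict[str, bytes] = field(default_factory=dict)       # peer -> identity key
    pending: Dict[str, List[str]] = field(default_factory=dict)  # peer -> undelivered msgs
    log: List[Tuple[str, str]] = field(default_factory=list)     # (peer, note) for the user

    def queue(self, peer: str, message: str) -> None:
        """Store a message the user wrote while the peer was unreachable."""
        self.pending.setdefault(peer, []).append(message)

    def observe_key(self, peer: str, key: bytes) -> Tuple[Verdict, List[str]]:
        """The server has announced `key` as peer's current identity key.
        Returns the verdict and whichever queued messages may be sent now."""
        old = self.pinned.get(peer)
        if old is None:
            self.pinned[peer] = key
            return Verdict.FIRST_USE, self._release(peer)
        if old == key:
            return Verdict.UNCHANGED, self._release(peer)
        self.log.append((peer, f"identity key changed: {fingerprint(old)} -> {fingerprint(key)}"))
        if self.policy is Policy.SILENT:
            self.pinned[peer] = key          # re-pin without involving the user
            return Verdict.CHANGED_ACCEPTED, self._release(peer)
        return Verdict.CHANGED_HELD, []      # BLOCK: keep the backlog until confirmed

    def confirm_key(self, peer: str, key: bytes) -> List[str]:
        """The user has compared fingerprint(key) with the peer out of band.
        Only now is the new key pinned and the held backlog released."""
        self.pinned[peer] = key
        return self._release(peer)

    def _release(self, peer: str) -> List[str]:
        return self.pending.pop(peer, [])


# Constructed sample keys: Bob's original identity key and a different one
# announced later (a reinstall, a new phone, or something less benign).
KEY_BOB_V1 = bytes.fromhex("11" * 32)
KEY_BOB_V2 = bytes.fromhex("22" * 32)


def scenario(policy: Policy) -> Tuple[Verdict, int, int]:
    """Alice pins Bob's key, queues two messages while Bob is offline, then the
    server announces a different key for Bob before delivery.
    Returns (verdict, messages delivered now, messages still held)."""
    store = KeyStore(policy)
    store.observe_key("bob", KEY_BOB_V1)          # first contact: pin (TOFU)
    store.queue("bob", "the draft is in the shared folder")
    store.queue("bob", "call me when you are back")
    verdict, delivered = store.observe_key("bob", KEY_BOB_V2)
    return verdict, len(delivered), len(store.pending.get("bob", []))


if __name__ == "__main__":
    for policy in Policy:
        print(policy.value, scenario(policy))
```

Running the block prints `silent (CHANGED_ACCEPTED, 2, 0)` and `block (CHANGED_HELD, 0, 2)`: the protocol is the same in both cases, and only the client's reaction to the key change decides whether the backlog leaves the device before anyone has checked who holds the new key. Turning on key-change notifications, as the Ars Technica advice earlier in the thread suggests, moves a real client from the first row toward the second.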


Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-14 Thread F LM
So I guess we can go back to what we were talking about a few days ago. You 
know, "fake news".

FL

> On 13-01-2017, at 21:26, Sebastian Benthall  wrote:
> 
> https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/
> 
>> On Jan 13, 2017 9:14 AM, "Rich Kulawiec"  wrote:
>> It is long *past* time for everyone involved in the kinds of activities
>> discussed here to completely and permanently excise Facebook's
>> services/products from their computing environment.  No excuses.
>> 
>> ---rsk
>> 
>> 
>> - Forwarded message from Richard Forno  -
>> 
>> > To: Infowarrior List 
>> > Date: Fri, 13 Jan 2017 08:18:42 -0500
>> > Subject: [Infowarrior] - WhatsApp backdoor allows snooping on encrypted
>> >   messages
>> >
>> >
>> > WhatsApp backdoor allows snooping on encrypted messages
>> >
>> > https://www.theguardian.com/technology/2017/jan/13/whatsapp-backdoor-allows-snooping-on-encrypted-messages
>> >
>> > A security backdoor that can be used to allow Facebook and others to
>> > intercept and read encrypted messages has been found within its WhatsApp
>> > messaging service.
>> >
>> > Facebook claims that no one can intercept WhatsApp messages, not even the
>> > company and its staff, ensuring privacy for its billion-plus users. But
>> > new research shows that the company could in fact read messages due to
>> > the way WhatsApp has implemented its end-to-end encryption protocol.
>> >
>> > Privacy campaigners said the vulnerability is a "huge threat to freedom
>> > of speech" and warned it can be used by government agencies to snoop
>> > on users who believe their messages to be secure. WhatsApp has made
>> > privacy and security a primary selling point, and has become a go to
>> > communications tool of activists, dissidents and diplomats.
>> >
>> > < - >
>> >
>> > Boelter reported the backdoor vulnerability to Facebook in April 2016,
>> > but was told that Facebook was aware of the issue, that it was "expected
>> > behaviour" and wasn't being actively worked on. The Guardian has
>> > verified the backdoor still exists.
>> >