How on earth is this possible?

DaveReading
Posts: 742
Joined: 24 Feb 2019, 5:37pm

Re: How on earth is this possible?

Post by DaveReading »

Bonefishblues wrote: 23 Nov 2021, 8:15am
[XAP]Bob wrote: 22 Nov 2021, 11:01pm Absolutely they can - they may or may not be able to read the contents, but that wasn’t in the list.
They may not. Unless you are privy to some information, in which case please share it.
Unfortunately, "may" is an ambiguous word.

Do you mean "they might not" (read the contents), or "they cannot"?

Given the reportedly widespread use of WhatsApp in the more unsavoury circles of the world, I'm pretty sure the latter is the case, though I wouldn't rule out a backdoor.
Bonefishblues
Posts: 10977
Joined: 7 Jul 2014, 9:45pm
Location: Near Bicester Oxon

Re: How on earth is this possible?

Post by Bonefishblues »

DaveReading wrote: 23 Nov 2021, 8:23am
Bonefishblues wrote: 23 Nov 2021, 8:15am
[XAP]Bob wrote: 22 Nov 2021, 11:01pm Absolutely they can - they may or may not be able to read the contents, but that wasn’t in the list.
They may not. Unless you are privy to some information, in which case please share it.
Unfortunately, "may" is an ambiguous word.

Do you mean "they might not" (read the contents), or "they cannot"?

Given the reportedly widespread use of WhatsApp in the more unsavoury circles of the world, I'm pretty sure the latter is the case, though I wouldn't rule out a backdoor.
Sorry to be so ambiguous. I rather hoped the exchange gave the context to understand exactly my meaning.

What's this 'back door' you are raising?
[XAP]Bob
Posts: 19793
Joined: 26 Sep 2008, 4:12pm

Re: How on earth is this possible?

Post by [XAP]Bob »

Bonefishblues wrote: 23 Nov 2021, 8:15am
[XAP]Bob wrote: 22 Nov 2021, 11:01pm Absolutely they can - they may or may not be able to read the contents, but that wasn’t in the list.
They may not. Unless you are privy to some information, in which case please share it.
Whilst they claim to have implemented end to end encryption, and claim not to transfer the keys to the mothership I have no way of establishing that they haven't - it's not as if we can inspect the source code is it...

The meta data is, in itself, hugely valuable - the contents... well, they'd love to still have access to that - and we'd likely never know.

They've only just allowed the backups to be encrypted (in the last couple of weeks), so that's one loophole big enough to drive a bus through being closed off - although again, how confident are you in their encryption, which isn't able to be reviewed?
A shortcut has to be a challenge, otherwise it would just be the way. No situation is so dire that panic cannot make it worse.
There are two kinds of people in this world: those who can extrapolate from incomplete data.
Bonefishblues
Posts: 10977
Joined: 7 Jul 2014, 9:45pm
Location: Near Bicester Oxon

Re: How on earth is this possible?

Post by Bonefishblues »

[XAP]Bob wrote: 23 Nov 2021, 9:41am
Bonefishblues wrote: 23 Nov 2021, 8:15am
[XAP]Bob wrote: 22 Nov 2021, 11:01pm Absolutely they can - they may or may not be able to read the contents, but that wasn’t in the list.
They may not. Unless you are privy to some information, in which case please share it.
Whilst they claim to have implemented end to end encryption, and claim not to transfer the keys to the mothership I have no way of establishing that they haven't - it's not as if we can inspect the source code is it...

The meta data is, in itself, hugely valuable - the contents... well, they'd love to still have access to that - and we'd likely never know.

They've only just allowed the backups to be encrypted (in the last couple of weeks), so that's one loophole big enough to drive a bus through being closed off - although again, how confident are you in their encryption, which isn't able to be reviewed?
So what should I do - there's 'backdoors' to the data being referenced, you seem to be inferring there's no data integrity, or are you simply saying this is valuable data (NSS!) and it might be being misused, but we don't know - or what, exactly?
Jdsk
Posts: 24478
Joined: 5 Mar 2019, 5:42pm

Re: How on earth is this possible?

Post by Jdsk »

Bonefishblues wrote: 23 Nov 2021, 9:50am So what should I do...
We switched to Signal wherever possible.

Jonathan
Bonefishblues
Posts: 10977
Joined: 7 Jul 2014, 9:45pm
Location: Near Bicester Oxon

Re: How on earth is this possible?

Post by Bonefishblues »

Jdsk wrote: 23 Nov 2021, 9:53am
Bonefishblues wrote: 23 Nov 2021, 9:50am So what should I do...
We switched to Signal wherever possible.

Jonathan
Yes, you mentioned that Jonathan, but are these concerns based on evidence, or suspicions, or what, exactly?
[XAP]Bob
Posts: 19793
Joined: 26 Sep 2008, 4:12pm

Re: How on earth is this possible?

Post by [XAP]Bob »

Signal is at least open source, so the veracity of its encryption claims can be verified (and have been).

It is almost certainly the most secure chat application out there.
[XAP]Bob
Posts: 19793
Joined: 26 Sep 2008, 4:12pm

Re: How on earth is this possible?

Post by [XAP]Bob »

Signal is at least open source, so the veracity of its encryption claims can be verified (and have been).

It is almost certainly the most secure chat application out there.
When you use Signal, your data is stored encrypted on your devices. The only information that is stored on the Signal servers for each account is the phone number you registered with, the date and time you joined the service, and the date you last logged on.

This is different from apps like WhatsApp, which actually collect your metadata for their own use (and pass it along to Facebook too). This is also different from apps like Wire messenger that encrypt your data but store some of it on their servers.
Is Signal messenger really safe?
The short answer is yes. Signal messenger is really safe.

The long answer is, complicated. What do you mean by safe? Is Signal the most secure and private messenger app in existence? Probably. Can I guarantee that the NSA can't crack the encryption? No. The cryptographic community says that the encryption is secure. But can anyone guarantee it with 100% certainty? No. Will quantum computers be able to break the encryption? Theoretically, yes, at some point in the future. But as far as we know, no sufficiently powerful quantum computer exists so we can't say for sure one will be able to do the job.

Is Signal more secure than WhatsApp?
While it isn't obvious at first glance, Signal is definitely more secure than WhatsApp. Both products use secure end-to-end encryption for the content of their messages. They are both equally secure as far as that goes. In fact, WhatsApp's end-to-end encryption uses the Signal protocol to encrypt its data too.

But Signal encrypts your metadata, while WhatsApp logs as much of your metadata as possible, and passes it along to Facebook. While metadata doesn't expose the contents of your messages, it does include information on who you talked to, when you connected, and much more.
https://securitytech.org/secure-encrypt ... pp/signal/
Bonefishblues
Posts: 10977
Joined: 7 Jul 2014, 9:45pm
Location: Near Bicester Oxon

Re: How on earth is this possible?

Post by Bonefishblues »

[XAP]Bob wrote: 23 Nov 2021, 10:41am Signal is at least open source, so the veracity of its encryption claims can be verified (and have been).

It is almost certainly the most secure chat application out there.
Is WhatsApp unsecure is the question I'm trying to understand the answer to.

Several people, including you, are seeming to indicate concerns so I'd like to understand whether I am using something I should be worried about (notwithstanding something else might be better)
Jdsk
Posts: 24478
Joined: 5 Mar 2019, 5:42pm

Re: How on earth is this possible?

Post by Jdsk »

Bonefishblues wrote: 23 Nov 2021, 9:59am
Jdsk wrote: 23 Nov 2021, 9:53am
Bonefishblues wrote: 23 Nov 2021, 9:50am So what should I do...
We switched to Signal wherever possible.
Yes, you mentioned that Jonathan, but are these concerns based on evidence, or suspicions, or what, exactly?
I have two rather different concerns:

1 Analysis of the security, as posted above by [XAP]Bob, and see:
https://en.wikipedia.org/wiki/Compariso ... ts#Privacy

2 It's run by Meta/Facebook.

Jonathan
Bonefishblues
Posts: 10977
Joined: 7 Jul 2014, 9:45pm
Location: Near Bicester Oxon

Re: How on earth is this possible?

Post by Bonefishblues »

Jdsk wrote: 23 Nov 2021, 1:19pm
Bonefishblues wrote: 23 Nov 2021, 9:59am
Jdsk wrote: 23 Nov 2021, 9:53am
We switched to Signal wherever possible.
Yes, you mentioned that Jonathan, but are these concerns based on evidence, or suspicions, or what, exactly?
I have two rather different concerns:

1 Analysis of the security, as posted above by [XAP]Bob, and see:
https://en.wikipedia.org/wiki/Compariso ... ts#Privacy

2 It's run by Meta/Facebook.

Jonathan
I'm a bit hard-of-thinking at the moment, because head like cheese, but I'm not sure my central question as to whether WA is actively unsecure has been answered Jonathan?

(Leaving aside the question of holding noses, because Meta)
[XAP]Bob
Posts: 19793
Joined: 26 Sep 2008, 4:12pm

Re: How on earth is this possible?

Post by [XAP]Bob »

It depends how much you trust faecesbook to honour their word.

In theory the messages are encrypted and they don't have your key, but it's only in the last couple of weeks that backups could be encrypted.
There is also no guarantee that they aren't exporting the key to be able to read the messages as well.

And that's why we can't answer the "is WA insecure"; it can't be analysed properly (by security researchers) because the source code isn't available.

There is a certainty that they are mining the meta data, and using that information to sell you to other companies.
Jdsk
Posts: 24478
Joined: 5 Mar 2019, 5:42pm

Re: How on earth is this possible?

Post by Jdsk »

[XAP]Bob wrote: 23 Nov 2021, 4:35pm And that's why we can't answer the "is WA insecure"; it can't be analysed properly (by security researchers) because the source code isn't available.

There is a certainty that they are mining the meta data, and using that information to sell you to other companies.
Agreed x2.

Jonathan
Bonefishblues
Posts: 10977
Joined: 7 Jul 2014, 9:45pm
Location: Near Bicester Oxon

Re: How on earth is this possible?

Post by Bonefishblues »

Jdsk wrote: 23 Nov 2021, 4:40pm
[XAP]Bob wrote: 23 Nov 2021, 4:35pm And that's why we can't answer the "is WA insecure"; it can't be analysed properly (by security researchers) because the source code isn't available.

There is a certainty that they are mining the meta data, and using that information to sell you to other companies.
Agreed x2.

Jonathan
I'll tell my also-Covid-ridden mate that some good is coming from our "How crap are you feeling?" chats :D

...but seriously for a moment, what is the utility of the meta data?
[XAP]Bob
Posts: 19793
Joined: 26 Sep 2008, 4:12pm

Re: How on earth is this possible?

Post by [XAP]Bob »

It's a huge part of what the large advertising companies (Google and Facebook) sell (remember we are the product).

It's massively valuable, but you get to see no value from handing it over. Traditional communications providers are, at least in the EU, prevented from monetising this information, because it is seen as an invasion of privacy.