[liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?
J.M. Porup
jm at porup.com
Sat Jan 17 09:00:56 PST 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/16/15 14:52, Cypher wrote:
> On 01/15/2015 11:29 AM, carlo von lynX wrote:
>> On Thu, Jan 15, 2015 at 08:49:31AM -0800, Steve Weis wrote:
>>> Note you said "users will never know" if e2e is being used,
>>> but as Moxie says "we'll be surfacing this into the UI" of
>>> upgraded clients.
>>
>> There is a systemic legal problem by which neither Facebook, nor
>> Whatsapp, nor Textsecure nor Moxie are in a position to
>> guarantee that whatever is surfaced into the UI actually means
>> what it says.
>
> I was under the impression that the government couldn't make you
> actively lie to someone. For example, if I have a message on my
> page that says "we do not collect any user data" and the government
> makes me collect data on an existing user, that's acceptable. But
> they could not stop me from changing that sign and force me to lie.
> I'd assume that would be the case with WhatsApp. Once the visuals
> are surfaced, each new encrypted connection would be forcing the
> service to actively tell a lie, which, as I understand it, isn't
> legal. Of course, IINAL so I don't know.

I would like to give a concrete example of "commandeering." Something
that happened yesterday.

I've been saying for a while now that Twitter has been commandeered.
There's a great deal of circumstantial evidence pointing this way. I
documented my research last March, here:

https://medium.com/@toholdaquill/how-the-military-uses-twitter-sock-puppets-to-control-debate-and-suppress-dissent-a4ccba1e6f05

Be sure to read the footnote about @Asher_Wolf.

Then yesterday, I logged into Twitter, posted a couple of tweets, and
realized that my outgoing tweets had been hacked to include a
*different* image than my profile image.

The image of a gun:

https://twitter.com/toholdaquill/status/556102312494915586

Now, you could argue that someone must have stolen my password and
replaced my profile image. But that never happened. My profile photo
never changed. Only my outgoing tweets contained a different profile
image. To the best of my knowledge, it is not possible for Twitter
users to maintain two different profile images at the same time.

Additionally, the only operating systems I use are Qubes and Tails.
That doesn't make my end points impregnable, but it makes
opportunistic hacks rather unlikely.

What does this mean?

Either:

1) I am a complete liar / fraud / charlatan making this up to annoy
everyone (because why?)

or

2) Something like this happened:

https://firstlook.org/theintercept/2014/02/24/jtrig-manipulation/

Remember? "Change their photos on social networking sites"

Now here's the rub: the Twitter API does not include an optional
"second profile image" parameter. At least not publicly. See:

https://dev.twitter.com/rest/reference/post/statuses/update

Which means that, at the point of a court order / gun, Twitter has
been coerced into putting that parameter into their code, and giving
API keys to a thug who works for the FBI / CIA / NSA.

And the funny thing? If they were trying to scare me, they failed. All
they've done is make me angry.

JMP
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----