[liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

carlo von lynX lynX at time.to.get.psyced.org
Sun Jan 15 08:21:40 PST 2017 

Very interesting, rsk & FL.

On Sun, Jan 15, 2017 at 08:47:51AM -0600, Andrés Leopoldo Pacheco Sanfuentes wrote:
> Anybody serious about decryption cannot use standard social networks,

Decryption? You mean encryption? Indeed most users of
technology aren't serious about encryption. Not even
the hackers. When it comes down to pragmatism you get
an unencrypted reply from Gmail with all of your original
PGP message cited in the clear. Even from "hackers".
Not all, but too many for me.

I am thinking of shutting down my e-mail identity for
good because everyone around me continously breaches my
civil rights by telling me private things in the clear.

It wouldn't be so hard to introduce technical norms
that enforce the constitutionality of the network,
instead it is normal that if I want to protect civil
rights and democracy I should refrain from using the
Internet.

> iPhone in question was cracked and data on it accessed by the
> government, without Apple's consent or assistance). Still, we as

How do you know?

> On Sun, Jan 15, 2017 at 7:25 AM, FL <flucom.02 at gmail.com> wrote:
> > I think we all here understand we are going through a dark age, where you
> > can't trust the so-called rule-of-law anymore. That democracy and the

That is a harsh thing to read, coming from a lawyer.
Not even a US lawyer.

But I'd like to challenge the idea that man has by themselves broken
the rule-of-law. Technology itself is the strongest factor.

> > We have realized laws of man don't matter that much anymore. That old
> > principle of life, according to which the strongest one can do whatever he
> > wants, is obviously bigger than any Constitution, law or court decision. So,

Not obvious at all to me. Each time a dramatic event like Bastille or WW2
created the conditions for the foundation of a new constitutional democracy
there was a certain period of time in which rule-of-law dominated over
corruption. Subsequent generations slowly erode democracy by ongoing
parliamentarism, and then there are technological developments that imply
a worldwide political shift towards totalitarism, simply by the possibilities
that arise. A powerful political shift towards better democracy could
compensate for that, like norms on mandatory encryption and transparency of
operating systems. But neither is the factual shift to the right being
seen and acknowledged, nor does anyone seriously dare to consider that a 
normative approach to fixing the Internet could actually work, especially
since the Grateful Dead have set the best-intended but utterly wrong
ethical frameset for the digital age. They said - leave us alone - and the
result is - a monopolistic marketplace of tracking gone out of control.

So, considering the Whatsapp case, my talking points would be:

- in a democracy-abiding Internet, end-to-end encrypted messaging is a
  fundamental function which does not belong to any company and is
  implemented in verifiable open source codes;
- law enforcement is not obtained by backdoors and backroom tricks
  but by open protocol standards that are implemented transparently
  in the code and define constitutionally viable forms of surveillance
  of targets in limited numbers of operations, cryptographically signed -
  maybe even by the use of a consensus mechanism* that evaluates the
  percentage of devices currently under inspection and protects from
  totalitarian abuse from within the operating system code.

These are two of the points the YBTI law proposal are about, in case
you start seeing the potential in this approach and want to read on.

*) Consensus protocols are cryptographic primitives blockchains are 
   built upon.. but without the blockchain and the proof-of-work they
   are actually ecologically viable.

> > if laws of man won't work as it has been proven over and over again until
> > this point, it's clear the discussion should go on through a different path,
> > i.e. laws of physics (aka encryption). It is true encryption, not laws, what
> > matters the most. And if that means that there is something wrong in a
> > widely used piece of code (say IM, browsers, etc.), it needs to be addressed
> > right away.

Seeing these two powers positioned against each other is what is keeping a
lot of the hacker community from actually getting anything done. Encryption
by itself won't do, because laws can always outlaw encryption and imprison
anyone who dares to use it. The true power lies in having law of man that
utilizes law of nature to implement ethical requirements for democracy and
human survival on earth. In a digital age where there is no tangible
evidence of the trespassing of civil obligations, civil rights and obligations
must be enforced by mandatory encryption.

As a side note, another major problem in the privacy discourse is the idea
that it has anything to do with individuals. It doesn't. It's about 
society's ability ot exercise democracy - so it is about everybody around
you, not about yourself. You have no damn right to sign away your friends'
civil rights by agreeing to the terms of use of Facebook and Whatsapp.
You are disrispecting your civil obligations by using cloud services.

> > You can fight PRISM, XKEYSCORE and every secret program calling them
> > illegal, against the Constitution, against what your Founder Fathers
> > declared, and even against common sense and decency all you want. Still,
> > nothing of that grants there won't be mass surveillance. If it's not clear
> > and obvious enough at this point, I'll say it again: nothing. Your

No government on Earth can afford to stop data mining the Internet,
but any government on Earth can stop putting its own democracy and
economy in plain view of its competitors by introducing norms for
mandatory end-to-end encryption and anonymization.
What are they waiting for?

> > government will play whatever ridiculous legal gymnastics is necessary to
> > call their dark practices ‘legal’. Except that, of course, nothing of that
> > makes them legal, the same way that droning people on foreign and sovereign
> > territories (even worse, with no previous due-process) is not legal just
> > because Obama says so.

>From a strategic point of view for governments, if *nobody* can
harvest digital social interactions and steal industry secrets -
then there is no need for it to bulk collect its own population.
It can safely go back to interpreting the laws in the technological
frame of the 1980s: where wiretapping meant selecting only few real
targets and surveillance meant spending manpower in gaining social
trust, penetrating social circles. That's the way to do it, if you
want to enforce the law without breaking the constitution first.

> > In order to protect our privacy and freedom, encryption is the way to go and
> > the really important matter to discus. This is why hackers are, in reality,
> > the ones called to change the current state of things. Changes in law-making
> > will do little, specially in a country that is not precisely well-known for
> > having people willing to account their government, stand for their rights
> > and turn things upside down a little bit if necessary.

Hackers have been trying to change the current state of things.
Here's what wrent wrong:

1. Ethical encryption tools can't at the same time have a business model.

Just look at Bitcoin and other blockchain tools - none of them have
ethical safeguards builtin and are therefore thousand times better
suited to evade the law and the needs of the majority of the population.
They empower the rich to hide their riches and impede redistribution
among mankind, yet no human society works without redistribution.
The HANDY paper has shown that civilizations collapse each time the gap
between rich and poor grows too large - right now we are in the most
unequal period of human history and the only chance to fix that is
to legislate redistribution - because there is no such thing as anarchic
equality. Never existed in the history of humankind. Anarchy is actually
empowering the super-rich even more than a broken democracy or totalitarian
system.

2. University funding does not let you develop products.

Hackers in the research community have developed entire strategies
for alternate Internet protocol stacks that will respect constitutional
principles bottom-up throughout the stack - but they are only paid to 
finish up their research paper and publish it, not to make an end-user
product out of it.

The fact that there is no funding for ethical software is the missing
link here. Funds for software that is neither doing research nor
designed to make anyone earn a lot of money. Tor is an exceptional
case that got a lot further than others, still alpha mixing is on the
shelf since 2006 so Tor stays vulnerable to traffic shaping attacks
while the central directory service architecture remains firmly in
place even if the reasons not to make Tor a distributed system are
scientifically historic.

> > P. S. Have a look at this news. Needless to say, the legal implications of
> > this are huge and affect not only privacy, but also basic principles such as
> > due-process. The 'fuck you people' train is not stopping.
> >
> > https://theintercept.com/2017/01/13/obama-opens-nsas-vast-trove-of-warrantless-data-to-entire-intelligence-community-just-in-time-for-trump/

Looks like one more step in the direction of giving up the Constitution
in the pursuit of totalitarian control over potential terrorists -
unless of course there are even worse motivations in place.
Note how 'totalitarian control' is worse than 'potential terror'.

On 15-01-2017, at 09:38, Rich Kulawiec <rsk at gsp.org> wrote:
> > Who owns WhatsApp?  Facebook.
> > What is the purpose of Facebook?  Surveillance and data acquisition.

Yup. The Third Reich made some corporations and monopolies very
rich. It was a great time for capitalism. Deregulated capitalism.

> And let me quote Dave Burstein's take on this from Dave Farber's IP list:
> > The Guardian probably was misleading writing "Facebook and others,
> > could intercept.  The Guardian shouldn't have called it a "backdoor"
> > without qualifying the comment with "for Facebook & Governments."
> > It appears that no one could use this without Facebook's help.

Eh.. backdoors that can be used by anyone are vulnerabilities,
not backdoors.

> > But Facebook didn't address the substantive claim in the article, that
> > Facebook and the governments it cooperates with can intercept (some,
> > sometimes.)

Exacto.

> > I pointed out much the same thing on this list years ago.  If China
> > goes to Facebook and says "put in a backdoor or stop doing business here",
> > Facebook will put in a backdoor.  If Russia goes to Facebook and says
> > "give us a full data feed or stop doing business here", Facebook will
> > give them a full data feed.  Of course they will: there's no way they're
> > going to leave all money on the table.

So you would agree that if National Security says that it must
include all communications crossing Whatsapp into its rebranded
internal search engine (formerly known as XKEYSCORE), then that
is what will happen. Let's not forget that the Whatsapp protocol
allows the server to tell the client not to use encryption..
according to 
https://moderncrypto.org/mail-archive/messaging/2014/001133.html

-- 
  E-mail is public! Talk to me in private using encryption:
         http://loupsycedyglgamf.onion/LynX/
          irc://loupsycedyglgamf.onion:67/lynX
         https://psyced.org:34443/LynX/

More information about the liberationtech mailing list