NSO hacked WhatsApp to spy on top government officials at U.S. allies (reuters.com)
686 points by lladnar on Oct 31, 2019 | 301 comments



The article doesn't really say what hackers had access to, but it sounds like they had full control over their phones. There is a much bigger story here and I'd love to read a post-mortem in a few months.

Also, WhatsApp is such an obvious target for a state actor. I saw several articles over the last year that mentioned Jared Kushner using WhatsApp so I assume a lot of government folks use it for off the books "encrypted" communication.


A buddy of mine is Special Forces (U.S.). He said JSOC recently banned use of WhatsApp and encouraged everyone to switch to the open-source Signal (another encrypted messaging app). Allegedly WhatsApp uses Signal's encryption (OpenWhisper) but I stopped trusting it the second Facebook bought them out.


> Allegedly WhatsApp uses Signal's encryption (OpenWhisper)

About the partnership: https://signal.org/blog/whatsapp-complete/

But of course, in this case the issue seems to be either compromise of the device(s) via zero days, WhatsApp usage simply being the target matrix, and/or leveraging a zero day in WhatsApp for full device compromise.

It's unlikely Signal would be immune - they didn't crack the encryption, they cracked the app/OS.

In olden times the vector might have been a font, or a gif.

The only advantage signal has is a conservative interface and small userbase. I'm not sure if they do some kind of hard-line whitelisting of attachments though - if you can pack an exploit as a file, I'm pretty sure you could send it via signal.


> The only advantage signal has is a conservative interface and small userbase.

Signal is open source, WhatsApp is not. So how did you determine Signal has only one advantage over WhatsApp, without access to the WhatsApp source code?


Advantage in terms of security vulnerabilities - evidence seems to indicate that having the source code available isn't a big factor in reducing zero days. In addition, signal isn't any more protected against a rooted device.

Nothing seems to indicate a back door here.


If one assumes that WhatsApp are implementing the protocol as well as signal are (which I do), then I think there are three questions in deciding what is more secure:

1. Do you trust Facebook (or open whisper systems) with your metadata/expect them to delete it?

2. How likely are there to be bugs (in the app, not in the protocol itself) which lead to exploits. On the one hand WhatsApp probably have more people working on the app and likely more security people too. On the other hand they may be pushed to add more features and having lots of code churn may introduce security holes.

3. How much work will be put into exploiting each app. On the one hand more people use WhatsApp but on the other, I guess security conscious people may be more likely to use signal.

A known exploit to WhatsApp happened due to 2 with a bug in how audio calls were initiated. I don’t really have a good guess as to how the apps compare on points 2 and 3 but I guess WhatsApp loses on 1. A more practical point is that it’s likely easier to convince someone to use WhatsApp than signal, especially for group chat.


WhatsApp will rekey and send old messages without notifying the user. This means MITM is possible and not always detectable. This is their intended design (but you can change the preference so that you at least get notified when it happens).

(Widely reported, see Guardian article)


That Guardian article was pretty bad. It scared a lot of people from WhatsApp (which is still in general more secure than most options) to text messaging by claiming that this was somehow some huge security flaw.

From WhatsApp’s point of view this was a reasonable ux trade off. It is a major pain point of signal when it does this (particularly in group chats where it is more likely to happen).

But I agree that from a strict security focused point of view this is a disadvantage to WhatsApp.


Sorry, but this is a major security flaw. WhatsApp, their mothership Facebook, or any party who can coerce them into doing so (e.g. the US government), can use this to rekey targets with their own keys, virtually undetectable by most regular users, thereby completely MITMing the message exchanges.

Even moxie, who created this stuff, more or less admitted this[0], by saying the rekeying notification is the only defense, but that one is off by default in WhatsApp last I checked (which moxie confirmed[1]), which makes WhatsApp insecure by default at the very least. I wouldn't be surprised if WhatsApp servers know if this notification setting is on or off, which would enable them to e.g. target people with insecure default settings only to avoid detection.

I already said this in [0], but let's repeat it: This is essentially the same as if a web browser would just accept any TLS certificate without showing a warning, no matter whether it is valid or whether the issuer is trusted.

Sure, this is a hard problem to solve UX-wise and user-education-wise, but that doesn't excuse that you advertise your known-and-deliberately-insecure-by-default default-MITMable product as "secure communication using end-to-end encryption".

[0] https://news.ycombinator.com/item?id=13395869

[1] https://news.ycombinator.com/item?id=13396393


Anyone expecting secure messaging from WhatsApp must have Rekeying Notification set ON. Compare it to having a lock installed and using the key to close the lock.

Personally I can not imagine Human Rights Activist having the Rekeying Notification set OFF.


This is not like a lock and using the key. Not in the very least. It has as much to do with a physical lock as it has to do with a toaster or a banana. Nothing.

>Personally I can not imagine Human Rights Activist having the Rekeying Notification set OFF.

I can. A lot of those people are not tech savvy. And the targets of e.g. the most recent NSO story weren't just activists, but a lot of other people too, politicians, state officials, lawyers, journalists, etc.

And on top of that, this system becomes MITMable as soon as one of the communicating parties has notifications off (or ignores them, which then comes back to the UX and education issue).


'On the one hand WhatsApp probably have more people working on the app'

From a career in software development, I tend to feel that the more devs, the buggier. Maybe, MAYBE (number of QA)/(number of devs) = reliability coefficient.


The size of the red team could also be significantly larger. The more people you have looking for security holes the more likely to find them


Correlates with my experience, too, however size of the QA team is not a reliable indicator. I've seen it first hand where the QA is huge, but doesn't have good devs, only people that point out process flaws.


A QA team is trying to find bugs with the current release. They are not looking for mitm attacks or misuse. That would be more security who are generally looking for more obvious issues at the network level.


Keep in mind also that WhatsApp also demands full access to ALL your contacts in order to really work properly, as opposed to Signal where you just add the people you want to use Signal with.


Even if they implement the Signal protocol, they have additional modifications to support ads, which increases the attack surface.


Well, and as pointed out elsewhere the signal protocol only covers messages in transit. How keys are managed, etc. also strongly affect security. In the signal app, the phones own the keys rather than another entity (hence why messages get rekeyed on whatsapp and why you're easily able to load messages on a new phone).


Reread my comment. If you have additional code to support things like ads, you add attack surface for people to find a way to inject code execution in the context of the WhatsApp process, which has access to the decrypted messages.


Does WhatsApp have ads?


They are already onboarding advertisers and will have ads appear in the app very soon. https://www.independent.co.uk/life-style/gadgets-and-tech/ne...


It doesn't. At first, it used an SMS IIRC that charged you a dollar every month or year, not sure. Then they scrapped that and they are now basing the income on WhatsApp for Business, although I don't know if they are charging yet. But as operating costs were actually low, they mostly ran off of papa Facebook's dollars.


Approx 20 months ago, numerous people I had contact with working in western military special operations units dropped WhatsApp in a fairly brief period of time.


Interesting. I think, FB matches whatsapp numbers with fb profiles and other meta data.


Facebook didn't buy Signal. One of the original executives from Facebook left to help start the Signal foundation with Moxie precisely because he had become sick of Facebook's insane behavior.


I think you misinterpreted the parent comment—I read it to mean that they stopped trusting WhatsApp as soon as Facebook bought them despite using the same technology as Signal. Your interpretation might be right, though.


No, you're correct. I stopped trusting WhatsApp after the Facebook acquisition.


FYI, WhatsApp added end-to-end encryption after the Facebook acquisition.


I have been using Signal for a while and I try to convince people to use it, however I'm curious if using Signal would have prevented this. It sounds like they got into WhatsApp servers and then did something else to get full access to people's phones.


> recently banned use of WhatsApp and encouraged everyone to switch to the open-source Signal (another encrypted messaging app)

Oversimplification: WhatsApp is based on Signal, but repurposed for Facebook.


NSO still have multiple unpatched 0 days in WhatsApp, Telegram and most other messaging apps.

Your best bet is to use something obscure so you cannot easily be targeted or not being connected to the same net.

At the Israeli army we had phones that ran completely separate software stacks and talked to a different network for this. Nothing was on the internet.


Also since modem stacks are so terrible - ideally two phones where one is just a hotspot for the other one and the one using the hotspot does not have a cellular modem. Also ideally not Android or iOS.

Of course it is better to not be on the public internet with any sensitive device if at all possible. Anything on the internet is considered public.


Security by using obscure software has its own problems, alas.

You have less eyeballs looking for exploits on the good guys side as well. So problems stay open.


Within my experience, security by obscurity works only if you're low profile. If significant amounts of money will be spent decrypting your mess, it's game over.

OTOH, we usually only hear about the failed attempts, so there's a selection bias.


I deliberately didn't use the phrase security by obscurity, because that usage of obscurity is synonymous with secrecy. And that's not what the original comment was about.

I agree about the low profile being necessary (even if not sufficient).


Terminology: vulnerability or flaw is what the good guys are looking for. Exploits are implementations of the attack enabled by the vulnerability.


The more obscure and different the less likely. If closed source the knowledge belongs to the creators. If the circle is extremely small the chance of that knowledge being shared with your enemy is low. It goes up when that circle is increased.

When you want the biggest circle open source is safer. If your circle is small closed will be safer.


Your enemy can often learn those secrets not by being shared, but by other means. E.g. reverse engineering.

But in any case, the original comment was using 'obscure' in the sense of uncommon not in the sense of 'secret'. As far as I can tell.


That sounds pretty cool. Did you all have your own separate physical layer just for military too, or did you use the same physical layer as the civilian world?


That's really clever. Using a custom made program or something obscure would be the only safe way.


PureOS + GNURadio + a software-defined radio + a power amplifier...


Based on the U.K. news, approximately everyone in parliament uses WhatsApp to talk/scheme with one another


Not just the UK, most international diplomacy is done through Whatsapp: https://www.theguardian.com/technology/2016/nov/04/why-do-di...


This is why I've been telling everyone that WhatsApp end-to-end encryption is moot if the client isn't open-source.

Nobody listens though, until something like this happens.


It says the hackers had access to WhatsApp servers, so they can tell who is talking to whom, and depending on how WhatsApp does encryption they may have been able to decrypt messages. I say may, because WhatsApp had pitched itself as an encrypted messaging system, though personally I’d bet they could because it’s easy to claim your service is encrypted and yet still design backdoors for yourself.


The article is garbling the WhatsApp allegations: WhatsApp says the hackers abused WhatsApp servers to hack phones, not that the servers had a flaw. To send the malicious payloads to the victims, the hackers sent messages that flowed over WhatsApp's networks, which is largely what they're hanging the lawsuit on.

https://context-cdn.washingtonpost.com/notes/prod/default/do...

The actual flaw was this one: https://nvd.nist.gov/vuln/detail/CVE-2019-3568


"Prior to notifying victims, WhatsApp checked the target list against existing law enforcement requests for information relating to criminal investigations, such as terrorism or child exploitation cases. But the company found no overlap, said a person familiar with the matter. Governments can submit such requests for information to WhatsApp through an online portal the company maintains."

There is already an official backdoor, or how should I understand that?


You have it correct. Nearly every major US provider maintains some sort of online interface for law enforcement to submit requests. The level of information provided via these means varies, but they are obligated to respond to legitimate requests with whatever data they have on hand.

Don't like it? Go with a security-minded service like Signal. Or, better yet, something totally serverless and open source.


I don't use WhatsApp. But if they have an official backdoor, then it's not really e2e encrypted. Until now I thought, at least the official statement was, WhatsApp is truly e2e encrypted. Just that.


Maybe they are. But they would still have non-content timing, location and connection data. That is just as useful as message content.


It can be end to end and Encrypted and still have a backdoor.

I.e. keeping a continuous web client active which the user isn't notified about.


Even with encryption, WhatsApp could provide users' contact lists, message send time and volume, IP addresses, phone numbers.

Having a phone number is almost the same as having a person's location and identity. That's why really secure messengers won't require a phone number.


Isn't the fear more about a man-in-the-room attack rather than weaknesses in the e2e?


The end-to-end refers there to the hand-held device, not the peers' brains. The backdoor will then simply be in the hand-held device, intercepting the data meant to be displayed by the WhatsApp application.


> security-minded service like signal.

There's no security-minded service which uses Google services.


I don't think it's fair to call this a "backdoor". Because of E2EE the law enforcement access is limited to looking up IP addresses associated with whatsapp users and such.


That was my question. What information does WhatsApp share with the law enforcement. Just, as you said IP and so, or also the messages?


if it's truly end to end encrypted, they would only have metadata. which is what the NSA collects en masse from Telecom providers.


>which is what the NSA collects en masse from Telecom providers

What does that even mean? There are so many different kinds of metadata I'm not sure why it's useful to compare Telecom metadata collection to Whatsapp.


Here in Brazil, if I understand correctly from some leaks, after the judicial request WhatsApp stops (or something related) the encryption between Bob and Alice. After that all conversations are in plain text and accessible to the federal police.


Do they disable it or do they noisily mitm it?


> Sources familiar with WhatsApp’s internal investigation into the breach said a “significant” portion of the known victims are high-profile government and military officials spread across at least 20 countries on five continents.

Welp!


I know a military contractor working on stuff for non-NATO air forces. These guys use WhatsApp for everything. It blew my mind.


Fun fact, a few of my friends and even family work for NSO and until recently they used WhatsApp for their own internal communication.

They literally moved off it a few days ago when shit hit the fan into more secure software because Facebook is targeting NSO employees.


Specifically what more secure software? I'm looking for a secure messenger now.


Signal is usually one of the more popular ones for a more secure alternative.


Funnily enough - they moved to signal. They are not telling me - but I assume they have an exploit for that as well - but it isn't controlled by Facebook.


I sincerely hope you are joking but from what I've seen myself it would not surprise me at all.


Nope. I wish it were a joke. Now this stuff isn't modern gear on F35s (think testing benches, displays, meetings, etc) but it's still horrific.


This seems like a disinformation campaign aimed at diverting attention from the fact that the governments of the human rights activists, human rights lawyers themselves used pegasus from NSO to target them.

Many of the Indian activists, journalists, lawyers who were targeted are working for low caste victims of false cases filed against them. John from Citizen Lab personally called them and told 'Your government attacked you'[0].

If anyone from Citizen Lab/WhatsApp is reading this, please corroborate with evidence that the governments themselves spied on its citizens when these activists sue them in court.

[0]: https://scroll.in/latest/942218/nagpur-lawyer-notified-by-wh...


How is this disinformation? The story says that NSO was used to target human rights advocates.


Don't forget that some disgruntled employee stole the software a few years ago. So who knows who has access to this.

https://m.calcalist.co.il/Article.aspx?guid=3741738


That website made my screen go black and my phone get hot!


That wasn't just me!?


Really wish I knew what this said



Which is hilarious and hypocritical, since the government keeps talking about making end-to-end encryption apps illegal to distribute without backdoors. Now they're using an encryption app with a backdoor,* and they're upset about it? I thought this is what they wanted!

*I know, I know, this probably wasn't done with a backdoor -- it's just funnier to lie in this context.


In fact, demonstrating this point is probably part of the reason Facebook is litigating this case. It gives them a solid example of the risks of backdoors that they can point to when governments ask for them.


There's a nice plot stemming from there.

“A rogue big tech employee puts on a grey hat to orchestrate a hack + personal blackmail on government officials, to instill a deep fear out of them and make them realize the folly of refusing end-to-end encryption.”


Mr Robot season 5


I guess they just don't like the inconvenience of having to find the backdoors on their own. It's hard work! But hard work has never killed anyone*

*With the exception of people forced to work to death, or under unsafe conditions, or that were doing a perfectly reasonable amount of hard work that none the less triggered a heart attack. Or...


Depends, if months of hard work results in a drive strike, it could be said to have killed someone.


“The government” is not a homogeneous entity.


The government isn't a monolithic entity, remember.


The real irony comes from an Administration who ran on the odious idea of "locking up" government employees who mishandled communications, who then turns around and begins a mass campaign of mishandling communications...


"You're doing mishandling of communications wrong. Here, let me show you how to really mishandle communications."


How else do you expect them to conduct illegal activities?


The same way most large governments & corporations do it: Without any accountability or consequences.


"Rules for thee but not for me."


Hypocritical? How many of your personal secrets (or even your corporate secrets) would cause >= thousands of people to die or >= billions of taxpayer dollars to be lost if they were leaked?


> How many of your personal secrets (or even your corporate secrets) would cause >= thousands of people to die or >= billions of taxpayer dollars to be lost if they were leaked?

Personal means, and should continue to mean, something. I'm not willing to let governments define what is personal to me.


I don't think people with more impactful secrets deserve more privacy than anybody else.




That's only true after the fact.

Up front the prospect of even greater damage might deter people.

Similar to how punishing wrong-doers in general doesn't help anyone after the fact, but one justification people bring up is deterrence before the fact.

(I profess no firm opinion in the matter. This is just giving the argument a steelmanning.)


I suspect your example would be more compelling if you used a first breach in ethics that would be less heinous. Cheating on your spouse is a common one to defend privacy of bad people; tax dodging if you want something illegal.



No one who wants to talk securely should ever use a facebook-owned channel in the first place.


It depends who your adversaries are.

It's one thing to say "they shouldn't use a facebook channel to talk securely", it's another to say "they shouldn't use a facebook channel on the same device as they use another channel to talk securely". My understanding of this was that it is the latter.

Unfortunately people often don't have the luxury of doing the latter.


  > Unfortunately people often don't have the luxury of doing the latter.
What? Just don't install the Facebook or other social apps. I do have Telegram, but no other social media apps on my phone. If you need to communicate, then SMS / MMS / telephone is fine. What can be done with Facebook that cannot be done with normal SMS or MMS or phone calls or video calls?


I also don't have any facebook apps on my phone - but from what I understand there are countries where whatsapp is how a lot of business is done. If you can't afford the time and opportunity cost of avoiding those businesses you have to install it.


I actually do live in a country where people expect you to have Whatsapp, both for personal and for business. And I still don't install it.


The Facebook app came pre-installed on my Android phone, and I couldn't get rid of it without rooting my phone (which would make it less secure).


Sad to see you're downvoted. The state of open source on Android is quite dire - it's difficult to run a fully patched AOSP - and the alternative is "customized" OS installs with tons of crap. If nothing else, the more code that runs, the more bugs to exploit.


SMS and MMS and phone calls are far less secure than whatsapp


Unless you're arguing that Facebook-owned channels are more prone to security bugs, I don't see how this conversation is useful. Let's not forget that whatsapp is end-to-end encrypted by default; they literally brought end-to-end encryption to the masses.


Arguably, they shouldn't be using a smartphone or any computer at all, if they really want to be secure.


The bad guys will find out first.

Back when I first heard that, the bad guys were bored and/or hyperactive teenagers who understood how computers work. Today we are talking nation-state actors and nation-state-sponsored actors with practically unlimited resources.

Keeping your code secret will not stop them, cf. WhatsApp. "Responsible disclosure" will not stop them either, and sets up all the wrong kinds of incentives for vendors to sit on problems until just before the "responsible" disclosure window closes. And FFS, there are still grown adults that believe building backdoors into E2E won't be exploited by the bad guys first, insofar as they are not the bad guys themselves.

I only have questions, not answers, and I don't know what we do from here.


We have to make this knowledge of closed source systems not being safe more widespread and more approachable to the layman.

It will take time but generations are slowly waking up to the bullshit. We need to be able to run open source code on servers in a transparent and reportable way that everyone can understand

I see services like WhatsApp taking the stance that it is essential. It's the only place I (barely) feel like I can speak my mind when chatting with non tech savvy friends (of which it would be a hard sell to get to install anything else more rock solid). I really hope we can adopt widespread e2e encrypted chat platforms moving forward and don't regress on this front, else it will be a sad future.


Use Matrix (Riot.im is a great client)

Or Signal, but without the phone number signup


How do you sign up without a phone number?


From what I read, NSO didn't only hack Whatsapp, they also used vulnerabilities in the Android OS in the media decoder. Given all the CVEs patched on each Android security patch, that wouldn't be surprising.

If that's the case, the articles are focusing too much on WhatsApp failure, but not enough on the failure of the Android OS. To me there is some kind of shared responsibility between the app and the OS here.

Who knows how many CVEs are hiding in the Signal and Riot.im apps? And Riot.im asks for many permissions...


Or Briar or Ricochet, or something developed in house. Honestly, the thing that's so perplexing to me is why so many people in these roles would be using Whatsapp at all for these things. It's like SoS mentality (to use an imperfect metaphor) run amok.


The article claims that "a flaw in WhatsApp-owned servers" was used to "take over users’ phones".

This seems to imply that the hackers were able to escape from the WhatsApp mobile app to perform other actions on the phones.

How would this be possible?

Or is this just likely careless journalism, and the exploit was that the server breach allowed the attackers to exfiltrate WhatsApp data only?


It was done using the Pegasus exploit from NSO. A missed video call to the target on WhatsApp was all that was necessary to deliver the payload, escape the sandbox & exploit the operating system.

What WhatsApp & CitizenLab said to the victims in India about the attack[0].

[0]: https://scroll.in/latest/942218/nagpur-lawyer-notified-by-wh...


The article says: "The Facebook-owned software giant alleges that NSO Group built and sold a hacking platform that exploited a flaw in WhatsApp-owned servers to help clients hack into the cellphones of at least 1,400 users."

The actual complaint reads: "Between in and around April 2019 and May 2019, Defendants used WhatsApp servers, located in the United States and elsewhere, to send malware to approximately 1,400 mobile phones and devices (“Target Devices”). Defendants’ malware was designed to infect the Target Devices for the purpose of conducting surveillance of specific WhatsApp users (“Target Users”). Unable to break WhatsApp’s end-to-end encryption, Defendants developed their malware in order to access messages and other communications after they were decrypted on Target Devices. Defendants’ actions were not authorized by Plaintiffs and were in violation of WhatsApp’s Terms of Service. In May 2019, Plaintiffs detected and stopped Defendants’ unauthorized access and abuse of the WhatsApp Service and computers."

https://context-cdn.washingtonpost.com/notes/prod/default/do...

In other words: WhatsApp does not allege a server breach. It alleges that phones were hacked via carefully crafted messages to trigger an exploit[1] on the phones, but to do that, hackers sent the messages via WhatsApp servers. They mention that, because otherwise they would have less of an argument to sue over. As far as I can tell, they're alleging that NSO Group was part of a scheme to interfere with the WhatsApp relay servers and to break the TOS, stated several different ways under different theories and laws.

[1] this one https://nvd.nist.gov/vuln/detail/CVE-2019-3568


To prove NSO used WhatsApp servers, I suppose WA will have to present inferences from metadata it recorded and saved. So WA will be required to demonstrate how much can yet be learned about its users by passing communications through its servers.


> How would this be possible?

Anecdotally, from a friend at WhatsApp, their engineering has been distracted by integration with Facebook. Holes that would have been patched in an independent WhatsApp may have been left to fester in the now Facebook division.


I think OP is asking how NSO was able to escape the phone's sandbox model. To do that, they would need an exploit for the phone's OS, in addition to the WhatsApp exploit. So, the obvious question: which operating systems were specifically targeted?

Another comment mentions Pegasus... that was an iOS exploit patched in 9.3.5 (3 years ago). Does that line up with the timeline of this article?

Given that Android exploits are far more common than iOS, I would expect they had one of those too.

But then, where are Apple and Google in this case? It wasn't solely Facebook who was exploited; their app was just the initial vector to escalate to an attack on the OS. NSO probably could have achieved the same with dozens of other apps, but WhatsApp was chosen because of ease of deliverability (messaging) and popularity.


>Given that Android exploits are far more common than iOS, I would expect they had one of those too.

The Pixel was the only device that was not pwned in the 2017 Mobile Pwn2Own competition - the iPhone, running iOS 11.1, was exploited 4 times via both WiFi and Safari.

I'd be incredibly surprised if NSO were able to compromise an up to date Pixel phone.


That’s great for the Pixel. But what percent of Android phones are the Pixel, and not one of the hundreds of other varieties with varying patch schedules?

(That’s not entirely snark. I do wonder how high risk individuals are choosing which devices they use for communication.)


That by itself doesn’t mean much; very few people use Pixel devices and there’s significantly less attention put on it.


“WhatsApp did not identify the clients of NSO Group, who ultimately chose the targets.”


That's really funny because a friend of mine used to work there and always talked about how all the internal very classified communication was done via WhatsApp!


What's the deal with the end-to-end encryption here, I don't understand. If you get control over the server, you can circumvent it with WhatsApp? How did the attackers get hold of the private keys?



I’m shocked! I would have never expected this! Having a single organization so specialized in the particular domain handling nearly everyone’s data getting hacked? How ridiculous!

Apple have single handedly done the internet a gross disservice by not making it easy for users to set up webhooks for push notifications. If it weren’t for that chat would have a chance at being sane.


How people go to work at NSO Group, is beyond me. They must pay really well.


I hate facebook just like everyone else, but doesn't it have more resources to spend on WhatsApp security than Signal Foundation? Yes, Signal is open-source, but how many people are actually looking for its vulnerabilities full-time?


Just because Facebook can doesn’t mean they will. Justifying security research budgets is notoriously difficult in the corporate world.


I am just confused that NSO are getting all the flak for this when there are many bigger players in the market (like Verint) peacefully happily doing the same thing for years.

Of course, I don't think this particular report is correct (I am sure the US spies on its allies like all big countries but I doubt it would need NSO and given the US regulates the body that regulates who NSO is allowed to sell to - I doubt it)


But I thought WhatsApp was end-to-end encrypted?


If you want security, your top choices, in my opinion, are Signal and Wire -- and I like Wire better because I can sign up with a burner account or seemingly random alias on my ProtonMail account.

But don't just take my word for it -- here's a good place to start your own research: https://www.securemessagingapps.com/


Why is Wechat missing on that list?


They do not offer e2e encryption and, as we all know, the Chinese government does not believe in privacy.


WhatsApp- the app- is the end. They pwned the app itself.


It is, but when you create a new contact you are trusting the WhatsApp service that the public key of the other party actually is their public key. The service can always give both parties a key of their own making instead of the actual keys of the parties. IIRC you can verify the public keys via QR codes but maybe such verification wasn't part of security practices. Thus if you hack the service, you may be able to read messages even though it's supposed to be end-to-end encrypted.

Another possibility is them faking a public announcement to all WhatsApp users about some update or something. That announcement could then contain an image that exploits a vulnerability in the operating system's image decoder libraries. Or something like that. Without further information you can only speculate, but what's certain is that hacking the WhatsApp servers gives them ways to hack the phones that they previously didn't have.
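
The key-substitution attack described in the comment above, as an added example that is not part of the original thread: a directory server that hands each party a key it controls instead of the peer's real key, and the out-of-band fingerprint comparison that catches it. The fingerprint derivation (an iterated hash over the identity key, rendered as 30 digits) is a simplification of Signal's safety-number scheme, not its exact format; the key bytes and user names are constructed sample data.

```python
import hashlib
import secrets

# Number of hash iterations used when deriving a fingerprint. Signal's safety
# numbers also iterate a hash over the identity key; the digit layout below is
# a simplification of that scheme, not its exact format.
ITERATIONS = 5200


def fingerprint(identity_key: bytes, user_id: str) -> str:
    """Turn a public identity key into 30 decimal digits a human can compare."""
    digest = b"\x00\x00" + identity_key + user_id.encode()
    for _ in range(ITERATIONS):
        digest = hashlib.sha512(digest + identity_key).digest()
    groups = []
    for i in range(6):
        chunk = int.from_bytes(digest[i * 5:(i + 1) * 5], "big") % 100000
        groups.append(f"{chunk:05d}")
    return " ".join(groups)


def safety_number(own_id, own_key, peer_id, peer_key):
    """Both parties get the same string only if each holds the other's real key."""
    halves = sorted([(own_id, fingerprint(own_key, own_id)),
                     (peer_id, fingerprint(peer_key, peer_id))])
    return "  ".join(fp for _, fp in halves)


class KeyDirectory:
    """The provider's key server. When malicious it hands out keys it controls."""

    def __init__(self, malicious=False):
        self.keys = {}
        self.malicious = malicious
        self.attacker_keys = {}

    def register(self, user_id, identity_key):
        self.keys[user_id] = identity_key

    def lookup(self, requester, target):
        if self.malicious:
            # Substitute a server-controlled key for this pair; the server can
            # now decrypt, read and re-encrypt everything between them.
            pair = (requester, target)
            if pair not in self.attacker_keys:
                self.attacker_keys[pair] = secrets.token_bytes(32)
            return self.attacker_keys[pair]
        return self.keys[target]


def safety_numbers_match(directory, alice_id, alice_key, bob_id, bob_key):
    """Simulate Alice and Bob comparing safety numbers over a second channel (QR scan, in person)."""
    directory.register(alice_id, alice_key)
    directory.register(bob_id, bob_key)
    bob_key_seen_by_alice = directory.lookup(alice_id, bob_id)
    alice_key_seen_by_bob = directory.lookup(bob_id, alice_id)
    alice_view = safety_number(alice_id, alice_key, bob_id, bob_key_seen_by_alice)
    bob_view = safety_number(bob_id, bob_key, alice_id, alice_key_seen_by_bob)
    return alice_view == bob_view


if __name__ == "__main__":
    # Constructed sample keys: fixed bytes standing in for real identity keys.
    alice_key = bytes(range(32))
    bob_key = bytes(range(32, 64))
    print("honest server:", safety_numbers_match(KeyDirectory(), "alice", alice_key, "bob", bob_key))
    print("key-substituting server:",
          safety_numbers_match(KeyDirectory(malicious=True), "alice", alice_key, "bob", bob_key))
```

The comparison only helps if it is actually done over a channel the server does not control; a safety number displayed by the app and never checked against the peer's copy is exactly the gap the comment describes.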


This case is much simpler than that: there was a buffer overflow exploited in WhatsApp clients.

https://nvd.nist.gov/vuln/detail/CVE-2019-3568


Yeah, the exploit has absolutely nothing at all to do with message encryption. It's just your run-of-the-mill security hole that happens in other software all the time. As such, most of the comments in this thread are completely off base.

What makes it notable is which app it was found in, the reach of that app's userbase, and that a company was selling these exploit services.


Oh thanks, this wasn't mentioned in the linked article.


Skimming the actual complaint (unhelpfully, not linked by the article) clears a lot up about what happened.

https://context-cdn.washingtonpost.com/notes/prod/default/do...


Messages probably are, the app itself may have openings that allow an attacker to see messages.

In the early days of android, it was also possible to have a rogue google update service on a wifi AP, so when android connected to it you could push an update with malware.


E2E provides protection against the server provider knowing your content. It doesn't protect either end, since that would be impossible.

In this case, it seems like WhatsApp itself was compromised; malware was distributed through the server directly to the app, or something along those lines. (Y'know how you can dynamically change apps nowadays using Codepush, etc? If Whatsapp had something like that in their pipeline, and that thing was compromised, and that compromise could be targeted at specific devices, then no amount of encryption can save you.)


My understanding is it was this buffer overflow vulnerability:

https://nvd.nist.gov/vuln/detail/CVE-2019-3568


They exploited the app to take over the phone through a vulnerability


So I wonder about ways of implementing secure communications using an untrusted device over untrusted channels.


You can just encrypt it before typing it down and send encrypted text so the cleartext is never on the device. It's just not convenient at all though theoretically this can be a separate device that is not connected to the internet.


Earlier this month the DOJ asked Facebook to "halt end-to-end encryption" by adding a backdoor to all of Facebook's apps. Perhaps this is a reason.

https://www.engadget.com/2019/10/03/doj-facebook-end-to-end-...


I'm confused, the top government officials are the children or the predators?


The answer is yes.


Why would facebook comply?


Why wouldn't a company of that size comply?


It’s an unnecessary cost and hurts whatever brand value remains.


Facebook is already giving the NSA instant access to all their significant user data. Do you think they're doing that for free?


What are Israel doing to get so good at this and chip design and weapons making and everything else they seem to be really good at?

There’s only about 8 million people in the whole country. There are plenty of cities with more people than that.

How come they punch so far above their weight?


My experience with Israeli companies suggests that a culture which values intellectual achievement and competition is more widespread there.

Similar cultural enclaves exist elsewhere in the world and are presumably similarly effective, but they just aren't as large a portion of the population.

Even small cultural differences can have outsized effects because of pollination-- e.g. it's easier to learn from an expert in a domain if there are more experts around you.

I think your question isn't really that much different to asking why the bay area has "punched above its weight" in terms of producing successful tech companies compared to other regions around the US... or why other regions have had a lot more success in other domains.


My experience is the exact opposite. There is a culture of laziness and most offices are carried by a handful of outstanding people and propped up by significant foreign investment.

The difference with Israel, specifically in regards to hacking, is purely the amount of government support and protection independent actors receive for things that might otherwise be considered nefarious in other countries.


Also humans self-segregate. All else being equal a human who has property A will prefer to live with other humans who have property A, rather than humans with property B. Skin colour, favourite icecream flavour, late risers versus early birds - anything. We can deliberately make adjustments at policy level to reduce the harmful consequences (or of course, we can do stuff like red-lining to make it worse) but that's what they naturally do.

So these cultural effects will snowball.


Do you have a source to cite here, or can you refine what kind of properties you're talking about? I urinate standing up and prefer to live with someone who urinates while seated. This is the prevailing preference amongst people who urinate while standing.


This is colloquially referred to as "the big sort" in the United States - people moving to states where a higher portion of people share their political ideology. Your favorite search engine should point to many sources with this search term, though some are more dubious about the strength of the effect than others.


There’s only about 10 million people in Sweden and we’ve produced Saab, Ericsson, Volvo, IKEA, H&M, Spotify, Skype, MySQL to name a few.

I don’t think it’s that uncommon.


Well, Sweden is indeed one of the known tech powerhouses. But this just seems to prove the parent point, as there are many places in the world with similar population/quality of life/etc., but none of them come even close to Sweden/Israel/Bay Area in terms of tech.


It depends on how you define tech. The Netherlands are small (16m people) and world leaders in Agritech. We've got some decent tech companies in general (Philips, Booking, NXP, TomTom) and of course Shell / Unilever.

You can probably say something similar about Finland or Ireland.


Philips? The same company that sold me 15W grow lights while claiming they were 40w? I don't trust that company as far as I can throw it after that bit of outright fraud they pulled on me.


There is no reason why other well educated countries couldn't be doing the same thing, but with the Israelis, nothing is off the table. If a company in Israel learns how to hack WhatsApp, that is seen as an advantage for the Israeli government. If an American company learns how to hack WhatsApp, they are bound by ethics to let WhatsApp know and make sure the issue is fixed. Israeli culture thinks it is crazy to do that because they can use the flaw against their enemies.


Sounds like they are morally bankrupt. This is not something to be proud of in today's world.


I agree that it isn't a trait to be proud of, but show me a government that isn't morally bankrupt and I'll show you a government that you don't know enough about.

Being civilized seems to be a low priority in the civilized world.


The US also has export restrictions on crypto and other tech, which makes this kind of business harder for US companies. Especially with countries that aren’t strong Us allies.

When I worked in the radar business we couldnt just sell them to anyone.


Israel got about a million highly educated ex-Soviet immigrants who kick started the hi-tech industry in the early 90s. It’s slowly declining though as Israel focuses more on educating kids about their “Jewish identity” than science and technology.


Other countries off-shoring their spycraft. <cough> <cough>


The Israeli army makes you code 12 hours a day for a year in some training programs.

Our punch is above our weight because of hard work and skepticism.

That's not the terrible stuff like NSO. NSO is just a clever way for the government (and the US government - don't forget) to export the military technology, regulate it and then claim they did not do it but a private company did.

Virtually everyone in NSO was in 8200, this is a way for the US and its allies to get around military trade issues.


I don't think they make anyone do that. The people who join these programs are predisposed to programming 12 hours a day (or more) in the first place. It's an effect rather than a cause.


High levels of investment, mandatory military service, and exceptionally good education.

If you ever get the chance to talk to someone from Israel, especially someone in tech who was raised in Israel, I recommend it. Ask them about where they went to school. You'll learn a lot.


> exceptionally good education.

Is that so?!

I’m an Israeli and I assumed that it’s the really bad education that is responsible for stronger skepticism and Chutzpah.


I have heard that Technion, huji, tau are good schools for cs/ee.


They are great, but academia is not the breeding ground of NSO and its ilk.


I don’t think there’s anything particularly special about Israel, and that what’s really happening is that you don’t hear about the other firms in other countries, many of which are either more competent or have better tradecraft.


It's like everybody suddenly forgot about hacking team and vupen and whoever else.


I was told by a few people that their work culture is a sweatshop with "more work less bullshit" approach, is it true?


Not really. We work more hours relative to some other countries, but generally don't work that hard. I worked with people from other countries (specifically, US, Germany, UK, France); in general they seem to work harder _when they work_ but they finish the day early and take more vacation days.

In any case, it's far away from being a "sweatshop", technology companies are a nice gig.


No.


If an American tech company tried to do something like this some employees would refuse and you would hear about the employee protests. I think because of the compulsory military service and their multi-generational dirty war Israeli engineers don't seem to have these kinds of moral qualms.

(Normally I get flagged on HN for saying things like this, would love an explanation if it happens this time.)


I'm not going to flag you but I think you're drawing the wrong conclusions.

I don't have the numbers but I would be very surprised if the majority of Israeli cyber-ops ex-military sell spyware to authoritarian regimes. A few did do that but I don't think it's justified to blame the military service and whatnot for this.

Another thing to remember is that an Italian company also sold spyware to authoritarian regimes. The things they did were really similar to the Israeli one. Same excuses, same PR, same blabla... but without the compulsory military service and whatever reasons you listed.


There might be a certain degree of culture that helped.

For instance we tech workers share a very distinct culture from the general culture. Maybe the general culture / a big subpart of the general culture in Israel is closer to the tech culture, and thus spurring more tech development.


Israel is beset on all sides by enemies of its state and has basically been at war since its creation. It has a very strong incentive to develop military industries. With support from the international community, they also have had the means to do so.



Do they?



> On top of that, everybody has been trying to murder Jews during the entire history, so there's a lot of natural selection.

It doesn't seem plausible that war or murder leads to a positive force on someone's character or natural ability. There are many great tragedies where the flower of a nation's manhood has been lost in war and left the country in a worse off position to grow its populace. The Battle of the Somme for one.

Most religions and ethnic groups have at least one persecution story if not centuries of them, I don't see the evidence that it leads to a uniform positive increase in outcomes.


> On top of that, everybody has been trying to murder Jews during the entire history, so there's a lot of natural selection.

Wow! Does it work too for the blacks? Maybe, blacks run fast to escape from whites on electric cars!! And women! Women are prettier than men to manipulate men!!

Please, don't do that. Please DON’T.


Lots and lots of outside money.


Yep especially US "aid".


Throughout history, Jews had to outsmart and outperform their peers in order to survive.


I guess it's part of their mentality. Just take a look at how many Jewish people have won the Nobel prize. Sure, most of them weren't even Israelis, but it seems that intellectual prowess is part of their heritage.

https://en.wikipedia.org/wiki/List_of_Jewish_Nobel_laureates


I presume that most people will disagree with this but I believe that it is related to Jewish people on average being generally smarter than a non-jewish person. Consider for example: https://en.wikipedia.org/wiki/List_of_Jewish_Nobel_laureates

> "Nobel Prizes[note 1] have been awarded to over 900 individuals,[1] of whom at least 20% were Jews, although the Jewish population comprises less than 0.2% of the world's population"

This is also true in my personal experience as well. A lot of my professors had Jewish ancestry and are some of the smartest people that I know. A lot of famous computer scientists have Jewish ancestry too (Sussman, Stallman, etc).


I don’t comment on the “Jewish are smarter” comment but I always attribute their success to their culture and work “mind”.

Sort of similar to how “Asian parents push their children to become doctors.” It’s not necessarily that Asians are smarter, but they do work hard to achieve what they want… statistically speaking.


Jews do indeed account for a disproportionate number of Nobel Prizes, among other things. At the very least, that seems to indicate that intellectual prowess is highly regarded inside the Jewish community and, as such, strongly encouraged as kids grow up. It's possible that the Jewish culture itself may provide members with a sense of structure and discipline that other cultures perhaps lack (at least on average).


Kindling this kind of provocative discussions should not be permitted here. The argument that x is smarter than everyone else without ever this being able to be verified is ridiculous. I don't suppose that a kid in Nigeria has the same access to education, resources, foreign aid, easy visa and an immense network as the average kid in Israel.

Of course, that is an extreme. But assigning intelligence to a "gene" and excluding any kind of environmental or societal/cultural reason for this kind of outlier is not very "smart"


> Kindling this kind of provocative discussions should not be permitted here

I simply and in good faith answered jonplackett's question based on my personal opinion and observations. My intention was not to provoke, although I do realise that this is a sensitive topic for some.

> But assigning intelligence to a "gene" and excluding any kind of environmental or societal/cultural reason for this kind of outlier is not very "smart"

Certainly, I do not believe that genetics is the only factor that affects intelligence. That being said, in the same spirit, I think that excluding genetics as a potential factor just because it makes some feel uncomfortable is not very smart.


It's a dangerous path - saying that one race is smarter directly implies that another race is dumber. That sort of dialogue is completely taboo at least in the US.


What about Obama's American exceptionalism speech? Seemed to be accepted fine.


Myths can be powerful things. Doesn't necessarily make them true.


Do you really not know the difference between nationality and race? There are people of every race and creed in the US.


I do actually, but in this context it doesn't really matter. Does any - not first generation immigrant - say I am 10% Irish, 10% Jewish from Russian Empire, 50% Welsh and 30% Italian? Maybe some people do but in reality you say you are an American. And for most of the world that's how it sounds anyway.


The problem is, because some misguided prejudiced people made up the bogus concept of "race" and used it to justify various forms of discrimination, we're no longer allowed to criticize the very real concept of "culture."

The people with the greatest influence over our language have succeeded in merging the two concepts, walling them both off from polite discourse for reasons known only to themselves.


Taboos are a way to hinder progress and science. I will not fall into that trap.

I could be wrong ofc, but I was under the impression that it is widely accepted in the scientific community that intelligence is at least partially affected by genes.

> saying that one race is smarter directly implies that another race is dumber

Note: I said on average.


The issue is not the average, but the extremes. When you have two identical distribution curves but one's center is shifted, the effect on the ends of the distributions are exaggerated.

A standard deviation increase in the average leads to a huge difference in demographics at the extremes. The population with lower mean will have the majority of the lower tail of the distribution, and the other population will dominate the upper tail. In the highest 1% they will appear enormously over-represented.

In the middle is where it matters least, because near average people for both populations might have very similar IQs.

For a paper on the issue of specifically Ashkenazi (rather than 'Jewish') IQ I recommend this one from the University of Utah:

http://web.mit.edu/fustflum/documents/papers/AshkenaziIQ.jbi...

Note the increased IQ is specifically for Ashkenazi Jews, as opposed to say Sephardic Jews. The paper identifies historical social issues that would make selection for intelligence a strong factor in Ashkenazi history, explores possible genetic causes identified through unique mutations not present in adjacent populations, and goes into depth on IQ and IQ heritability.

A high level summary available from the economist behind a paywall but viewable here:

https://outline.com/XnhPWd

I hope you find it interesting. I think it's scientific enough that few people should find it controversial, except those who believe that IQ is not a useful measurement of intelligence, which I don't think is an opinion you share given your previous posts.

The controversial part would be Jordan B Peterson talking about it here:

https://www.youtube.com/watch?v=JQHH6o9ual8

No matter your feelings on him, worth a watch.


Also in my experience (mainly business) I experienced that Jewish people are much smarter than the average non-Jewish business people I've been dealing with. At best I could get a draw, never a business win. (I don't mean anything bad or implying anything more than what I've written. Please read my comment in a positive way).


Anybody using Oversec? I am not using it, but the concept sounds good.

> Oversec constantly monitors the text on your screen. When it finds an encrypted text, it tries to decrypt it and then shows the decrypted text as an overlay in place of the encrypted text.

> In order to encrypt a text, Oversec shows a button next to an active input field. After having entered the secret text, tapping that button makes Oversec read the text, encrypt it and put back the encrypted text into the field. It is now ready to be sent in the subjacent app as usual - the app doesn't even know that it is sending encrypted data!

https://www.oversec.io/

Edit: Created a separate submission at https://news.ycombinator.com/item?id=21414464
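
The "encrypt before typing" idea raised earlier in the thread and the Oversec overlay described in the comment above, as an added example that is not part of the original thread and not Oversec's code: a message is encrypted and armored into a single space-free token that any chat app will carry as ordinary text, and an overlay-style renderer swaps recognised tokens on screen back to plaintext. The `ENC:` marker, the token layout and the passphrase-based keying are assumptions made for this example. The cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, chosen so the example runs on the standard library alone; a real tool would use a vetted AEAD (AES-GCM, ChaCha20-Poly1305) and per-peer keys rather than a shared passphrase.

```python
import base64
import hashlib
import hmac
import secrets

# Marker that lets an overlay tool recognise ciphertext on screen. Assumed
# format for this example, not Oversec's real wire format.
PREFIX = "ENC:"
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 12, 32


def derive_keys(passphrase, salt):
    """Stretch a shared passphrase into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a stdlib stand-in for a real AEAD cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_text(passphrase, plaintext):
    """Return a printable, space-free token the underlying chat app sees as plain text."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    data = plaintext.encode()
    ct = bytes(p ^ k for p, k in zip(data, keystream(enc_key, nonce, len(data))))
    # Encrypt-then-MAC over everything the recipient will parse.
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return PREFIX + base64.urlsafe_b64encode(salt + nonce + ct + tag).decode()


def decrypt_text(passphrase, armored):
    """Inverse of encrypt_text; raises ValueError on a wrong passphrase or tampering."""
    if not armored.startswith(PREFIX):
        raise ValueError("not an encrypted token")
    blob = base64.urlsafe_b64decode(armored[len(PREFIX):])
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("truncated token")
    salt, nonce = blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct)))).decode()


def render_screen(passphrase, screen_text):
    """Overlay step: replace each recognised token with its plaintext, leave everything else alone."""
    rendered = []
    for token in screen_text.split(" "):
        if token.startswith(PREFIX):
            try:
                token = "[" + decrypt_text(passphrase, token) + "]"
            except ValueError:
                token = "[undecryptable]"
        rendered.append(token)
    return " ".join(rendered)


if __name__ == "__main__":
    # Constructed sample: the passphrase is assumed to have been agreed out of band.
    token = encrypt_text("correct horse battery staple", "meet at the usual place, 9pm")
    print(token)  # what WhatsApp/Signal/SMS actually carries
    print(render_screen("correct horse battery staple", "Reply: " + token + " ok?"))
```

This moves the secrecy of the content out of the messaging app and its servers, which is the point both comments make, but it does nothing against a compromised operating system: the plaintext is still typed on the device's keyboard and drawn on its screen, which is why the earlier comment suggests doing the encryption on a separate, offline device.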


Israel has some companies who are really good at this. I recall a story about the Saudis purchasing service from some Israeli companies to spy on other's cellphones.


That was literally NSO. They were the company that gave the Saudis access to Jamal Khashoggi's phone.


Sometimes you just feel like using Signal instead


Signal's software is timebombed to force you into taking automatic updates. These updates could be used to force targeted users into backdoored builds.

Additionally, Signal has had a long history of being feature hostile to strongly secure use, through things like making it very difficult to cryptographically verify the identity of the party you're talking to... or automatically resending the last message you sent when the far end merely claims its key has changed.

I recommend people treat signal as unencrypted communications-- _actually_ unencrypted private communications are too absurdly insecure to use. But in practice signal does not provide the kind of strong security that we would associate with 'encrypted communication', and maybe UI considerations make that an unrealistic goal. Instead signal provides the kind of security we should expect from _ANY_ communication, but which isn't actually provided due to pervasive surveillance.


I mean, Signal is open source and not owned by Facebook, so I'm not sure why anybody uses WhatsApp instead.


Last I checked Signal's UX was worse enough that I'd be fighting a real uphill battle to get my friend group to switch.


That's reasonable, I suppose I'm lucky to have a friend group that universally prefers open source software to good UX -- there was never really a question for us.


It's a little eye opening to me that anyone could have a friend group that "universally prefers open source software to good UX".

I have and use Signal with some friends, but there are also loads of people I communicate with who couldn't even tell you what open source software is, let alone articulate a preference for it over good UX.

Are all of your friends software engineers and/or technophiles?


I don't have many friends, TBH. I've got 2 friends who use normal SMS, and a group of 6 friends (not including myself) who use Signal; of those, three of them are software developers and one of them uses R at work though software development isn't her primary job. The other two are probably more aware of open source software than they would otherwise be due to peer exposure. It's also worth noting that one of my developer friends got the rest of us into programming, though three of us had been running Linux before that -- it's not that I've disproportionately made friends with software developers, it's that a group of people I'd been hanging out with for years assimilated a software developer who converted the rest of us. There may have been some MDMA involved in that.

Edit in case of potential ambiguity: s/a couple of/2


Exactly.

When all your friends are already using Facebook and you start telling them to use Signal instead... well, I can tell you from experience that it's almost impossible to break the status quo.

What has happened to me is that usually there's 1-2 persons from each friend group who care enough that they will relay information to you through Signal.

I still don't have a friend group that is 100% Signal. For that to happen, more than 50% of the group would need to care enough about privacy to completely abandon other communication channels and accept the cost of switching platforms. The rest would probably follow. In reality, I don't have a single non-tech friend who would give a fuck about encryption. You tell them about Signal and they go "cool", that's it.


"It's a little eye opening to me that anyone could have a friend group that "universally prefers open source software to good UX"

Plenty of us still prefer using command-line to this very day. Most of my work is still done on DOS 6.22.


I like the command line and it doesn't surprise me that other people do too. What surprises me is that there are people where an entire friend group universally prefers open source over good UX, since plenty of my friends couldn't tell you what the terms "command line", "open source", and "UX" mean.


The UX is fine IMO. They've been improving it. I have a couple non tech savvy friends that use it and they're fine with it.


Because everyone uses it. Once a social app becomes mainstream it gets a giant advantage due to the amount of inertia needed to switch entire social circles to a new platform.

Most new social platforms that make it big don't really take over older ones, they just grab a younger generation - usually just by being the network their parents aren't in.


You don't understand why people use a communications app with 1.6 billion users as opposed to one with likely less than a million?

It's network effects

In my own anecdotal experience Signal ranks way below Viber (popular with migrants + expats), Wickr (popular with people doing illegal things and corporate executive scheming), Telegram (popular in crypto, scammers and terrorists)

The only real broad use of Signal I've seen is amongst journalists - and even there I'm not certain how much they actually use it or if it's just the "I'm crypto aware" version of a blue checkmark for their Twitter profiles


It's a much better app, user experience-wise. I prefer Signal for obvious reasons, but WhatsApp is easier to use (and has a much better web interface).


I agree, but when the people you want to talk to are on WhatsApp already...


Not only are there network effects, but as you go through various cities in Latin America you will notice on the billboards that mobile service providers advertise "free" WhatsApp. As a result of the success of those ads, your contacts in that region will prefer WhatsApp to other media.


People use it because other people use it.

Signal's lack of a web interface is another reason.

Moreover, Telegram took the users that left WhatsApp for more secure alternatives (even though Telegram's homemade encryption doesn't look promising).

Same reasons why a lot of people don't leave Facebook.


they have features signal has not yet copied and probably won't (statuses e.g.)


The main one being actual users


The Signal client is open source. The back end not so much.

A lot of Signal is basically "trust Moxie".


> A lot of Signal is basically "trust Moxie".

Let me come out and defend Signal (I usually defend Telegram, but I don't think we should be unfair to anyone):

As far as I am aware no one who knows what they are talking about has come out with anything that says Signal's end-to-end encryption is broken.

If I have understood it correctly, and as long as that is true, the NSA, FSB and the Chinese might be running the message handling together and there's still no reason to be worried that your messages will be intercepted in transit.

Disclaimer:

- as far as I am aware Signal is the safest messenger available for everyone

- even if all the above is true you are still trusting them with your metadata. I think they are good people. If you are scared of them, be aware that they know who you talk to and when. This is however true for any mainstream technology as far as I am aware.

- being good at crypto doesn't make them immune to bugs. There was a nasty vulnerability a few months ago that was remotely exploitable. Again, this is the same, or even worse for every other messenger.


>As far as I am aware no one who knows what they are talking about has come out with anything that says Signals end-to-end encryption is broken.

You have to check XMPP with OMEMO, it has libre servers and is federated


> This is however true for any mainstream technology as far as I am aware.

It's too bad bitmessage can't scale :/


And most of that is coming from MattGreen and Ptacek.


Not that I'm dissing Signal (it is my preferred platform, sadly not most used), but don't both WA and Signal use Open Whisper Systems' protocol? So isn't there the potential that the same exploit might work on Signal?


WhatsApp allegedly uses an implementation of the OpenWhisper encryption system that Signal created (and still uses). However as there is no source code available unlike Signal, there's no way to verify if WhatsApp "really" is using it (or using it correctly).


It's certainly better to have source, but this seems like a matter of degree? You don't really know what's in Signal unless you compile it yourself, and/or they have reproducible builds and you verify checksums. Instead you're trusting that the source matches the binary, and probably also that someone else who knows more about crypto is reviewing the source carefully.

In the modern world we basically outsource everything, including trust and verification. An open, social process of verification can be better, though.


But it's _so_ much better than GPG and the WoT where you have to ... verify..... everything........... yourself...........


Is there a way to verify that the Signal app in the app store was compiled from the published Signal sources?


Yes, this is generally called "reproducible builds". Signal has reproducible builds for Android, here is how to build it and compare against the one on your phone:

https://github.com/signalapp/Signal-Android/blob/master/Repr...


This is true, but that also doesn't answer the question. It still leads to a possibility. The hack could also sidestep OW in some other way and only be WA specific, but still begs the question. Security is a constant cat and mouse game, so if someone says: "well, that only affects WhatsApp, it won't affect us -- even though we use the same underlying structure." sounds kinda naive.


Couldn't you determine by looking at the code in the APK, at least for Android?


It might be a bit difficult (but not impossible) to do that... the APK you download is not the APK that the developer uploads to the Play store. Usually, developers upload a "bundle," and then Google optimizes it by stripping out irrelevant media, i18n, etc., to deliver a smaller optimized APK to the end user.

So you can't just generate an MD5 of your APK and match it against the store description like the good old days when you could make sure your Linux ISO was legit, but there's probably some way to make it work?

EDIT: It might be possible to circumvent Google's bundling/optimizing by just uploading a regular old APK, but IIRC that was becoming more difficult these days. Unfortunately I'm not an Android dev expert.
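
The verification discussed in the last few comments, as an added example that is neither Signal's script nor part of the original thread: Signal's reproducible-build instructions build the app in a pinned container and then compare the resulting APK with the one installed on the phone entry by entry, ignoring the signing files. The snippet below is a simplified stand-in for that comparison. It hashes the uncompressed content of every entry (compressed bytes can differ between zip implementations) and skips `META-INF/`, which holds the signer certificate and signature and legitimately differs between a store build and one you signed yourself. The APKs here are constructed zips with an APK-like layout; with a real device you would `adb pull` the installed APK and feed both files to `compare_apks`.

```python
import hashlib
import io
import zipfile

# Anything under META-INF/ is the signature (certificate, signature block,
# manifest digests). It differs between a store build and your own signed
# build even when the code is identical, so it is excluded from the comparison.
SIGNATURE_DIR = "META-INF/"


def entry_hashes(apk_bytes):
    """Map each non-signature entry to the SHA-256 of its uncompressed content."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.startswith(SIGNATURE_DIR):
                continue
            hashes[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return hashes


def compare_apks(installed_apk, local_apk):
    """Report which entries differ between the installed APK and your own build."""
    installed = entry_hashes(installed_apk)
    local = entry_hashes(local_apk)
    report = {
        "only_in_installed": sorted(set(installed) - set(local)),
        "only_in_local": sorted(set(local) - set(installed)),
        "differing": sorted(name for name in installed.keys() & local.keys()
                            if installed[name] != local[name]),
    }
    report["match"] = not any(report[k] for k in ("only_in_installed", "only_in_local", "differing"))
    return report


def build_apk(files):
    """Constructed sample APK: a zip with the entry layout real APKs use."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    app = {
        "AndroidManifest.xml": b"<manifest/>",
        "classes.dex": b"dex\n035\x00constructed-sample",
        "resources.arsc": b"constructed-resources",
    }
    store_build = build_apk({**app, "META-INF/CERT.RSA": b"store-signature"})
    my_build = build_apk({**app, "META-INF/CERT.RSA": b"my-signature"})
    tampered = build_apk({**app, "classes.dex": b"dex\n035\x00something-else",
                          "META-INF/CERT.RSA": b"store-signature"})
    print(compare_apks(store_build, my_build)["match"])   # True: only the signature differs
    print(compare_apks(tampered, my_build)["differing"])  # ['classes.dex']
```

A mismatch in `classes.dex` or `resources.arsc` is not automatically a backdoor; the comment above about Play's bundling and the different toolchain are the usual causes, which is exactly why Signal pins the build environment. The check is only meaningful once your build environment matches theirs and the store build is not a device-specific split.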


Yes, "no way to verify" is a bit strong. Not as easy to verify is true (but: if you review the source, you'd also have to build the app yourself).


The app itself is the weakness, not the protocol. But also the article says "that exploited a flaw in WhatsApp-owned servers to help clients hack into the cellphones".


Who's to say Signal will protect you any better against targeted remote-code-execution attacks from well-funded cyber mercenaries like NSO?


Yeah, I pretty much assume that targeted attacks will always succeed when a well-funded state actor is involved.

For me, I look at encryption as a mitigation for surveillance. Anything that increases the marginal cost to monitor an individual makes broad surveillance less economic.

Signal will always have the edge for surveillance due to the relative difficulty of hiding a back door. Whatsapp will always be suspect in that they could easily be forwarding everyone’s messages to third parties.


How many people actually worry about these spy agencies? If a state actor wants you or your information they'll just pull up in a black van and take you and use a $5 wrench to beat it out of you.


Much of what NSO Group does is sell to smaller despotic regimes who then use them to spy on dissidents who live abroad and would be quite hard (and embarrassing) to black-bag. Not everyone can send a murder team to Stockholm (or wherever).

Some despotic regimes do have large kidnap-and-murder programs (ex Rwanda) but if you just want to keep tabs on exiled dissidents and learn exactly who they're talking with back home, NSO Group has a product for you.


I get the implication but America isn't Russia and they just don't do it, too big of a headache, too easy to blowback into political realm. Officers hate when clandestine work erupts into public political drama.

Plus, why would you hire a team of people to kidnap a citizen and beat them when you can assign a ticket to a government blackhat at the NSA who will run the commands against your devices and take what they need without you ever knowing.

Even then, there is substantial risk of whistleblowing for illegal data collection against citizens (Snowden et al) so they would instead in a clandestine manner ask a fellow member of the Five Eyes to perform the surveillance "legally".

Our society has known about Five Eye roundabout spy agreements for a long time and has largely shrugged, so the risk of public political blowback doing this would be minimal.


> How many people actually worry about these spy agencies?

I don't really worry about the spy agencies themselves -- I am not of any interest to them.

However, I worry a lot about the likes of NSO and the tools they produce. They are likely to end up being used, in one form or another, by criminals and corporations.


These tools keep authoritarians in power and indirectly impact hundreds of millions of people. It's like saying you don't care about Pacific Ocean plastic because you live on the East Coast.


> These tools keep authoritarians in power

Indeed. I think I covered that in "criminal" category, but perhaps I should have been more explicit.


How’s that different from selling weapons to them, though?


It's not - we shouldn't be selling weapons to them either. Ditto with sharing intel.

Sanctions on selling exploits seem easier to achieve, though, since there is less of a conflict with economic interests.


The state actor will have a more difficult time doing that if you are living in a different country. Exploits don't care about borders: https://www.voanews.com/africa/ethiopia-accused-using-spywar...


I get your point that a highly-motivated attacker has other, less sophisticated, ways of getting to your data.

However, if we're playing poker and I learn your tell, it's in my best interest that you are naive to that fact. While not the best analogy, I would think that the same concept would apply to state actors.


There have been a few Electron vulnerabilities that affected Signal. Plus Signal demands that you have a phone number in order to use it. Also, the fact that each device has its own key encourages users to just blindly accept new keys.


Would this attack have been preventable with signal?


Dozens of tech companies around the world that were established in the last 4-5 years were set up entirely for the purpose of being fronts for spy agencies to engage in the vast collection of data.

This extends also to shipping, licensing, and auditing companies.

One example is https://www.pacificbasin.com/en/fleet/fleet.php

Somehow they've managed to assemble the world's 2nd largest cargo fleet in terms of dry weight tonnage, all verifiable on https://marinetraffic.com btw, and yet they appear on NO LISTING ANYWHERE for the top 100 cargo companies.

That company is a front for the Chinese military, because if you do a reverse WHOIS search you will see http://pacbasin.com was also registered by the same organization...it is an autonomous drone hardware and extended flight operations firm. There is more to say there, but I will leave it at that.

Other firms that have been espionage operations since day one, or were acquired at some point and repurposed as spy outfits. This list includes both Western and Eastern powers:

NSFOCUS Global

psychz.net

mimecast.com

terra.net

protonmail.com

creditkarma.com

ipvm.com

ClearDDOS

Neuvector

Multacom

HighWinds

Black Oak Computers

IT7 Networks

Ramnode

Gorilla Servers

Digital Core

InMotion Hosting

Choopa

LeaseWeb

StackPath

Voxility

Perfect International


Wait, can you expand on some of these? Like ProtonMail and CreditKarma?


Wait, what?! This invalidates the entire list for me if there is no further proof...


Same. But they said they'd make a post on it in a few days, so we'll see.


What do you mean by "it"?


Ditto leaseweb. From what I know about them there is no way they would cooperate with something like that. If this is true it is major league news.


> That company is a front for the Chinese military, because if you do a reverse WHOIS search you will see http://pacbasin.com was also registered by the same organization...it is an autonomous drone hardware and extended flight operations firm.

Alternative explanation: Pacific Basin decided at some point that they needed an internet presence, and in addition to their main site pacificbasin.com they also registered pacbasin.com to prevent typo-squatting. Some time later, they decided that was no longer necessary and let the domain lapse. Subsequently, it was picked up for cheap to host the glossy marketing website of what appears to be a drone company.

Problems with that website: the social media icons are just for show; the contact email is for the likely unrelated startech.com; I can't find any way to buy their product; the company is called "星彩网平台航拍无人机系统", "星彩" evoking associations to lotteries. It's also completely unrelated to the domain name.

My personal interpretation: the website is intended to scam Chinese investors with a gambling mentality into throwing their money at a fake "high-tech company."

Do you have any data that would be able to distinguish between your hypothesis and my alternative?


Yeah, gonna need a source on Proton and Credit Karma


Consider it a conspiracy theory. Extraordinary claims require extraordinary evidence.


> Extraordinary claims require extraordinary evidence.

To be considered "proven", sure, maybe. But no such thing is needed to merely consider an idea. Look at all the "facts" that have widespread belief, look at all the "not exactly accurate" various organizations broadcast, that turn into very strongly believed "facts" in the public mind.

There's so much obvious lying going on nowadays, and so many perfectly reasonable concerns dismissed as conspiracy theories, that that phrase no longer has any negative connotations for me. In fact, anything remotely complex that doesn't have an air of a conspiracy to it makes me at least as suspicious, kind of in the "which part of this story is untrue, and why" sense.

But hey, each to his own. If you choose to consider only authorized truths, that's your prerogative.


The rise in shipping company fronts may potentially be attributed to miniature nuclear weapons payloads within shipping containers for rapid and unstoppable payload delivery at close proximity to enemy lines.

Btw intelligence agencies are using invisible image watermarking technologies to track users.


Can we talk? One concern we had was that these cargo ships, some subset of the 220, have nuclear weapons onboard that the crew isn't even aware of. Much like how the Soviets used to hide their ICBMs in train cars that move around, this makes tracking these things really hard.

[email address redacted]


I think it's more likely to be a front for the black market in UFO parts being traded between US, Russia and China.


Can you provide any sources? Surprised to see Credit Karma on here...


This. It's easy to come on places and spew conspiracy theories, but this is a really heavy accusation to many reputable companies.

Back it up or nothin'.


It comes mainly from mapping the subdomains over time and analysis of the ASNs. This is key. You will often see a company with perhaps 200 or so subdomains, that only does business in the United States.

But then you will see one subdomain that maps to ASN 4803 or whatever, which then leads to “China Telecom xinjiang”. In fact I encourage you to type:

org:”China Telecom xinjiang” “NSFOCUS” into Shodan.

Also look at the capital expenditures psychz.net claims on their about page. There is no IaaS company in the world that can afford to lay down as much hardware as they are claiming.

Another thing btw is these sites never seem to have job openings. That is a common pattern that applies to perhaps 60% of the firms listed.


So you're saying "typical intelligence analyst stuff" is the reasoning here?

Generally analysts produce questions which operations runs down to figure out if what they think is going on, is actually going on.

Correct me if I'm wrong here, but you're basically saying that you have done the first part and found some suspicious links but not the second part, to develop actual evidence one way or the other. Is that a fair assessment?


I am writing this all on a phone and I am more than happy to produce a 5000 word report which will be posted in 96 hours. I will follow up via a comment here and also send to Michael Forsythe at the New York Times for additional review.

You have my word.

EDIT: 5000 words not pages


If you make a post (assuming I see it, because I want to) I'll gladly read (and upvote) it. I think this is exactly the kind of thing HN wants to see.


Awesome, looking forward to it.


That's the spirit. I've always loved a good challenge accepted attitude.


I'm very interested. Commenting as reminder to check this later.


So, where is that post?


Check below for latest update. Wanted to comment so you got notification. My real name is in my profile with my email address so you’ve got me dead to rights on this one.


That's a bookmark


???


It’s coming. I’ve got butcher paper on the floor mapping out 2000 ASNs. My wife says I look like one of the detectives tracking down a serial killer with red string. I run my own consulting company, and actually lost my main client due to the above post being interpreted as “anti-China”. That has been an enormous setback.

Anyone can do this research I want to emphasize. Look at any suspicious VPN company. Now look at 10 of them. Now plug some of those names into Shodan.

Bear with me here, but if you then simply Ctrl-F for ASNs with the same name with the same LLCs, you will construct a perfect circle of peering that is an “internet within an internet”. What it seems to be is a poor man’s TOR. While the US gov built a Tor, this is an alternate Dark Web built by someone...you can pass through 1,000 servers on 500 different hosting companies none of which do legitimate business.

(Hope this counts as a mini blog post for now this must be 250 words).


How's that coming along?


See above and below.


They subcontract their support to India. William Lu is a scammer and a well known liar. He pays people on web hosting forums to keep it quiet about how he scams his customers. The guy has cockroaches in his data center. He has no money and has lost more than half his ip space in the past year. He even got recorded a few months back in a big conference call admitting he lies about everything and charges his customers for services he doesn't even provide. https://www.youtube.com/watch?v=PzHS4E2e8Bg there's also a dope ass diss track about how garbage their service is on there too. https://www.youtube.com/watch?v=mZBWd1Z2yY0


> org:”China Telecom xinjiang” “NSFOCUS” into Shodan.

I'm going to admit I didn't try putting this into Shodan because for whatever reason I don't have access to it right now. But won't this just show a list of servers running a NSFOCUS WAF? How do you connect that to ProtonMail or LeaseWeb?


These claims are not credible. Publish your analysis techniques & results.


Never heard of psychz.net.

Are you suggesting they are an "open secret"? E.g., they are not "covert", but they are secretive in that they only sell to maybe Western intelligence agencies, etc. Could be why they never have real "openings": they've got a hot pipeline constantly exiting from the intelligence community looking to make some real money.


Wait... you're basing this on who the domain is registered with?


>org:”China Telecom xinjiang” “NSFOCUS” into Shodan.

No results found


Check your double quotes. Also do you have a registered / paid account? Lowest level of paid is fine.


Umm.. That's some fun tale.

Highwinds - a software company that sold a Usenet server, 1995 or so. A really high-performance one. Later went into Usenet hosting.

Choopa - a hosting company that started as a porn DVD ripper. When you provide lots of porn, you get lots of connectivity. At which point someone goes "Why don't we sell the excess? We're already paying for it." Sounds familiar?

LeaseWeb - a really old hosting company. Predates Amazon.


Look into something called Reverse Mergers btw.

Old dying hosting companies were the perfect cover to be acquired by spy agencies.

You’ll notice a large posting of press releases and apparent spending in the last 4-5 years though still for all.

http://dcsmanage.com out of Los Angeles is another one btw...


Extraordinary claims require extraordinary evidence.


Do you have a source on protonmail and creditkarma?


https://news.ycombinator.com/item?id=21411403 is a later post, but uses the original title.


Welcome, Signal


Also Keybase And Telegram (need to enable e2e for a given conversation, though)


The name of the company is "NSO Group". NSO is too close to NSA.

Please correct it.

