Encryption

Signal President Blasts WhatsApp's Privacy Claims (cybernews.com) 59

Signal president Meredith Whittaker challenged recent assertions by WhatsApp head Will Cathcart that minimal differences exist between the two messaging platforms' privacy protections. "We're amused to see WhatsApp stretching the limits of reality to claim that they are just like Signal," Whittaker said in a statement published Monday, responding to Cathcart's comments to Dutch journalists last week.

While WhatsApp licenses Signal's end-to-end encryption technology, Whittaker said that WhatsApp still collects substantial user metadata, including "location data, contact lists, when they send someone a message, when they stop, what users are in their group chats, their profile picture, and much more." Cathcart had previously stated that WhatsApp doesn't track users' communications or share contact information with other companies, claiming "we strongly believe in private communication."

  • by PubJeezy ( 10299395 ) on Wednesday March 26, 2025 @12:12PM (#65260595)
    It's not that WhatsApp isn't secure, it's that it literally CAN'T be secure. Security isn't a goal or a state of being, it's a process, and when it comes to software, code auditing is a required part of that process.

    It doesn't actually matter if WhatsApp is "technically" secure or not. Their opaque code-base means none of us can ever verify their claims, which means using their platform requires a lack of due diligence, which is a failure of the process.

    As if the lack of transparency isn't enough, we actually do know who controls that code-base. The company controlling it seems to be a criminal conspiracy. Facebook has paid over $7 BILLION in penalties for 19 violations. [source: https://violationtracker.goodj... [goodjobsfirst.org] ]. Can you trust an organization with a 20 year track record of defrauding the American people?

    WhatsApp is not secure.
    • If it's secure today tomorrow's mandatory update may not be
    • In a strictly technical sense? Any given app CAN be completely secure, regardless of somebody auditing the code.

      The "security process" you speak of only has relevance in the corporate world, where people want documentation that specific things were done. I have little faith that some code auditing process for "security" can really ensure a program is secure. Sure - they can check for obvious things like back-door passwords embedded in the code. But plenty of security issues aren't even well documented and c

    • by AmiMoJo ( 196126 ) on Wednesday March 26, 2025 @12:48PM (#65260703) Homepage Journal

      Practically speaking though, is Signal any more trustworthy? You can look at the source code, but nobody does. Everyone installs from Google Play or the Apple Store. Signal could build a different version, or the NSA could lean on Google and Apple to distribute a backdoored version, either globally or to specific accounts.

      You have to use Signal's servers too, no federation with ones in potentially better legal jurisdictions or under different entities' control. Even if the messages are E2E encrypted, the server gets a lot of metadata. If you could use a third party client with Signal, you could have one that produces some random noise to help with that.

      • I'll add to that. While the core functionality of Signal IS open source, the commercial version you are likely using contains blobs for payment and GPS from Google. If you don't compile your own binaries, you can get Signal-Foss which does not contain the blobs. As others have pointed out, your calls are connected through proprietary servers and your GPS location is logged. So Signal knows where you are, at what time, and your phone number. Considering that Signal is the go-to app for politicians, drug dealers
        • Re: (Score:1, Troll)

          by Srin Tuar ( 147269 )

          > So Signal knows where you are, at what time, and your phone number.

          Exactly; it's a mass invitation to get spied on while thinking you are secure.

          Signal also has truly terrible user identification design, as the recent war planning leak shows. Instead of requiring in-person exchange of certificates, and having any kind of external certificate validation system, it's basically "blindly trust someone based on their phone number".

          I don't think there is any safe way to operate Signal, due to the lethal combina

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Practically speaking though, is Signal any more trustworthy?

        Yes, it is. Things are not all black and white. There are shades. Signal is not perfect, by any stretch, but it is more trustworthy.

        "Neither of these is perfect, so they are equally bad." is not a useful line of reasoning. Be aware of the flaws, yes, but also be aware of the relative strengths.

        Make informed decisions.

    • by Tony Isaac ( 1301187 ) on Wednesday March 26, 2025 @01:37PM (#65260831) Homepage

      I don't think exposing your code makes the code any more secure than hidden code. Heartbleed lurked in OpenSSL's fully visible code for years before it was exploited in the wild. In fact, private code repos might be *more* secure because nobody can analyze the code looking for code vulnerabilities to exploit. Rather, they must rely on trial and error.

      • I don't think exposing your code makes the code any more secure than hidden code.

        You are speaking in absolutes. Having source available greatly increases the likelihood of finding mistakes. Having source available almost completely eliminates all hostile code.

        So no, source being available does not guarantee security. I am unsure why you think it would. But without source available, any kinds of shenanigans could be going on behind the scenes and it is incredibly difficult to identify.

        Trust your closed programs if you wish, but don't do it because you think available source is not an abs

        • You are speaking in absolutes. Having source available greatly increases the likelihood of finding mistakes

          Yes. The question is, who will find them first? The good guys, or the bad guys?

          We're not talking about "hostile" code, we're talking about mistakenly introduced security vulnerabilities. To exploit these, it's not necessary to alter the code with hostile intent, it's just necessary to know that the vulnerability exists, and how to exploit it.

          Regarding trusting closed programs...consider Toyota Motor Company. They have an excellent reputation for reliability and safety. Is this because they have an open sour

    • Can you trust an organization with a 20 year track record of defrauding the American people?

      About 49.8% of 2024 U.S. voters would say "yes" -- well, before Jan 20, 2025 anyway, not sure about now...

  • by cmseagle ( 1195671 ) on Wednesday March 26, 2025 @12:13PM (#65260597)

    For those not following closely, The Atlantic published the text message thread a few hours ago: Here Are the Attack Plans That Trump’s Advisers Shared on Signal [theatlantic.com]

    • Heh, your leaders are really an unbelievable bunch of cretins. Where did you dig em up?

      • It's the result of Fox News broadcasting fear and lies 24/7. Haitians are eating cats and the only way to stop them is vote republican.

      • by Anonymous Coward

        Let's say the leaders represent the people they lead very well.

      • > leaders...unbelievable bunch of cretins.

        The irony is that the anti-DEI crew eschewed merit for loyalty & buddyism, the very thing DEI attempts to prevent.

        Greenland may outmaneuver US's military simply by monitoring them. After all, Vietnam did it by making it hard to tell who the enemy is. It just may be possible to out-chaos Captain KKKaos himself.

        • The irony is that these idiots got into government and plan to stay there, legally or otherwise.

          Despite all the second amendments.

          On the topic of Greenland, I hope so. The drive of the orange shitgibbon for a noble price has already gotten as bloody as the Eyerack war of that other idiot, dubya with a significant potential for more.

    • Re: (Score:2, Troll)

      by GoTeam ( 5042081 )

      For those not following closely, The Atlantic published the text message thread a few hours ago: Here Are the Attack Plans That Trump’s Advisers Shared on Signal [theatlantic.com]

      To be fair, it's basically a worthless leak. Those aren't "war plans", they're an attack on some back-woods terrorists. I wouldn't be surprised if the "leak" was purposeful. Many administrations have told foreign countries they're attacking that they're about to bomb an area.

      In my opinion, the bigger and more concerning fuck up was to discuss these plans in a way that the government can't be audited in the future. It's a middle finger to all citizens who hope for more transparency from their "leaders". Sho

      • by fahrbot-bot ( 874524 ) on Wednesday March 26, 2025 @02:39PM (#65261013)

        For those not following closely, The Atlantic published the text message thread a few hours ago: Here Are the Attack Plans That Trump’s Advisers Shared on Signal [theatlantic.com]

        To be fair, it's basically a worthless leak. Those aren't "war plans", they're an attack on some back-woods terrorists. I wouldn't be surprised if the "leak" was purposeful. Many administrations have told foreign countries they're attacking that they're about to bomb an area.

        Sure, but those notifications probably don't usually include exact time/equipment/ordnance details, these texts did.

        To be accurate, the texts included the type of equipment used and the times they were to be launched *before* they were initiated which, as confirmed by a national security advisor, makes them very classified. Clearly Signal is *not* the place for this -- especially as every person in that group chat has 24/7 access to secure communications, and there are people whose literal job it is to ensure they have that access. This was amateur-hour. Any low(er) level person doing this would be immediately fired and probably prosecuted.

        In my opinion, the bigger and more concerning fuck up was to discuss these plans in a way that the government can't be audited in the future. It's a middle finger to all citizens who hope for more transparency from their "leaders". Should governments be allowed to communicate in a way that will never be audited?

        Agree. Clear violation of federal records-keeping laws.

        • ... but her emails!

        • Agree. Clear violation of federal records-keeping laws.

          Why do you think the law matters anymore? This is not the first time someone has said this and nothing has happened. If a law is not enforced, it is not really a law then is it?

      • by BishopBerkeley ( 734647 ) on Wednesday March 26, 2025 @02:56PM (#65261077) Journal
        It is NOT a "worthless leak". It's the leak that was caught by virtue of their egregious stupidity and incompetence. It's important to know how many other such discussions they had!
        • by GoTeam ( 5042081 )

          It's important to know how many other such discussions they had!

          That's the part that bothers me most as a citizen. We can't know about any other such discussions because messages on Signal can't be audited after (at most) 4 weeks. No paper trail. No accountability. The real crimes in government happen out of sight of the citizens.

          Those silly attack plans leaking didn't put the operations team at any significant risk. Looking back on last December it looks like our F-18s run a greater risk of friendly fire than what the goat herding militia can throw at them...

          • The Houthis have anti-aircraft missile systems. You don't think knowing what type of aircraft, and when it's going to be arriving might be helpful?

            Stop diminishing how fucking serious this is.

      • I wouldn't be surprised if the "leak" was purposeful. Many administrations have told foreign countries they're attacking that they're about to bomb an area.

        Very unlikely. There's no indication at all that the DC-based editor of The Atlantic has any real contacts in Yemen. Especially contacts he could have used in the two hours between the attack leak and the attack itself.

        In the past, leaks like that have been used to minimize civilian casualties, but the Trump administration officially [nytimes.com] does not give a shit

      • You do realize that those "back-woods terrorists" have anti-aircraft missile systems, yeah? And knowing what type of aircraft that's coming would allow for quicker target identification and shooting it down?

        Stop carrying water for monumental idiots, before you end up drenched in their idiocy yourself.

  • by goldspider ( 445116 ) on Wednesday March 26, 2025 @12:42PM (#65260687) Homepage

    Demonstrating once again that in the big picture of security, the strongest encryption available can be thwarted by any idiot user.

  • stretching the limits of reality

    A great expression and, unfortunately, currently the design metric for Washington policy...

  • Signal is getting a lot of publicity it doesn't want right now. WhatsApp isn't really considered a "secure" platform, despite its claims of end-to-end encryption. Bringing WhatsApp into the conversation isn't really relevant, but maybe Signal hopes it will get people talking about something else.

    • Signal is getting a lot of publicity it doesn't want right now. WhatsApp isn't really considered a "secure" platform, despite its claims of end-to-end encryption. Bringing WhatsApp into the conversation isn't really relevant, but maybe Signal hopes it will get people talking about something else.

      No, Signal is getting great publicity right now. It's the Trump administration that's taking a beating.

      • Maybe. But the Trump administration just exposed Signal's greatest security weakness: anybody can use it, with no vetting. And that leads to the potential for unwanted lurkers, as happened here. A truly secure system would need to require some kind of security certification, such as a CIA clearance, to even use the platform.

        • by GuB-42 ( 2483988 )

          It is more general than that, Signal does everything it can to get people in contact. In particular, it will notify you when one of your contacts joins Signal. You can disable this, but it is not the default. It is significant, as it can reveal information you may not want to reveal. You may not want to tell your contact that you have joined Signal. Of course, there is also the massive issue that you are using a phone number to join.

          I understand why they do this, they want as many people as they can on their

          • fine for everyday use, but probably inappropriate for classified conversation

            Inappropriate for classified conversation? Oh, hell yeah. But not because of any of the issues you discussed. The biggest reason it's inappropriate for classified conversation is that it's running on an unvetted commercial device. Oh, there's also the fact that using such a device/app to handle classified information is a felony. That's a legal issue, not a security issue, but the law is the way it is because the only way to keep classified information secure is to ensure that it is never present on any

        • But the Trump administration just exposed Signal's greatest security weakness: anybody can use it, with no vetting.

          Meh. It can be used that way, sure. But you should actually check security numbers via an out of band communication channel. If you do that then you know absolutely who you are talking to.

          A truly secure system would need to require some kind of security certification, such as a CIA clearance, to even use the platform.

          Nonsense. That is neither necessary nor sufficient for secure communications. It would also be silly, since the real vulnerability of an app like Signal is the device it's running on, not to mention the environment it's used in. If you really need the sort of security required to make war plans you need the devices t

          • via an out of band communication channel

            I should be a little more precise here. The OOB channel for verification also needs to allow you to strongly identify the other party. Face to face is ideal.

          • There are two parts to security: authentication, and authorization. Your OOB channel only deals with the authentication piece, not the authorization piece. The security lapse in this incident was not a lapse in authentication, but authorization. The reporter was properly authenticated, but not authorized, to be part of a military planning conversation.

            I don't dispute your statement that the devices themselves are insecure. But that's not what led to this breach.

            • There are two parts to security: authentication, and authorization. Your OOB channel only deals with the authentication piece, not the authorization piece. The security lapse in this incident was not a lapse in authentication, but authorization. The reporter was properly authenticated, but not authorized, to be part of a military planning conversation.

              The journalist wasn't authenticated, either. Walz clearly didn't know who he was adding.

              I don't dispute your statement that the devices themselves are insecure. But that's not what led to this breach.

              The adding of the journalist wasn't the real breach here. The real breach was the use of Signal for high-level govt comms, and the decision to send classified information through it.

              • Agreed.

                • Oh, one more "real problem" point, which is perhaps even more crucial: It's clear that the administration is using Signal heavily, not just in this case.

                  Note how in the published texts no one asked "Should we be using Signal for this?", they all just blithely went along with it as though it's business as usual. Because it is business as usual for them. And why is the administration using Signal heavily, rather than approved and vetted communications tools? Because Signal will auto-delete the records. N

  • by swillden ( 191260 ) <shawn-ds@willden.org> on Wednesday March 26, 2025 @02:01PM (#65260897) Journal

    Let's see WhatsApp demonstrate the security achievement Signal has notched: Being good enough[*] for use by senior administration officials of a world superpower to plan military operations!

    [*] Note that Signal is not actually good enough for that. Signal is quite secure, mind you, especially if the users are careful to compare security keys out of band, but the platforms it runs on aren't secure enough for what the idiots in the current administration are using it for. WhatsApp would, of course, be strictly worse.

  • Meta absolutely does analysis on decrypted messages. There have been many times when I'll make a joke or say something to a friend via WhatsApp, and then within 10-15 minutes, I'm getting ads on Instagram for that very thing. It's even become a joke amongst my friends, since it happens so often.

  • ..when they both use your mobile number rather than a userid as an identifier, as well as to verify your account. That's a massive showstopper for me right there, and no, buying a burner SIM just for instant messaging is a ridiculous suggestion (given that in many countries you can't just anonymously buy one without providing your ID). Aside from that it's a total pain in the ass having separate chat histories for contacts with more than one phone number.
