Although Pavel eventually did take action. The investors were pissed off that they never made a profit on Telegram and was mentally associated with helping ISIS. When he started Telegram, he pissed off his US investor who got heat for Telegram being used by ISIS to communicate. Unlike Moxie Marlinspike (founder of WhatsApp and also Signal) who claims he is an “anarchist”, Pavel walked the walk. Pavel is a true libertarian who’s stood for his beliefs against his own government, and lost control of his company as a result. offices being ransacked, veiled personal threats etc.), his shareholders pushed him out and he and his brother fled the country and started Telegram. Pretty soon he started receiving the standard “tax evader” treatment (i.e. But we can't ever forget that: all analytics surfaces are attack surfaces. Actually, this is exactly what Pavel Durov (Mark Zuckerberg’s counterpart and founder of the Russian Facebook vkontakte) did when Russian authorities asked him to reveal who helped organize the Maidan protests in 2013/2014 And he just posted the middle finger on his site. I don't think the solution is for us as a community to advocate for removing all error analytics in distributed systems. Of course, lack of visibility into runtime errors can lead to vulnerabilities as well. and consider the ways it might be possible for a small group of people at Signal to cause a specific set of messages to be seen as corrupt without raising any flags to the community auditing the code. The log message itself doesn't even need to carry sensitive data; its existence alone, when the trigger conditions are known, can be used to carry out a highly targeted attack. Even open-source systems can be vulnerable to this: see e.g. 
There are also tons of ways to exfiltrate data through known channels in ways that are difficult for security researchers to distinguish from otherwise secure app analytics code. A crash/exception logging system, say, might appear to researchers to anonymize data, but it would be very possible for code to be written that happens to raise a mundane exception when specific users or geofences see specific words on screen, in a way where that list of users/geofences/words could be controlled by non-technical teams. Why does it produce a larger binary content than a full-blown Linux kernel?! It's impossible to audit that there is no routine pushing keys to, say, the usual analytics backend they use - and to make it worse, according to APKMirror, they push updates every few days. 2118352 945166 x 25MB of already compressed Dalvik code, probably double that if you restore it to Java class files and triple to quadruple that in Java source files. FFS the OG Facebook app was already blowing past the limits of Android in 2013, and the current Whatsapp app isn't much better - just look at the current APK file: That assumes somebody is digging through each update and the thousands of classes. > There's just no way, in real life, for Facebook to add what you're describing to one of the most prominent messaging apps in the world without somebody noticing. The most likely scenario, is that the US-gov is very powerful and capable to enforce laws in their own country and that you have to respect the laws if you want your company to continue. I'd be really surprised that Zuck takes responsibility and ends up in jail because he refuses to execute a legal request regarding imminent terrorism attack (risking penal risk and being charged as helping the criminals, well, there's a plus that's more time to spend in the Metaverse). 
One push of code on one URL to send back the part about the # sign, and done, or to activate new trials in Google Chrome, or to push a Play Store update to single users, etc.). (think about it, how easy it would be to decrypt Mega.nz file, for example in a real-life scenario. > and broadly any app where the founders may eventually be arrested by the US (as the US has a lot of extra-jurisdiction power). Not saying it specifically for WhatsApp, it's valid for any US-based app Of course, a random user won't have its dog food or gardening communications intercepted, but once you trigger certain patterns, welcome to the new "user trials / feature flags / beta". So, if US law permits or requests in some way interception of communications, or that operators have to report certain activities, then your right to secrecy is done. The weakest link here, is that Facebook has to respect US laws. The problem here is way way behind the computer. The problem is not technical, FB could write anything, the security of the system is as weak as its weakest link.