Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-14 Thread Jason Cronk
On 2017-01-14 13:41, Thomas Delrue wrote: 

> On 01/14/2017 08:17 AM, FL wrote: 
> 
>> I'm not sure that every American company, by law, must implement a backdoor, 
>> as you imply. The last time I checked, iMessage was a very secure platform 
>> with no known vulnerabilities -- which in fact has made Apple struggle with 
>> US agencies more than a few times.
> 
> CALEA
> (https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act)
> is no longer in effect? Or am I thinking of the wrong thing?
It's unclear whether CALEA applies to Apple or not. If it doesn't, then
we're done. If it does, CALEA provides an exemption that prevents the
government from forcing decryption to which it doesn't have the key
(i.e. requisite information). See
https://www.techdirt.com/articles/20160223/23441033692/how-existing-wiretapping-laws-could-save-apple-fbis-broad-demands.shtml
for a lengthier write up on the issue. 

-- 
R. Jason Cronk, JD
IAPP Fellow of Information Privacy
CIPM, CIPT, CIPP/US, PbD Ambassador
PRIVACY AND TRUST CONSULTANT
ENTERPRIVACY CONSULTING GROUP
www.enterprivacy.com
--> Our next open Privacy by Design Workshop: Feb 1, 2017, Indianapolis, IN [1]

Links:
--
[1]
https://www.eventbrite.com/e/privacy-by-design-workshop-indianapolis-feb-2017-tickets-30695924336
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-14 Thread Thomas Delrue
On 01/14/2017 08:17 AM, FL wrote:
> I'm not sure that every American company, by law, must implement a backdoor, 
> as you imply. The last time I checked, iMessage was a very secure platform 
> with no known vulnerabilities — which in fact has made Apple struggle with US 
> agencies more than a few times.

CALEA
(https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act)
is no longer in effect? Or am I thinking of the wrong thing?

>> On 14-01-2017, at 10:02, carlo von lynX  wrote:
>>
>>> On Fri, Jan 13, 2017 at 07:26:29PM -0500, Sebastian Benthall wrote:
>>> https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/
> https://www.theguardian.com/technology/2017/jan/13/
>>
>> I've also read 
>> http://www.golem.de/news/schluesselaustausch-aufregung-um-angebliche-whatsapp-backdoor-1701-125571.html
>> and https://tobi.rocks/pdf/whatsappslides.pdf
>> and to me it seems like all of the articles are
>> technically describing the same procedure.
>> The difference is only in the framing.
>>
>> For Facebook it is a necessity that people not be
>> bothered by key changes, for anyone in the libtech
>> business it is an alarming signal that MITM is
>> technically possible by default and users must be
>> specifically aware of the issue to avoid it.
>>
>> But why is anyone even expecting any true privacy
>> from an American proprietary product? Have the
>> PRISM and MUSCULAR programs suddenly been discontinued?
>> Has Freedom Act amended NSLs also for non-Americans?
>> How could Facebook afford not to pump everything they
>> can get into XKEYSCORE as before? Why did the European
>> Supreme Court rule that the US is not a safe harbor
>> for EU citizen data? Did I miss any recent developments?
>>
>> Is it the general strategy to have people debate whether
>> there is a backdoor when by law Whatsapp MUST have some
>> backdoor?




Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-14 Thread Andres Pacheco
Last time I heard the US govt failed to force Apple to break an 
iPhone. They had to reform to independent contractor mercenaries, i.e. "Evil 
Hackers!" Ergo I infer US law has not yet gotten to the point of requiring 
backdoors in code.


Sent from Yahoo Mail for iPhone


On Saturday, January 14, 2017, 9:04 AM, carlo von lynX 
 wrote:

On Sat, Jan 14, 2017 at 10:48:48AM -0300, FL wrote:
> Sadly I'm not a hacker — I'm a lawyer, so I haven't checked their code nor 
> any other company's for that matter.

We have plenty of hackers but not enough lawyers, so your
view on what the laws currently actually imply is very welcome.

> However, my main point remains unaddressed — I'm not sure that American 
> companies are 'required by law' to implement backdoors.

Alright, didn't perceive that as your main point.
Well, here's what I know last time I checked:

- PRISM is a reality
- NSLs have been used to oblige such companies to
    + hand over access to their data centers
    + expect no legal harm when denying any existence of NSLs
    + expect general public to never become aware

Leaks have broken the latter promise, so those companies
had good reasons to be upset. Freedom Act has changed
NSLs in such a way that American citizens must no longer be
bulk collected, NSA must only be allowed to run "selectors"
which in the case of Whatsapp means that some backdoor
must be provided to execute surveillance on such selectors.

Also, I have to look up Casper Bowden's posts again,
somewhere the laws explicitly give zero rights to non-US
citizens - all of humanity is backdoorable and bulk
collectible. And then we have programs like
https://en.wikipedia.org/wiki/Muscular_%28surveillance_program%29
which explicitly bypass US law.

Isn't Patriot Act essentially obliging the NSA to collect
all it can? If the NSA must do that, then any company
impeding the NSA from doing so is breaching that law, no?


-- 
  E-mail is public! Talk to me in private using encryption:
        http://loupsycedyglgamf.onion/LynX/
          irc://loupsycedyglgamf.onion:67/lynX
        https://psyced.org:34443/LynX/

Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-14 Thread carlo von lynX
On Sat, Jan 14, 2017 at 10:48:48AM -0300, FL wrote:
> Sadly I'm not a hacker — I'm a lawyer, so I haven't checked their code nor 
> any other company's for that matter.

We have plenty of hackers but not enough lawyers, so your
view on what the laws currently actually imply is very welcome.

> However, my main point remains unaddressed — I'm not sure that American 
> companies are 'required by law' to implement backdoors.

Alright, didn't perceive that as your main point.
Well, here's what I know last time I checked:

- PRISM is a reality
- NSLs have been used to oblige such companies to
+ hand over access to their data centers
+ expect no legal harm when denying any existence of NSLs
+ expect general public to never become aware

Leaks have broken the latter promise, so those companies
had good reasons to be upset. Freedom Act has changed
NSLs in such a way that American citizens must no longer be
bulk collected, NSA must only be allowed to run "selectors"
which in the case of Whatsapp means that some backdoor
must be provided to execute surveillance on such selectors.

Also, I have to look up Casper Bowden's posts again,
somewhere the laws explicitly give zero rights to non-US
citizens - all of humanity is backdoorable and bulk
collectible. And then we have programs like
https://en.wikipedia.org/wiki/Muscular_%28surveillance_program%29
which explicitly bypass US law.

Isn't Patriot Act essentially obliging the NSA to collect
all it can? If the NSA must do that, then any company
impeding the NSA from doing so is breaching that law, no?


-- 
  E-mail is public! Talk to me in private using encryption:
 http://loupsycedyglgamf.onion/LynX/
  irc://loupsycedyglgamf.onion:67/lynX
 https://psyced.org:34443/LynX/

Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-14 Thread FL
Sadly I'm not a hacker — I'm a lawyer, so I haven't checked their code nor any 
other company's for that matter.

However, my main point remains unaddressed — I'm not sure that American 
companies are 'required by law' to implement backdoors. And the fact that I 
check the news instead of a proprietary piece of code doesn't mean that someone 
must have a secret and mandatory backdoor.

I might be wrong though, but I haven't seen any evidence to make me think 
otherwise.

Best regards,

FL

> On 14-01-2017, at 10:38, carlo von lynX  wrote:
> 
> Thx, efecto
> 
>> On Sat, Jan 14, 2017 at 10:17:07AM -0300, FL wrote:
>> I'm not sure that every American company, by law, must implement a backdoor, 
>> as you imply. The last time I checked, iMessage was a very secure platform 
>> with no known vulnerabilities — which in fact has made Apple struggle with 
>> US agencies more than a few times.
> 
> Has there been any litigation with the NSA? I only
> saw interaction with the FBI - and the FBI has a
> less prioritary job: law enforcement. Nothing that
> is worth questioning national security for, so I
> would assume FBI doesn't get the same clearances
> as NSA. You can't monitor an entire population if
> strategically unimportant offences like child abuse
> would blow your cover - thus it is mathematical that
> FBI cannot have the access privileges of NSA.
> 
> By "last time I checked" you don't mean the code
> that is actually deployed into those devices but
> merely "checked the news", right?
> 

Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-14 Thread carlo von lynX
Thx, efecto

On Sat, Jan 14, 2017 at 10:17:07AM -0300, FL wrote:
> I'm not sure that every American company, by law, must implement a backdoor, 
> as you imply. The last time I checked, iMessage was a very secure platform 
> with no known vulnerabilities — which in fact has made Apple struggle with US 
> agencies more than a few times.

Has there been any litigation with the NSA? I only
saw interaction with the FBI - and the FBI has a
less prioritary job: law enforcement. Nothing that
is worth questioning national security for, so I
would assume FBI doesn't get the same clearances
as NSA. You can't monitor an entire population if
strategically unimportant offences like child abuse
would blow your cover - thus it is mathematical that
FBI cannot have the access privileges of NSA.

By "last time I checked" you don't mean the code
that is actually deployed into those devices but
merely "checked the news", right?


Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-14 Thread Cristina [efecto99]
On 14/01/17 10:02, carlo von lynX wrote:
> On Fri, Jan 13, 2017 at 07:26:29PM -0500, Sebastian Benthall wrote:
>> https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/
 https://www.theguardian.com/technology/2017/jan/13/
> I've also read 
> http://www.golem.de/news/schluesselaustausch-aufregung-um-angebliche-whatsapp-backdoor-1701-125571.html
> and https://tobi.rocks/pdf/whatsappslides.pdf
> and to me it seems like all of the articles are
> technically describing the same procedure.
> The difference is only in the framing.
>
> For Facebook it is a necessity that people not be
> bothered by key changes, for anyone in the libtech
> business it is an alarming signal that MITM is
> technically possible by default and users must be
> specifically aware of the issue to avoid it.
>
> But why is anyone even expecting any true privacy
> from an American proprietary product? Have the
> PRISM and MUSCULAR programs suddenly been discontinued?
> Has Freedom Act amended NSLs also for non-Americans?
> How could Facebook afford not to pump everything they
> can get into XKEYSCORE as before? Why did the European
> Supreme Court rule that the US is not a safe harbor
> for EU citizen data? Did I miss any recent developments?
>
> Is it the general strategy to have people debate whether
> there is a backdoor when by law Whatsapp MUST have some
> backdoor?
>

This can just be answered with a: <3 thanks Carlo!

Amnesia seems to be the sign of our society; thanks to the ones that
remain coherent.

Cristina (99)


-- 
This communication may be legally and/or illegally collected, stored and
used by various actors. If in doubt about the content you are sharing,
avoid sending it unencrypted.


Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-14 Thread FL
I'm not sure that every American company, by law, must implement a backdoor, as 
you imply. The last time I checked, iMessage was a very secure platform with no 
known vulnerabilities — which in fact has made Apple struggle with US agencies 
more than a few times.

FL

> On 14-01-2017, at 10:02, carlo von lynX  wrote:
> 
>> On Fri, Jan 13, 2017 at 07:26:29PM -0500, Sebastian Benthall wrote:
>> https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/
 https://www.theguardian.com/technology/2017/jan/13/
> 
> I've also read 
> http://www.golem.de/news/schluesselaustausch-aufregung-um-angebliche-whatsapp-backdoor-1701-125571.html
> and https://tobi.rocks/pdf/whatsappslides.pdf
> and to me it seems like all of the articles are
> technically describing the same procedure.
> The difference is only in the framing.
> 
> For Facebook it is a necessity that people not be
> bothered by key changes, for anyone in the libtech
> business it is an alarming signal that MITM is
> technically possible by default and users must be
> specifically aware of the issue to avoid it.
> 
> But why is anyone even expecting any true privacy
> from an American proprietary product? Have the
> PRISM and MUSCULAR programs suddenly been discontinued?
> Has Freedom Act amended NSLs also for non-Americans?
> How could Facebook afford not to pump everything they
> can get into XKEYSCORE as before? Why did the European
> Supreme Court rule that the US is not a safe harbor
> for EU citizen data? Did I miss any recent developments?
> 
> Is it the general strategy to have people debate whether
> there is a backdoor when by law Whatsapp MUST have some
> backdoor?
> 
> -- 
>  E-mail is public! Talk to me in private using encryption:
> http://loupsycedyglgamf.onion/LynX/
>  irc://loupsycedyglgamf.onion:67/lynX
> https://psyced.org:34443/LynX/

Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-14 Thread carlo von lynX
On Fri, Jan 13, 2017 at 07:26:29PM -0500, Sebastian Benthall wrote:
> https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/
> > > https://www.theguardian.com/technology/2017/jan/13/

I've also read 
http://www.golem.de/news/schluesselaustausch-aufregung-um-angebliche-whatsapp-backdoor-1701-125571.html
and https://tobi.rocks/pdf/whatsappslides.pdf
and to me it seems like all of the articles are
technically describing the same procedure.
The difference is only in the framing.

For Facebook it is a necessity that people not be
bothered by key changes, for anyone in the libtech
business it is an alarming signal that MITM is
technically possible by default and users must be
specifically aware of the issue to avoid it.

But why is anyone even expecting any true privacy
from an American proprietary product? Have the
PRISM and MUSCULAR programs suddenly been discontinued?
Has Freedom Act amended NSLs also for non-Americans?
How could Facebook afford not to pump everything they
can get into XKEYSCORE as before? Why did the European
Supreme Court rule that the US is not a safe harbor
for EU citizen data? Did I miss any recent developments?

Is it the general strategy to have people debate whether
there is a backdoor when by law Whatsapp MUST have some
backdoor?

-- 
  E-mail is public! Talk to me in private using encryption:
 http://loupsycedyglgamf.onion/LynX/
  irc://loupsycedyglgamf.onion:67/lynX
 https://psyced.org:34443/LynX/


Re: [liberationtech] Fwd: [WhatsApp backdoor allows snooping on encrypted messages]

2017-01-14 Thread F LM
So I guess we can go back to what we were talking about a few days ago. You 
know, "fake news".

FL

> On 13-01-2017, at 21:26, Sebastian Benthall  wrote:
> 
> https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/
> 
>> On Jan 13, 2017 9:14 AM, "Rich Kulawiec"  wrote:
>> It is long *past* time for everyone involved in the kinds of activities
>> discussed here to completely and permanently excise Facebook's
>> services/products from their computing environment.  No excuses.
>> 
>> ---rsk
>> 
>> 
>> - Forwarded message from Richard Forno  -
>> 
>> > To: Infowarrior List 
>> > Date: Fri, 13 Jan 2017 08:18:42 -0500
>> > Subject: [Infowarrior] - WhatsApp backdoor allows snooping on encrypted
>> >   messages
>> >
>> >
>> > WhatsApp backdoor allows snooping on encrypted messages
>> >
>> > https://www.theguardian.com/technology/2017/jan/13/whatsapp-backdoor-allows-snooping-on-encrypted-messages
>> >
>> > A security backdoor that can be used to allow Facebook and others to
>> > intercept and read encrypted messages has been found within its WhatsApp
>> > messaging service.
>> >
>> > Facebook claims that no one can intercept WhatsApp messages, not even the
>> > company and its staff, ensuring privacy for its billion-plus users. But
>> > new research shows that the company could in fact read messages due to
>> > the way WhatsApp has implemented its end-to-end encryption protocol.
>> >
>> > Privacy campaigners said the vulnerability is a ‘huge threat to freedom
>> > of speech’ and warned it can be used by government agencies to snoop
>> > on users who believe their messages to be secure. WhatsApp has made
>> > privacy and security a primary selling point, and has become a go to
>> > communications tool of activists, dissidents and diplomats.
>> >
>> > < - >
>> >
>> > Boelter reported the backdoor vulnerability to Facebook in April 2016,
>> > but was told that Facebook was aware of the issue, that it was ‘expected
>> > behaviour’ and wasn’t being actively worked on. The Guardian has
>> > verified the backdoor still exists.
>> >