
Israeli espionage firm hacks WhatsApp. Can install spyware with missed call.

theguardian.com/technology/201

My advice: dump WhatsApp today and start using Wire (wire.com/en/products/personal-). Tell your friends and family to do the same. (It’s a simple, free download on all app stores. Easy to use, doesn’t require your phone number, and their business model is based on charging for commercial use and for pro accounts.)

You can find more alternatives on @switchingsocial (switching.social/ethical-alter)

@aral @switchingsocial I like Wire but the fact contact lists aren't encrypted is problematic

@aral What about Matrix? Or good, old fashioned XMPP? (via Xabber / Pidgin)

@GothFvck xmpp does not work for modern use cases. Not because of the protocol but because of the many many ways it can break.

@clerical I use it. But they want your phone number and they’ve let themselves be used to whitewash both Google and Facebook on privacy so I prefer Wire. They’re the best options at the moment. But also keep your eye on Jami.

@aral In the last 2 weeks I moved from Signal to Wire and, since today, to XMPP. The reasons are Signal doesn't "accept" third-party clients and Wire being unreliable without Google Play services
@clerical

@aral @switchingsocial I've read a lot of comments from people saying Wire is not a good messenger, so I guess I'll stick with Signal for now.

The only annoying thing is that I need to give people my phone number.

@DC7IA @switchingsocial Can you give me a few links to those comments. I’d like to see what the actual arguments are.

@aral @switchingsocial I'd need to google again for opinions. I did not read them today.

@aral @switchingsocial My issue is I can't seem to find good arguments to convince my friends to switch to a privacy-friendly app like Wire, they're always like "do I care if my conversations get spied on, I'm not a Minister," and I don't know what to tell them

@gaperst @aral @switchingsocial

If you don't mind risking some smugness, you can ask them for permission to install a recording device in their house. "I promise not to do anything bad with it, I just have my reasons."

Typically people are fine with privacy invasion because there's no face attached and they can't foresee consequences. Remove one or both and people start to piece the problem together.

@gaperst @aral

It's not just government spies that spy on people, those are just the ones that get the headlines.

Smaller criminals use privacy exploits to steal people's money, to commit fraud in their name, or distribute all kinds of dubious/illegal material.

(A friend recently asked for help moving to a better email account because their yahoo had been hijacked to send all kinds of dubious spam.)

@switchingsocial @aral I'm convinced we should use as many means as possible to protect ourselves from this kind of threat, but you can't deny the chances it happens to some random proprietary software user are low, and the risk doesn't really justify the effort of changing your habits: if you get your money stolen, you have insurance, if your identity is stolen, too bad but nothing actually *did* happen to you, etc.

That is why I can't convince my friends to change their habits.

@gaperst @aral

If you leave your front door unlocked, it's probably going to be ok. But the consequences if some violent person comes in are pretty terrible (and that has happened to an acquaintance of mine).

Identity theft is a hideous thing to get out of, especially if you live in a country with heavy dependence on credit rating agencies etc.

@switchingsocial I like your comparisons. Thank you for your answers.

@gaperst @aral @switchingsocial Such people need to understand that it could have bad personal consequences in the future especially when multiple datasets from different sources are combined & that it's a danger to democracy if so many people use one centralized, proprietary messenger. Both points have nothing to do with being a minister, activist or just an ordinary person.

@aral @DC7IA
I'm curious as well. Largest problem of #Wire is the lack of users, but otherwise it's not worse than others, and its security is on par with #Signal. And in contrast you can run Wire server on your server (theoretically, since it's heavily wired into amazon).

@DC7IA @grin @aral
Yes, Signal and Wire have desktop versions; I am using both on my Linux

@grin @aral @DC7IA I wouldn't say Wire's security is on par with Signal's. People can sign up to Wire without giving away their phone number, that's true, but Signal has some really clever security and privacy features that Wire currently lacks. Here are 3 of them:

Encrypted profiles
signal.org/blog/signal-profile

Private contact discovery
signal.org/blog/private-contac

Sealed sender
signal.org/blog/sealed-sender/

@tobiaalberti @aral @DC7IA I stand corrected, it is not on par with Signal in the general sense; however its security regarding e2ee is the same, it is completely anonymous in contrast to signal, and can use self-hosted server. (I'm not sure what's the current status of Signal group size and usability, and some long-standing unfixed bugs. Same for wire.)

@grin @aral @DC7IA Didn’t Telegram’s MTProto encryption protocol receive some pretty worrying reviews from the infosec community over the years?

@tobiaalberti @aral @DC7IA I cannot recall any part of #Telegram (including #MTProto) which did not get some pretty worrying review… Unless it's been changed radically it is not much more secure than #hangouts in the general case (when you don't select manually secure one-to-one chat, which is only as secure as mtproto, which is believed to be not very much).

@DC7IA The Wire UI on Android is quite horrible, and doesn't follow any of the design patterns for the platform. That makes the app difficult to use for normal users, and I heard it's completely unusable for blind people.

@aral @switchingsocial

@aral @switchingsocial According to @privacytools, Wire keeps a list of all the users you contact until the account is deleted, and therefore is not so privacy-friendly.

@aral @switchingsocial I would recommend #riot / #matrix all open source and federated. And you have your choice of clients.

@aral @switchingsocial I'd suggest starting to use Delta.Chat because of its 100% #Decentralized, Free (as in #Freedom) server backend! #DeltaChat #Email #EmailIsCool

@aral I am somewhat skeptical that this is a hack or exploit, from what I've read into this, it appears more they found a back-door not intended for them and used it for interception.

@aral @switchingsocial
>"Attackers could transmit the malicious code to a target’s device by calling the user and infecting the call whether or not the recipient answered the call. "

"Infecting" a call? How is this possible? 🤔

@aral @switchingsocial

Oh wait. I thought Whatsapp was just a messenger app, but apparently it does VOIP calls too, so I guess they're talking about calls via the app, not regular phone calls on the phone line.

@leadore @aral @switchingsocial My understanding is as follows: Whatsapp asks for permission to make and answer phone calls. Now when an incoming call sends some crafted code with it, this crashes whatsapp and allows for running the exploit.

Aral’s Mastodon

This is my personal Mastodon.