A letter to Facebook

What’s up with WhatsApp?


You may have seen the numerous press articles this week advising you to update your WhatsApp. The advice came from WhatsApp, which has 1.5 billion users and is owned by Facebook.

The reason for asking people to update the app on their smartphones was the discovery that hackers had been able to remotely install surveillance software on phones via a “major vulnerability” in the app. According to the BBC, WhatsApp said the attack targeted a “select number” of users and was orchestrated by “an advanced cyber-actor”.

Facebook discovered the flaw in the technology earlier this month. It threatened to break WhatsApp’s promise to its users of being a “secure” communications app with messages that are end-to-end encrypted. This means they should only be displayed in a legible form on the sender or recipient’s device. However, the surveillance software would have let an attacker read the messages on the target’s device.

The WhatsApp team found a fix for the problem last Friday, after which people could download the new app without the ‘bug’, although some users appeared to be disgruntled that Facebook hadn’t published any notes about the fix itself.

It is likely that those whose phones may have been targeted by the hackers are “Journalists, lawyers, activists and human rights defenders,” Ahmed Zidan of the Committee to Protect Journalists told the BBC.

How did hackers use the security flaw?

One thing they did was use WhatsApp’s voice call function to ring a target’s phone. Even if the target didn’t answer the call, the surveillance software was installed on their phone. Furthermore, the call was removed from the call log, so the person who didn’t answer it wouldn’t even see that they had missed a call from an unknown number.

Facebook and WhatsApp told the press on Monday: “The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems.”

It also issued a briefing to security specialists stating, “A buffer overflow vulnerability in WhatsApp VOIP [voice over internet protocol] stack allowed remote code execution via specially crafted series of SRTCP [secure real-time transport protocol] packets sent to a target phone number.”

The attack was old-fashioned

As Professor Alan Woodward pointed out, this is a “pretty old-fashioned” method of attack. He explained what happened: “A buffer overflow is where a program runs into memory it should not have access to. It overflows the memory it should have and hence has access to memory in which malicious code can potentially be run. If you are able to pass some code through the app, you can run your own code in that area. In VOIP there is an initial process that dials up and establishes the call, and the flaw was in that bit. Consequently you did not need to answer the call for the attack to work.”
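An added example (not from the original article, and not WhatsApp’s code) of the bounds checks whose absence produces the kind of buffer overflow described above, applied to a message that is parsed before any call is answered. The message layout, the 64-byte limit and the names `parse_checked` and `check_sample` are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed message format (an assumption for illustration):
 * type (1 byte) | payload length (2 bytes, big-endian) | payload */
#define HDR_LEN     3
#define PAYLOAD_MAX 64

enum { PARSE_OK = 0, ERR_TRUNCATED = -1, ERR_LEN_MISMATCH = -2, ERR_TOO_LARGE = -3 };

struct ctrl_msg {
    uint8_t  type;
    uint16_t len;
    uint8_t  payload[PAYLOAD_MAX];
};

/* A parser that copied `declared` bytes without the checks below would
 * trust a sender-controlled length and write past the end of payload[].
 * Here every length is validated before any byte is copied. */
int parse_checked(const uint8_t *pkt, size_t pkt_len, struct ctrl_msg *out)
{
    if (pkt == NULL || out == NULL || pkt_len < HDR_LEN)
        return ERR_TRUNCATED;                 /* header not fully present */
    uint16_t declared = (uint16_t)((pkt[1] << 8) | pkt[2]);
    if ((size_t)declared > pkt_len - HDR_LEN)
        return ERR_LEN_MISMATCH;              /* would read past the input */
    if (declared > PAYLOAD_MAX)
        return ERR_TOO_LARGE;                 /* would write past payload[] */
    out->type = pkt[0];
    out->len  = declared;
    memcpy(out->payload, pkt + HDR_LEN, declared);
    return PARSE_OK;
}

/* Builds a constructed packet whose header declares `declared` payload
 * bytes while `actual` bytes follow, and returns the parser's verdict. */
int check_sample(uint16_t declared, size_t actual)
{
    uint8_t pkt[HDR_LEN + 256] = {0};
    struct ctrl_msg m;
    if (actual > 256) actual = 256;           /* stay inside the sample buffer */
    pkt[0] = 1;
    pkt[1] = (uint8_t)(declared >> 8);
    pkt[2] = (uint8_t)(declared & 0xff);
    return parse_checked(pkt, HDR_LEN + actual, &m);
}
```
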

We don’t know how many people were targeted in this attack, and there are some questions that remain to be answered about whether updating the app on your phone effectively removes the spyware in its entirety. Furthermore, WhatsApp has not said whether the attack could extend beyond WhatsApp and reach other personal data on the phone.

But, even if you are not a journalist, a lawyer or a human rights activist, download the new version of the app, because as always it is better to be safe than sorry.

Could Silicon Valley be the Encryption Killer?

If you value your privacy online then you logically must also be a supporter of encryption. It frightens governments, because encryption prevents them from undertaking mass surveillance on all of our communications. For the longest time, Silicon Valley has been the defender of encryption, but Kalev Leetaru, writing for Forbes, believes that the one-time protector of our privacy may be taking another road and rolling back the protections that encryption provides us with.

The reason behind this change of heart is not to help out governments: it is, Leetaru suggests, “for their own profit-minded needs to continue mining, monetising and manipulating their users.”

Encryption puts a dent in profits

Encryption is a way of securing Internet communications and keeping them away from the prying eyes of the ‘Deep State’ as well as cybercriminals. In the early days of Silicon Valley, encryption was “a value-add that had no impact on their own use of their users’ data.” Then came Edward Snowden and the Valley firms portrayed themselves as standing up against governments on behalf of their users. However, what was also happening was that they were “encouraging their users to share ever more intimate information to be mined.”

As Leetaru points out, “The movement from HTTP to HTTPS was an easy sell for the major internet companies,” simply because the cost of migrating, including SSL certificates and all the other changes required, was borne by the websites, not Silicon Valley. The only thing they had to pay for “was the added cryptographic computational cost, necessitating some additional hardware investment.”

And here is something important to consider in this debate: SSL only protected user communications in transit. The major Internet companies could still access user data in unencrypted form and use it to monetise their users.

What will Facebook do?

However, end-to-end encryption is a threat to these Silicon Valley companies and the cash they can make from our personal data. Look at Facebook and WhatsApp, which uses end-to-end encryption. Leetaru remarks that Facebook’s “entire existence is prefaced on the ability to mine its users’ most personal and private communications.” And you can bet that Facebook is looking at ways of working around the protections of the WhatsApp encryption in order to continue mining its users’ private communications.

Unfortunately, “the rise of end-to-end encryption is finally aligning the interests of both governments and Silicon Valley,” and while we see governments as the enemy of privacy, it is Silicon Valley that poses a threat in the name of profit.

Facebook and Telegram move in on crypto

Although it has taken Internet messaging giants a while to join the cryptocurrency scene, it was inevitable that they would become involved at some point. So, it’s no surprise to see a New York Times article by Nathaniel Popper and Mike Isaac discussing how “Facebook, Telegram and Signal, are planning to roll out new cryptocurrencies over the next year that are meant to allow users to send money to contacts on their messaging systems, like a Venmo or PayPal that can move across international borders.”

Facebook’s secretive actions have been much discussed in the last few weeks, as the company has been employing blockchain engineers and crypto experts and has been in talks with crypto exchanges, but as yet hasn’t revealed its precise plans. It is believed that Facebook is working on a token for WhatsApp that would allow users to send the tokens to other users almost instantly.

Telegram, the messenger channel used by numerous crypto-related projects, is also working on a digital asset in some form. Meanwhile, Signal, which is a specialist messaging service used by technology specialists and those working on privacy issues, is also said to have a token in the works.

The messenger app advantage

The advantage companies like Facebook and Telegram have over bitcoin and other cryptocurrencies is this: they already have millions and millions of users; Telegram has 300 million worldwide and Facebook has billions. In other words they have a global reach that the crypto projects as yet don’t have and as a result Facebook and Telegram can make the digital wallets used for cryptocurrencies available, in an instant, to hundreds of millions of users.

Eric Meltzer, co-founder of a cryptocurrency-focused venture capital firm, Primitive Ventures, remarked, “It’s pretty much the most fascinating thing happening in crypto right now. They each have their own advantage in this battle, and it will be insane to watch it go down.”

Regulations may be problematic

However, the likes of Facebook and Telegram may face the challenge that existing crypto platforms know all too well — the issue of regulations. Popper and Isaac state that the messaging companies are likely to face many of the same regulatory and technological hurdles that have kept bitcoin from going mainstream.

Will it be a crypto token or a stablecoin?

It is likely that Facebook will opt for a stablecoin solution, although it is rumoured that its token will be pegged to a basket of currencies rather than just the US dollar. This will make the token unattractive to speculators, but attractive to consumers who would be able to use the token to pay for goods knowing that it has a stable value. Furthermore, as Popper and Isaac suggest, “Facebook could guarantee the value of the coin by backing every coin with a set number of dollars, euros and other national currencies held in Facebook bank accounts.” As Meltzer says, it is going to be exciting to watch how it plays out with Facebook and Telegram.