Given how WhatsApp is the de-facto way to communicate outside of the West and China, these security/data-handling "weaknesses" are most likely a feature, not a bug. An absolute bonanza for the certain intelligence services.
Remember, kids: End to end encryption is useless if the "ends" are fully controlled by an (untrustworthy) third party.
> According to the 115-page complaint, Baig discovered through
> internal security testing that WhatsApp engineers could “move
> or steal user data” including contact information, IP addresses
> and profile photos “without detection or audit trail”.
That isn't really the breach you're making it out to be. Profile photos, unless made private/contacts only, are already publicly visible, and so is "contact information".
Of course these are useful to intelligence services, but this doesn't mean that Baig found they don't have true end-to-end encryption.
> A Meta spokesperson, Andy Stone, wrote on Threads, the company’s text-based social network: “Sadly this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team.”
Skeletons keep piling up while PR try to dismiss them
From enabling genocide in Myanmar, to interfering with elections, to giving user data to third parties in violation of its own daya policies, to straight up weird stuff like pirating/torrening books to train their steaming pile of garbage called llama, to having sex chatbots be weird to children.
And then there is the even weirder decisions of zuck, the biggest loser of all:
- VR didnt seem to catch on
- the metaverse is a giant smelly pile of poo and he sunk millions in it
- he is hiring AI engineers at absurd money in a rapidly cooling bubble market
- he immediately started ass kissing the orange stain that calls himself president
Is he purposefully trying to be a caricature cartoon vilain, a grotesque loser, and his company an emblem of evil? Or is it just cluelessness?
Seems just in line with all the other Meta Scandals: from providing a platform for genocide in Myanmar, harming the psychology of 100s of millions of teenagers (Instagram) to pushing extremist and fascists content while receiving big ad cash dollars for propaganda that lifts criminals and fascist politicians into the highest offices. Meta has no red lines, as long as it lines Zuckerberg's pockets.
If you haven't already: Signal is the strongest independent e2e encrypted consumer app that is driven by a non-profit organisation using a zero knowledge approach.
I hate Meta as much as the next person, but it feels like "endangering billions of users" is exagerating here. The complaint is pretty much that WhatsApp engineers can access metadata (NOT the content of the messages).
This said, WhatsApp is not open source, so it's impossible for users to verify how the encryption works, so users have to trust that it's properly end-to-end encrypted.
If you care about privacy (and you should), then you should use Signal instead of WhatsApp.
Didn't Hacker News feature an article on their home page at some point (10 years ago?) that at that time Facebook misconfigured something and users could observe their data being fed directly to some Israeli intelligence company? That was the day I deleted my FB account and never looked at anything they offer anymore.
I've seen some people right here on HN say that Whatsapp was an inspired acquisition and Zuck is a great product guy, knows what to buy and who to hire
"He also claimed the company failed to remedy the hacking and takeover of more than 100,000 accounts each day, ignoring his pleas and proposed fixes and choosing instead to prioritize user growth."
There is no oversight of these monstrosities of any sort. I doubt anyone would have issues with the thesis that Meta would implement anything that might curb their user numbers unless it was mandated.
Why would they? They are beholden to their shareholders first. If it isn't illegal then it isn't illegal, immoral perhaps but that is not illegal, unless it is illegal.
My learned friends are going to have to really get their bowling arms warmed up for this sort of skit. For starters, you need a victim ... err complainant.
> In his whistleblower complaint, Baig is requesting reinstatement, back pay and compensatory damages, along with potential regulatory enforcement action against the company.
If the company is so bad (it is), why does he want back?!
'Just pay me the salaries I "missed", and keep them coming.' The regulatory action is just "potential".
Unsurprising given it’s been an open secret for over a decade that Meta employees will (if you have the right contacts or amount of money), orchestrate banning or seizing long-standing active accounts with desirable usernames and giving them to their friends or the highest bidder.
> WhatsApp engineers could “move or steal user data” including contact information, IP addresses and profile photos “without detection or audit trail”.
That's rather surprising about the accessing user data bit. When I was at Meta, the quickest way to get fired as an engineer was to access user data/accounts without permission or business reason. Everything was logged/audited down to the database level. Can't imagine that changing and the rules are taught very early on in the onboarding/bootcamp process.
When it comes to e2e encryption it's important for the ends to be static (not web apps) and auditable (open source, reproducible builds) because the software running on the ends can trivially compromise anything going trough either of them. It can be as simple as a script being loaded from the server into a runtime such as Lua (closed source app). Or custom javascript delivered (web app).
When these conditions aren't met, any e2e encryption claim can be dismissed out of hand. This does not mean the service offers no value, it just means it cannot be trusted to keep anything confidential.
36 comments
[ 3.2 ms ] story [ 65.6 ms ] threadRemember, kids: End to end encryption is useless if the "ends" are fully controlled by an (untrustworthy) third party.
> According to the 115-page complaint, Baig discovered through
> internal security testing that WhatsApp engineers could “move
> or steal user data” including contact information, IP addresses
> and profile photos “without detection or audit trail”.
That isn't really the breach you're making it out to be. Profile photos, unless made private/contacts only, are already publicly visible, and so is "contact information".
Of course these are useful to intelligence services, but this doesn't mean that Baig found they don't have true end-to-end encryption.
Skeletons keep piling up while PR try to dismiss them
From enabling genocide in Myanmar, to interfering with elections, to giving user data to third parties in violation of its own daya policies, to straight up weird stuff like pirating/torrening books to train their steaming pile of garbage called llama, to having sex chatbots be weird to children.
And then there is the even weirder decisions of zuck, the biggest loser of all:
- VR didnt seem to catch on
- the metaverse is a giant smelly pile of poo and he sunk millions in it
- he is hiring AI engineers at absurd money in a rapidly cooling bubble market
- he immediately started ass kissing the orange stain that calls himself president
Is he purposefully trying to be a caricature cartoon vilain, a grotesque loser, and his company an emblem of evil? Or is it just cluelessness?
This said, WhatsApp is not open source, so it's impossible for users to verify how the encryption works, so users have to trust that it's properly end-to-end encrypted.
If you care about privacy (and you should), then you should use Signal instead of WhatsApp.
Counterpoint: he's a monopolist and scummy person (https://news.ycombinator.com/item?id=1692122) who refuses to stop (https://arstechnica.com/tech-policy/2019/09/snapchat-reporte...) from the early days onwards (https://news.ycombinator.com/item?id=1169354)
https://news.ycombinator.com/item?id=15007454
There is no oversight of these monstrosities of any sort. I doubt anyone would have issues with the thesis that Meta would implement anything that might curb their user numbers unless it was mandated.
Why would they? They are beholden to their shareholders first. If it isn't illegal then it isn't illegal, immoral perhaps but that is not illegal, unless it is illegal.
My learned friends are going to have to really get their bowling arms warmed up for this sort of skit. For starters, you need a victim ... err complainant.
If the company is so bad (it is), why does he want back?!
'Just pay me the salaries I "missed", and keep them coming.' The regulatory action is just "potential".
I have no sympathy for Meta, but this guy...
So not messages.
Complaint:
https://storage.courtlistener.com/recap/gov.uscourts.cand.45...
When these conditions aren't met, any e2e encryption claim can be dismissed out of hand. This does not mean the service offers no value, it just means it cannot be trusted to keep anything confidential.