undefined | Better HN

0 pointsadmax88q9y ago0 comments

I wouldn't trust whatsapp even before this revelation.

I would never trust a closed source messaging app if I was an activist, regardless of what encryption they claim to implement.

0 comments

hiram1129y ago

I wouldn't trust anything owned by Facebook. Period.

javajosh9y ago

The security of a system is only as strong as it's weakest link, which in this case is the system software (OS and drivers) and hardware. Imagine that baseband-hardware has been fitted with a backdoor that simply says "encrypt all textual input and send to this address". Even better to piggy back to a well-known endpoint, like Facebook, then compromise that (which is easy if you're a state actor). The only thing that really saves us is that it's just too much data! (Well, that and the fact that most of us are happily playing the games of commerce, and not particularly interesting to state security services.)

afshinmeh9y ago

Good point. At least as a technical person, I would like to use an open-source messaging application.

Of course I'm not going to read the source code but at least I'm sure developers behind the app do not open a backdoor for someone else.

xorcist9y ago

The mobile space is tricky. A source code dump doesn't really do much beyond "trust us, this is what you get from App Store too". You also need the possibility to build the software yourself, which include things like API keys, before we're close to what assurances open source software used to give us.

derefr9y ago

The nice thing about a FOSS mobile app is that you can (in theory, at least) sideload it. A covert operation could just gather up everyone's devices, build a fresh copy of the app, and then sideload that copy for everybody.

Of course, for that to be feasible, the network architecture of the app must not require API keys—and so must either be purely peer-to-peer, or involve a FOSS server component that the developer can run an instance of themselves (as in the Matrix protocol.)

seangrogg9y ago

While I'm totally the same in this regard, this does feel a bit like an open-source version of the bystander effect.

OJFord9y ago

I don't know what the bystander effect is, but I assume we're taking about the same thing: I often feel that everyone is, along with myself, thinking "great - open source! I'm sure someone's checking it."

Of course, the counter is that if you publish it you don't risk that someone actually is checking.

Open beats closed, but we must be careful not to think it immediately makes the code sound.

I've been thinking about this particularly recently in relation to Monzo, the will-be bank. There's no web app and slow progress on the android front. Lots of open source effort though, since they publish an API, but... That's my bank account I'm (not) giving open source developers access to.

1 more reply

CamelCaseName9y ago

I suppose the difference is that the bystander effect has a connotation with the person stepping in not getting any real benefit personally (e.g. breaking up a fight) vs. here where you would get some name recognition for calling out Signal (for example)

j / k navigate · click thread line to collapse