Newsletter 3: January 24th 2024

Thank you for reading this newsletter (and for your patience this week; I got sick over the weekend which explains the slight delay). If someone forwarded this newsletter to you, that is very kind of them and don't forget to thank them for it. You can subscribe here to receive future newsletters directly into your inbox.

Something nice for Spanish speakers, Diego Morábito has been kind enough to start translating these newsletters into Spanish. Until I find a better way of sharing these, I'm putting them on the website. You can find the first one here.

Martijn
(martijn@lapsedordinary.net)

We need to talk about WhatsApp. Or do we?

Earlier this month, security researcher Tal Be’ery reported on a security issue in WhatsApp which discloses how many linked devices (if any) someone has connected to their WhatsApp account. This information is visible to anyone who knows the target’s phone number, even if that person has been blocked.

More precisely, you can use the web version of WhatsApp to see contacts’ “identity keys”, each of which corresponds to a device. So if there is more than one such key, the user is using multiple devices. (Be’ery explains how to do this in a browser; I confirmed it works and it's not hard to do.)

To allow for end-to-end encryption with multiple devices, WhatsApp creates a unique key pair for each device, whose public key is the identity key that contacts need in order to encrypt and send messages to that device. You can think of each device as its own participant in a (group) chat, and so every WhatsApp instance needs to store a public key for every device of every contact.

It is true that this design is less than ideal. Commenting on the issue in TechCrunch, Runa Sandvik (Granitt) says it could be useful for gathering information and plotting attacks. Indeed, a very skilled adversary could use this information to deploy an exploit that only works in the browser, knowing that their target uses WhatsApp in a browser.

This is an extreme edge case. I write this newsletter for those who have reason to worry about edge cases in general, but even so I don’t think this is a major concern, not even for at-risk individuals. That said, I do generally recommend Signal, which is more tailored towards at-risk people. And as a general principle, if you are really worried about edge cases, it’s good practice to limit your online exposure*. Not using a messaging account on more than one device is one example of that.

* In cybersecurity, which unfortunately borrows heavily from military language, this is called ‘reducing your attack surface’.

It is possible for WhatsApp to fix this 'issue' (in a follow-up post Be'ery explains how), but I don't expect it to be a big priority for them. It's certainly not something that should be used to get people off WhatsApp in favour of less secure alternatives (as has happened in the past). Less than ideal though it may be in some respects, I still think WhatsApp's security is pretty impressive for such a widely used messaging app.

What else?

A blog post from security researcher Troy Hunt looks at a massive database of stolen website credentials that was recently discovered. The post gives some insight into how passwords are commonly stolen these days: not from websites or services, as most of them store passwords in a half-decent way*, but by malware that steals credentials from infected machines. (Phishing will play a role too, though I suspect it is less effective at stealing passwords than malware is.) Hunt does note that many of the credentials in the database go back more than a decade, so it is also a reminder that the Internet never forgets. In any case, it is a good opportunity to recommend Hunt's free Have I Been Pwned? service, which lets you check or monitor whether your email address has appeared in a data breach.

* By using hashes and salts, which make the passwords significantly harder to recover once the database is stolen.

7amleh, the Arab Center for the Advancement of Social Media, published its 9th annual report 'Hashtag Palestine 2023' on the violations of digital rights of Palestinians and their supporters and how these violations have increased following the Israeli war on the Gaza Strip.

The Great Firewall of China is well known for preventing information from getting into the country, but the Tibetan Action Institute writes how a 'firewall' is also used to prevent information from China-occupied Tibet from getting out of the region, and how Tibetans are forced to police each other, creating a kind of internal firewall.

The Open Technology Fund's ICFP Fellow Beau Kujath worked together with Mexico’s SocialTIC to analyze nine* popular Latin American mobile apps and found their security to be lacking, from sending data over plain HTTP to freely sending your personal data to many servers. While these issues may not mean that anyone can get access to your account, they certainly aren't great, and they are another argument for at-risk individuals to take a minimalist approach to installing apps.

* Or, as the report calls it: eight.

Non-security things

A book I enjoyed: I knew the 'multiverse' as a concept from some pretty confusing movies, but not until I read Laura Mersini-Houghton's Before the Big Bang: The Origin of the Universe and What Lies Beyond did I realize it is also a concept in a branch of theoretical physics which argues that our universe is one of many. I love this stuff where physics meets philosophy, and Mersini-Houghton explains things quite well, though at times it helped that I have a background in mathematics. As a nice bonus, she neatly weaves in scenes from her personal life growing up in communist Albania.

A song I liked: Del Shannon - Runaway (Spotify - YouTube)
Last year, I finally got round to reading Bob Stanley's long history of pop music, Yeah Yeah Yeah. It's a great book and an excellent resource for discovering 'new' music, especially from the early days of pop. Del Shannon's 1961 hit Runaway is one of my favourites, because of the irresistible way Shannon sings wo-wo-wo wonder and because of the Musitron synthesizer solo that neatly breaks the song in two.