The Ultimate Bad Take: Bloomberg's Leonid Bershidsky Thinks A WhatsApp Vulnerability Proves End To End Encryption Is Useless
from the no,-no,-wrong,-wrong dept
Bloomberg has really been on a roll lately with getting security stories hellishly wrong. Last fall it was its big story claiming that there was a supply chain hack that resulted in hacked SupermMicro chips being used by Amazon and Apple. That story has been almost entirely debunked, though Bloomberg still has not retracted the original. Then, just a few weeks ago, it flubbed another story, claiming that the presence (years ago) of telnet in some Huawei equipment was a nefarious backdoor, rather than a now obsolete but previously fairly common setup for lots of equipment for remote diagnostics and access.
The latest is an opinion piece, rather than reporting, but it’s still really bad. Following yesterday’s big revelation that a big security vulnerability was discovered in WhatsApp, opinion columnist Leonid Bersidsky declared it as evidence that end-to-end encryption is pointless. This is, to put it mildly, a really, really bad take. The whole article is a confused jumble of mostly nonsense, mixed with stuff that was already widely known and irrelevant:
The discovery that hackers could snoop on WhatsApp should alert users of supposedly secure messaging apps to an uncomfortable truth: ?End-to-end encryption? sounds nice ? but if anyone can get into your phone?s operating system, they will be able to read your messages without having to decrypt them.
Um. Duh? The whole point of end-to-end encryption is that it protects messages in transit and not at rest. That’s the whole “end-to-end” bit. At the ends it’s decrypted. You can also encrypt content on a device — this is what the FBI is so annoyed about regarding Apple’s iPhone encryption — but to argue that end-to-end encryption is pointless because it doesn’t do what it’s not supposed to do in the first place is crazy.
It gets worse:
?End-to-end encryption? is a marketing device used by companies such as Facebook to lull consumers wary about cyber-surveillance into a false sense of security.
It is true that some people confuse “end-to-end encryption” with perfect security, which it is not. But it is simply wrong (laughably so) to say that it’s merely a “marketing device.” In actuality, end-to-end encryption is a hugely important part of what keeps your data protected when you communicate online. It provides real security for the conditions it’s designed to provide security for — and not other conditions, such as the one the hack takes advantage of.
Bershidsky complaining about on-device malware reading your WhatsApp messages as being evidence that end-to-end encryption is pointless is like arguing that you should never wear seatbelts because they won’t protect you if you drive off a cliff. Seatbelts protect you in lots of common scenarios, but might not protect you in extreme scenarios like driving off a cliff. And end-to-end encryption protects you in lots of messaging scenarios, but won’t protect you if someone can install something directly on your device.
The tug of war between tech firms touting end-to-end encryption as a way to avoid government snooping and state agencies protesting its use is a smokescreen. Government and private hackers are working feverishly on new methods to deploy malware with operating system-wide privileges.
It’s not a “smokescreen.” It’s dealing with one type of attack. It’s bizarre to suggest that end-to-end encryption is useless because there are some advanced ways that people can get around it, ignoring all the other ways that it helps protect most people. End-to-end encryption does much more to protect tons of people, and saying that we can ignore it just because it doesn’t stop all attacks is really dangerous.
Bloomberg should be ashamed to be publishing such dangerous nonsense. It is the equivalent of anti-vax nonsense, telling people not to protect themselves.
Filed Under: at rest, cybersecurity, encryption, end-to-end encryption, in transit, leonid bersidsky, vulnerabilities
Companies: bloomberg, facebook, whatsapp
Comments on “The Ultimate Bad Take: Bloomberg's Leonid Bershidsky Thinks A WhatsApp Vulnerability Proves End To End Encryption Is Useless”
Would that make end-to-end encryption “anti-hax”?
How much are the security services paying them to publish this nonsense, as they will benefit if people are scared away from encryption.
Re: Re:
Nothing, this kind of reporting is part and parcel of the stenography service offered by big media to the government…for access.
Reminds me....
…of a friend who discovered it was possible to open his fancy electronic safe if you had access to the battery compartment.
YES, it can be done. On a bench, with several million dollars of gear and a lot of computing time.
I told him that if he was worried about that level of "hacking", he’s already so screwed he shouldn’t worry about it.
Re: Reminds me....
The gear cost and technical difficulty might protect him. Don’t count on computing time as a deterrent. The bad guys can use botnets for that.
Re: Re: Reminds me....
My point to him, and in regards to this article, is that the amount of man-hours and tech required to open the safe or intercept and decrypt an end to end encrypted data transfer means…
…If you have a legitimate worry about it, you’re already under a microscope by the NSA, CIA, FBI, and every other TLA group.
NOTHING is secure if you’ve got the money, manpower, etc. to unsecure it. You take reasonable precautions – enough that your neighbors can’t see or read it, and, preferably, that the local law enforcement can’t easily break.
Re: Re: Re: Reminds me....
"NOTHING is secure if you’ve got the money, manpower, etc. to unsecure it. You take reasonable precautions – enough that your neighbors can’t see or read it, and, preferably, that the local law enforcement can’t easily break."
True enough. For most apartment doors a simple crowbar WILL break them down in short order. And yet no one has ever earnestly suggested upgrading that standard because the status quo serves well to discourage casual would-be trespassers/thieves – which for most people is all they’ll ever risk encountering.
And that’s the same with computer security. As long as circumventing your security takes any effort at all you will remain reasonably safe as long as you aren’t a high-profile target at which point it’s dubious if anything will keep you safe.
Re: Re: Re:2 Reminds me....
"True enough. For most apartment doors a simple crowbar WILL break them down in short order. "
Not any of my apartments. Vertical bolts aren’t all that expensive and are simple to install.
Like I said, reasonable precautions.
And, before some AC jumps me on them, YES, they do add to the value, therefor I can charge higher rents – because of the sense of higher security.
Re: Re: Re:3 Reminds me....
"Not any of my apartments. Vertical bolts aren’t all that expensive and are simple to install."
Unless the door itself is pretty well built – made of steel, for instance, a healthy adult with a proper tool can still take it down.
The point being that a door – or window – WILL be defeated by anyone who insists on getting in and is willing to bring a crowbar, sledgehammer, or ladder. That said there’s a difference between a door you can stomp open with a few full-weight kicks and one requiring a 12-lb sledge or heavy crowbar to open.
My point being that reasonable precautions will ward off every casual would-be intruder, while still remaining useless vs any determined intruder.
Re: Re: Re:2 Reminds me....
That’s really not true, and automation is the difference (plus a lower risk of getting caught). If a million houses have the same cheap lock, there aren’t enough criminals to break into all of them. But you might be surprised how quickly an unpatched Windows XP installation or old router will be compromised after connecting to the internet. Untargeted attacks are much more likely to hit you in the digital realm—ransomware for example.
Re: Re: Re:3 Reminds me....
"That’s really not true, and automation is the difference (plus a lower risk of getting caught). If a million houses have the same cheap lock, there aren’t enough criminals to break into all of them. But you might be surprised how quickly an unpatched Windows XP installation or old router will be compromised…"
I wouldn’t be surprised, no. If your OS is badly patched and your firewall is leaky then you’re already deep in "no effort required" territory.
If compromising your PC requires anything more than someone somewhere running random port scans however, you’re fairly safe – until someone deliberately targets your specific PC.
In the example mentioned in the OP Bloomberg actually states a scenario where you already have a compromised PC as a reason not to trust end-to-end encryption. Which assumes that from the get-go you’ve already messed up very basic security measures to begin with.
Re: Re: Reminds me....
<i>"The gear cost and technical difficulty might protect him. Don’t count on computing time as a deterrent. The bad guys can use botnets for that."</i>
It’s a pretty simple equation, really. If the potential intruder has access to the lock for an extended period of time, that lock will be opened. It’s why DRM is such an inherently flawed concept.
When it concerns a physical safe the real security comes from two things – that it will take a long time to unlock without the key or code, and that it’s too cumbersome to easily remove from the premises.
Bloomberg has acquired the same reputation as Tim Wakefield, and its so-called "Tech-reporting’ should be treated the same way.
He’s not wrong. If someone points this kind of firepower at you, end-to-end encryption will do absolutely nothing for you. Then again, you’re probably not that interesting. In which case end-to-end encryption will most likely do nothing for you. There is a very narrow zone of being "not quite interesting but of some interest" where end-to-end encryption might just do exactly what you hope it will do for you, and almost none of us are in it.
Re: Re:
Literally nobody anywhere is suggesting that end-to-end encryption is panacea, or that it negates the need for defense-in-depth or proper opsec.
He’s wrong, and so are you.
Re: Re:
"He’s not wrong. If someone points this kind of firepower at you, end-to-end encryption will do absolutely nothing for you. Then again, you’re probably not that interesting."
Well, when you’re discussing actual on-device malware the analogue in the real world would be that of trying to secure your apartment while an accomplice of the would-be burglar is sitting on your couch drinking tea and waiting calmly for you to go to bed so he can open the door.
There are plenty of ways to compromise a PC to the point where encryption won’t matter since there’s a malware app reading your keystroke inputs and streaming your monitor cam to an undisclosed recipient…
…even so that’s not an argument against end-to-end encryption.
It’s an argument for sensible security habits. Noscript/ublock as a permanent browser addon, not installing untrusted applications, never running or opening downloads without an AV scan, etc.
Re: Re: Re:
What does this mean? To a computer security professional, any application that can compromise your security is "trusted" by definition. To a layperson, I don’t think it means much of anything; how should they decide what’s "untrusted"?
Re: Re: Re: Re:
"To a layperson, I don’t think it means much of anything; how should they decide what’s "untrusted"?"
Trust, but Verify.
Before installing any app, run it past your regular AV and a separate malware-dedicated client. Spybot or Malwarebytes, for instance.
And never be a beta tester – installing an app on release day. Make sure it’s past its first few weeks.
Be aware that if the site you got the app from seems shady, with some odd, obviously RNG-generated URL or which offers a deal too good to be true…then it probably is just that.
Online as offline you can’t ever guarantee your safety. But you CAN avoid being an easy mark.
On that note...
A Boeing plane crashed, all planes are useless!
Re: On that note...
Even worse. A Boeing plane crashed, so your Toyota’s airbags and seatbelts are useless.
Re: On that note...
"A Boeing plane crashed, all planes are useless!"
More like "If the pilot is drunk or stoned the plane will likely crash. Therefore air travel is hazardous and useless".
It’s not an honest argument Bloomberg’s using there.
Sounds like Bloomberg’s Leonid Bershidsky is a fucking hack.
Isn’t Bloomberg the guys who have twice now cried wolf over Chinese supply chain hacking?
I wouldn’t take anything they say regarding technology seriously.
Don’t take this as me crapping on ‘fucking Millennials’ as a group, but from what I’m seeing in journalism they just . . . they just all suck.
No standards and there doesn’t seem to be any editors or sub-editors checking their work. Bloomberg is just putting out longer versions of click-bait articles with no care as to the damage its doing to the publication’s reputation as long as it gets people talking (and linking).
Re: Re:
Though it turns out, that this particular guy is my age. So I guess he’s just a hack. They’re everywhere.
Re: Re: Re:
47? Pfft. Kids these days.
Young punks. Get off my phone!
Re: Re: Re: Re:
Hey, I like it when the former firebrand "activists" hit about forty, and the week or so after they’ve sent their kids across the country to college realize…
…THEIR parents sent THEM off to college like that to get RID of them and their "causes" for a few years while they grew up…
/s
He should google The Nirvana Fallacy, then give up on technical journalism and go live in a yurt.
“Locking your door” sounds nice — but if anyone can get into your house, they will be able to steal your stuff without having to unlock it.
Close Leonid, but ...
So, end-to-end is working fine, but someone has compromised your phone. Leonid goes "end-to-end doesn’t work". Dude, just ditch the phone.