What the recent Facebook/WhatsApp announcements could mean

Ever since Facebook acquired WhatsApp (in 2014) I have wondered how long it would take before we found that our supposedly “end to end encrypted” messages were being mined by Facebook for its own purposes.

It has been a while coming, but I think it is now clear that end to end encryption in WhatsApp isn’t really the case, and will definitely be less secure in the future.

Over a year ago, Gregorio Zanon described in detail why it was that end-to-end encryption didn’t really mean that Facebook couldn’t snoop on all of the messages you exchanged with others. There’s always been this difference between one-to-one messages and group messages in WhatsApp, and how the encryption is handled on each. For details of how it is done in WhatsApp, see the detailed write-up from April 2016.

Now we learn that Facebook is going to be relaxing “end to end encrypted”. As reported by Schneier, who quotes Kalev Leetaru:

Facebook’s model entirely bypasses the encryption debate by globalizing the current practice of compromising devices by building those encryption bypasses directly into the communications clients themselves and deploying what amounts to machine-based wiretaps to billions of users at once.


Some years ago, I happened to be in India, and at a loose end, and accompanied someone who went to a Government office to get some work done. The work was something to do with a real-estate transaction. The Government office was the usual bustle of people, hangers-on, sweat, and the sounds of people talking on telephones, and the clacking of typewriters. All of that I was used to, but there was something new that I’d not seen before.

At one point documents were handed to one of the ‘brokers’ who was facilitating the transaction. He set them out on a table, and proceeded to take pictures. Aadhar Card (an identity card), PAN Card (tax identification), Drivers License, … all quickly photographed – and this made my skin crawl (a bit). Then these were quickly sent off to the document writer, sitting three floors down, just outside the building under a tree at his typewriter, generating the documents that would then be certified.

And how was this done: WhatsApp! Not email, not on some secure server with 256 bit encryption and security, just WhatsApp! India in general has a rather poor security practice, and this kind of thing is commonplace, people are used to it.

So now that Facebook says they are going to be intercepting and decrypting all messages and potentially sending them off to their own servers, guess what information they could get their hands on!

It seems pointless to expect that US regulators will do anything to protect consumers ‘privacy’ given that they’re pushing for weakening communication security themselves, and it seems like a foregone conclusion that Facebook will misuse this data, given that they have no moral compass (at least not one that is functioning).

This change has far-reaching implications and only time will tell how badly it will turn out but given Facebook’s track record, this isn’t going to end well.

May I please get whatever Windows version powers the Dreamliner?

It is being widely reported that the FAA has issued an Airworthiness Directive (AD) requiring that Boeing 787 Dreamliners must be rebooted every 21 or so days.

This is not a hoax.

This is the AD issued by the FAA on 2016-09-24. I obtained a copy of this AD from here.

The AD states:

This AD requires repetitive cycling of either the airplane electrical power or the power to the three flight control modules (FCMs). This AD was prompted by a report indicating that all three FCMs might simultaneously reset if continuously powered on for 22 days. We are issuing this AD to address the unsafe condition on these products.
A little investigation indicates that this isn’t the first time the FAA has had to do this. The last time they had to do something like this was in 2015-09, when they issued this AD, which I obtained from here. That AD was more specific about the reason for the problem, stating:

This condition is caused by a software counter internal to the GCUs that will overflow after 248 days of continuous power.

It has been widely rumored that the present AD about the 21 day action is similarly motivated, and the logic is that a timer with millisecond precision will overflow at about 24 days.
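To make the overflow arithmetic concrete, here is an added example (my code, not anything from the AD or from Boeing). It assumes the counters are signed 32-bit integers starting at zero on power-up; with a 1 ms tick that gives the ~24 day horizon, and with an assumed 10 ms tick it gives the ~248 day horizon. It also contrasts a naive deadline check, which breaks at the wrap, with the wrap-safe form embedded firmware should use.

```c
#include <stdint.h>
#include <stdio.h>

/* Days until a signed 32-bit counter incremented once every tick_ms
 * milliseconds reaches INT32_MAX. Assumption (mine, not stated in the AD):
 * the counter is a signed 32-bit integer that starts at zero on power-up. */
double days_to_overflow(uint32_t tick_ms)
{
    return (double)INT32_MAX * tick_ms / (1000.0 * 60 * 60 * 24);
}

/* Naive deadline test comparing absolute tick values. It misbehaves as soon
 * as either `now` or `start + timeout` has wrapped around 2^32. */
int naive_expired(uint32_t now, uint32_t start, uint32_t timeout)
{
    return now >= start + timeout;
}

/* Wrap-safe test: unsigned subtraction yields the elapsed interval modulo
 * 2^32, so it stays correct across the wrap as long as the timeout is
 * shorter than the counter period. */
int safe_expired(uint32_t now, uint32_t start, uint32_t timeout)
{
    return (uint32_t)(now - start) >= timeout;
}

int main(void)
{
    printf("1 ms tick  : %.2f days to overflow\n", days_to_overflow(1));
    printf("10 ms tick : %.2f days to overflow\n", days_to_overflow(10));

    /* Case A: the deadline wraps before the counter does. Only 128 ticks
     * have elapsed, yet the naive check reports expiry immediately. */
    uint32_t start = 0xFFFFFF00u, timeout = 0x200u, now = start + 0x80u;
    printf("A naive=%d safe=%d (expect 0)\n",
           naive_expired(now, start, timeout), safe_expired(now, start, timeout));

    /* Case B: the counter wraps past the deadline. 272 ticks have elapsed,
     * but the naive check will not fire until the counter climbs back up. */
    timeout = 0x80u; now = 0x10u;
    printf("B naive=%d safe=%d (expect 1)\n",
           naive_expired(now, start, timeout), safe_expired(now, start, timeout));
    return 0;
}
```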
This is all very droll, and I hope to hell that they power cycle their planes on the ground regularly and all that. My only question is this: since they are in fact running Windows under the covers, how on earth are they able to keep the thing going for 21 days?

With Windows 7 that was a piece of cake, but this new Windows 10 that I have wants to reboot every night and I don’t have any say in the matter.

So whatever Boeing did to keep the damn thing going 21 days, it would be great if they shared that with the world.

The saga of the mixed up email continues

In May 2015, I wrote about the risks of handing out your email address and making a mistake. (That post appeared on facebook at the time).

Well, it appears that the person handing out my gmail address isn’t just one person; we now have a second.

Someone handed out my email address and applied for life insurance. And the agent promptly emailed the entire application packet to me!

This time, it had a phone number so I called the guy. After explaining (what seemed like an eternity) that I had his application packet, I asked him what his email address was.

His answer: “amrith something dot com”.

Oh boy!

Why you really should be careful when you hand out your email address

About three years ago I received an email from the large Indian Cell phone provider AIRTEL with the subject “Your airtel Bill for airtel number: 0444*******”. Now, I don’t have an AIRTEL phone number, and I figured this was odd but it looked like a real bill. I still have the email, billing period 11/4 to 10/5/2012. And that was the start of my saga.

It said my airtel ebill was protected with a unique password and all that, so I couldn’t do much and I ignored it.

But I called the number and spoke with some dude. His name is also Amrith. And I told him that he must have accidentally given Airtel my email address so would he please fix it. He muttered something and hung up.

Shortly thereafter I received email from ICICI with a life insurance policy for “BEENA P”. There was some link which took me to their online site and I’d have to login and register and stuff which I didn’t have any way of doing.

Over the past three years I have received numerous emails from Airtel asking for payment on the landline which I replied to and said I wasn’t the person. Later I replied and said they should cancel the telephone line. They sent me email saying they were sorry to see me go. I called Airtel support and told them what was up and the dweeb I spoke with couldn’t figure out what to do with me so they said they’d email the customer. And yes, I got that email.

Over the years, I have canceled the phone service numerous times; it gets reactivated. I have received numerous statements for Beena’s insurance policy, but now they send encrypted PDFs with a password. The password is the first four letters of Beena’s name (BEEN) presumably and the date of birth as DDMM. OK, I’m bored but not that bored, and I didn’t have the patience to try the 366 possible combinations to figure out what the right one was, so I ignored it.

And each time this dipshit gives ICICI and Airtel my email address.

Today I got an email from ICICI wishing Beena P a happy birthday!

Would someone who knows someone at ICICI who has a slightly non-trivial job title please put me in touch with that person?

Oh, the PDFs which are all sitting in my GMAIL (we all know google never deletes anything) contain a policy number and all you need to create an online profile with ICICI is a policy number and a date of birth.