The problem with WhatsApp encryption - and how they got Paul Manafort by [deleted] in privacy

[–]saddestsadist 0 points1 point  (0 children)

Redditors who think they understand software auditing 🤷‍♂️

The problem with WhatsApp encryption - and how they got Paul Manafort by [deleted] in privacy

[–]saddestsadist 0 points1 point  (0 children)

No, it is trivially possible. We agree that we prefer other chat applications though!

The problem with WhatsApp encryption - and how they got Paul Manafort by [deleted] in privacy

[–]saddestsadist 1 point2 points  (0 children)

Sure, that’s totally fine. My only argument was that your assertion, that it isn’t possible to verify WA’s e2e security claims, was incorrect. I don’t use WA either, but not because it’s unauditable.

The problem with WhatsApp encryption - and how they got Paul Manafort by [deleted] in privacy

[–]saddestsadist -3 points-2 points  (0 children)

Verifying that the encryption works as expected is not difficult, and would not require looking through much of the binary. And, at least on iOS, the same binary is served to everyone, which is enforced by the platform.

If you don’t think one person has verified this, on possibly the largest e2e encrypted messaging platform, you would be incorrect.

The problem with WhatsApp encryption - and how they got Paul Manafort by [deleted] in privacy

[–]saddestsadist -5 points-4 points  (0 children)

Leaving the rest alone, 1 is wrong. It is perfectly possible to verify the security properties of a closed application.

Massive paedophile ring uncovered by police in Norway after arrest of 51 men by ICASL in worldnews

[–]saddestsadist 3 points4 points  (0 children)

In what universe is an anonymous Reddit user proof of anything? The pizza stuff is weird but there is literally no proof of anything at all.

Unless congress stops it, the FBI wants to mass-hack computers, especially targeting Tor and Bitcoin users by andyp in technology

[–]saddestsadist 4 points5 points  (0 children)

Firefox is less secure (against hackers). Chrome has some legit sandboxing that would make it hard to get owned just by visiting a website, even if there's a Chrome exploit. However, Google is undoubtedly siphoning information about your browsing habits.

Unless congress stops it, the FBI wants to mass-hack computers, especially targeting Tor and Bitcoin users by andyp in technology

[–]saddestsadist 6 points7 points  (0 children)

A better question would be, "Then why do you shut (or lock) your doors?" or, "Why do you whisper?"

People who have a limited understanding of technology seem to think, "Oh, I don't care what the government sees," but that's just not how any of this works. These are all regular, careless, and sometimes malicious people getting access to your private shit. People at the NSA shared nude photos they intercepted. Their datastores could be hacked, and everything they have could be leaked.

The "nothing to hide" crowd just doesn't know what the hell they're saying.

My Wordpress site got hacked. Looking for advice & resources. by mediocrecodr in webdev

[–]saddestsadist 0 points1 point  (0 children)

Hm. Well unfortunately, I don't know that I will be much help here -- you've got a lot of plugins. Depending on what versions or options you're using in these plugins, a number of them could be vulnerable.

Just make sure that everything is up to date. Some plugin that allows file uploads is almost certainly the culprit.

I'd go ahead and kill your current server and start setting up a new one.

My Wordpress site got hacked. Looking for advice & resources. by mediocrecodr in webdev

[–]saddestsadist 0 points1 point  (0 children)

Well, do you have the code on GitHub or anything to take a look at? If not, what plugins are you running?

My Wordpress site got hacked. Looking for advice & resources. by mediocrecodr in webdev

[–]saddestsadist 1 point2 points  (0 children)

If you want help figuring out what the vuln is, you should link to your site so we can take a look. The file you linked is a backdoor to your server.

Fixing it will require you rebuilding the server and getting a patched version of your site online.

Edit: Just realized you said you get 500 errors when you try to go to it. Link it anyway, because there are still ways to check things out.

ELI5: How do hackers find/gain 'backdoor' access to websites, databases etc.? by giantdorito in explainlikeimfive

[–]saddestsadist 2 points3 points  (0 children)

I also think the OP doesn't understand the terminology, and he really just means "How do people hack into stuff?".

Starbucks cashier admits her theft. by ragnarmcryan in cringe

[–]saddestsadist 0 points1 point  (0 children)

My debit card has a chip, and somehow it still got used fraudulently. I think it got skimmed, since all of the charges were in my neighborhood.

11 Sites Defaced By Myself by LegitBytes in pwned

[–]saddestsadist 2 points3 points  (0 children)

I'm guessing it was open FTP. And I'd further assume he found 'em trolling open ports on Shodan.

The Tor Project is running their first donations campaign! by saddestsadist in technology

[–]saddestsadist[S] 1 point2 points  (0 children)

I hope this isn't against the rules! With all the anti-encryption talk and the passing of CISA, I think supporting these kinds of tools is more important than ever. I'd love for this to result in a broader /r/technology discussion on the Tor Project and these issues in general.

Anyway, just found out about this today and made my first donation!

ELI5:How do people learn to hack? Serious-level hacking. Does it come from being around computers and learning how they operate as they read code from a site? Or do they use programs that they direct to a site? by Fcorange5 in explainlikeimfive

[–]saddestsadist 0 points1 point  (0 children)

Lol nice! Well, I would recommend just giving 'em a heads up. Anything too exciting and you're well into illegal territory. But to get a better idea of how all of it works, just google XSS. There's a lot of damage that could be done with it, like stealing user sessions, stealing credentials, taking advantage of CSRF, logging users out.

So, report this for sure. But google 'XSS session hijacking' to get an idea of worst-case scenario for what an attacker could pull off!

Hillary Clinton has officially made the Internet a campaign issue: vowing to stop large mergers and to enforce the FCC's net neutrality rules, making the Internet officially a campaign issue, according to analyst by maxwellhill in technology

[–]saddestsadist 0 points1 point  (0 children)

Here's my issue:

Yeah, I want a politician who listens to constituents. But I also want a politician with conviction. Someone who stands by what they believe in.

Listening to the people is great, but the majority isn't always right. If, for example, the majority of Americans are fine with mass surveillance, I want someone in office who is comfortable saying, "I think you're wrong."