Quote of the day—Jan Koum

I think this is politicians, in some ways, using these terrible acts to advance their agendas. If the White House thinks that Twitter can solve their ISIS problem, they’ve got (a lot of problems).

Jan Koum
April 4, 2016
Forget Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People
[Yes. And the same is true of gun control, a lot of banking laws, tax law, and probably 1000 or more other things. WhatsApp is just exploiting a small chink in the armor.

Government back doors to communications violates The Jews in the Attic Test. WhatsApp intent is to keep communication private. This is no small task. I’m certain it is private from your local police force, snoopy neighbors, and most employers. But if a billion people use it that is a very juicy target for nation states. Such a high value target will justify an enormous expenditure of resources to break it. I expect it is only a matter of time before it is broken. But that doesn’t mean that it will stay broken or that gaining access to each conversation isn’t very expensive and cost prohibitive except in extremely important situations.

That said, I have WhatsApp installed on my phone.—Joe]

9 thoughts on “Quote of the day—Jan Koum

  1. Unfortunately that article isn’t readable; it produces a popup complaining about ad blockers. So much for Wired; I don’t understand why they can’t get this right. Everyone else does.
    Meanwhile, end to end encryption is good, provided it’s done right. Unfortunately, it is very hard to get it right. There are plenty of examples of people getting it wrong: DVD encryption, A4 cipher for the GSM cell phone protocols, 802.11 WEP, and so on. A protocol designed by a single anonymous designer should be treated with extreme skepticism. If the protocol specification is not made public, the only valid conclusion is that the protocol cannot be trusted. (The converse does not hold: WEP was published but worthless, because its design was approved by the standards organization without input or review from qualified people.)
    Some people say that weak encryption, or doubtful encryption, is better than none. I strongly disagree. For one thing, it may be so weak that from the point of view of the adversary it doesn’t exist. And for another, weak encryption is false advertising: it creates an expectation of protection where none exists. Would you argue that a cardboard lock on your front door is better than no lock at all? I would not, because if you have no lock, you know the door is open. But with a fake lock, you are led to believe your house has been secured when in fact it has not.

    • Paul,
      I’m running NoScript in Firefox, and the article comes up without even needing to allow Wired be approved. Actually, there are times that giving approval to a parent web page makes it unreadable, until nearly everything is approved, and on occasion that list scrolls off the screen, each ok generating additional requests for other programs. I originally set up NoScript to speed up page loading, but sometimes the result can take longer with the need to input. I need a more powerful computer…

      • Interesting. I use Safari on a Mac, with pretty much the standard settings (no popups) and no specialized plugins.
        Fortunately I got the story from a WSJ article; it got a fair amount of text. It also mentioned the name of the company or organization behind the crypto. I’ll have to take a look to see if it allays my skepticism somewhat.

  2. joe:

    with all due respect, i want the assholes to know precisely what i am doing, and what i am thinking, every hour of the day. i want them to know.

    and, i want them thinking about it. i want them to know that i do not intend to miss out on any of the fun. any of it.

    john jay

    • That’s fine. Your choice — not theirs. That’s the point of encryption: you can choose to have your communications visible to the adversary, or not. You can chose to encrypt everything to foil traffic analysis. Or you can be selective.
      It’s all about choice.

  3. [I]f a billion people use it that is a very juicy target for nation states. Such a high value target will justify an enormous expenditure of resources to break it. I expect it is only a matter of time before it is broken. But that doesn’t mean that it will stay broken or that gaining access to each conversation isn’t very expensive and cost prohibitive except in extremely important situations.

    A couple points:
    1. RE: staying broken. It’s said the Internet sees censorship as damage and routes around it. Security measures such as encryption tend to function the same way; the developers, upon realizing their system has been cracked, will redouble their efforts and build a better system.
    2. A billion people having encryption turned on, while it does present a juicy target for nation states, also increases the noise-to-signal ratio exponentially. Unless the nation states can crack the whole thing, for every illicit encrypted message there’s going to be a crap-ton of innocuous conversations that … also happen to be encrypted. Indeed, the developers of the TOR browser encourage people to download and use it, even if they’re NOT subject to government censorship, communicating with government whistle-blowers or crime victims, or working to improve human and civil rights worldwide. The more mundane activity that happens over the network, the harder it is to trace the high-value activity, and the more resources will have to be expended with little-to-no return.

    RE: the Jews in the Attic: It’s much harder and far more expensive to try to use network analysis to pinpoint the one or two houses hiding Jews, when the networks indicate half the town is sending and receiving encrypted messages (which may or may not include references to Jews) at all times.

    Just my $0.02.

    • Precisely. Imagine a game of three card monte, where the juicy data is under one of the cards, and one of the other cards is face up (unencrypted).

      Now, imagine a hundred cards, and they’re all face down.

      States will view this as a challenge, of course. Hence the ham handed attempts to regulate encryption tools as weapons.

  4. “…politicians, in some ways, using these terrible acts to advance their agendas.”’

    In some ways? No, Young Grasshopper; in all ways imaginable, and they spend all their time imagining new and creative ways. “Never let a crisis go to waste” only just begins to explain the mentality– It allows for the supposition that one stands by and waits for crisis rather than creating crisis and the illusion of crisis.

  5. If the politicians really want to read my mail, I’ve no doubt they’ll find a way to do it. They have unlimited resources and time and money.

    I, on the other hand, am under no obligation whatsoever to make it easy for them. If they don’t like me using the encryption of my choice, perhaps they should remember that they work for me, not the other way around.

    So, no, I have no sympathy whatsoever for government agencies demanding backdoors.

Comments are closed.