by spullara 3397 days ago
This headline is extremely dangerous. The phone itself was owned. No encryption was harmed by capturing the keystrokes and audio before it reaches the application. NYTimes should be ashamed of themselves for basically lying about the nature of the hacks.
13 comments

We've updated the headline to what the NYT currently says. Previously it said "WikiLeaks: CIA managed to bypass encryption on popular services Signal, WhatsApp".
No, it's not.

The encryption is not broken, it's bypassed. The data go to an unintended third party, even when the encryption is legit, rendering the encryption useless.

So the word "bypass" is correct.

This is a dangerous headline because it implies that Signal was broken, which could lead to people moving to LESS SECURE SERVICES because they think the more secure one is broken. When in reality it is the phone and OS.

They have similar end result for the phone in question, but headlines like this can lead to people being less secure on the whole.

Most users cannot tell the difference between the Phone, OS, App and the signal (let alone an app named Signal). Likely the journalists work with tech savvy to make sure they understood this and it was hard for them to make sense of gigabytes of technical jargon and noise.

Arguing this point at all is silly when many people, even many IT professionals don't know and don't care about the difference between bypassed and broken. This arguing detracts from the important news...

The CIA sees fit to ignore the security of Americans by not alerting the companies that make the software the CIA exploits. They do this to ensure they can hack whoever they want, and there is no meaningful oversight and no ethical, economic or constitutional consideration.

That hardly matters if people's response is to use other, less secure things, as was the case with the Guardian and Whatsapp.
This is entirely a non-issue.

If a group with the massive funding and pervasive reach like the CIA can operate with impunity it does not matter what app or what security you think you have.

Going from easy dragnet surveillance of unencrypted communications to having to use expensive to deploy, develop, maintain targeted attacks that get patched (with, on iOS, ridiculously high penetration rates) does not seem like a moot issue.
People who care sufficiently about the security of their crypto don't use NYT or the guardian as an information source to base their opsec decisions on.
And the bonus to the CIA ignoring the deal the Obama administration made with Big Tech to disclose vulnerabilities is that now (apparently) all of the tools the CIA had accumulated are out in the wild, instead of being fixed.
I don't know why Obama allowed this. Could he have had the CIA shut this stuff down? He was the Chief Executive.

I wonder what this administration will do with this knowledge. It will be interesting to see Trump respond too, rather than manufacture news.

Frankly, I am not sure if anyone in the White House has been able to truly control the intelligence agencies since the first Bush. And I say that only because he was a former CIA director, so he had a better chance of knowing where the control levers were hidden.
I've had friends and family reaching out to me all morning saying "Signal is broken, see the NYT." This headline is incredibly misinformed and misleading and I hope they issue a correction quickly.
I don't think your argument about less secure services is helpful to the layman. By arguing that Whatsapp is more secure, you are giving people a false sense of security. A good way to phrase it would be "all messaging services are equally vulnerable to these kinds of attacks, regardless of encryption."
> because it implies that Signal was broken

It does mean Signal is pointless to use however. Why encrypt if your communications are picked up prior to encryption? Akin to putting your seat belt on after the car has crashed.

No, no, no!

Defense in depth! Do you stop using TLS on your banking website every time a Windows 0day comes out?

Because your opponent might not be the CIA and because your phone might not be compromised.

So in that case switching to something less secure will instantly make your problems worse.

Of course, I'm only speaking in the context that you are worried about the CIA or other governments.
Even if you are worried about them it still does not mean that you have been compromised. And if you do worry about them: don't use your phone (or any computer, for that matter) for sensitive stuff.
"Akin to putting your seatbelt knowing full well a thermonuclear attack is always possible."

Yes, catastrophic compromise is possible, but that does not render all security measures moot. A precious few attackers have the capability for such attacks, they are very costly to develop and therefore very precious and well kept secrets, to be used on high profile targets.

Unless you are a spy, a terrorist, a state official with significant power or a dissident against the likes of Russia or China, end-to-end encryption like Signal will keep your communication private.

> Unless you are a spy, a terrorist, a state official with significant power or a dissident against the likes of Russia or China, end-to-end encryption like Signal will keep your communication private.

Maybe, if one person can do it so can others. It would be foolish to assume you are safe just because the US government doesn't deem you a person of interest. It might be far fetched, but now that the world knows it's possible to bypass encryption you cannot ignore the fact that Signal may not work at all.

I'm sure someone savvy enough to use end-to-end encrypted communication channels will switch to less secure methods based off of a headline /s
It's not really that savvy people would be switching away; it's that non-savvy friends/family of savvy people who read this article now will have a slight negative connotation to those product names, so if their savvy friend/relative tries to convince them to switch to either of them, they might say no for stupid reasons.

This is the point of the majority of propaganda, really: it's not to convince the people who know anything about the issue; it's to prejudice the people who don't, so that it'll be harder for the people in the know to communicate the facts to them.

In particular because the App Store features not only the usual suspects (Skype, Allo, ...), but many other somewhat random apps (Gonzo, BabelNet, Kissapp, 5s, ...) promising encrypted chat, and people might think, "hmm, WhatsApp and Signal are insecure, it says so in the NY Times, so let's try one of these"
It already happened with Whatsapp and the Guardian's irresponsible reporting. Organizers and protesters switching to unencrypted messaging or even SMS, because of the perception that Whatsapp was hacked. Someone savvy enough to use end to end encryption may be someone who values privacy, but there's no reason to assume they are also someone who is themselves a security expert. The point of apps like Whatsapp and Signal working to make end to end encryption easy for the average person is to increase encrypted messaging use, not make everyone a security expert.
Well, it would be really dangerous if they have put a headline that did not make normal people not read it. I do not see this as click bait, and I see this as a usual signal for the mainstream to be aware.

Also, if these people read only the title, then the problem is not any sort of text, you should fix those people first. No matter what words were chosen they will most likely make the wrong judgment.

If people really require security from state level agencies perhaps they should read more than the headline.
The point is that the title mentions explicitly Signal and WhatsApp, generating the false impression that it was a weakness in these applications. However, it was a weakness in the OS, so a proper title would have been:

| WikiLeaks: CIA managed to bypass encryption on popular messaging services on Android phone (nytimes.com)

They pwned iPhones too. And servers. And desktops, tablets, and your TV.

While Signal and WhatsApp have not been broken (apparently), pretty much every platform they are hosted on has been.

The main point is that the CIA can read your encrypted messages before they become encrypted, if they really want to. So while your encryption works, you can still be pwned.

Or even just "CIA managed to hack into Android phones."
I think the part that's misleading is that with a loose/typical/casual reading it sounds like the bypass is at the application level as opposed to the OS/host level. By suggesting specific apps/services may be "bypassed" they fail to make it crystal clear to all readers that any breakage is likely app/service agnostic.

Of course this source is part of the same media that continually calls the election "hacked" despite there being no known technical irregularities with voting machines or vote recording or the actual election itself [^1] (that I'm aware of, at least). (Yes, computer systems were compromised, and data was exfiltrated from the DNC/related parties and released by foreign state actors. Unfortunately that is not "hacking an election." It's just plain and traditional information ops.)

So it's pretty par.

Mainstream news sources seem to continually get worse at reporting tech related stories, and I think there must be an even greater level of confusion when it comes to typical non-technical individual citizens.

[^1]: Whether anybody is actually interested in actual elections running in auditable, effective, and functional way is apparently another question entirely, and the answer from most seems to be "nope."

You are 100 percent correct. Though I think the headline is a bit clickbaity but have to agree, it is accurate.
Accurate, but dangerously misleading.
How is it misleading if it is accurate? They bypassed it by compromising the phone. No encryption is going to save you in that situation and their targets were WhatsApp, Telegram, etc. So that part is accurate as well. It is a headline, I think what you are expecting is they put all the facts into the headline and there isn't enough space.
It's misleading by omission. Until I read the article I was under the impression that they had found a flaw or something exploitable in the OWS protocol.

If the problem was with Signal or Whatsapp, as the headline suggested to me, switching to another messaging service is the natural reaction. If people understand that the problem is with the platform, and that all platforms are compromised that solution doesn't work, and using signal is still better than SMS because it still protects against other forms of surveillance.

Well, why singling out the two services in the headline when this applies to basically every application ever?

Luckily, they've realized the mistake and apparently changed the headline.

"CIA bypassed secure apps on Android" would've been nice. Sure, there are hacks/implants for other platforms too.
They bypassed it by compromising Android phones. There is a clear action item here if you want to be secure: switch to an iPhone, which is what tptacek has been saying here all along.
Have you read the announcement? iPhones are wide open for the 3-letter-agencies, too.
I've been thinking a lot about this as it relates to the "fake news" trend. Journalists have been using real information to lead people to wrong conclusions. Now we are very concerned about political sites using false information to lead people to wrong conclusions. Fake facts are bad but using facts to mislead people does damage to people's trust as well.
If they emphasized that no app is secure if the phone itself is compromised I wouldn't have a problem with it. By calling out specific apps it could cause someone to switch to a less secure alternative not mentioned.
If the app and service were not involved the only reason to mention them is to create doubt they are secure.
Not necessarily. To a lot of people encryption is "using Signal" or "using WhatsApp". They don't necessarily understand that these are distinct things and that their communications could still be captured by virtue of simply using a phone.
"The strongest chain will break at its weakest point".

If I as a user, believe that a sequence of actions, from my keystrokes to voice input, which I perceive to be a direct interaction with a secure app are in fact insecure, then is the app really secure?

I guess that's the question being posed here

There is a balance -- one is reminded of the constant "data charges may apply" footnote to so many free services. The same goes here: you really shouldn't tout your impenetrable security without also informing users that things external to the service may undermine its utility.
Also make sure no one is looking over your shoulder or listening nearby. "Signal encryption bypassed by new look over shoulder attack."
I think it's a little different when the person "looking over your shoulder" is omnipotent.
The OS these services run on isn't secure, so wouldn't these services by definition not be secure?
The article should be emphasizing that they actively attack devices of targeted individuals, not leading with the particular consequence of this that Wikileaks mentioned in a tweet.
But the rest of the headline is misleading. It's Android that was broken into, not Whatsapp or Signal. The headline encourages a false idea that those apps have a systemic flaw that allows the CIA to read any messages sent over them, which is incorrect. "Bypass" is the right word, but the sentence as a whole misses the point and spreads a misleading message.
You're both right: encryption was bypassed, but mentioning specific apps implies those apps were specifically affected and is misleading.
Headline does imply the issue was with the messaging services and not the phones.
What's wrong with it? They were able to bypass the encryption. They got the data without it being encrypted. How is that not bypassing encryption?

Furthermore, from the point of view of the end-user, the important point is that WhatsApp and Signal are not necessarily secure to use. The exact nature of the security hole is not as important for the vast majority of users.

The phone itself may not be secure. Maybe they should include gmail, schwab, camera, microphone, amazon and every other thing in their description. Literally this is FUD.
These are the most relevant apps to use, it indicates that even when using security apps there is a problem. The message is "WhatsApp is not safe", it's not relevant to most people why.
And it's a rare case where FUD is absolutely applicable:

Fear that using a "secure" messaging app on your rooted phone will expose you to consequences.

Uncertainty that your communications are secure when using your phone with the "secure" messaging app.

Doubt that using the "secure" messaging app is secure.

yes, it's FUD.

"sidestep" would probably have been a better word choice than "bypass" only because of the connotation of these words... the average person isn't going to parse these words however, sooo... <shrug> ?
Completely agree that "sidestep" would have been a much better choice. I think the title is technically correct but that doesn't mean much since context matters a lot. "Sidestep" is a lot more intuitive and, I do disagree with you here, I think the average person would get a better idea of what's happening if they read "sidestep" instead of "bypass"
Unfortunately, this is a line that Wikileaks themselves are running with: https://twitter.com/wikileaks/status/839120909625606152
Running misinformation is part of Wikileaks' job. It's not the NYT's job.
They at least re-clarified on twitter. But not in the article. https://twitter.com/nytimes/status/839160771674255360
I believe they've edited the article:

"Among other disclosures that, if confirmed, would rock the technology world, the WikiLeaks release said that the C.I.A. and allied intelligence services had managed to bypass encryption on popular phone and messaging services such as Signal, WhatsApp and Telegram. According to the statement from WikiLeaks, government hackers can penetrate Android phones and collect 'audio and message traffic before encryption is applied.'"

If that's an edit, it's still pretty poor. The 'experts' quoted are Wikileaks themselves. The disclosure 'A spy agency had 0-day exploits for mobile devices' would not rock anything.
Agreed 100% - but methinks NYT (and others) still look to them for technical guidance on some matters - however misguided that might be.
The NYT has a _huge_ list of experts to contact for stories like this. They chose not to, in the interests of getting a salacious lede printed quickly.
Well I think they put out the article first and get experts to correct the finer points later. I don't agree this is the best tactic, but reporting first is important.

They have changed the title. Currently: "WikiLeaks Releases Trove of Alleged C.I.A. Hacking Documents"

See for instance WaPo, where Greg Miller and Ellen Nakashima got Nicholas Weaver from ICIR on the record for analysis for the story. Compare with the NYT's original story, which had no disclosed expert sourcing. Maybe a habit we should all develop is to first scan these things to see who they got on the record to talk about it.

It's not hard for them. I'm not making this up: NYT has a huge list of experts to reach out to for stories. They just chose not to.

If I'm not mistaken then the NYT has shown in the past that it can get basic tech/security facts like these straight.
Could you explain more about "misinformation is part of wikileaks' job"
And that it's not NYT's job while we're at it.
In contrast, running McCarthy type propaganda and smear campaigns against Julian Assange/Wikileaks is part of NYT's job.

https://www.nytimes.com/2017/01/04/us/politics/julian-assang...

https://www.nytimes.com/2017/01/08/business/media/assange-wi...

The word "effectively" is somewhat clarifying in WL's tweet as opposed to the outright misinformation in NYT's headline, also it's just a tweet and not an article headline from a major newspaper.
edit: apparently NYT had a different headline and changed it... ignore this post

The current title [0] is wrong, but NYTimes is relatively clear:

> Among other disclosures that, if confirmed, would rock the technology world, the WikiLeaks release said that the C.I.A. and allied intelligence services had managed to bypass encryption on popular phone and messaging services such as Signal, WhatsApp and Telegram. According to the statement from WikiLeaks, government hackers can penetrate Android phones and collect “audio and message traffic before encryption is applied.”

It depends on how you define "bypass". In my opinion, accessing data before encryption is a form of bypassing... but it doesn't necessarily mean they can decrypt an already encrypted signal.

[0] "WikiLeaks: CIA managed to bypass encryption on popular services Signal, WhatsApp " as of this writing

They changed the headline: https://twitter.com/nytimes/status/839161021369573378

edit: A new tweet referencing the article: "WikiLeaks release said CIA managed to bypass encryption in mobile apps by compromising the entire phone"

They changed the tweet which I guess is factually correct but still misleading.
When I read "bypass" I kind of read "go the alternate route. As in around the impasse" which in this case the impasse was encryption.

I think a lot of people in this thread are hating on NYTimes today for this headline because of the inaccurate WhatsApp encryption news stories of recent.

I could see myself being bothered if they had written that the encryption was "broken" or "cracked" as if you destroyed the boulder in your path. Bypass seems fine. Hacker News doesn't normally use bypass as a synonym for break, but for some reason today it is to the commentators

> I think a lot of people in this thread are hating on NYTimes today for this headline because of the inaccurate WhatsApp encryption news stories of recent.

More because we're all getting blown up with "Signal is broken" messages and have to answer them one by one because of misleading/disingenuous headlines. Yes, 'bypass' is technically correct but the implication of the headline is that the problem lies with the named apps. This is not true and actively problematic.

> No encryption was harmed by capturing the keystrokes and audio before it reaches the application.

Exactly, and some people including me thought about this possibility years ago. The most secure system in the universe can still be hacked very easily by a malicious closed driver because device drivers have the highest access level to the underlying hardware. Every information being produced: (virtual) keyboard writings, data, contacts, sensors data, GPS, audio, files, etc. I mean everything can be accessed a lot before it reaches the encryption code and be relayed to a 3rd party without the user even noticing.

This plague won't go away, not until enough people with enough influence will require hardware manufacturers to document their hardware in order to create OSS and trustworthy device drivers.

yup, it's a chicken/egg scenario.
Eve operates in meat-space not a mathematical Flatland. Operationally, it does not matter how the message was read. The encryption system is compromised and users do not have practical alternatives.

The reality is that no matter how good the software engineers are; no matter how sound the algorithms; no matter how well funded the startup or open source project; it's completely outnumbered and completely out gunned. Nation states operate at a different scale and easily deployable encryption systems for novice users are white horse led brightly dressed musketeers drum marching to their general's firing line in the midst of a modern free fire zone.

To me, any secure communications systems that provides the convenience of app store downloads and over the air updates should be considered compromised. On the other hand, if someone thinks that a three letter agency might be interested in their communications and that person does not work for another three letter agency, they should probably assume that their signals are compromised if they are detected.

They've corrected it; HN should do the same.
Am I missing something? The actual headline is "WikiLeaks Releases Trove of Alleged C.I.A. Hacking Documents"
NYT is pivoting to a model that brings it more clicks.
NYT corrected/changed the title. I don't get why they are getting the heat when wikileaks leaked the information.
It is a disturbing trend lately for publishers to seemingly insert deliberate fallacies into their headlines just to get more people engaged, causing them to pop up on more social media timelines.
Well they want to become Drudge before Drudge becomes them.
I agree. They should be called out on it. The headline is basically "fake news."
Seems like the headline is perfectly fine. The software on the device you don't own is bypassed, resulting in encryption being ineffective? That seems like a highly critical issue for whoever owns the software.

Step the fuck up Google. Android security is an embarrassment.

The headline mentions specific apps; readers will remember that those apps are "insecure". Very dangerous.
They are insecure from the perspective of protecting people from targeted government surveillance though. The security model doesn't support it.