by scblock 3397 days ago
This is a dangerous headline because it implies that Signal was broken, which could lead to people moving to LESS SECURE SERVICES because they think the more secure one is broken. When in reality it is the phone and OS.

They have a similar end result for the phone in question, but headlines like this can lead to people being less secure on the whole.

7 comments

Most users cannot tell the difference between the phone, OS, app and the signal (let alone an app named Signal). Likely the journalists worked with tech-savvy people to make sure they understood this, and it was hard for them to make sense of gigabytes of technical jargon and noise.

Arguing this point at all is silly when many people, even many IT professionals, don't know and don't care about the difference between bypassed and broken. This arguing detracts from the important news...

The CIA sees fit to ignore the security of Americans by not alerting the companies that make the software the CIA exploits. They do this to ensure they can hack whoever they want, and there is no meaningful oversight and no ethical, economic or constitutional consideration.

That hardly matters if people's response is to use other, less secure things, as was the case with the Guardian and Whatsapp.
This is entirely a non-issue.

If a group with the massive funding and pervasive reach of the CIA can operate with impunity, it does not matter what app or what security you think you have.

Going from easy dragnet surveillance of unencrypted communications to having to use targeted attacks that are expensive to deploy, develop and maintain, and that get patched (with, on iOS, ridiculously high penetration rates), does not seem like a moot issue.
I don't see how this goes from one to the other. It seems that just about every Android and iOS device can be part of an "easy dragnet" without any app installed. If the WikiLeaks article is correct about the CIA having kept multiple 0-day exploits hidden for each OS, then breaking anything, even remotely, is a work ticket and not a research project for them.

The fine distinction of one app being singled out sucks, but it really is small potatoes here. The owner of the app should write the NYT and complain that their app was used inappropriately or perhaps write an editorial to get even more free advertising. The real news is that the CIA lied to Americans and the President so they could continue damaging American businesses, in the name of protecting America.

It sounds like we are not too far off from the CIA being able to write self-spreading malware that allows monitoring; they just haven't because... maybe it would be too easy to spot. Oh wait, groups like the CIA did this already and rigged it to delete itself when not on one of their intended targets' machines: Stuxnet.

You made a specific claim: no app, easy dragnet, work ticket level, because tons of hidden 0days. I'm taking it as read that a publicly patched one doesn't count. Is there evidence for that claim in the actual documents?

Pending that, here is evidence of a counter claim. I'd repeat what tptacek said, but he's whittled it down better than I could: https://news.ycombinator.com/item?id=13811541

To cite Tony Arcieri, the only elite cryptanalysis trick in play here is "Android is a tire fire". Cue surprised gasp from security researchers.

Furthermore, you did not refute my central claim. Popping a Cisco 12k: read a bunch of unencrypted comms until detection. Target a specific person to get bit by a specific iOS exploit: maybe read some of the data until it gets patched. Surely you'll agree that one is drastically more expensive than the other?

People who care sufficiently about the security of their crypto don't use the NYT or the Guardian as an information source to base their opsec decisions on.
And the bonus to the CIA ignoring the deal the Obama administration made with Big Tech to disclose vulnerabilities is that now (apparently) all of the tools the CIA had accumulated are out in the wild, instead of being fixed.
I don't know why Obama allowed this; could he have had the CIA shut this stuff down? He was the Chief Executive.

I wonder what this administration will do with this knowledge. It will be interesting to see Trump respond too, rather than manufacture news.

Frankly, I am not sure if anyone in the White House has been able to truly control the intelligence agencies since the first Bush. And I say that only because he was a former CIA director, so he had a better chance of knowing where the control levers were hidden.
I've had friends and family reaching out to me all morning saying "Signal is broken, see the NYT." This headline is incredibly misinformed and misleading and I hope they issue a correction quickly.
I don't think your argument about less secure services is helpful to laymen. By arguing that WhatsApp is more secure, you are giving people a false sense of security. A good way to phrase it would be "all messaging services are equally vulnerable to these kinds of attacks, regardless of encryption."
> because it implies that Signal was broken

It does mean Signal is pointless to use however. Why encrypt if your communications are picked up prior to encryption? Akin to putting your seat belt on after the car has crashed.

No, no, no!

Defense in depth! Do you stop using TLS on your banking website every time a Windows 0day comes out?

Because your opponent might not be the CIA and because your phone might not be compromised.

So in that case switching to something less secure will instantly make your problems worse.

Of course, I'm only speaking in the context that you are worried about the CIA or other governments.
Even if you are worried about them it still does not mean that you have been compromised. And if you do worry about them: don't use your phone (or any computer, for that matter) for sensitive stuff.
Of course, my original point was don't count on Signal to protect you. That was my whole point.
"Akin to putting your seatbelt on knowing full well a thermonuclear attack is always possible."

Yes, catastrophic compromise is possible, but that does not render all security measures moot. A precious few attackers have the capability for such attacks; they are very costly to develop and therefore very precious and well-kept secrets, to be used on high-profile targets.

Unless you are a spy, a terrorist, a state official with significant power or a dissident against the likes of Russia or China, end-to-end encryption like Signal will keep your communication private.

> Unless you are a spy, a terrorist, a state official with significant power or a dissident against the likes of Russia or China, end-to-end encryption like Signal will keep your communication private.

Maybe, if one person can do it so can others. It would be foolish to assume you are safe just because the US government doesn't deem you a person of interest. It might be far fetched, but now that the world knows it's possible to bypass encryption you cannot ignore the fact that Signal may not work at all.

I'm sure someone savvy enough to use end-to-end encrypted communication channels will switch to less secure methods based off of a headline /s
It's not really that savvy people would be switching away; it's that non-savvy friends/family of savvy people who read this article now will have a slight negative connotation to those product names, so if their savvy friend/relative tries to convince them to switch to either of them, they might say no for stupid reasons.

This is the point of the majority of propaganda, really: it's not to convince the people who know anything about the issue; it's to prejudice the people who don't, so that it'll be harder for the people in the know to communicate the facts to them.

In particular because the App Store features not only the usual suspects (Skype, Allo, ...), but many other somewhat random apps (Gonzo, BabelNet, Kissapp, 5s, ...) promising encrypted chat, and people might think, "hmm, WhatsApp and Signal are insecure, it says so in the NY Times, so let's try one of these."
It already happened with WhatsApp and the Guardian's irresponsible reporting: organizers and protesters switched to unencrypted messaging or even SMS because of the perception that WhatsApp was hacked. Someone savvy enough to use end-to-end encryption may be someone who values privacy, but there's no reason to assume they are also someone who is themselves a security expert. The point of apps like WhatsApp and Signal working to make end-to-end encryption easy for the average person is to increase encrypted messaging use, not to make everyone a security expert.
Well, it would be really dangerous if they had put a headline that did not make normal people read it. I do not see this as clickbait; I see this as a usual signal for the mainstream to be aware.

Also, if these people read only the title, then the problem is not any sort of text; you should fix those people first. No matter what words were chosen, they will most likely make the wrong judgment.

If people really require security from state level agencies perhaps they should read more than the headline.