Profile picture
Matthew Green
@matthew_d_green
, 10 tweets, 2 min read Read on Twitter
This article seems pretty worrying. Thread. nytimes.com/2019/01/25/tec…
Of the three Facebook messaging services (WhatsApp, FB Messenger, Instagram), only WhatsApp has default end-to-end encryption. FBM has optional encryption, and Instagram has bubkis. 2/
The article says that Facebook is going to tightly integrate the three services, in the sense that you can send messages from a user on one service to a user on another one. This could be wrong, but let’s assume it isn’t. 3/
The real question is: does this mean that the encryption on all three services will get upgraded to the quality of WhatsApp? Or will WhatsApp’s encryption be downgraded to allow compatibility? The latter would be a huge risk. 4/
FB’s current encryption on WA and FBM is very limited. It only supports one client (plus an optional desktop, which is kind of funky) and has no “native web-only” mode. Whereas the non-e2e messages support all that stuff. 5/
I suppose it’s possible that FB is going to massively upgrade all of its services to have mandatory e2e and they’ll solve all these problems somehow. But that seems like a risky bet. 6/
The second problem is that the increased access to metadata. As the article points out, WA users register with a telephone and FB users don’t. I suspect FB has already done a lot to link these identifiers together, but cross-app comms will be even more effective. 7/
(As an aside, I’ve always assumed that FB used 2FA mobile numbers to link WhatsApp accounts to an existing Facebook user. If true, this is scummy and bad for security. I’d love to be proven wrong.) 8/
Anyway, the summary is: this move could be potentially be good or bad for security/privacy. But given recent history and financial motivations of Facebook, I wouldn’t bet my lunch money on “good”. Now is a great time to start moving important conversations off those services. 9/9
PS: A quick addendum — FBM does now support e2e on multiple devices, my info was out of date. So this is slightly more plausible, but still seems hard to get right with optional e2e.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Matthew Green
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @matthew_d_green see all

Profile picture
Matthew Green
@matthew_d_green
I’ve lost a lot of trust in Google since they made logins mandatory in Chrome for reasons that didn’t make sense. Now they’re proposing a new security model that threatens ad blockers. google.com/amp/s/www.tech…
The Chrome devs are good people, but are proposing basically three lines of counterargument.

1. This is only a proposal, relax.
2. Regrettably, it’s necessary for security.
3. Unfortunately it’s too expensive to make exceptions for popular ad blockers.

I’ll walk through these.
1. “It’s just a proposal, posted for feedback.” This means now is actually a good time for people to *provide* feedback. In the past, Google has made unilateral changes, and refused to significantly walk them back when people revolted.
Read 7 tweets
Profile picture
Matthew Green
@matthew_d_green
This apt-get flaw seems auspiciously timed. justi.cz/security/2019/…
It’s always worth remembering that software updates are more than “download this static file and check a signature in a non-stupid way”.
Since I’m too lazy to make new tweets, here’s one from yesterday:
Read 3 tweets
Profile picture
Matthew Green
@matthew_d_green
A lot of people think TLS is unnecessary for software updates, provided the update mechanism already includes signing/verification. Unless you’re Microsoft, this seems like a big mistake.
The value of TLS is not that it’s the right protocol for this purpose. It’s that it’s a *standard* protocol that a lot of very smart people have looked at, and ditto (to a lesser extent) for many common implementations.
For example, apropos a conversation from this morning, here’s what the VideoLAN Wiki says about VLC’s software signing.
Read 5 tweets

Related threads

Profile picture
DespicableDrew
@DespicableDrew
#THREAD: the #Epstein case vs the #MichaelJackson case: for those talking about "getting away" with "crimes", let's take a look at how (white) privilege really works. And why nobody talks about Epstein, while #MJ is being subjected to another slanderous mockumentary. (1)
For a good comparison, we'll take a look at the timeline of the #Epstein case versus that of the #MJ case. You'll see the differences in approach, treatment and mediatic consequences by yourself. #JusticeforMJ #ExposeTheLiars (2)
miamiherald.com/news/local/art…
As per screenshot 1, the parents of #Epstein's alleged victim, a 14-y.o. girl, reported the alleged crime to the police. In 1993, the first allegations against MJ started with an extortion plan and a search for a "highly profitable settlement". (3) More: themichaeljacksonallegations.com/the-1993-alleg…
Read 40 tweets
Profile picture
Ora Basta
@giuslit
Cristalline parole di @adam_tooze sull’assenza di significato economico dell’attuale discussione tra la Commissione e l’Italia. Una corsa folle in cui #Ue forse vincerà ed il giorno dopo si renderà conto di averci portato fuori dalla #UE. #thread
nytimes.com/2018/12/05/opi…
In qualsiasi modo finisca, quindi anche se Italia cedesse, le conseguenze politiche di questa disputa si riveleranno disastrose per l’Europa che si è messa a giocare un gioco pericoloso.
La pretesa della Commissione di chiederci tagli di bilanci fonda sull’assunto che il nostro Paese è in fase espansiva, quindi può sostenere dei tagli. Tutto ciò è in palese contraddizione con la realtà.
Read 12 tweets
Profile picture
Revathi Rajeevan
@RevathiRajeevan
#Thread
#Sabarimala #FemaleReporters
Those accusing our organisations of sending female reporters to gain trp, you should know this. When we give them the slightest hint that things are not okay, first thing they tell us is "waha se niklo fataafat (leave from there immediately).
Saw a tweet that said only national channel reporters were attacked. Not Malayalam channels (later they were also targetted), because the latter have common sense. Yes, they do. Because they know you well? For those outside, Kerala is/was god's own country full of literates. Hmm.
Most reporters covering south for national channels are women. Same with @thenewsminute . All 6 reporters covering 5 south Indian states for @CNNnews18 are women. When additional reporters are required during a major news event, reporters from the nearest bureau are sent.
Read 9 tweets
Profile picture
Carola Frediani
@carolafrediani
🔴Facebook ha avuto un problema di sicurezza che ha esposto 50 mln di utenti. Altri 40 a rischio. Per questo 90 mln di utenti devono fare di nuovo il login. Storia in divenire qui comunicato Facebook newsroom.fb.com/news/2018/09/s…
Facebook dice di non sapere origine o identità degli attaccanti e di dover valutare ancora la portata, riferisce il NYT. Ad essere stati sottratti i token di accesso attraverso una vulnerabilità (che sarebbe stata chiusa) nytimes.com/2018/09/28/tec…
No accesso a password, no accesso ai messaggi privati o alle carte di credito degli utenti, ha detto Facebook in conferenza stampa, aggiungendo di stare lavorando con l’Fbi. Comunque bruttissima storia. Info via Reuters
Read 12 tweets
Profile picture
Jikku Varghese Jacob
@Jikkuvarghese
#Thread #KeralaFloods Detailed thread to document the historic efforts of various online groups in rescue and relief operations. Trust me, Whatsapp and Google sheets were the powerful weapons we had. Pic: An online control room set by NRKs in house at Abu Dhabi (1/n)
It was the time we truly realised the power of social media and instant messaging services with regard to disaster management. Many were stranded on roof-tops without any other contact to the world other than their mobile phones. Whatsapp brilliantly solved the issue. (2/n)
Before going in detail let me point out the problem statements. 1) Govt issued some helpline numbers but most of them were busy with numerous calls 2) Thousands of SOS requests flooded in social media which were not addressed in a systematic manner, hence turned spams (3/n)
Read 26 tweets
Profile picture
Sarah Donaldson
@sarah_donaldson
#Facebook thread:
Ahead of Zuckerberg's Congress testimony, a quick revision guide.
All you need to know about Facebook (and why you should be concerned), brought to you by the Observer/Guardian's investigation into data and democracy...
Hard to believe it was less than a month ago that @carolecadwalla broke the story about GSR harvesting 50m+ Facebook profiles for @CamAnalytica to use in political campaigning:
Revealed: 50 million Facebook profiles harvested for Cambridge Analytica.. theguardian.com/news/2018/mar/…
Via the first major interview with @CamAnalytica whistleblower @chrisinsilico which explained Facebook had known about the leak for at least 18months and detailed Robert Mercer / Steve Bannon's central roles ‘I made Bannon’s psychological warfare tool’: theguardian.com/news/2018/mar/…
Read 26 tweets

Trending hashtags

#DarkToLight #Cohen #email #Khashoggi #Liberal #Kushner #KeralaFloods #Russians #RogerStoneArrest #emails #uncool #Republican #NeverAgain #MagnitskyAct #CambridgeAnalytica #Yemen #Black #khasoggi #Manafort #Lukoil #Assange #Reuters #RenaissanceTech #Airbnb #NewJersey
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!