Hacker News new | past | comments | ask | show | jobs | submit login

> The letter to Judge Kimba Wood stated that "the Government was advised that the FBI’s original electronic extraction of data from telephones did not capture content related to encrypted messaging applications, such as WhatsApp and Signal... The FBI has now obtained this material."

I don't get this. How could you possibly decrypt encrypted messages without WhatsApp or Signal's assistance?

Isn't the whole point of encryption that no-one can decrypt it unless they have the necessary keys?




Encryption in transit doesn't imply encryption at rest.

For instance, WhatsApp on Android will happily back up to Google Drive, if you allow it, and it does so in cleartext.


Media backups are not encrypted, but data is.

Backup key security is compromised by usability concerns (the need to restore the backup to a new phone without the old one).

https://blog.elcomsoft.com/2018/01/extract-and-decrypt-whats...


Ah, I know WhatsApp warns you about setting up backups that it's not subject to encryption, but I guess I took that to be the entirety and not just media. Which is still a big gap, since in 2018 we share lots of media in chats.

In any case you are right that if you can restore an "encrypted" backup onto a fresh phone without any info from the old one, then all the bits necessary to do are held by parties who can be legally compelled to give them up.


Last I checked it was really easy to get data out of a WhatsApp backup.

No special skills needed except running locating the file, running a command and connecting using SQLite or something.


Nothing on Google Drive is stored "in clear text".


If I put a file with certain content into Google Drive, then Google Drive, or a subpoena for my Google Drive data, will return exactly those contents.

Hence, it is reasonable to apply any distinction to the content as a user of Google Drive sees it, and not as it may be stored on the backend. Hence, if the data WhatsApp pushes to the Google Drive API is unencrypted (and we're talking about the data, not about the HTTPS-encapsulated form that passes over the network), it is reasonable to call it "in clear text", and it wouldn't be reasonable to call it encrypted.


It's clear to Google.


Unless you control the encryption keys in the communication, always assume it's accessible in plaintext.


...are you a Google Drive dev? How can you possibly make this statement?


It's maybe not stored in clear text, but it is at the very least stored in a form that Google can decrypt.

They would not be able to recover your data upon requesting a password reset, if they used proper end-to-end-encryption.


I'm pretty sure anything public on Google Drive is...


They probably decrypted it on the device through some brute force methods. This may be easy or difficult depending on the passcode/PIN used by the user on the device. This is a weak point from the user's side. They may have also obtained this from backups elsewhere that weren't encrypted or strongly encrypted.

There is no indication that they decrypted anything by breaking into the end-to-end transport/network encryption used by these apps.

P.S.: Your honest question (which wasn't snarky) was downvoted by some people for reasons I don't understand. Upvoted in an attempt to compensate. Such questions and responses can help more people learn about encryption and the protections necessary at different stages/layers.


>Isn't the whole point of encryption that no-one can decrypt it unless they have the necessary keys?

But if the person who knows the relevant keys willingly hands over appropriate passwords/etc. for a more lenient sentence then encryption is moot.


What a great point. They don't even have to publicize it, officially they just got the data by good hacking.


I haven't used Whatsapp or Signal, but you don't login every time you use the chat app, right? The phone could have just been unlocked by the owner or the PIN or pattern guessed, assuming the keys are stored on the device.


They are very different platforms, Signal offers on-device encryption if you choose to enable it, prompting for a password when starting Signal after rebooting the phone. It will also keep a quick lock option in the menu on Android phones so you can easily prevent unauthorized access.

I believe Whatsapp has made a few compromises in this regard, but obviously Michael Cohen didn't bother to use disappearing messages in Signal or encrypt his Signal DB, despite how easy it is to do.


This is a common misconception apparently, one that I've fallen prey to myself in the past. Signal removed the option to use the password lock and now uses Android's built-in lock screen functionality to provide auth.

That screen was never meant to serve an encryption role and Moxie recommends using Android's full disk encryption feature to ensure data confidentiality at rest.


You can also set Signal to ask for a password after a certain time.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: