Re: Social-media antipathy (was Re: How i can optimize my operating system?)



On Thu, 18 Mar 2021 12:49:27 -0300
riveravaldez <riveravaldezmail@gmail.com> wrote:

> I'm getting pretty confused with these statements.
> 
> On 3/18/21, Celejar <celejar@gmail.com> wrote:
> > (...)
> > I definitely share your concerns about Facebook (although perhaps not
> > quite your vehemence), but making **blatantly incorrect** assertions like
> > the claim that Facebook is one of the ends of WhatsApp's E2E encryption
> > does not help our cause.
> (...)
> > WhatsApp **apparently** has genuine end-to-end encryption, using the
> > Signal protocol, and neither of the ends is Facebook.
> >
> > Of course, it's closed source, so **we can't know for sure what's really
> > in there**, and I certainly won't use it, but as far as **anyone knows**, it
> > is **the real deal**:
> 
> I added all the '**' to emphasize with precision what I find unacceptable.
> Taking them as a whole they are simply absurd, in a very rigorous, logical
> sense.
> 
> Am I wrong in this, and altogether they form a serious and reasonable
> argument?
> 
> Because as far as I used to know, once you put one foot in closed-source
> clients territory you're no longer speaking about security but insecurity.
> The whole discussion becomes irrelevant, you're simply **having faith**
> - **in Facebook**, to make it even more intense - , which is, by definition,
> the opposite of reason, science or self-verified-security.
> 
> Is it that I'm completely wrong in this?
> 
> How can anyone **know** that WA's claimed E2E encryption is **the real
> deal**?

I agree that no one "knows," in the sense of absolute epistemological
certainty. But we don't live our lives based upon epistemological
certainty - we make assumptions, or assign rough probabilistic weights
to the likelihood of various things.

Is an open source communications software package worthless if the
hardware it's running on isn't open and hasn't been audited? You
certainly can't "know" that it's secure! And even if all your hardware
and software is open, if you haven't audited it *yourself*, how can you
"know" it's secure? The answer is trust - you trust that someone would
notice problems if there are any, and that the auditors aren't lying,
and you assign a low probability to the contrary possibilities.

In the same vein, someone might reasonably assume that if Moxie talks
like this about WhatsApp, then it is likely trustworthy:

https://signal.org/blog/whatsapp/
https://signal.org/blog/whatsapp-complete/

(Of course, the first one is from around the very beginning of the
Facebook days, and the second one is still five years ago.)

The bottom line: no, I don't "know" that WhatsApp is secure, but
neither do I "know" that anything I run is. One makes decisions about
what to use based upon a variety of criteria, including how much one
trusts various people and institutions.

And FWIW, I don't use WhatsApp, in part because I don't trust it /
Facebook - but not primarily because I think they may be blatantly lying
about E2E, but more because of more subtle implementation details and
decisions that I, who am not a cryptographer, won't even think to
consider or fully understand.

Celejar

