Posted by mdhb 5 days ago

Ex-WhatsApp cybersecurity head says Meta endangered billions of users(www.theguardian.com)
346 points | 183 comments | page 2
sudahtigabulan 4 days ago
> In his whistleblower complaint, Baig is requesting reinstatement, back pay and compensatory damages, along with potential regulatory enforcement action against the company.

If the company is so bad (it is), why does he want back?!

'Just pay me the salaries I "missed", and keep them coming.' The regulatory action is just "potential".

I have no sympathy for Meta, but this guy...

saagarjha 4 days ago
Companies are not relationships where once they're your ex they are never worth interacting with ever again. If you are doing good work and then HR pushes you out, then it is reasonable to sue the company to get them to pay you damages and then go back to doing what you were before with the protection that they won't do it again.
sudahtigabulan 4 days ago
The point I tried to make was not that he should be resentful about being kicked out, but that he doesn't really care that Meta is unethical and endangers billions.

Even if nothing changes (the regulatory action is optional), he's happy to contribute (he insists, in fact). Even among people who don't want him there.

mapotofu 4 days ago
The points you’re making are personal attacks about the whistleblower. They don’t focus on the substance of the accusations (insecurity). Instead, they focus on your idea of their career motivations and their personality.
Nevermark 4 days ago
He got fired unjustly. For trying to do something good. (His position.)

Any full remedy would require that his position be reinstated.

If he wins the right to be reinstated, he will be happy to negotiate a payment instead. He is made whole.

What about any of that lacks sensible motives?

sudahtigabulan 4 days ago
Nothing, but there's something in your comment that was not in the article:

> he will be happy to negotiate a payment instead.

This, indeed, sounds way more normal than wanting to keep working for the evil company, and in a toxic environment.

It hasn't occurred to me that one can change their mind and choose a different compensation after the court decision like that.

Nevermark 3 days ago
Yes, it isn't stated because that point is moot until he is awarded remedy.

You don't negotiate with what you don't have yet. But the idea that he or they would actually want to resume working together is beyond unlikely. They will be happy to pay for him to go away, if that's the only way they can legally get rid of him.

skybrian 4 days ago
Maybe so he can quit properly? I wonder how these lawsuits work? Maybe a lawyer would know.
coppsilgold 4 days ago
When it comes to e2e encryption it's important for the ends to be static (not web apps) and auditable (open source, reproducible builds) because the software running on the ends can trivially compromise anything going through either of them. It can be as simple as a script being loaded from the server into a runtime such as Lua (closed source app). Or custom JavaScript delivered (web app).

When these conditions aren't met, any e2e encryption claim can be dismissed out of hand. This does not mean the service offers no value, it just means it cannot be trusted to keep anything confidential.

alex1138 5 days ago
I've seen some people right here on HN say that WhatsApp was an inspired acquisition and Zuck is a great product guy, knows what to buy and who to hire.

Counterpoint: he's a monopolist and scummy person (https://news.ycombinator.com/item?id=1692122) who refuses to stop (https://arstechnica.com/tech-policy/2019/09/snapchat-reporte...) from the early days onwards (https://news.ycombinator.com/item?id=1169354)

https://news.ycombinator.com/item?id=15007454

mgh2 5 days ago
> A Meta spokesperson, Andy Stone, wrote on Threads, the company’s text-based social network: “Sadly this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team.”

Skeletons keep piling up while PR tries to dismiss them.

neilv 5 days ago
That quote is brilliant.

Corporate communications has playbook damage control responses, and this quote seems to be suggesting that the quoted response is one of them (it's "familiar").

Whether "former employees" are sketchily operating from playbooks, who knows. Because PR playbook-sounding statements don't have a lot of credibility.

Nevermark 4 days ago
Innocent until proven guilty.

Or the PR team undermines their own credibility with a stock and specious fact-free non-response.

I think the point of these is to dodge the even guiltier look of “no comment”. And signal there won’t be any potentially costly cooperative engagement from their side to their shareholders.

They don’t expect to be believed.

palata 5 days ago
I hate Meta as much as the next person, but it feels like "endangering billions of users" is exaggerating here. The complaint is pretty much that WhatsApp engineers can access metadata (NOT the content of the messages).

This said, WhatsApp is not open source, so it's impossible for users to verify how the encryption works, so users have to trust that it's properly end-to-end encrypted.

If you care about privacy (and you should), then you should use Signal instead of WhatsApp.

ryandrake 5 days ago
The metadata of someone's communications can be almost as damning as the content. I would guess that if the FBI could merely have a list of who their suspect contacted over an app, and when, they'd have 90% of what they wanted.
rhizome 4 days ago
My understanding is that in the vast majority of investigations law enforcement will be satisfied in learning only who you're talking to, i.e. "just metadata" is fine, and dangerous.
3eb7988a1663 4 days ago
It seems reasonable. Even those who are sloppy with their opsec probably do not detail the entirety of the plan via digital mechanisms. Being able to identify likely collaborators is probably sufficient to infer some specifics of an activity.
palata 4 days ago
> I would guess that if the FBI could merely have a list of who their suspect contacted over an app, and when

Well with WhatsApp they most definitely can, but it has never been a secret. WhatsApp always had access to the metadata (whereas Signal makes a lot of effort to reduce the metadata they have access to). In ~2016 WhatsApp integrated the Signal protocol to add end-to-end encryption, but did nothing about the metadata.

Again: if you care about privacy, use Signal.

mynameisash 4 days ago
> The complaint is pretty much that WhatsApp engineers can access metadata (NOT the content of the messages).

I don't even take this statement at face value. It's trivially easy to include models on client side that can do some message classification and treat that as "metadata" that would give insight into the content of the message.

alehlopeh 4 days ago
Metadata includes notifications, which often include the text of the message.
palata 4 days ago
Pretty sure this is wrong, at least in the case of WhatsApp.

If an app sends the message content in clear through the notifications, then it is badly designed, period.

varenc 4 days ago
Agreed. As I recall, the way notifications work on Signal/WhatsApp is that the app receives a silent notification that wakes it up, then the app does its crypto thing, and then it locally triggers the notification with the decrypted content you see. In iOS land your app needs a special entitlement to work this way. It also means if you're in very heavy group chats your battery will drain faster.

If WhatsApp central servers could push a notification to your phone that contained your actual message content, it couldn't be E2EE.

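The flow varenc describes (silent push, local decrypt, local notification) and the earlier point by ryandrake and palata that the relay still sees who talks to whom and when, as an added simulation that is not code from the thread or from WhatsApp/Signal. It assumes a per-conversation key already agreed between the two devices and uses a toy HMAC-SHA256 keystream plus tag in place of a real AEAD so it runs on the standard library alone.

```python
# Added illustration, not from the thread or from any messenger's code base.
# Assumptions: the conversation key was agreed earlier (e.g. via the Signal
# protocol) and lives only on the two devices; the cipher below is a toy
# HMAC-SHA256 keystream + tag standing in for a real AEAD (stdlib-only demo).
import hashlib
import hmac
import os
import time


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Derive n pseudo-random bytes from key+nonce (counter mode over HMAC)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> dict:
    """Sender device: encrypt, then MAC nonce||ciphertext. Output is opaque to the relay."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(key: bytes, env: dict) -> bytes:
    """Recipient device: verify the tag first, then decrypt; reject tampering."""
    nonce, ct, tag = (bytes.fromhex(env[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: envelope tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def server_push(sender: str, recipient: str, envelope: dict) -> dict:
    """Everything the relay handles and can log: routing metadata plus opaque bytes."""
    return {"from": sender, "to": recipient, "ts": int(time.time()), "payload": envelope}


def server_view(push: dict) -> dict:
    """What the relay actually learns: who, to whom, when. Never the text."""
    return {k: v for k, v in push.items() if k != "payload"}


def client_notification(key: bytes, push: dict) -> dict:
    """Device side: the silent push wakes the app, which decrypts and builds the banner locally."""
    return {"title": f"Message from {push['from']}", "body": unseal(key, push["payload"]).decode()}
```

The relay's log (`server_view`) is exactly the "just metadata" the thread argues is already damning; the notification text exists only on the two devices.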
alehlopeh 4 days ago
Fair point. For E2EE messaging apps, metadata often includes encrypted message content. As others have stated, the unencrypted metadata (e.g. message recipient) can potentially be damning enough on its own.
tamimio 4 days ago
I never trusted fecebook which is why I never created an account or used any of its products (old Instagram placeholder only), except last year, I made a small startup and wanted to use Instagram to promote it. Despite using the other old account to avoid potential false flagging as spam, immediately after creating it I got banned and had to submit a personal picture holding a book or whatever to verify I am real. I did that although it's not a personal account. Regardless, a few seconds after submitting the picture and verifying my number it got permanently banned. So far this is understandable, maybe it's all an automated process which is expected. However, I wanted to get in touch with support, in any form or shape, only to find out that there's none, and apparently the only way to actually fix something within fecebook is knowing someone who knows someone who works there. LOL, really big LOL!! A company that size operating like an underground syndicate is a total joke and totally untrustworthy. Bottom line: Never trust anything from fecebook, no matter what they say, do not.
ipython 5 days ago
I’m sure WhatsApp’s recent “secure by design” media and ad blitz is totally unrelated to these accusations …
1vuio0pswjnm7 4 days ago
Baig v Meta Platforms, Inc.

Complaint:

https://storage.courtlistener.com/recap/gov.uscourts.cand.45...

kelipso 4 days ago
Wasn't it using WhatsApp that got a bunch of people droned by Israel? You should just assume your metadata at the very least is getting leaked to all US-friendly intelligence agencies if you are using a US-based service.