The Ultimate Bad Take: Bloomberg's Leonid Bershidsky Thinks A WhatsApp Vulnerability Proves End To End Encryption Is Useless

from the no,-no,-wrong,-wrong dept

Bloomberg has really been on a roll lately with getting security stories hellishly wrong. Last fall it was its big story claiming that there was a supply chain hack that resulted in hacked Supermicro chips being used by Amazon and Apple. That story has been almost entirely debunked, though Bloomberg still has not retracted the original. Then, just a few weeks ago, it flubbed another story, claiming that the presence (years ago) of telnet in some Huawei equipment was a nefarious backdoor, rather than a now obsolete but previously fairly common setup on lots of equipment for remote diagnostics and access.

The latest is an opinion piece, rather than reporting, but it's still really bad. Following yesterday's revelation that a serious security vulnerability had been discovered in WhatsApp, opinion columnist Leonid Bershidsky declared it evidence that end-to-end encryption is pointless. This is, to put it mildly, a really, really bad take. The whole article is a confused jumble of mostly nonsense, mixed with stuff that was already widely known and irrelevant:

The discovery that hackers could snoop on WhatsApp should alert users of supposedly secure messaging apps to an uncomfortable truth: “End-to-end encryption” sounds nice — but if anyone can get into your phone’s operating system, they will be able to read your messages without having to decrypt them.

Um. Duh? The whole point of end-to-end encryption is that it protects messages in transit, not at rest on the devices at either end. That's the whole "end-to-end" bit: at the ends, the message is decrypted. You can also encrypt content on a device -- this is what the FBI is so annoyed about regarding Apple's iPhone encryption -- but to argue that end-to-end encryption is pointless because it doesn't do what it was never supposed to do in the first place is crazy.
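A constructed Python sketch, added here as an illustration and not code from the article, WhatsApp or the Signal protocol, makes that boundary concrete: the relay in the middle sees only opaque bytes and cannot alter them undetected, while the recipient's device necessarily holds the plaintext once decrypt() returns, which is exactly where on-device malware reads it. The cipher is a toy built from HMAC-SHA256 so the example needs only the standard library; the key, sample message and function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Toy end-to-end encryption for illustration only (constructed here; not the
# Signal-protocol code WhatsApp actually uses): an HMAC-SHA256 keystream XORed
# over the message, plus an HMAC tag so in-transit tampering is detected.
NONCE_LEN = 16
TAG_LEN = 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        block_input = b"enc" + nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(shared_key: bytes, plaintext: bytes) -> bytes:
    """Runs on the sender's device: plaintext goes in, opaque bytes come out."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(shared_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(shared_key, b"mac" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt(shared_key: bytes, blob: bytes) -> bytes:
    """Runs on the recipient's device. Once this returns, the plaintext sits in
    the app's memory, readable by anything with OS-level access on that device."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(shared_key, b"mac" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext was modified in transit")
    ks = _keystream(shared_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))

def relay_view(blob: bytes) -> dict:
    """What the messaging server or a network tap sees: a length and opaque bytes."""
    return {"bytes_seen": len(blob), "payload": blob[NONCE_LEN:-TAG_LEN]}

def tamper_detected(shared_key: bytes, blob: bytes) -> bool:
    """True if the recipient rejects a blob that was altered on the way."""
    try:
        decrypt(shared_key, blob)
    except ValueError:
        return True
    return False

def run_demo() -> tuple:
    shared_key = secrets.token_bytes(32)            # constructed: agreed on by both ends
    message = b"meet at nine, bring the documents"  # constructed sample message
    on_the_wire = encrypt(shared_key, message)
    flipped = bytearray(on_the_wire)
    flipped[NONCE_LEN] ^= 0x01                      # a relay altering one byte
    return (relay_view(on_the_wire)["payload"] == message,  # relay reads it? False
            decrypt(shared_key, on_the_wire) == message,    # endpoint reads it? True
            tamper_detected(shared_key, bytes(flipped)))    # tampering caught? True
```

Nothing in the relay's view lets it recover the message, and nothing in the encryption stops a process on the recipient's device from reading what decrypt() handed the app; those are two different threats.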

It gets worse:

“End-to-end encryption” is a marketing device used by companies such as Facebook to lull consumers wary about cyber-surveillance into a false sense of security.

It is true that some people confuse "end-to-end encryption" with perfect security, which it is not. But it is simply wrong (laughably so) to say that it's merely a "marketing device." In actuality, end-to-end encryption is a hugely important part of what keeps your data protected when you communicate online. It provides real security under the conditions it's designed for -- and not under other conditions, such as the compromised device this hack takes advantage of.

Bershidsky complaining about on-device malware reading your WhatsApp messages as being evidence that end-to-end encryption is pointless is like arguing that you should never wear seatbelts because they won't protect you if you drive off a cliff. Seatbelts protect you in lots of common scenarios, but might not protect you in extreme scenarios like driving off a cliff. And end-to-end encryption protects you in lots of messaging scenarios, but won't protect you if someone can install something directly on your device.

The tug of war between tech firms touting end-to-end encryption as a way to avoid government snooping and state agencies protesting its use is a smokescreen. Government and private hackers are working feverishly on new methods to deploy malware with operating system-wide privileges.

It's not a "smokescreen." It's dealing with one type of attack. It's bizarre to suggest that end-to-end encryption is useless because there are some advanced ways that people can get around it, ignoring all the other ways that it helps protect most people. End-to-end encryption does much more to protect tons of people, and saying that we can ignore it just because it doesn't stop all attacks is really dangerous.

Bloomberg should be ashamed to be publishing such dangerous nonsense. It is the equivalent of anti-vax nonsense, telling people not to protect themselves.

Filed Under: at rest, cybersecurity, encryption, end to end encryption, in transit, leonid bershidsky, vulnerabilities
Companies: bloomberg, facebook, whatsapp


Reader Comments


  • Stephen T. Stone (profile), 14 May 2019 @ 12:15pm

    It is the equivalent of anti-vax nonsense

    Would that make end-to-end encryption “anti-hax”?


  • Anonymous Coward, 14 May 2019 @ 12:18pm

    How much are the security services paying them to publish this nonsense, as they will benefit if people are scared away from encryption.


    • Anonymous Anonymous Coward (profile), 14 May 2019 @ 12:51pm

      Re:

      Nothing, this kind of reporting is part and parcel of the stenography service offered by big media to the government...for access.


  • Bamboo Harvester (profile), 14 May 2019 @ 12:38pm

    Reminds me....

    ...of a friend who discovered it was possible to open his fancy electronic safe if you had access to the battery compartment.

    YES, it can be done. On a bench, with several million dollars of gear and a lot of computing time.

    I told him that if he was worried about that level of "hacking", he's already so screwed he shouldn't worry about it.


    • Anonymous Coward, 14 May 2019 @ 1:33pm

      Re: Reminds me....

      YES, it can be done. On a bench, with several million dollars of gear and a lot of computing time.
      I told him that if he was worried about that level of "hacking", he's already so screwed

      The gear cost and technical difficulty might protect him. Don't count on computing time as a deterrent. The bad guys can use botnets for that.


      • Bamboo Harvester (profile), 14 May 2019 @ 1:56pm

        Re: Re: Reminds me....

        My point to him, and in regards to this article, is that the amount of man-hours and tech required to open the safe or intercept and decrypt an end to end encrypted data transfer means...

        ...If you have a legitimate worry about it, you're already under a microscope by the NSA, CIA, FBI, and every other TLA group.

        NOTHING is secure if you've got the money, manpower, etc. to unsecure it. You take reasonable precautions - enough that your neighbors can't see or read it, and, preferably, that the local law enforcement can't easily break.


        • Scary Devil Monastery (profile), 15 May 2019 @ 3:44am

          Re: Re: Re: Reminds me....

          "NOTHING is secure if you've got the money, manpower, etc. to unsecure it. You take reasonable precautions - enough that your neighbors can't see or read it, and, preferably, that the local law enforcement can't easily break."

          True enough. For most apartment doors a simple crowbar WILL break them down in short order. And yet no one has ever earnestly suggested upgrading that standard because the status quo serves well to discourage casual would-be trespassers/thieves - which for most people is all they'll ever risk encountering.

          And that's the same with computer security. As long as circumventing your security takes any effort at all you will remain reasonably safe as long as you aren't a high-profile target at which point it's dubious if anything will keep you safe.


          • Bamboo Harvester (profile), 15 May 2019 @ 8:16am

            Re: Re: Re: Re: Reminds me....

            "True enough. For most apartment doors a simple crowbar WILL break them down in short order."

            Not any of my apartments. Vertical bolts aren't all that expensive and are simple to install.

            Like I said, reasonable precautions.

            And, before some AC jumps me on them, YES, they do add to the value, therefore I can charge higher rents - because of the sense of higher security.


            • Scary Devil Monastery (profile), 16 May 2019 @ 6:47am

              Re: Re: Re: Re: Re: Reminds me....

              "Not any of my apartments. Vertical bolts aren't all that expensive and are simple to install."

              Unless the door itself is pretty well built - made of steel, for instance, a healthy adult with a proper tool can still take it down.

              The point being that a door - or window - WILL be defeated by anyone who insists on getting in and is willing to bring a crowbar, sledgehammer, or ladder. That said there's a difference between a door you can stomp open with a few full-weight kicks and one requiring a 12-lb sledge or heavy crowbar to open.

              My point being that reasonable precautions will ward off every casual would-be intruder, while still remaining useless vs any determined intruder.


          • Anonymous Coward, 15 May 2019 @ 8:21am

            Re: Re: Re: Re: Reminds me....

            For most apartment doors … the status quo serves well to discourage casual would-be trespassers/thieves … And that's the same with computer security. As long as circumventing your security takes any effort at all you will remain reasonably safe as long as you aren't a high-profile target

            That's really not true, and automation is the difference (plus a lower risk of getting caught). If a million houses have the same cheap lock, there aren't enough criminals to break into all of them. But you might be surprised how quickly an unpatched Windows XP installation or old router will be compromised after connecting to the internet. Untargeted attacks are much more likely to hit you in the digital realm—ransomware for example.


            • Scary Devil Monastery (profile), 16 May 2019 @ 6:54am

              Re: Re: Re: Re: Re: Reminds me....

              "That's really not true, and automation is the difference (plus a lower risk of getting caught). If a million houses have the same cheap lock, there aren't enough criminals to break into all of them. But you might be surprised how quickly an unpatched Windows XP installation or old router will be compromised..."

              I wouldn't be surprised, no. If your OS is badly patched and your firewall is leaky then you're already deep in "no effort required" territory.

              If compromising your PC requires anything more than someone somewhere running random port scans however, you're fairly safe - until someone deliberately targets your specific PC.

              In the example mentioned in the OP Bloomberg actually states a scenario where you already have a compromised PC as a reason not to trust end-to-end encryption. Which assumes that from the get-go you've already messed up very basic security measures to begin with.


      • Scary Devil Monastery (profile), 15 May 2019 @ 3:38am

        Re: Re: Reminds me....

        "The gear cost and technical difficulty might protect him. Don't count on computing time as a deterrent. The bad guys can use botnets for that."

        It's a pretty simple equation, really. If the potential intruder has access to the lock for an extended period of time, that lock will be opened. It's why DRM is such an inherently flawed concept.

        When it concerns a physical safe the real security comes from two things - that it will take a long time to unlock without the key or code, and that it's too cumbersome to easily remove from the premises.


  • discordian_eris (profile), 14 May 2019 @ 12:43pm

    Bloomberg has acquired the same reputation as Tim Wakefield, and its so-called "tech reporting" should be treated the same way.


  • Anonymous Coward, 14 May 2019 @ 12:48pm

    He's not wrong. If someone points this kind of firepower at you, end-to-end encryption will do absolutely nothing for you. Then again, you're probably not that interesting. In which case end-to-end encryption will most likely do nothing for you. There is a very narrow zone of being "not quite interesting but of some interest" where end-to-end encryption might just do exactly what you hope it will do for you, and almost none of us are in it.


    • Anonymous Coward, 14 May 2019 @ 1:02pm

      Re:

      Literally nobody anywhere is suggesting that end-to-end encryption is a panacea, or that it negates the need for defense-in-depth or proper opsec.

      He's wrong, and so are you.


    • Scary Devil Monastery (profile), 15 May 2019 @ 3:51am

      Re:

      "He's not wrong. If someone points this kind of firepower at you, end-to-end encryption will do absolutely nothing for you. Then again, you're probably not that interesting."

      Well, when you're discussing actual on-device malware the analogue in the real world would be that of trying to secure your apartment while an accomplice of the would-be burglar is sitting on your couch drinking tea and waiting calmly for you to go to bed so he can open the door.

      There are plenty of ways to compromise a PC to the point where encryption won't matter since there's a malware app reading your keystroke inputs and streaming your monitor cam to an undisclosed recipient...

      ...even so that's not an argument against end-to-end encryption.

      It's an argument for sensible security habits. Noscript/ublock as a permanent browser addon, not installing untrusted applications, never running or opening downloads without an AV scan, etc.


      • Anonymous Coward, 15 May 2019 @ 8:22am

        Re: Re:

        not installing untrusted applications

        What does this mean? To a computer security professional, any application that can compromise your security is "trusted" by definition. To a layperson, I don't think it means much of anything; how should they decide what's "untrusted"?


        • Scary Devil Monastery (profile), 16 May 2019 @ 7:01am

          Re: Re: Re:

          "To a layperson, I don't think it means much of anything; how should they decide what's "untrusted"?"

          Trust, but Verify.

          Before installing any app, run it past your regular AV and a separate malware-dedicated client. Spybot or Malwarebytes, for instance.
          And never be a beta tester - installing an app on release day. Make sure it's past its first few weeks.

          Be aware that if the site you got the app from seems shady, with some odd, obviously RNG-generated URL or which offers a deal too good to be true...then it probably is just that.

          Online as offline you can't ever guarantee your safety. But you CAN avoid being an easy mark.


  • Pixelation, 14 May 2019 @ 12:49pm

    On that note...

    A Boeing plane crashed, all planes are useless!


    • Anonymous Coward, 14 May 2019 @ 1:01pm

      Re: On that note...

      Even worse. A Boeing plane crashed, so your Toyota's airbags and seatbelts are useless.


    • Scary Devil Monastery (profile), 15 May 2019 @ 3:53am

      Re: On that note...

      "A Boeing plane crashed, all planes are useless!"

      More like "If the pilot is drunk or stoned the plane will likely crash. Therefore air travel is hazardous and useless".

      It's not an honest argument Bloomberg's using there.


  • Bob, 14 May 2019 @ 1:01pm

    Sounds like Bloomberg's Leonid Bershidsky is a fucking hack.


  • Agammamon, 14 May 2019 @ 1:43pm

    Isn't Bloomberg the guys who have twice now cried wolf over Chinese supply chain hacking?

    I wouldn't take anything they say regarding technology seriously.

    Don't take this as me crapping on 'fucking Millennials' as a group, but from what I'm seeing in journalism they just . . . they just all suck.

    No standards, and there doesn't seem to be any editors or sub-editors checking their work. Bloomberg is just putting out longer versions of click-bait articles with no care as to the damage it's doing to the publication's reputation as long as it gets people talking (and linking).


    • Agammamon, 14 May 2019 @ 1:45pm

      Re:

      Though it turns out, that this particular guy is my age. So I guess he's just a hack. They're everywhere.


      • Jeffrey Nonken (profile), 14 May 2019 @ 6:15pm

        Re: Re:

        47? Pfft. Kids these days.

        Young punks. Get off my phone!


        • Bamboo Harvester (profile), 15 May 2019 @ 1:08pm

          Re: Re: Re:

          Hey, I like it when the former firebrand "activists" hit about forty, and the week or so after they've sent their kids across the country to college realize...

          ...THEIR parents sent THEM off to college like that to get RID of them and their "causes" for a few years while they grew up...

          /s


  • Jeffrey Nonken (profile), 14 May 2019 @ 6:21pm

    He should google The Nirvana Fallacy, then give up on technical journalism and go live in a yurt.


  • Anonymous Cowherd, 15 May 2019 @ 4:10am

    “Locking your door” sounds nice — but if anyone can get into your house, they will be able to steal your stuff without having to unlock it.


  • Anonymous Coward, 15 May 2019 @ 4:42am

    Close Leonid, but ...

    So, end-to-end is working fine, but someone has compromised your phone. Leonid goes "end-to-end doesn't work". Dude, just ditch the phone.
