Remember when I wrote an article called "Mobile Security Is An Oxymoron"? If you’re a normal first-world person, you would have forgotten it while you read it, because apparently that message is just too painful to hear.
Well, hear it again. This time it relates to the WikiLeaks cirque du jour. Looking at Bruce Schneier’s newsletter, I wondered if I could find anything about the CIA using phones as a vector for infiltration.
The first link was the WikiLeaks dump itself (maybe best to avoid that one). But the very next link was this New York Times article whose 6th paragraph suggests someone in the room may have just stepped in a huge pile of elephant dung. (Not that there’s an elephant in the room! There probably isn’t! Don’t panic!)
In one revelation that may especially trouble the tech world if confirmed, WikiLeaks said that the C.I.A. and allied intelligence services have managed to compromise both Apple and Android smartphones, allowing their officers to bypass the encryption on popular services such as Signal, WhatsApp and Telegram. According to WikiLeaks, government hackers can penetrate smartphones and collect "audio and message traffic before encryption is applied."
Of course my reaction to that is disbelief. Not at the revelation that smartphones are fundamentally insecure, which should be obvious to anyone who knows anything about computer security. My disbelief comes from knowing exactly how much this would trouble the tech world if confirmed. (Hint: it was immediately confirmed on first principles in 2007 and only one wingnut seemed to find it troubling.)
No, the tech world doesn’t care. They are in more denial than anyone. Of course ordinary people don’t care about cryptographic esoterica, but to know that the tech people have written this off as just a necessary price to be paid for the putative wonders of small computers is extremely troubling. The only argument here seems to be that "Well, everybody, really, billions of people, essentially everybody now has a guy in their attic listening to everything they do." (Don’t scoff.)
But should people who understand computer security accept this? Accept computers into their intimate lives that they do not control? Perhaps between Silicon Valley and the spook agencies, a critical mass of would-be defenders are working for the predators. That’s my only explanation.