
The Isoblog. Posts

What data does WhatsApp collect

Hangout opens.

S: Good morning, Kris, please excuse me. You are using WhatsApp, I presume.

If so, how are you dealing with the problem of WhatsApp uploading the address book? Ignore it? Change config? Edit address book contacts?

Why I am asking: by not using WhatsApp, I am more and more out of the loop (school, parents, sport clubs, etc). At the moment I am trying to resist, probably being the last person on Planet Earth doing that.

Kris: Just use it. ‘Complete upload of the address book’ is untrue, and uninformed bullshit, btw. WhatsApp hashes stuff, and uploads the hashes. Hashes equal -> match.

Kris: What does WhatsApp collect (Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA) dating from 2013)

Out-of-network numbers are stored as one-way, irreversibly hashed values. WhatsApp uses a multi-step treatment of the numbers, with the key step being an “MD5” hash function. The phone number and a fixed salt value serve as input to the hash function, and the output is truncated to 53 bits and combined with the country code for the number. The result is a 64-bit value which is stored in data tables on WhatsApp’s servers.

The findings complain about that, because it is not perfect, but I personally believe that to be a pretty good compromise, making you discoverable without pasting the actual numbers all over the place.

S: Thanks, didn’t know that. Problem solved.

12 Comments
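The hashing scheme quoted in the WhatsApp post above, implemented as an added example (not WhatsApp's code): MD5 over a fixed salt and the number, truncated to 53 bits and combined with the country code into one 64-bit value, plus the "hashes equal -> match" discovery step. The salt, the input order (salt first), the bit layout (country code in the top 11 bits) and the sample numbers are all constructed assumptions, since the findings do not state them.

```python
import hashlib

# The fixed salt WhatsApp used is not public; this value is a constructed placeholder.
DEMO_SALT = b"constructed-demo-salt"

HASH_BITS = 53            # the findings say the MD5 output is truncated to 53 bits
CC_BITS = 64 - HASH_BITS  # the remaining 11 bits carry the country code (layout assumed)


def hash_number(country_code: int, national_number: str, salt: bytes = DEMO_SALT) -> int:
    """Hash one out-of-network number as the 2013 PIPEDA findings describe it:
    MD5 over (salt + number), truncated to 53 bits, then combined with the country
    code into a single 64-bit value. Input order and bit layout are assumptions."""
    if not 0 < country_code < (1 << CC_BITS):
        raise ValueError("country code does not fit in %d bits" % CC_BITS)
    if not national_number.isdigit():
        raise ValueError("national number must be digits only")
    digest = hashlib.md5(salt + national_number.encode("ascii")).digest()
    truncated = int.from_bytes(digest[:8], "big") >> (64 - HASH_BITS)  # first 53 bits
    return (country_code << HASH_BITS) | truncated


def country_code_of(value: int) -> int:
    """The country code is not hashed, so it is readable from the stored value."""
    return value >> HASH_BITS


def match_uploaded(server_hashes, address_book):
    """Server-side discovery: an uploaded entry matches when its hash equals a stored
    hash ('hashes equal -> match'). Only hashes, not numbers, leave the client."""
    return [entry for entry in address_book if hash_number(*entry) in server_hashes]


def demo():
    # Constructed sample: two numbers already known to the server, one that is not.
    server_hashes = {hash_number(49, "1701234567"), hash_number(1, "5551234567")}
    address_book = [(49, "1701234567"), (44, "7700900123"), (1, "5551234567")]
    return match_uploaded(server_hashes, address_book)


if __name__ == "__main__":
    # The caveat behind the findings' complaint: national numbers form a small,
    # structured space, so a fixed salt does not make the stored values unguessable
    # for a party that holds the salt.
    for cc, number in demo():
        print("+%d %s is already known: %016x" % (cc, number, hash_number(cc, number)))
```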

Mac OS 10.12 and ssh

Yeah, I know, it’s old, but I need this mostly as a memo to self: ssh key handling changed between MacOS 10.11 and 10.12.

What you probably want is the following magic in a generic Host block of your machine’s ~/.ssh/config or /etc/ssh/ssh_config:

Host *
  # Do not persist passphrases in the macOS keychain
  UseKeychain no
  # Add keys to the running ssh-agent the first time they are used
  AddKeysToAgent yes

This stores your SSH keys in the agent, so you enter the passphrase only once per session. It does not persist the keys on the machine, so you have to authenticate and unlock the keys once after each restart.

Getting rid of persisted keys is complicated and requires some SQLite magic.

# Remove all identities from the agent; -K extends this to the keychain-stored passphrases
ssh-add -D -K
# Delete any passphrases still persisted in the keychain databases
for f in ~/Library/Keychains/*/keychain-2.db
do
  sqlite3 "$f" "delete from genp where agrp = 'com.apple.ssh.passphrases';"
done

2 Comments

Yay, backdoors

The EFF reminds us that the general direction of current US politics is full steam backwards, and damn the torpedoes.

Trump’s nominee for Attorney General, Sen. Jeff Sessions, said on the topic of encryption backdoors:

Encryption serves many valuable and important purposes. It is also critical, however, that national security and criminal investigators be able to overcome encryption, under lawful authority, when necessary to the furtherance of national-security and criminal investigations.

The EFF comments:

Despite Sessions’ “on the one hand, on the other” phrasing, this answer is a clear endorsement of backdooring the security we all rely on. It’s simply not feasible for encryption to serve what Sessions concedes are its “many valuable and important purposes” and still be “overcome” when the government wants access to plaintext.

So we are set to repeat the discussions from the crypto wars 25 years ago all over again. Math does not change, and neither do the realities of key management.

6 Comments

Secure defaults kind of matter…

snyk writes on secure defaults:

Before version 2.6.0 the hipster data “store” MongoDB did not require authentication by default (wait, what?) and also bound to * instead of 127.0.0.1.

As a result, by default, each MongoDB data “store” has been accessible from the entire internet.

Scanners such as Shodan provide an index to all such MongoDB installations on the entire Internet. Enterprising anonymous “hackers” have monetized this opportunity by accessing these installations over the Internet, encrypting the data and then accepting Bitcoin for the decryption password – or scamming the installation’s owner, assuming that people who put production data on internet-wide installations with unauthenticated access deserve to be conned and then conned over again.

Other hipster data stores, including Elasticsearch, CouchDB and Redis, are known to have similar access properties. NoSQL might actually mean “NoSequrity”.
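An added example (not from snyk or the MongoDB project) that checks a legacy key = value mongod.conf for the two weak defaults the post names, bind-to-everything and no authentication, next to the hardened settings. The keys bind_ip, auth and noauth are the legacy pre-YAML names; both sample configs are constructed, and treating a missing bind_ip as exposed follows the post's statement about the pre-2.6.0 default.

```python
# Constructed sample configs in the legacy "key = value" mongod.conf format used before 2.6.
EXPOSED_CONF = """\
# mongod.conf (constructed): the pre-2.6 defaults written out
port = 27017
bind_ip = 0.0.0.0
noauth = true
"""

HARDENED_CONF = """\
# mongod.conf (constructed): listen locally and require authentication
port = 27017
bind_ip = 127.0.0.1
auth = true
"""

ALL_INTERFACES = {"0.0.0.0", "*", "::"}


def parse_legacy_conf(text):
    """Parse 'key = value' lines; '#' starts a comment, blank lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value
    return settings


def audit_mongod_conf(text):
    """Return the findings a reviewer would raise: bind-all and authentication off.
    A missing bind_ip means the built-in default applies, which the post says was
    bind-to-everything before 2.6.0, so absence is treated as exposed (assumption)."""
    s = parse_legacy_conf(text)
    findings = []
    bind_ips = {ip.strip() for ip in s.get("bind_ip", "0.0.0.0").split(",")}
    if bind_ips & ALL_INTERFACES:
        findings.append("bind_ip: listens on all interfaces; set 127.0.0.1 or an internal address")
    auth_on = s.get("auth", "false").lower() == "true"
    if s.get("noauth", "false").lower() == "true" or not auth_on:
        findings.append("auth: authentication is off; set 'auth = true' and create users")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["ok"])
```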

Leave a Comment

EU described own policy as ‘complete failure’

EU Observer reports on a five-page internal note from the EU director-general at the commission’s internal market and industry department:

“Absolute NOx emissions of diesel vehicles under real driving conditions have hardly changed” despite “various” EU “steps”.

“On the road, a Euro 5 vehicle emits almost the same amount of NOx per km as a Euro 3 vehicle.”

The testing method, which is nothing like real road conditions, is mentioned as a contributing factor.

Leave a Comment

The mountain is melting…

Swiss magazine Blick reports that the Moosfluthbahn up to the Aletsch glacier is out of operation, because the glacier is melting under it. The station is brand new, and went into operation only last year.

The station up at the glacier had been constructed with the glacier melting in mind: It sits inside a concrete tub which can be righted with hydraulics. Engineering calculations have been made assuming 9 meters of movement in 25 years. The actual measured movement has been up to 0.7 meters per day, though.

The glacier is melting very rapidly, making the ground unstable. Similar things are happening all over the Alps.

Leave a Comment

To build or not to build… and if so, what.

Bloomberg has an article about the Car Manufacturer summit between Trump and US car manufacturers.

Basically, Trump needs manufacturing jobs for the people who voted for him, but the US car industry does not look good. More than 100 plants have closed in the US under the last two presidents, and if one were to build cars in the US today, plant and product would look a lot like… Tesla.

Which not only defeats the point with regard to job creation, because the plant would be mostly automated. It also defeats the point for all the oil people, who have been helping Trump as well, and who would very much like to see the US not transitioning into renewables before they get out of their superheated carbon bubble.

Leave a Comment

Grumpy

So Python is a beautiful language, which is also kind of slow. And the more cores you have, the worse it gets, because of the GIL in the most popular implementations.

Other languages are much better at concurrency, one of them supposedly being Go. So Geeks at Google have been pondering the problem, and came up with a Python-to-Go compiler called Grumpy. Read more about it in their blog.

In rigged benchmarks it looks awesome, and under real world load it supposedly performs quite well.

But the best part is the logo, which looks like this:

[Grumpy logo]

Leave a Comment

Shit geeks say

So the Geeks at Datacenter Dynamics quote this geek:

“With a market of more than 80 million people within a roundtrip delay of 30 milliseconds, covering all major cities of Northern Europe, the Baltic states and western Russia, Stockholm is an ideal location for cloud players and other major data center actors,” …

So how many million people are within 30ms of you? 🙂

In other news, the more countries go renewable, the less they are charging for power (they may be charging for infrastructure, though). For data centers in Norway and Sweden, it appears that we are below 4 cents/kWh now. Oh, and can we please use the exhaust heat from your computers to heat our capital?

5 Comments