WhatsApp Blunder

I spend much of my effort on this blog discussing how privacy is something more than just security. That it involves respecting cultural norms, ensuring appropriate uses of data, encouraging transparency and other things that aren’t strictly technical, but all of that is meaningless if you are sloppy with your security. WhatsApp is about to find that out.

There is speculation circulating that WhatsApp used the same AES symmetric key, for all clients, to encrypt all of its chats. The news originated from a Tweet by Nadim Kobeissi of Diaspora revealing the key and calling out WhatsApp. If what Nadim alleges is the case, that is going to be a big bummer for the WhatsApp team as well as Facebook who are in the processes of acquiring them.

The story will unfold, or won’t, over the coming days and it could get interesting. It is worth remembering that cryptography is one of those things that is so powerful yet so easy to get wrong. This could be a case in point.

Note: If you are new to cryptography check out my two part primer.
Part 1
Part 2


Now read this

Target and PCI Compliance

Krebs on Security is reporting today that the Target breach was perpetrated by their HVAC contractors: Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to... Continue →