Announcing: Slashdot Deals - Explore geek apps, games, gadgets and more. (what is this?)

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

WhatsApp Is Using IMEI Numbers As Passwords

Soulskill posted more than 2 years ago | from the security-through-handwavery dept.

Software 102

mpol writes "In the past, WhatsApp has been criticized over their insecure use of XMPP. Recently, new versions of their app have incorporated encryption. It seems the trouble isn't over yet for WhatsApp and its users. Sam Granger writes on his blog that WhatsApp is using IMEI numbers as passwords. This is at least the case with the Android app, but other platforms are probably using similar methods. Since someone's IMEI number is easily readable, this isn't really secret information that should be used for authentication."

Sorry! There are no comments related to the filter you selected.

Slashdot and Wikipedia are for fags. (-1)

Anonymous Coward | more than 2 years ago | (#41276593)

Not Gay Fags, no. Worse. I mean FAT, AUTISTIC, GEEKS!

Fapping to Little Ponies while compiling your Linux kernel for the 32nd time to hope your obscure wifi driver works. Slashdot, the worst of the internet since 1997. Wikipedia, putting [citation needed] on the blinding obvious. Admit you are all worse than reddit, fark and even 4chan if you are Slashdot user or Wikipedia editor.

Re:Slashdot and Wikipedia are for fags. (-1)

Anonymous Coward | more than 2 years ago | (#41278005)

Mitt, don't you have an election to steal?

Re:Slashdot and Wikipedia are for fags. (0)

Anonymous Coward | more than 2 years ago | (#41284139)

Mitt, don't you have an election to steal?

I prefer the term "finesse".


Re:Slashdot and Wikipedia are for fags. (0)

Anonymous Coward | more than 2 years ago | (#41286305)

I'm not FAT

Re:Slashdot and Wikipedia are for fags. (1)

mynameiskhan (2689067) | more than 2 years ago | (#41287877)

I hate name calling from behind the internet. Wassup Mr. Coward?

The Mind Has No Firewall (-1)

Anonymous Coward | more than 2 years ago | (#41276629)

âoeThe Mind Has No Firewallâ by Timothy L. Thomas. Parameters, Spring 1998, pp. 84-92.

The human body, much like a computer, contains myriad data processors. They include, but are not limited to, the chemical-electrical activity of the brain, heart, and peripheral nervous system, the signals sent from the cortex region of the brain to other parts of our body, the tiny hair cells in the inner ear that process auditory signals, and the light-sensitive retina and cornea of the eye that process visual activity.[2] We are on the threshold of an era in which these data processors of the human body may be manipulated or debilitated. Examples of unplanned attacks on the bodyâ(TM)s data-processing capability are well-documented. Strobe lights have been known to cause epileptic seizures. Not long ago in Japan, children watching television cartoons were subjected to pulsating lights that caused seizures in some and made others very sick.

Defending friendly and targeting adversary data-processing capabilities of the body appears to be an area of weakness in the US approach to information warfare theory, a theory oriented heavily toward systems data-processing and designed to attain information dominance on the battlefield. Or so it would appear from information in the open, unclassified press. This US shortcoming may be a serious one, since the capabilities to alter the data- processing systems of the body already exist. A recent edition of U.S. News and World Report highlighted several of these âoewonder weaponsâ (acoustics, microwaves, lasers) and noted that scientists are âoesearching the electromagnetic and sonic spectrums for wavelengths that can affect human behavior.â[3] A recent Russian military article offered a slightly different slant to the problem, declaring that âoehumanity stands on the brink of a psychotronic warâ with the mind and body as the focus. That article discussed Russian and international attempts to control the psycho-physical condition of man and his decisionmaking processes by the use of VHF-generators, âoenoiseless cassettes,â and other technologies.

An entirely new arsenal of weapons, based on devices designed to introduce subliminal messages or to alter the bodyâ(TM)s psychological and data-processing capabilities, might be used to incapacitate individuals. These weapons aim to control or alter the psyche, or to attack the various sensory and data-processing systems of the human organism. In both cases, the goal is to confuse or destroy the signals that normally keep the body in equilibrium.

This article examines energy-based weapons, psychotronic weapons, and other developments designed to alter the ability of the human body to process stimuli. One consequence of this assessment is that the way we commonly use the term âoeinformation warfareâ falls short when the individual soldier, not his equipment, becomes the target of attack.

Information Warfare Theory and the Data-Processing Element of Humans

In the United States the common conception of information warfare focuses primarily on the capabilities of hardware systems such as computers, satellites, and military equipment which process data in its various forms. According to Department of Defense Directive S-3600.1 of 9 December 1996, information warfare is defined as âoean information operation conducted during time of crisis or conflict to achieve or promote specific objectives over a specific adversary or adversaries.â An information operation is defined in the same directive as âoeactions taken to affect adversary information and information systems while defending oneâ(TM)s own information and information systems.â These âoeinformation systemsâ lie at the heart of the modernization effort of the US armed forces and other countries, and manifest themselves as hardware, software, communications capabilities, and highly trained individuals. Recently, the US Army conducted a mock battle that tested these systems under simulated combat conditions.

US Army Field Manual 101-5-1, Operational Terms and Graphics (released 30 September 1997), defines information warfare as âoeactions taken to achieve information superiority by affecting a hostileâ(TM)s information, information based-processes, and information systems, while defending oneâ(TM)s own information, information processes, and information systems.â The same manual defines information operations as a âoecontinuous military operation within the military information environment that enables, enhances, and protects friendly forcesâ(TM) ability to collect, process, and act on information to achieve an advantage across the full range of military operations. [Information operations include] interacting with the Global Information Environment . . . and exploiting or denying an adversaryâ(TM)s information and decision capabilities.â[4]

This âoesystemsâ approach to the study of information warfare emphasizes the use of data, referred to as information, to penetrate an adversaryâ(TM)s physical defenses that protect data (information) in order to obtain operational or strategic advantage. It has tended to ignore the role of the human body as an information- or data-processor in this quest for dominance except in those cases where an individualâ(TM)s logic or rational thought may be upset via disinformation or deception. As a consequence little attention is directed toward protecting the mind and body with a firewall as we have done with hardware systems. Nor have any techniques for doing so been prescribed. Yet the body is capable not only of being deceived, manipulated, or misinformed but also shut down or destroyedâ"just as any other data-processing system. The âoedataâ the body receives from external sourcesâ"such as electromagnetic, vortex, or acoustic energy wavesâ"or creates through its own electrical or chemical stimuli can be manipulated or changed just as the data (information) in any hardware system can be altered.

The only body-related information warfare element considered by the United States is psychological operations (PSYOP). In Joint Publication 3-13.1, for example, PSYOP is listed as one of the elements of command and control warfare. The publication notes that âoethe ultimate target of [information warfare] is the information dependent process, whether human or automated . . . . Command and control warfare (C2W) is an application of information warfare in military operations. . . . C2W is the integrated use of PSYOP, military deception, operations security, electronic warfare and physical destruction.â[5]

One source defines information as a âoenonaccidental signal used as an input to a computer or communications system.â[6] The human body is a complex communication system constantly receiving nonaccidental and accidental signal inputs, both external and internal. If the ultimate target of information warfare is the information-dependent process, âoewhether human or automated,â then the definition in the joint publication implies that human data-processing of internal and external signals can clearly be considered an aspect of information warfare. Foreign researchers have noted the link between humans as data processors and the conduct of information warfare. While some study only the PSYOP link, others go beyond it. As an example of the former, one recent Russian article described offensive information warfare as designed to âoeuse the Internet channels for the purpose of organizing PSYOP as well as for `early political warningâ(TM) of threats to American interests.â[7] The authorâ(TM)s assertion was based on the fact that âoeall mass media are used for PSYOP . . . [and] today this must include the Internet.â The author asserted that the Pentagon wanted to use the Internet to âoereinforce psychological influencesâ during special operations conducted outside of US borders to enlist sympathizers, who would accomplish many of the tasks previously entrusted to special units of the US armed forces.

Others, however, look beyond simple PSYOP ties to consider other aspects of the bodyâ(TM)s data-processing capability. One of the principal open source researchers on the relationship of information warfare to the bodyâ(TM)s data-processing capability is Russian Dr. Victor Solntsev of the Baumann Technical Institute in Moscow. Solntsev is a young, well-intentioned researcher striving to point out to the world the potential dangers of the computer operator interface. Supported by a network of institutes and academies, Solntsev has produced some interesting concepts.[8] He insists that man must be viewed as an open system instead of simply as an organism or closed system. As an open system, man communicates with his environment through information flows and communications media. Oneâ(TM)s physical environment, whether through electromagnetic, gravitational, acoustic, or other effects, can cause a change in the psycho-physiological condition of an organism, in Solntsevâ(TM)s opinion. Change of this sort could directly affect the mental state and consciousness of a computer operator. This would not be electronic war or information warfare in the traditional sense, but rather in a nontraditional and non-US sense. It might encompass, for example, a computer modified to become a weapon by using its energy output to emit acoustics that debilitate the operator. It also might encompass, as indicated below, futuristic weapons aimed against manâ(TM)s âoeopen system.â

Solntsev also examined the problem of âoeinformation noise,â which creates a dense shield between a person and external reality. This noise may manifest itself in the form of signals, messages, images, or other items of information. The main target of this noise would be the consciousness of a person or a group of people. Behavior modification could be one objective of information noise; another could be to upset an individualâ(TM)s mental capacity to such an extent as to prevent reaction to any stimulus. Solntsev concludes that all levels of a personâ(TM)s psyche (subconscious, conscious, and âoesuperconsciousâ) are potential targets for destabilization.

According to Solntsev, one computer virus capable of affecting a personâ(TM)s psyche is Russian Virus 666. It manifests itself in every 25th frame of a visual display, where it produces a combination of colors that allegedly put computer operators into a trance. The subconscious perception of the new pattern eventually results in arrhythmia of the heart. Other Russian computer specialists, not just Solntsev, talk openly about this âoe25th frame effectâ and its ability to subtly manage a computer userâ(TM)s perceptions. The purpose of this technique is to inject a thought into the viewerâ(TM)s subconscious. It may remind some of the subliminal advertising controversy in the United States in the late 1950s.

US Views on âoeWonder Weaponsâ: Altering the Data-Processing Ability of the Body

What technologies have been examined by the United States that possess the potential to disrupt the data-processing capabilities of the human organism? The 7 July 1997 issue of U.S. News and World Report described several of them designed, among other things, to vibrate the insides of humans, stun or nauseate them, put them to sleep, heat them up, or knock them down with a shock wave.[9] The technologies include dazzling lasers that can force the pupils to close; acoustic or sonic frequencies that cause the hair cells in the inner ear to vibrate and cause motion sickness, vertigo, and nausea, or frequencies that resonate the internal organs causing pain and spasms; and shock waves with the potential to knock down humans or airplanes and which can be mixed with pepper spray or chemicals.[10]

With modification, these technological applications can have many uses. Acoustic weapons, for example, could be adapted for use as acoustic rifles or as acoustic fields that, once established, might protect facilities, assist in hostage rescues, control riots, or clear paths for convoys. These waves, which can penetrate buildings, offer a host of opportunities for military and law enforcement officials. Microwave weapons, by stimulating the peripheral nervous system, can heat up the body, induce epileptic-like seizures, or cause cardiac arrest. Low-frequency radiation affects the electrical activity of the brain and can cause flu-like symptoms and nausea. Other projects sought to induce or prevent sleep, or to affect the signal from the motor cortex portion of the brain, overriding voluntary muscle movements. The latter are referred to as pulse wave weapons, and the Russian government has reportedly bought over 100,000 copies of the âoeBlack Widowâ version of them.[11]

However, this view of âoewonder weaponsâ was contested by someone who should understand them. Brigadier General Larry Dodgen, Deputy Assistant to the Secretary of Defense for Policy and Missions, wrote a letter to the editor about the âoenumerous inaccuraciesâ in the U.S. News and World Report article that âoemisrepresent the Department of Defenseâ(TM)s views.â[12] Dodgenâ(TM)s primary complaint seemed to have been that the magazine misrepresented the use of these technologies and their value to the armed forces. He also underscored the US intent to work within the scope of any international treaty concerning their application, as well as plans to abandon (or at least redesign) any weapon for which countermeasures are known. One is left with the feeling, however, that research in this area is intense. A concern not mentioned by Dodgen is that other countries or non-state actors may not be bound by the same constraints. It is hard to imagine someone with a greater desire than terrorists to get their hands on these technologies. âoePsycho-terrorismâ could be the next buzzword.

Russian Views on âoePsychotronic Warâ

The term âoepsycho-terrorismâ was coined by Russian writer N. Anisimov of the Moscow Anti-Psychotronic Center. According to Anisimov, psychotronic weapons are those that act to âoetake away a part of the information which is stored in a manâ(TM)s brain. It is sent to a computer, which reworks it to the level needed for those who need to control the man, and the modified information is then reinserted into the brain.â These weapons are used against the mind to induce hallucinations, sickness, mutations in human cells, âoezombification,â or even death. Included in the arsenal are VHF generators, X-rays, ultrasound, and radio waves. Russian army Major I. Chernishev, writing in the military journal Orienteer in February 1997, asserted that âoepsyâ weapons are under development all over the globe. Specific types of weapons noted by Chernishev (not all of which have prototypes) were:

A psychotronic generator, which produces a powerful electromagnetic emanation capable of being sent through telephone lines, TV, radio networks, supply pipes, and incandescent lamps.

An autonomous generator, a device that operates in the 10-150 Hertz band, which at the 10-20 Hertz band forms an infrasonic oscillation that is destructive to all living creatures.

A nervous system generator, designed to paralyze the central nervous systems of insects, which could have the same applicability to humans.

Ultrasound emanations, which one institute claims to have developed. Devices using ultrasound emanations are supposedly capable of carrying out bloodless internal operations without leaving a mark on the skin. They can also, according to Chernishev, be used to kill.

Noiseless cassettes. Chernishev claims that the Japanese have developed the ability to place infra-low frequency voice patterns over music, patterns that are detected by the subconscious. Russians claim to be using similar âoebombardmentsâ with computer programming to treat alcoholism or smoking.

The 25th-frame effect, alluded to above, a technique wherein each 25th frame of a movie reel or film footage contains a message that is picked up by the subconscious. This technique, if it works, could possibly be used to curb smoking and alcoholism, but it has wider, more sinister applications if used on a TV audience or a computer operator.

Psychotropics, defined as medical preparations used to induce a trance, euphoria, or depression. Referred to as âoeslow-acting mines,â they could be slipped into the food of a politician or into the water supply of an entire city. Symptoms include headaches, noises, voices or commands in the brain, dizziness, pain in the abdominal cavities, cardiac arrhythmia, or even the destruction of the cardiovascular system.

There is confirmation from US researchers that this type of study is going on. Dr. Janet Morris, coauthor of The Warriorâ(TM)s Edge, reportedly went to the Moscow Institute of Psychocorrelations in 1991. There she was shown a technique pioneered by the Russian Department of Psycho-Correction at Moscow Medical Academy in which researchers electronically analyze the human mind in order to influence it. They input subliminal command messages, using key words transmitted in âoewhite noiseâ or music. Using an infra-sound, very low frequency transmission, the acoustic psycho-correction message is transmitted via bone conduction.[13]

In summary, Chernishev noted that some of the militarily significant aspects of the âoepsyâ weaponry deserve closer research, including the following nontraditional methods for disrupting the psyche of an individual:

ESP research: determining the properties and condition of objects without ever making contact with them and âoereadingâ peoplesâ(TM) thoughts

Clairvoyance research: observing objects that are located just beyond the world of the visibleâ"used for intelligence purposes

Telepathy research: transmitting thoughts over a distanceâ"used for covert operations

Telekinesis research: actions involving the manipulation of physical objects using thought power, causing them to move or break apartâ"used against command and control systems, or to disrupt the functioning of weapons of mass destruction

Psychokinesis research: interfering with the thoughts of individuals, on either the strategic or tactical level

While many US scientists undoubtedly question this research, it receives strong support in Moscow. The point to underscore is that individuals in Russia (and other countries as well) believe these means can be used to attack or steal from the data-processing unit of the human body.

Solntsevâ(TM)s research, mentioned above, differs slightly from that of Chernishev. For example, Solntsev is more interested in hardware capabilities, specifically the study of the information-energy source associated with the computer-operator interface. He stresses that if these energy sources can be captured and integrated into the modern computer, the result will be a network worth more than âoea simple sum of its components.â Other researchers are studying high-frequency generators (those designed to stun the psyche with high frequency waves such as electromagnetic, acoustic, and gravitational); the manipulation or reconstruction of someoneâ(TM)s thinking through planned measures such as reflexive control processes; the use of psychotronics, parapsychology, bioenergy, bio fields, and psychoenergy;[14] and unspecified âoespecial operationsâ or anti-ESP training.

The last item is of particular interest. According to a Russian TV broadcast, the strategic rocket forces have begun anti-ESP training to ensure that no outside force can take over command and control functions of the force. That is, they are trying to construct a firewall around the heads of the operators.


At the end of July 1997, planners for Joint Warrior Interoperability Demonstration â(TM)97 âoefocused on technologies that enhance real-time collaborative planning in a multinational task force of the type used in Bosnia and in Operation Desert Storm. The JWID â(TM)97 network, called the Coalition Wide-Area Network (CWAN), is the first military network that allows allied nations to participate as full and equal partners.â[15] The demonstration in effect was a trade fair for private companies to demonstrate their goods; defense ministries got to decide where and how to spend their money wiser, in many cases without incurring the cost of prototypes. It is a good example of doing business better with less. Technologies demonstrated included:[16]

Soldiers using laptop computers to drag cross-hairs over maps to call in airstrikes

Soldiers carrying beepers and mobile phones rather than guns

Generals tracking movements of every unit, counting the precise number of shells fired around the globe, and inspecting real-time damage inflicted on an enemy, all with multicolored graphics[17]

Every account of this exercise emphasized the ability of systems to process data and provide information feedback via the power invested in their microprocessors. The ability to affect or defend the data-processing capability of the human operators of these systems was never mentioned during the exercise; it has received only slight attention during countless exercises over the past several years. The time has come to ask why we appear to be ignoring the operators of our systems. Clearly the information operator, exposed before a vast array of potentially immobilizing weapons, is the weak spot in any nationâ(TM)s military assets. There are few international agreements protecting the individual soldier, and these rely on the good will of the combatants. Some nations, and terrorists of every stripe, donâ(TM)t care about such agreements.

This article has used the term data-processing to demonstrate its importance to ascertaining what so-called information warfare and information operations are all about. Data-processing is the action this nation and others need to protect. Information is nothing more than the output of this activity. As a result, the emphasis on information-related warfare terminology (âoeinformation dominance,â âoeinformation carouselâ) that has proliferated for a decade does not seem to fit the situation before us. In some cases the battle to affect or protect data-processing elements pits one mechanical system against another. In other cases, mechanical systems may be confronted by the human organism, or vice versa, since humans can usually shut down any mechanical system with the flip of a switch. In reality, the game is about protecting or affecting signals, waves, and impulses that can influence the data-processing elements of systems, computers, or people. We are potentially the biggest victims of information warfare, because we have neglected to protect ourselves.

Our obsession with a âoesystem of systems,â âoeinformation dominance,â and other such terminology is most likely a leading cause of our neglect of the human factor in our theories of information warfare. It is time to change our terminology and our conceptual paradigm. Our terminology is confusing us and sending us in directions that deal primarily with the hardware, software, and communications components of the data-processing spectrum. We need to spend more time researching how to protect the humans in our data management structures. Nothing in those structures can be sustained if our operators have been debilitated by potential adversaries or terrorists whoâ"right nowâ"may be designing the means to disrupt the human component of our carefully constructed notion of a system of systems.



1. I. Chernishev, âoeCan Rulers Make `Zombiesâ(TM) and Control the World?â Orienteer, February 1997, pp. 58-62.

2. Douglas Pasternak, âoeWonder Weapons,â U.S. News and World Report, 7 July 1997, pp. 38-46.

3. Ibid., p. 38.

4. FM 101-5-1, Operational Terms and Graphics, 30 September 1997, p. 1-82.

5. Joint Pub 3-13.1, Joint Doctrine for Command and Control Warfare (C2W), 7 February 1996, p. v.

6. The American Heritage Dictionary (2d College Ed.; Boston: Houghton Mifflin, 1982), p. 660, definition 4.

7. Denis Snezhnyy, âoeCybernetic Battlefield & National Security,â Nezavisimoye Voyennoye Obozreniye, No. 10, 15-21 March 1997, p. 2.

8. Victor I. Solntsev, âoeInformation War and Some Aspects of a Computer Operatorâ(TM)s Defense,â talk given at an Infowar Conference in Washington, D.C., September 1996, sponsored by the National Computer Security Association. Information in this section is based on notes from Dr. Solntsevâ(TM)s talk.

9. Pasternak, p. 40.

10. Ibid., pp. 40-46.

11. Ibid.

12. Larry Dodgen, âoeNonlethal Weapons,â U.S. News and World Report, 4 August 1997, p. 5.

13. âoeBackground on the Aviary,â Nexus Magazine, downloaded from the Internet on 13 July 1997 from www.execpc.com/vjentpr/nexusavi.html, p.7.

14. Aleksandr Cherkasov, âoeThe Front Where Shots Arenâ(TM)t Fired,â Orienteer, May 1995, p. 45. This article was based on information in the foreign and Russian press, according to the author, making it impossible to pinpoint what his source was for this reference.

15. Bob Brewin, âoeDOD looks for IT `golden nuggets,â(TM)â Federal Computer Week, 28 July 1997, p. 31, as taken from the Earlybird Supplement, 4 August 1997, p. B 17.

16. Oliver August, âoeZap! Hard day at the office for NATOâ(TM)s laptop warriors,â The Times, 28 July 1997, as taken from the Earlybird Supplement, 4 August 1997, p. B 16.

17. Ibid.


Lieutenant Colonel Timothy L. Thomas (USA Ret.) is an analyst at the Foreign Military Studies Office, Fort Leavenworth, Kansas. Recently he has written extensively on the Russian view of information operations and on current Russian military-political issues. During his military career he served in the 82d Airborne Division and was the Department Head of Soviet Military-Political Affairs at the US Armyâ(TM)s Russian Institute in Garmisch, Germany.

[see the article on the Parameters portion of the Army Website.]

Re:The Mind Has No Firewall (-1)

Anonymous Coward | more than 2 years ago | (#41276891)


Re:The Mind Has No Firewall (3, Funny)

myowntrueself (607117) | more than 2 years ago | (#41278929)

âoeThe Mind Has No Firewallâ by Timothy L. Thomas. Parameters, Spring 1998, pp. 84-92.

The human body, much like a computer, contains myriad data processors. They include, but are not limited to, the chemical-electrical activity of the brain, heart, and peripheral nervous system, the signals sent from the cortex region of the brain to other parts of our body, the tiny hair cells in the inner ear that process...

I was half expecting this to turn into another 'MyCleanPC' spam post.

Re:The Mind Has No Firewall (1)

maxwell demon (590494) | more than 2 years ago | (#41283145)

Actually the mind has a very effective firewall, as everyone has experienced who tried to convince someone else that his believe system is wrong. However, like any firewall, it can only keep off threats if configured properly.

Re:The Mind Has No Firewall (0)

Anonymous Coward | more than 2 years ago | (#41284193)

I just upgrade my firewall to Fox News 3.2.

Seriously? (4, Insightful)

thePowerOfGrayskull (905905) | more than 2 years ago | (#41276641)

The intent of this blog post is not give “hackers” or “scriptkiddies” any funny ideas, but merely for awareness.

And yet , after reading the blog post, I see he made no mention of warning whatsapp, giving them a chance to alter this, etc.

Nicely done with the "responsible disclosure".

Re:Seriously? (4, Insightful)

Lehk228 (705449) | more than 2 years ago | (#41276663)

responsible disclosure is something earned by responsible actions on the part of developers.

do something retarded and you deserve to have it blow up in your face like that

Re:Seriously? (1)

watice (1347709) | more than 2 years ago | (#41276713)

wow. sorry i didn't spend my last mod point on you. Realer words have never been typed.

Re:Seriously? (0)

Anonymous Coward | more than 2 years ago | (#41276851)

Right, did whatsapp provide responsible notice regarding what they had planned to do? Or is this a one way street?

Re:Seriously? (5, Insightful)

Anonymous Coward | more than 2 years ago | (#41277263)

Only part of the security community believes in responsible disclosure, a large portion of the community is for 'full disclosure', like the post in question here.

Great example: Security Researchers point out 29 vulnerabilities in Java 7 to Oracle in April, with Proof of Concept code and everything. Oracle patches 2 of the vulnerabilities in the June update. Someone else finds some of the same flaws and exploits them in the wild. Oracle only fixed them after they were being actively exploited. Turns out, the fixes were band aid at best, with a little refactoring, Security Explorations (the Polish researchers in question) updates their Proof of Concept code, all of the exploits still work even after Oracles 'patch'.

Without the huge public pressure from public disclosure, Oracle just ignores the vulnerabilities.

Re:Seriously? (3, Insightful)

Hatta (162192) | more than 2 years ago | (#41279519)

"Responsible disclosure" is a completely disingenuous term. Full disclosure is the only responsible route.

Re:Seriously? (1)

kelemvor4 (1980226) | more than 2 years ago | (#41284159)

Well.. it's Oracle. Did you really expect them to provide good support?

Re:Seriously? (5, Insightful)

Anonymous Coward | more than 2 years ago | (#41277549)

So, let's allow a bunch of people to get hacked because the developer doesn't meet your standards. That's not a dick move at all.

Re:Seriously? (1)

Anonymous Coward | more than 2 years ago | (#41277949)

Maybe people will start being more careful about which companies they trust.

Re:Seriously? (1)

Anonymous Coward | more than 2 years ago | (#41278689)

The "dick move" here would be to let people remain ignorant about the fact that they are using a "dick" company. Whether they mentioned it to whatsapp or not is entirely inconsequential to the much larger issue of whatsapp being total morons when it comes to security in the first place.

If my neighbour was worried about security, locks his doors but I notice he always leaves the bathroom window open, I would mention that to him, pointing out his security problem. But if he buys a big sturdy security gate and plops it down on his driveway without even connecting it to his fence, then I'm more likely to laugh about him over a beer with my mates. Stupidity doesn't deserve feedback.

But if I then saw someone giving their valuables to my neighbour for "safe keeping", you can bet your ass I'd mention that to them, not to my neighbour. He's already proven he doesn't take it seriously.

Re:Seriously? (2)

Hatta (162192) | more than 2 years ago | (#41279535)

The person who delays announcement of a security hole is allowing a bunch of people to get hacked. If a "security researcher" found the hole, you have to assume a black hat has as well. Make the announcement immediately, so those affected can take the affected systems offline immediately, or make other arrangements.

Failing to announce vulnerabilities immediately is a dick move that only protects the people that made the vulnerable product.

Re:Seriously? (1)

JoeMerchant (803320) | more than 2 years ago | (#41281797)

Failing to announce vulnerabilities immediately is a dick move that only protects the people that made the vulnerable product.

Wrong, it protects and benefits the black hats who are using the vulnerability even more...

Re:Seriously? (4, Insightful)

DMiax (915735) | more than 2 years ago | (#41282031)

since the app did not pop out of nowhere but someone wrote it, I have to assume that WhatsApp already knows that they are using IMEI as passwords and they are clearly ok with that. It's not a bug or something that slipped in. It is not a side effect of another decision: it is how they intended it to work and it is stupid. The only people who don't know are the current and prospective users, hence full disclosure.

Re:Seriously? (1)

LingNoi (1066278) | more than 2 years ago | (#41285039)

Regardless of it being a dick move..

> So, let's allow a bunch of people to get hacked because the developer doesn't meet your standards.

If it's breakable then it's just poor security. This isn't tabs or spaces. This is either you can break into someones account or you can't.

Re:Seriously? (2)

mwvdlee (775178) | more than 2 years ago | (#41278379)

Responsible disclosure has nothing to do with the developer, it's meant to protect it's users.

Re:Seriously? (1)

r1348 (2567295) | more than 2 years ago | (#41283969)

Not so much. The best way to protect users is to let them know that the programs they're using are insecure.
For what we know, a black hat might have discovered this vulnerability (of the moronic kind) months ago and already exploiting it in the wild without user knowledge. Full disclosure fixes this lack of information, the developer now should really fix the app.

Re:Seriously? (1)

2fuf (993808) | more than 2 years ago | (#41278845)

The problem with this attitude is that the end users gets the shit poured over them, as a retribution for the developers' lack of responsibility.

What kind of dick do you have to be to think that's fair?

Re:Seriously? (1)

Pausanias (681077) | more than 2 years ago | (#41285409)

Why would anyone ever want to user WhatsApp over google voice is something I don't get.

Re:Seriously? (1)

monzie (729782) | more than 2 years ago | (#41286255)

I wish I had mod points. You hit the bulls' eye there. Developers cannot be stupid and then expect others to be kind to them. Yes I develop mobile apps as well - and If I ever do something this stupid, I deserve to have it blow in my face.

Re:Seriously? (5, Insightful)

Anonymous Coward | more than 2 years ago | (#41276703)

If an app's security is so clueless, it's quite arguably more responsible to give them maximum public humiliation by not allowing the producer to water down the announcement with a PR show about fixing a flaw they never should have allowed to ship.

Yup, the app's users are /possibly/ more exposed to script kiddies briefly (the flaw may be well know outside the greater public already), but that's offset is having more people made safer by just dropping the app in revulsion. Also it inflicts maximum pain on the producer for a bonehead move; sometime maximizing the negative-feedback part of learning is real important.

It's not a simple call to make. I like responsible disclosure, but it's just not always a black-white call.

Also, "so what?" -- by that I mean only we're always going to have a percentage of people who simply say 'this shit is broken' without contacting the producer. That's got to be factored into developing anything, and glaring at the messenger is pointless. It's a fact of the social milieu.

Re:Seriously? (2, Informative)

MrHanky (141717) | more than 2 years ago | (#41276719)

Meh. It's a proprietary extension to a free protocol, with lock-in included. Fuck them.

Re:Seriously? (0)

Anonymous Coward | more than 2 years ago | (#41276725)

I recently installed the BlueStacks Android emulator on Windows and then joined WhatsApp. Their authentication SMS obviously failed but I was given an option for WhatsApp to call and give me a code which I could use to confirm via the BlueStacks instance. Therefor any IMEI number from my cellphone could not have been used as a password.

Re:Seriously? (0)

Anonymous Coward | more than 2 years ago | (#41278673)

And this is relevant to the vast majority who are using their cellphones for this exactly how?

Re:Seriously? (1)

burne (686114) | more than 2 years ago | (#41283287)

Your IMEI is 00-000000-000000. Remember that the checksum calculation is optional.

Re:Seriously? (0)

Anonymous Coward | more than 2 years ago | (#41276789)

Sorry, but what obligation does the blog owner have to WhatsApp?

I dont work for free, and I dont expect the blog owner to either.

warning? (4, Insightful)

kenorland (2691677) | more than 2 years ago | (#41276795)

What good would a "warning" do? This isn't some accidental security slip-up, it's a sign of utter incompetence.

Re:warning? (0)

Anonymous Coward | more than 2 years ago | (#41277471)

You misunderstand what the disclosure is for. You seem to think it's to be nice to the software developers.. a chance to fix their mistake.

that is NOT what disclosure is for.

Disclosure is to give the software developer a chance to fix the problem and issue a patch before hackers become aware of the issue. It is to be nice to the USERS of the software. The people who had no say in how it was developed.

Say FU to the developers for being incompetent.. fine. Their idiots anyway, I don't care.

But why do you feel the need to say FU to the software users, who had no idea that the software was vulnerable, and now may need to deal with hackers exploiting the problem.

Re:warning? (0)

Anonymous Coward | more than 2 years ago | (#41278401)

With such a gaping hole it's quite likely that hackers have already found the vulnerability and are already exploiting it or working on exploits. Don't be so sure you're protecting users by keeping it quiet.

"Responsible" disclosure is responsible only if the vulnerability is not too obvious. The disadvantage of alerting the bad guys must be weighed against the advantage of putting pressure on the vendor to make repairs as quickly as possible.

In this case the hole is big and the vendor has shown incompetence or indifference in such a big way that it does not give much confidence in how they will respond if they are not forced to respond adequately. Making it explode in their face may be what this vendor needs to become aware of the importance of security, and it puts pressure on them to take it seriously (which they obviously haven't until now, otherwise they would have built a better authentication method). Despite the risks of a full public disclosure this may actually be the best thing to do for the users.

Re:warning? (0)

Anonymous Coward | more than 2 years ago | (#41278835)

Disclosure is to give the company's lawers time to send you a letter.

Re:warning? (0)

Anonymous Coward | more than 2 years ago | (#41281765)

>Disclosure is to give the software developer a chance to fix the problem and issue a patch before hackers become aware of the issue.

Hah, with a black market in the billions about that, fat chance. They already knew.

Re:Seriously? (0)

Anonymous Coward | more than 2 years ago | (#41276849)

The auth method has been publicly available since at least May 29th, as per the README here https://github.com/venomous0x/WhatsAPI/blob/63639eafc9a08fd308df72458f1381ec8899940d/README.md

Re:Seriously? (5, Informative)

kylegordon (159137) | more than 2 years ago | (#41276859)

There's no need for responsible disclosure when it's been around for months on Github.

Just check https://github.com/venomous0x/WhatsAPI/blob/63639eafc9a08fd308df72458f1381ec8899940d/README.md [github.com] and you'll see.

Re:Seriously? (0)

Anonymous Coward | more than 2 years ago | (#41277069)

Some of this is out of date, though. If you look at packet sniffs on the latest versions, it's not cleartext as this doc says.

Re:Seriously? (0)

Anonymous Coward | more than 2 years ago | (#41277731)

Who said it's cleartext? The readme on github from 3 months ago says

The password is hashed and happened to be an MD5’d, reversed-version of the mobile’s IMEI (International Mobile Equipment Identity) or equivalent unique ID

Same in TFA:

your password is likely to be an inverse of your phones IMEI number with an MD5 cryptographic hash thrown on top of it (without salt).


Re:Seriously? (0)

Anonymous Coward | more than 2 years ago | (#41278077)

I'm not talking about the password, dumbass. Read the whole readme.

Re:Seriously? (0)

Anonymous Coward | more than 2 years ago | (#41285337)

Up until 2 days ago, at least, the cleartext servers still worked. They most likely still do, except that they've changed some bits in the authentication method, so the third-party APIs can't work for a little while until someone figures out what bits changed to what.

Re:Seriously? (2)

Bogtha (906264) | more than 2 years ago | (#41276883)

I see he made no mention of warning whatsapp

This isn't an accidental security vulnerability, they deliberately designed their system this way. They obviously already knew their system works this way.

Re:Seriously? (0)

Anonymous Coward | more than 2 years ago | (#41276987)

And yet , after reading the blog post, I see he made no mention of warning whatsapp, giving them a chance to alter this, etc.

Dude, Whatsapp has a terrible track record when it comes to security. Embarassment is the only thing they might take seriously. Originally they used the cell phone number as the authenticator. The IMEI is a slight improvement.

But Whatsapp still copies your entire address book (you should have read the terms & conditions) and spams your contacts.

But I still don't get why whatsapp is so popular. It's just instant messaging. But there are lots of IM networks with a large user base (google, ICQ, MSN, etc) that also work with non-mobile devices.

Whatsapp only works with mobile devices, and brings nothing new to the table.

Re:Seriously? (1)

carlos92 (682924) | more than 2 years ago | (#41277433)

The only thing new it brings to the table is that it feels more like a replacement of SMS. It's easy to install (they obviously prioritized ease of use over security) and it works with your contacts that are already stored on the phone.

Re:Seriously? (0)

Anonymous Coward | more than 2 years ago | (#41277553)

Nicely done with the "jumping to conclusions and being an ass without knowing anything about the situation".

Re:Seriously? (0)

Anonymous Coward | more than 2 years ago | (#41277777)

I tutor math students on my own time, for free. If a math student is obviously not attempting to work the problem, I avoid him like the plague. He will only either: 1. Expect me to teach him basic concepts he should already know (and will nod his head even if he doesn't get it thus ensuring everything I say that follows sails over his head). 2. Try to get me to do the work for him.

If you contact someone who has made no apparent effort to learn anything about security and try to discuss a security problem they are likely to do the same thing (and probably won't pay you, either).

Re:Seriously? (1)

noh8rz9 (2716595) | more than 2 years ago | (#41280199)

whats whatsapp? i've never heard of it. is it on the app store?

Re:Seriously? (1)

lindi (634828) | more than 2 years ago | (#41281591)

I have never used whatsapp but I was still fully aware that they use IMEI as a password. This was no secret.

Re:Seriously? (1)

DMiax (915735) | more than 2 years ago | (#41281979)

Sure, they should have alerted WhatsApp that they programmed their system to use IMEI as passwords...

Hey! I just noticed that you wrote your comment and pushed the submit button and now everyone can read your thoughts! Are you aware of that?

What's WhatApp? (0)

Anonymous Coward | more than 2 years ago | (#41276645)

And who cares what is uses for passwords?

What the fuck is WhatsApp? (0)

Anonymous Coward | more than 2 years ago | (#41276649)

And why should I care?

Also. Get off my lawn.

I love the last line of the article (5, Insightful)

Meshach (578918) | more than 2 years ago | (#41276653)

The intent of this blog post is not give “hackers” or “scriptkiddies” any funny ideas, but merely for awareness.

Yes and porn is watched for the acting.

Re:I love the last line of the article (2, Funny)

Anonymous Coward | more than 2 years ago | (#41276671)

Yes and porn is watched for the acting.

porn with acting is called drama on HBO


Re:I love the last line of the article (3, Insightful)

Viceice (462967) | more than 2 years ago | (#41277589)

Porn _IS_ watched for the acting. Because it sure isn't watched for the plot, story or any other production value.

Re:I love the last line of the article (0)

Anonymous Coward | more than 2 years ago | (#41278377)

Porn _IS_ watched for the acting. Because it sure isn't watched for the plot, story or any other production value.

At least they're good about filling in the plot holes.

I call... (1)

msauve (701917) | more than 2 years ago | (#41276655)

Acronym abuse! If you use an acronym, spell it out the first time you use it, or expect your communications to be taken as nonsense.

Re:I call... (0)

Anonymous Coward | more than 2 years ago | (#41276705)

There could also be some more description in the summary such as what WhatsApp is!

Re:I call... (0)

Anonymous Coward | more than 2 years ago | (#41276799)

Your problem might or might not be solved by RTFA.

Re:I call... (0)

Anonymous Coward | more than 2 years ago | (#41276817)

Would it be so hard to actually put it in the summary?

Re:I call... (0)

Anonymous Coward | more than 2 years ago | (#41276909)

Look, if you're completely uninformed about a subject on a technical website, maybe you ought to quit complaining and just read the damn article. Summaries are already full of mistakes as it is, the last thing we need is a bunch of redundant acronym explanation crap because people are ignorant and can't bother clicking the URLs.

Re:I call... (1)

AuMatar (183847) | more than 2 years ago | (#41277167)

If you're on a tech website and reading an article about cell phones without knowing what an IMEI is, you're hopeless to begin with. It's a common enough acronym that no, they shouldn't spell it out- you should stop being a dumbass.

Re:I call... (0)

Anonymous Coward | more than 2 years ago | (#41277399)


Re:I call... (1)

msauve (701917) | more than 2 years ago | (#41279237)


Re:I call... (1)

bipbop (1144919) | more than 2 years ago | (#41277801)

i don't think that's true. People should be expected to raise themselves to minimum standards, not meet them ahead of time. After all, it's basically effortless to look it up and learn what it means, and lazy evaluation in reading slashdot doesn't have any negative consequences I can think of.

Re:I call... (1)

MikeBabcock (65886) | more than 2 years ago | (#41278069)

The number of people who ask me what acronyms and even plain English words mean while in front of an Internet-connected PC or smart phone just astounds me. I keep saying "Google it" and they keep looking at me stupid.

So you type the word you're looking up into Google, hit enter, and voila, its probably the first result.

Re:I call... (1)

AuMatar (183847) | more than 2 years ago | (#41278649)

If you type " define" its almost always the first result. Works well for acronyms too.

Re:I call... (1)

AuMatar (183847) | more than 2 years ago | (#41278659)

That was supposed to be "<word> define".  Fuck slashcode, I posted it at plain old text.

Re:I call... (0)

Anonymous Coward | more than 2 years ago | (#41278687)

This would be what Preview is for, Holmes. (And character entities.)

Re:I call... (0)

Anonymous Coward | more than 2 years ago | (#41281659)

You call it minimum standard, yet readers ought to raise to it by reading TFA. Kinda useless argument.

And I agree. If someone reads an article about mobile phone equipment and doesn't know what an IMEI is AND doesn't have the mental capacity to do a Google search, he has absolutely no point for argument.

Nobody Seems To Notice and Nobody Seems To Care (-1)

Anonymous Coward | more than 2 years ago | (#41276657)

Nobody Seems To Notice and Nobody Seems To Care - Government & Stealth Malware

In Response To Slashdot Article: Former Pentagon Analyst: China Has Backdoors To 80% of Telecoms 87

How many rootkits does the US[2] use officially or unofficially?

How much of the free but proprietary software in the US spies on you?

Which software would that be?

Visit any of the top freeware sites in the US, count the number of thousands or millions of downloads of free but proprietary software, much of it works, again on a proprietary Operating System, with files stored or in transit.

How many free but proprietary programs have you downloaded and scanned entire hard drives, flash drives, and other media? Do you realize you are giving these types of proprietary programs complete access to all of your computer's files on the basis of faith alone?

If you are an atheist, the comparison is that you believe in code you cannot see to detect and contain malware on the basis of faith! So you do believe in something invisible to you, don't you?

I'm now going to touch on a subject most anti-malware, commercial or free, developers will DELETE on most of their forums or mailing lists:

APT malware infecting and remaining in BIOS, on PCI and AGP devices, in firmware, your router (many routers are forced to place backdoors in their firmware for their government) your NIC, and many other devices.

Where are the commercial or free anti-malware organizations and individual's products which hash and compare in the cloud and scan for malware for these vectors? If you post on mailing lists or forums of most anti-malware organizations about this threat, one of the following actions will apply: your post will be deleted and/or moved to a hard to find or 'deleted/junk posts' forum section, someone or a team of individuals will mock you in various forms 'tin foil hat', 'conspiracy nut', and my favorite, 'where is the proof of these infections?' One only needs to search Google for these threats and they will open your malware world view to a much larger arena of malware on devices not scanned/supported by the scanners from these freeware sites. This point assumed you're using the proprietary Microsoft Windows OS. Now, let's move on to Linux.

The rootkit scanners for Linux are few and poor. If you're lucky, you'll know how to use chkrootkit (but you can use strings and other tools for analysis) and show the strings of binaries on your installation, but the results are dependent on your capability of deciphering the output and performing further analysis with various tools or in an environment such as Remnux Linux. None of these free scanners scan the earlier mentioned areas of your PC, either! Nor do they detect many of the hundreds of trojans and rootkits easily available on popular websites and the dark/deep web.

Compromised defenders of Linux will look down their nose at you (unless they are into reverse engineering malware/bad binaries, Google for this and Linux and begin a valuable education!) and respond with a similar tone, if they don't call you a noob or point to verifying/downloading packages in a signed repo/original/secure source or checking hashes, they will jump to conspiracy type labels, ignore you, lock and/or shuffle the thread, or otherwise lead you astray from learning how to examine bad binaries. The world of Linux is funny in this way, and I've been a part of it for many years. The majority of Linux users, like the Windows users, will go out of their way to lead you and say anything other than pointing you to information readily available on detailed binary file analysis.

Don't let them get you down, the information is plenty and out there, some from some well known publishers of Linux/Unix books. Search, learn, and share the information on detecting and picking through bad binaries. But this still will not touch the void of the APT malware described above which will survive any wipe of r/w media. I'm convinced, on both *nix and Windows, these pieces of APT malware are government in origin. Maybe not from the US, but most of the 'curious' malware I've come across in poisoned binaries, were written by someone with a good knowledge in English, some, I found, functioned similar to the now well known Flame malware. From my experience, either many forum/mailing list mods and malware developers/defenders are 'on the take', compromised themselves, and/or working for a government entity.

Search enough, and you'll arrive at some lone individuals who cry out their system is compromised and nothing in their attempts can shake it of some 'strange infection'. These posts receive the same behavior as I said above, but often they are lone posts which receive no answer at all, AT ALL! While other posts are quickly and kindly replied to and the 'strange infection' posts are left to age and end up in a lost pile of old threads.

If you're persistent, the usual challenge is to, "prove it or STFU" and if the thread is not attacked or locked/shuffled and you're lucky to reference some actual data, they will usually attack or ridicule you and further drive the discussion away from actual proof of APT infections.

The market is ripe for an ambitious company or individual to begin demanding companies and organizations who release firmware and design hardware to release signed and hashed packages and pour this information into the cloud, so everyone's BIOS is checked, all firmware on routers, NICs, and other devices are checked, and malware identified and knowledge reported and shared openly.

But even this will do nothing to stop backdoored firmware (often on commercial routers and other networked devices of real importance for government use - which again opens the possibility of hackers discovering these backdoors) people continue to use instead of refusing to buy hardware with proprietary firmware/software.

Many people will say, "the only safe computer is the one disconnected from any network, wireless, wired, LAN, internet, intranet" but I have seen and you can search yourself for and read about satellite, RF, temperature, TEMPEST (is it illegal in your part of the world to SHIELD your system against some of these APT attacks, especially TEMPEST? And no, it's not simply a CRT issue), power line and many other attacks which can and do strike computers which have no active network connection, some which have never had any network connection. Some individuals have complained they receive APT attacks throughout their disconnected systems and they are ridiculed and labeled as a nutter. The information exists, some people have gone so far as to scream from the rooftops online about it, but they are nutters who must have some serious problems and this technology with our systems could not be possible.

I believe most modern computer hardware is more powerful than many of us imagine, and a lot of these systems swept from above via satellite and other attacks. Some exploits take advantage of packet radio and some of your proprietary hardware. Some exploits piggyback and unless you really know what you're doing, and even then... you won't notice it.

Back to the Windows users, a lot of them will dismiss any strange activity to, "that's just Windows!" and ignore it or format again and again only to see the same APT infected activity continue. Using older versions of sysinternals, I've observed very bizarre behavior on a few non networked systems, a mysterious chat program running which doesn't exist on the system, all communication methods monitored (bluetooth, your hard/software modems, and more), disk mirroring software running[1], scans running on different but specific file types, command line versions of popular Windows freeware installed on the system rather than the use of the graphical component, and more.

[1] In one anonymous post on pastebin, claiming to be from an intel org, it blasted the group Anonymous, with a bunch of threats and information, including that their systems are all mirrored in some remote location anyway.

[2] Or other government, US used in this case due to the article source and speculation vs. China. This is not to defend China, which is one messed up hell hole on several levels and we all need to push for human rights and freedom for China's people. For other, freer countries, however, the concentration camps exist but you wouldn't notice them, they originate from media, mostly your TV, and you don't even know it. As George Carlin railed about "Our Owners", "nobody seems to notice and nobody seems to care".

[3] http://www.stallman.org/ [stallman.org]

Try this yourself on a wide variety of internet forums and mailing lists, push for malware scanners to scan more than files, but firmware/BIOS. See what happens, I can guarantee it won't be pleasant, especially with APT cases.

So scan away, or blissfully ignore it, but we need more people like RMS[3] in the world. Such individuals tend to be eccentric but their words ring true and clear about electronics and freedom.

I believe we're mostly pwned, whether we would like to admit it or not, blind and pwned, yet fiercely holding to misinformation, often due to lack of self discovery and education, and "nobody seems to notice and nobody seems to care".


Schneier has covered it before: power line fluctuations (differences on the wire in keys pressed).

There's thermal attacks against cpus and temp, also:

ENF (google it)

A treat (ENF Collector in Java):

sourceforge dot net fwdslash projects fwdslash nfienfcollector

No single antimalware scanner exists which offers the ability to scan (mostly proprietary) firmware on AGP/PCI devices (sound cards, graphics cards, usb novelty devices excluding thumb drives), BIOS/CMOS.

If you boot into ultimate boot cd you can use an archane text interface to dump BIOS/CMOS and examine/checksum.

The real attacks which survive disk formats and wipes target your PCI devices and any firmware which may be altered/overwritten with something special. It is not enough to scan your hard drive(s) and thumb drives, the real dangers with teeth infect your hardware devices.

When is the last time you:

Audited your sound card for malware?
Audited your graphics card for malware?
Audited your network card for malware?

Google for:

* AGP and PCI rootkit(s)
* Network card rootkit(s)
* BIOS/CMOS rootkit(s)

Our modern PC hardware is capable of much more than many can imagine.

Do you:

* Know your router's firmware may easily be replaced on a hacker's whim?
* Shield all cables against leakage and attacks
* Still use an old CRT monitor and beg for TEMPEST attacks?
* Use TEMPEST resistant fonts in all of your applications including your OS?
* Know whether or not your wired keyboard has keypresses encrypted as they pass to your PC from the keyboard?
* Use your PC on the grid and expose yourself to possible keypress attacks?
* Know your network card is VERY exploitable when plugged into the net and attacked by a hard core blackhat or any vicious geek with the know how?
* Search out informative papers on these subjects and educate your friends and family about these attacks?
* Contact antimalware companies and urge them to protect against many or all these attacks?

Do you trust your neighbors? Are they all really stupid when it comes to computing or is there a geek or two without a conscience looking to exploit these areas?

The overlooked threat are the potential civilian rogues stationed around you, especially in large apartment blocks who feed on unsecured wifi to do their dirty work.

With the recent news of Russian spies, whether or not this news was real or a psyop, educate yourself on the present threats which all antimalware scanners fail to protect against and remove any smug mask you may wear, be it Linux or OpenBSD, or the proprietary Windows and Mac OS you feel are properly secured and not vulnerable to any outside attacks because you either don't need an antivirus scanner (all are inept to serious attacks) or use one or several (many being proprietary mystery machines sending data to and from your machine for many reasons, one is to share your information with a group or set database to help aid in threats), the threats often come in mysterious ways.

Maybe the ancients had it right: stone tablets and their own unique language(s) rooted in symbolism.


I'm more concerned about new rootkits which target PCI devices, such as the graphics card and the optical drives, also, BIOS. Where are the malware scanners which scan PCI devices and BIOS for mismatches? All firmware, BIOS and on PCI devices should be checksummed and saved to match with others in the cloud, and archived when the computer is first used, backing up signed firmware.

When do you recall seeing signed router firmware upgrades with any type of checksum to check against? Same for PCI devices and optical drives and BIOS.

Some have begun with BIOS security:

http://www.biosbits.org/ [biosbits.org]

Some BIOS has write protection in its configuration, a lot of newer computers don't.


"Disconnect your PC from the internet and don't add anything you didn't create yourself. It worked for the NOC list machine in Mission Impossible"

The room/structure was likely heavily shielded, whereas most civvies don't shield their house and computer rooms. There is more than meets the eye to modern hardware.


subversion hack:

network card rootkits and trojans
pci rootkits
packet radio
xmit "fm fingerprinting" software
"specific emitter identification"

how many malware scanners scan bios/cmos and pci/agp cards for malware? zero, even the rootkit scanners. have you checksummed/dumped your bios/cmos and firmware for all your pci/agp devices and usb devices, esp vanity usb devices in and outside the realm of common usb devices (thumbdrives, external hdds, printers),

Unless your computer room is shielded properly, the computers may still be attacked and used, I've personally inspected computers with no network connection running mysterious code in the background which task manager for windows and the eqiv for *nix does not find, and this didn't find it all.

Inspect your windows boot partition in *nix with hexdump and look for proxy packages mentioned along with command line burning programs and other oddities. Computers are more vulnerable than most would expect.

You can bet all of the malware scanners today, unless they are developed by some lone indy coder in a remote country, employ whitelisting of certain malware and none of them scan HARDWARE devices apart from the common usb devices.

Your network cards, sound cards, cd/dvd drives, graphics cards, all are capable of carrying malware to survive disk formatting/wiping.

Boot from a Linux live cd and use hexdump to examine your windows (and *nix) boot sectors to potentially discover interesting modifications by an unknown party.


Re:Nobody Seems To Notice and Nobody Seems To Care (1)

viperidaenz (2515578) | more than 2 years ago | (#41276867)

Don't forget your tinfoil hat

This is why Apple got rid of the UDID... (1)

SuperKendall (25149) | more than 2 years ago | (#41276677)

Even though the UDID was not supposed to be used for authentication like purposes, some app developers were leaning on it... really better to just make apps create a UUID themselves and make use of that. Of course, then for authentication you need a real login of some kind.

Re:This is why Apple got rid of the UDID... (0)

Anonymous Coward | more than 2 years ago | (#41277003)

Even popular apps like pandora. Learned that one the hard way with a used iphone.

Re:This is why Apple got rid of the UDID... (1)

petsounds (593538) | more than 2 years ago | (#41277363)

Same thing with Social Security Numbers; they were never supposed to be used as a Federal identification number, but companies wanted to track people in a more consistent manner and there was no alternative. In both cases, that doesn't forgive the companies for using these numbers.

Not Quite (1)

Anonymous Coward | more than 2 years ago | (#41276701)

To be fair, they are using the MD5 of the IMEI. Not just the IMEI in plain text. But I think people are more worried about someone getting their WhatsApp info from the IMEI, and not the other way around.

Anybody who cares about their security... (0)

Anonymous Coward | more than 2 years ago | (#41276947)

Anybody who cares about their security with mobile texting should be using one of the services out there that are designed for it, like Gliph or TigerText.

WhatsApp has had security problems in the past, and it seems like their users really don't care.

nice app to use this (0)

Anonymous Coward | more than 2 years ago | (#41277001)


Always the same stupid, stupid mistakes (3, Insightful)

gweihir (88907) | more than 2 years ago | (#41277107)

Why are these people not asking _one_ person that understands security before implementing the same tired old stupid mistakes again? There is not even space for responsible disclosure here. The only things to tell users is to stay away from this insecure trash. If they make beginners mistakes like these, there is likely no way to fix this app without a complete re-design.

Re:Always the same stupid, stupid mistakes (1)

StripedCow (776465) | more than 2 years ago | (#41277217)

In case you didn't notice, these days companies are only after the quick buck. This means that they target as large a group of people as they can with minimal effort. This in turn means that security, for example, gets neglected. In other words, the reason is companies have found out that they can exploit the following concept:


Re:Always the same stupid, stupid mistakes (2)

ahoog (640678) | more than 2 years ago | (#41277333)

They don't even have to ask. After years of doing mobile security audits, we complied 42+ best practices for secure mobile development and posted it free online. It's just that secure development takes extra time (and talent) and very few are willing to make that commitment. https://viaforensics.com/resources/reports/best-practices-ios-android-secure-mobile-development/ [viaforensics.com]

Re:Always the same stupid, stupid mistakes (1)

Anonymous Coward | more than 2 years ago | (#41277453)

13 and 14 are kind of bullshit. If an "attacker" can modify your code, you've already lost. Obfuscating your code to make it harder to crack the binary is not security, it's obfuscation. It might give comfort to those seeking solutions to the impossible problems (DRM, copy protection) but in the end it won't help you beyond preventing the most casual/unskilled crackers, and it will make your job as a developer harder.

Basically if you can't trust the integrity of your own address space you've lost, there is no sense in denying it by making your code harder to read.

Re:Always the same stupid, stupid mistakes (1)

gweihir (88907) | more than 2 years ago | (#41280207)

They are not BS, they are shifting attacker effort. Depending on your attacker model, that may or may not make the app more secure. Unfortunately that is worth far less than it seems can even lower security.

Unfortunately, it looks like most attackers are not that rational (the Homo economicus is a nice theoretical model, but unfortunately complete BS in practice, as there are basically none of these creatures around) and will keep at one target a lot longer than is economically viable. That means simple obfuscation techniques may keep the kiddies out that do not get it, but no advanced attacker will be impressed in the least. (As you rightfully point out.) As targeted attacks are on the raise (and these are not done by incompetent kiddies in general), obfuscation techniques are even worse then BS, as they create a false sense of security.

I know from personal experience that it is extremely hard to explain the non-value of such techniques that seem to work on first glance to non-experts (read: managers) and to explain to them that their level of preparedness is actually far, far lower than they think. If that explanation fails, these techniques make the system actually less secure, because other steps that would have helped are not undertaken. After all, "it is already secured".

So, calling this BS is far too nice ;-)=)

Re:Always the same stupid, stupid mistakes (1)

gnasher719 (869701) | more than 2 years ago | (#41282409)

One goal should always be to make an attack expensive. That doesn't help _your_ app very much, but it helps _everyone_. If it was more expensive to attack _your_ app, then the attacker has less money or time to spend on attacking other apps, and if other apps are more expensive to attack, then anyone who attacked those apps has less money and time to attack your app.

The perfect app would be one that is actually safe, but looks as if it could be attacked successfully, making an attacker waste their time. So obfuscation as _first_ line of defense is useful. Not as protection, but as a drain on the bad guys' money.

In a way it's useful (1)

Z00L00K (682162) | more than 2 years ago | (#41277631)

But they should use the IMSI number, not the IMEI number. And combine it with a password, then you get into a better level of security than with only a password since you are using something you have.

However with the recent rise in malicious apps for phones using the phone for anything secure is risky.

New password (0)

Anonymous Coward | more than 2 years ago | (#41277647)

Couldnt they just use said IMEI and mix user name or or another mix inside of the imei for the password to keep the a identifier unique?

Re:New password (0)

Anonymous Coward | more than 2 years ago | (#41281937)

The issue is having something unguessable, not something unique.

modc up (-1)

Anonymous Coward | more than 2 years ago | (#41278153)

How is the GNNA time wholesome and

If they aren't doing anything wrong... (0)

Anonymous Coward | more than 2 years ago | (#41278245)

"If they aren't doing anything wrong, what have they got to hide? Why do they need to encrypt things?"

Any discussion about security has to have that in there somewhere. This time I got there before the NSA dude...

Apple removed UDID (1)

gnasher719 (869701) | more than 2 years ago | (#41278611)

Anyone who writes mobile apps _must_ have noticed that Apple is removing the APIs to read UDIDs (Universal Device Identifiers) - because of privacy concerns, and because using a device to identify a user is stupid in the first place. IMEI numbers are supposed to be unchangeable, so they are UDIDs as well, so it is obvious that the reasons why UDIDs shouldn't be used apply to IMEI numbers as well.

I don't write Android code, but I would be sure that they have some easy means for an app to generate a UUID (Universally Unique Identifier) and stash it away safely, which is what an app should use.

Not on Windows Phone 7 (0)

Anonymous Coward | more than 2 years ago | (#41278631)

This isn't a problem on WP7 (can't speak for 8). We needed the IMEI on a project, and only signed OEM applications can get access to it. iOS has UUID access for applications to get around this, as does WP7, but that generally raises issues around privacy.

Issues with IMEI are a bit heavier than UUID style usage. You can block an entire phone globally by reporting the phone stolen with the IMEI to participating carriers. This is irreversible. Malicious though, and rather unlikely. What's more likely is your IMEI can be sold to fake phone manufacturers, which if they ever appear on the same network as your phone simultaneously, both will get blocked globally.

IMEI not just "easily readable" (2)

richard.cs (1062366) | more than 2 years ago | (#41278637)

The IMEI is not just "easily readable" it's sent unencrypted whenever a call is made. This was a deliberate design choice, it could have been sent after the encrypted connection was established but the writers of the specification chose otherwise - the motivations for this have never been explained but a lot of people have drawn their own conclusions.

In any case my point is that it's even easier than TFA suggests to obtain someone's IMEI.

Missing tag (-1)

Anonymous Coward | more than 2 years ago | (#41278669)

Why doesn't slashdot have a tag "morons"? I had to check if this was a joke, it's too stupid to be true...

Jitsi (1)

Hatta (162192) | more than 2 years ago | (#41279559)

So when is Jitsi going to get an android port?

It should NOT be used for authentication (0)

Anonymous Coward | more than 2 years ago | (#41285815)

"Since someone's IMEI number is easily readable, this isn't really secret information that should be used for authentication."

I think this should read that IMEI numbers should not be used for authentication.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?