Popular Messaging App ToTok Reportedly an Emirati Spy Tool (cnet.com)

A popular messaging app billed as a secure way to chat with friends and family is actually a spying tool used by the United Arab Emirates to track the activities of those who download it, The New York Times reported Sunday. From a report: The app, which debuted only a few months ago, has been downloaded millions of times around the world. The app is a mass surveillance tool, The Times reported, capable of monitoring every conversation, movement, relationship, appointment, sound and image of its users. The majority of the app's users are in the Emirates but recently surged in popularity in the US. An analysis and interviews with computer security experts suggest the company behind ToTok, Breej Holding, is a front for DarkMatter, an Abu Dhabi-based cyberintelligence and hacking firm that employs Emirati intelligence officials, former National Security Agency employees and former Israeli military intelligence operatives, The Times reported. The app was recently removed from the Apple and Google app stores, but it's still functional until users delete it from their device.

  • by Ronin Developer ( 67677 ) on Monday December 23, 2019 @11:26AM (#59550350)

    It was just a matter of “who” was behind this app....not when.

    • by SeaFox ( 739806 )

      a matter of “who” was behind

      Wat?

    • Yes. That there is no 'FIX' or patch out for this state sponsored malware. All AV signatures should flag it. Now it is in busted status, time to turn it into dead meat. There is SHUTUP10 for Windows, PIHOLE, and there should be a shutup app for this one as well. Now if only there is a hardware patch, so that the camera and mike can be fed an objectionable loop. Maybe Israel can provide a free patch to defang this app, and send a message to its makers.
  • And maybe Facebook. BUT THAT'S IT!
  • by Ungrounded Lightning ( 62228 ) on Monday December 23, 2019 @11:39AM (#59550396) Journal

    The plethora of closed-source "secure privacy" tools has always puzzled me. How can ANYONE trust a tool to be what it claims, rather than its opposite, if NOBODY can check it and sound the alarm?

    You don't have to be a computer program expert and check it YOURSELF.

    Same applies to the platform it runs on: How can you trust even a good tool on a compromised environment, where the in-the-clear side of an encrypted communication or stored contact list can be accessed as it goes by, analyzed, stored, and uploaded to your potential enemies?

    • by hey! ( 33014 ) on Monday December 23, 2019 @12:23PM (#59550562) Homepage Journal

      By and large the open source model works really well for *software*. You download your linux image, check the fingerprint, and trust that the vast number of eyes out there looking at the source will find any skulduggery.

      The problem with these social media platforms is that the software is only part of the system. Somebody's got to provide the *services*, and providing *services* to other people doesn't follow the same scratch-your-own-itch-then-share logic. Providing services eats cash, which means service providers need revenue. If you're not providing the revenue, somebody interested in you is: advertisers, or in this case the state.

      So the idea of a *free* privacy-oriented social media tool is economic bunk, unless it's ad-supported or has some other visible revenue source.

      Just to put this in perspective, Facebook's average annual revenue per subscriber is $6. If everyone paid fifty cents a month you could have a version of Facebook that didn't spy on you; the client could be open source -- or at least inspectable source -- because there'd be nothing to hide. All the value of the service would be in the access to other subscribers. But if Facebook charged fifty cents a month it'd lose most of its subscribers. Somehow seeing that nickel leave your bank account every three days is more painful than all the ways Facebook secretly takes value out of your hide.

    • The NSA getting backdoors into OpenSSL (that random number generator, DES formerly, RSA probably, RC4 likely, that keep-alive bug, ...) showed us that "many eyes" is bullshit.
      Not everyone looks at all code changes all the time. And even if ... remember that "Underhanded C" contest?
      In the end, it is you and me, who would need to check ourselves!
      But if reading T&C is a hassle, it's nothing compared to *this*!
      So our last hope... is an independent audit.
      But... unless *we* checked its independency and not be

      • by TechyImmigrant ( 175943 ) on Monday December 23, 2019 @02:26PM (#59551090) Homepage Journal

        Have you looked at the OpenSSL source code? It's not like other source code. It's designed for maximum unreadability.

        When I finally untangled how the RNG code worked inside OpenSSL, I stopped using it. It pretty much ensures 0 entropy on most platforms unless you override the inputs. I found similar problems with other SSLs (wolf, polar) when I was asked to review the RNG code for customers wanting to use those packages in certified systems.

        Things may have changed, I haven't looked in recent months, but as recent as 2018, it was bad.

        My general advice is don't use an off-the-shelf open source crypto library for random number generation and don't trust it to properly feed randomness into the protocols they implement. They are generally OK at the deterministic algorithms, but feed in your own randomness and do it properly. Don't know how to do it properly? Unsure of the best path? No problem, I wrote a book on it. ISBN in the sig below.
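The advice above, to feed a crypto library your own properly sourced randomness rather than trusting its defaults, as an added example that is not from the thread, the book mentioned, or any library: a Python demo that shows what "0 entropy" looks like (a generator seeded from a predictable value yields the same stream every time), draws bytes from the OS CSPRNG instead, and runs a simplified repetition-count health test on the output before handing it on. The functions, the cutoff value and the demo inputs are this example's own constructions.

```python
import random
import secrets


def weak_bytes(n, seed):
    """A non-cryptographic PRNG seeded from a predictable value.

    Anyone who knows (or can guess) the seed reproduces the whole stream, which is
    the '0 entropy' failure mode: the output carries no secret at all.
    """
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def os_random_bytes(n):
    """Draw from the operating system's CSPRNG (secrets -> os.urandom).

    This is the input a caller should feed into a protocol's nonces and keys
    instead of relying on a library's own seeding.
    """
    return secrets.token_bytes(n)


def repetition_count_ok(buf, cutoff=8):
    """Simplified repetition count test in the spirit of NIST SP 800-90B section 4.4.1.

    Fails if any byte value repeats `cutoff` or more times in a row, which catches a
    source that has silently stuck at a constant. SP 800-90B derives the cutoff from
    the claimed min-entropy per sample (1 + ceil(20 / H) for a 2^-20 false-alarm
    rate); the default of 8 here is a deliberately loose illustrative value.
    """
    run, prev = 0, None
    for b in buf:
        if b == prev:
            run += 1
            if run >= cutoff:
                return False
        else:
            prev, run = b, 1
    return True


def checked_random_bytes(n):
    """Return n bytes from the OS CSPRNG, refusing to proceed if the health test fails."""
    buf = os_random_bytes(n)
    if not repetition_count_ok(buf):
        raise RuntimeError("entropy source failed repetition count test")
    return buf


if __name__ == "__main__":
    # Same seed, same bytes: a predictable seed gives no secrecy.
    print("weak streams identical:", weak_bytes(16, 42) == weak_bytes(16, 42))
    print("os streams identical:  ", os_random_bytes(16) == os_random_bytes(16))
    print("stuck source passes:   ", repetition_count_ok(b"\x00" * 64))
    print("checked bytes:         ", checked_random_bytes(16).hex())
```

The health test is a last line of defence, not a measure of entropy: it rejects a source that has obviously died, but a stream that is predictable to an attacker (like `weak_bytes`) passes it with ease. The decision about where the randomness comes from has to be made up front, which is the point of the comment.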

  • by ctilsie242 ( 4841247 ) on Monday December 23, 2019 @11:52AM (#59550434)

    It is surprising to me how people grab and use "free" apps without thinking, not realizing that they are the product, and $DEITY knows who is slurping the data from the apps. You get what you pay for.

    For a messaging app, best all around is something like Signal, with perhaps Telegram and MeWe after that. Why use stuff of dubious value?

    • This is not so much about a "free" app that monetizes your contacts data through advertising than it is about a federation of monarchies that want to maintain control over a population.
    • If you do... (and you may not) ... Haaaahahahahahahaaa! *wipes away tears*

      And yes, free can actually mean free!
      But only outside of capitalism!
      Like with FLOSS. Or like Linux and other similar open source.
      As in: When everybody contributes, because we get a common advantage.
      Because then, nobody's in it for the profit/theft. But for having a great tool, and for getting others to share, by sharing yourself, as everyone realized that that is more advantageous than being a selfish lizard dick fighting for himself

    • It is surprising to me how people grab and use "free" apps without thinking, not realizing that they are the product, and $DEITY knows who is slurping the data from the apps. You get what you pay for.

      For a messaging app, best all around is something like Signal, with perhaps Telegram and MeWe after that. Why use stuff of dubious value?

      Don't forget "free" websites, such as google, or even Slashdot :)

  • by nospam007 ( 722110 ) * on Monday December 23, 2019 @11:53AM (#59550442)

    Spying on us?

  • Facebook and Whatsapp require the same permissions. GPS, microphone, contacts. Just saying.
  • Corrected headline: "Popular Messaging App Facebook Reportedly an American Spy Tool "

  • And Telegram for Russia.

    But then I realized the US has no government, but a corporate council, so "It's a Facebook spying tool" is equal to "It's a 'government' spying tool".
    And that there is nothing to wonder about with Russia. It's not like any Russian, or anyone else, would believe otherwise. ;)
