Popular Messaging App ToTok Reportedly an Emirati Spy Tool (cnet.com)
A popular messaging app billed as a secure way to chat with friends and family is actually a spying tool used by the United Arab Emirates to track the activities of those who download it, The New York Times reported Sunday. From a report: The app, which debuted only a few months ago, has been downloaded millions of times around the world. The app is a mass surveillance tool, The Times reported, capable of monitoring every conversation, movement, relationship, appointment, sound and image of its users. The majority of the app's users are in the Emirates, but it recently surged in popularity in the US. An analysis and interviews with computer security experts suggest the company behind ToTok, Breej Holding, is a front for DarkMatter, an Abu Dhabi-based cyberintelligence and hacking firm that employs Emirati intelligence officials, former National Security Agency employees and former Israeli military intelligence operatives, The Times reported. The app was recently removed from the Apple and Google app stores, but it's still functional until users delete it from their device.
Is anyone surprised? (Score:3)
It was just a matter of "who" was behind this app....not when.
Re: (Score:2)
a matter of "who" was behind
Wat?
Re: (Score:1)
Only Google spies Google devices. (Score:1)
Closed source "secure privacy" tools ... (Score:5, Informative)
The plethora of closed-source "secure privacy" tools has always puzzled me. How can ANYONE trust a tool to be what it claims, rather than its opposite, if NOBODY can check it and sound the alarm?
You don't have to be a computer program expert and check it YOURSELF.
Same applies to the platform it runs on: How can you trust even a good tool on a compromised environment, where the in-the-clear side of an encrypted communication or stored contact list can be accessed as it goes by, analyzed, stored, and uploaded to your potential enemies?
Re:Closed source "secure privacy" tools ... (Score:4, Informative)
By and large the open source model works really well for *software*. You download your linux image, check the fingerprint, and trust that the vast number of eyes out there looking at the source will find any skulduggery.
The problem with these social media platforms is that the software is only part of the system. Somebody's got to provide the *services*, and providing *services* to other people doesn't follow the same scratch-you-own-itch-then-share logic. Providing services eats cash, which means service providers need revenue. If you're not providing the revenue, somebody interested in you is: advertisers, or in this case the state.
So the idea of a *free* privacy-oriented social media tool is economic bunk, unless it's ad-supported or has some other visible revenue source.
Just to put this in perspective, Facebook's average annual revenue per subscriber is $6. If everyone paid fifty cents a month you could have a version of Facebook that didn't spy on you; the client could be open source -- or at least inspectable source -- because there'd be nothing to hide. All the value of the service would be in the access to other subscribers. But if Facebook charged fifty cents a month it'd lose most of its subscribers. Somehow seeing that nickel leave your bank account every three days is more painful than all the ways Facebook secretly takes value out of your hide.
Agreed. But even open source is not enough. (Score:2)
The NSA getting backdoors into OpenSSL (that random number generator, DES formerly, RSA probably, RC4 likely, that keep-alive bug, ...) showed us, that "many eyes" is bullshit. ... remember that "Underhanded C" contest?
Not everyone looks at all code changes all the time. And even if
In the end, it is you and me, who would need to check ourselves!
But if reading T&C is a hassle, it's nothing compared to *this*!
So our last hope... is an independent audit.
But... unless *we* checked its independency and not be
Re:Agreed. But even open source is not enough. (Score:4, Interesting)
Have you looked at the OpenSSL source code? It's not like other source code. It's designed for maximum unreadability.
When I finally untangled how the RNG code worked inside OpenSSL, I stopped using it. It pretty much ensures 0 entropy on most platforms unless you override the inputs. I found similar problems with other SSLs (wolf, polar) when I was asked to review the RNG code for customers wanting to use those packages in certified systems.
Things may have changed, I haven't looked in recent months, but as recent as 2018, it was bad.
My general advice is don't use an off-the-shelf open source crypto library for random number generation and don't trust it to properly feed randomness into the protocols they implement. They are generally OK at the deterministic algorithms, but feed in your own randomness and do it properly. Don't know how to do it properly? Unsure of the best path? No problem, I wrote a book on it. ISBN in the sig below.
TANSTAAFL... you pay for that app somehow (Score:4, Interesting)
It is surprising to me how people grab and use "free" apps without thinking, not realizing that they are the product, and $DEITY knows who is slurping the data from the apps. You get what you pay for.
For a messaging app, best all around is something like Signal, with perhaps Telegram and MeWe after that. Why use stuff of dubious value?
Re: (Score:2)
You think paying means you won't be spied on? (Score:2)
If you do... (and you may not) ... Haaaahahahahahahaaa! *wipes away tears*
And yes, free can actually mean free!
But only outside of capitalism!
Like with FLOSS. Or like Linux and other similar open source.
As in: When everybody contributes, because we get a common advantage.
Because then, nobody's in it for the profit/theft. But for having a great tool, and for getting others to share, by sharing yourself, as everyone realized that that is more advantageous than being a selfish lizard dick fighting for himself
Re: (Score:1)
It is surprising to me how people grab and use "free" apps without thinking, not realizing that they are the product, and $DEITY knows who is slurping the data from the apps. You get what you pay for.
For a messaging app, best all around is something like Signal, with perhaps Telegram and MeWe after that. Why use stuff of dubious value?
Don't forget "free" websites, such as google, or even Slashdot :)
Aren't they all? (Score:3)
Spying on us?
Re: (Score:3)
USA here. What's the difference? (Score:2)
Can you point out a single senator who didn't either enter or will leave through a revolving door with a corporate lobbyist? ... or that isn't aware how easily he is manipulated into being a pawn.
Then I will show you one that hides it well, that surprisingly loses his elections via strange means, gets discredited, illegal stuff gets "found" on his computer,
Re: (Score:2)
Ron Wyden
Not alone (Score:2)
Corrected headline (Score:1)
Corrected headline: "Popular Messaging App Facebook Reportedly an American Spy Tool "
Made me wonder if WhatsApp is the same for the US. (Score:2)
And Telegram for Russia.
But then I realized the US has no government, but a corporate council, so "It's a Facebook spying tool" is equal to "It's a 'government' spying tool". ;)
And that there is nothing to wonder about with Russia. It's not like any Russian, or anyone else, would believe otherwise.