
The Ultimate Bad Take: Bloomberg’s Leonid Bershidsky Thinks A WhatsApp Vulnerability Proves End To End Encryption Is Useless

Bloomberg has really been on a roll lately with getting security stories hellishly wrong. Last fall it was its big story claiming that there was a supply chain hack that resulted in hacked Supermicro chips being used by Amazon and Apple. That story has been almost entirely debunked, though Bloomberg still has not retracted the original. Then, just a few weeks ago, it flubbed another story, claiming that the presence (years ago) of telnet in some Huawei equipment was a nefarious backdoor, rather than a now obsolete but previously fairly common setup on lots of equipment for remote diagnostics and access.

The latest is an opinion piece, rather than reporting, but it’s still really bad. Following yesterday’s revelation that a serious security vulnerability had been discovered in WhatsApp, opinion columnist Leonid Bershidsky declared it evidence that end-to-end encryption is pointless. This is, to put it mildly, a really, really bad take. The whole article is a confused jumble of mostly nonsense, mixed with stuff that was already widely known and irrelevant:

The discovery that hackers could snoop on WhatsApp should alert users of supposedly secure messaging apps to an uncomfortable truth: “End-to-end encryption” sounds nice — but if anyone can get into your phone’s operating system, they will be able to read your messages without having to decrypt them.

Um. Duh? The whole point of end-to-end encryption is that it protects messages in transit and not at rest. That’s the whole “end-to-end” bit. At the ends it’s decrypted. You can also encrypt content on a device — this is what the FBI is so annoyed about regarding Apple’s iPhone encryption — but to argue that end-to-end encryption is pointless because it doesn’t do what it’s not supposed to do in the first place is crazy.

It gets worse:

“End-to-end encryption” is a marketing device used by companies such as Facebook to lull consumers wary about cyber-surveillance into a false sense of security.

It is true that some people confuse “end-to-end encryption” with perfect security, which it is not. But it is simply wrong (laughably so) to say that it’s merely a “marketing device.” In actuality, end-to-end encryption is a hugely important part of what keeps your data protected when you communicate online. It provides real security for the conditions it’s designed to provide security for — and not other conditions, such as the one the hack takes advantage of.

Bershidsky complaining about on-device malware reading your WhatsApp messages as being evidence that end-to-end encryption is pointless is like arguing that you should never wear seatbelts because they won’t protect you if you drive off a cliff. Seatbelts protect you in lots of common scenarios, but might not protect you in extreme scenarios like driving off a cliff. And end-to-end encryption protects you in lots of messaging scenarios, but won’t protect you if someone can install something directly on your device.
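To make the seatbelt point concrete, here is a small model of the two vantage points an attacker can have on a messaging system: the provider’s relay in the middle, and the endpoint device itself. This is an added example, not code from the Techdirt post or from WhatsApp; the cipher is a constructed standard-library-only construction (HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag) so it runs offline, where a real messenger would use an audited AEAD such as AES-GCM or ChaCha20-Poly1305. The relay, the phones and the message are all constructed for the demonstration.

```python
"""Model of what end-to-end encryption does and does not cover.

Constructed example: a relay that forwards ciphertext sees no plaintext and
cannot alter a message undetected, while the decrypted inbox on the endpoint
is plaintext to anything running with the app's privileges.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, used as a keystream (constructed cipher).
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256)
        out += block.digest()
        counter += 1
    return bytes(out[:length])


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    # Fresh random nonce per message; encrypt-then-MAC over nonce and ciphertext.
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    # Verify the tag in constant time before touching the ciphertext.
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message was altered in transit")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class Phone:
    """One endpoint: holds the session keys and the decrypted message store."""

    def __init__(self, enc_key: bytes, mac_key: bytes) -> None:
        self.enc_key = enc_key
        self.mac_key = mac_key
        self.inbox: list[str] = []  # plaintext at rest on the device

    def send(self, text: str) -> bytes:
        return encrypt(self.enc_key, self.mac_key, text.encode())

    def receive(self, blob: bytes) -> str:
        text = decrypt(self.enc_key, self.mac_key, blob).decode()
        self.inbox.append(text)
        return text


class Relay:
    """The provider's server: forwards blobs and records everything it sees."""

    def __init__(self) -> None:
        self.observed: list[bytes] = []

    def forward(self, blob: bytes) -> bytes:
        self.observed.append(blob)
        return blob


def run_scenario() -> dict:
    """Returns what each vantage point learns about one message."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    alice, bob, relay = Phone(enc_key, mac_key), Phone(enc_key, mac_key), Relay()
    secret = "meet at the usual place"  # constructed message

    bob.receive(relay.forward(alice.send(secret)))
    server_view = relay.observed[0]

    # In transit: the relay holds only an opaque blob.
    server_sees_plaintext = secret.encode() in server_view

    # In transit: a one-bit change inside the ciphertext fails the tag check.
    tampered = bytearray(server_view)
    tampered[NONCE_LEN + 4] ^= 0x01
    try:
        bob.receive(bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    # At the end: the decrypted store is readable without any key material.
    return {
        "server_sees_plaintext": server_sees_plaintext,
        "tamper_detected": tamper_detected,
        "endpoint_plaintext": list(bob.inbox),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The result shows the boundary the post describes: the relay neither reads nor silently modifies the message, while the endpoint’s inbox holds the plaintext in the clear, so the defence against endpoint compromise is device security (OS patching, app sandboxing, device encryption), not the transport layer.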

The tug of war between tech firms touting end-to-end encryption as a way to avoid government snooping and state agencies protesting its use is a smokescreen. Government and private hackers are working feverishly on new methods to deploy malware with operating system-wide privileges.

It’s not a “smokescreen.” It’s dealing with one type of attack. It’s bizarre to suggest that end-to-end encryption is useless because there are some advanced ways that people can get around it, ignoring all the other ways that it helps protect most people. End-to-end encryption does much more to protect tons of people, and saying that we can ignore it just because it doesn’t stop all attacks is really dangerous.

Bloomberg should be ashamed to be publishing such dangerous nonsense. It is the equivalent of anti-vax nonsense, telling people not to protect themselves.


Techdirt.

Detailed And Thorough Debunking Of Bloomberg’s Sketchy Story About Supply Chain Hack

Last week we noted that the general consensus at this point is that Bloomberg screwed up its story about a supposed supply chain hack, in which it was claimed that Chinese spies hacked Supermicro chips that were destined for Apple and Amazon. Basically everyone is loudly denying the story, and many are raising questions about it. In our comments, some of you still seemed to want to believe the article, and argued (without any evidence) that the US and UK governments, along with Amazon and Apple, were flat out lying about all of this. I pointed out a few times that that’s not how things work. Also untrue is the idea that many floated that the US government was forcing Apple and Amazon to lie. That also is not how things work (for those who don’t believe this, please check your First Amendment case history).

Anyway, over at Serve the Home, Patrick Kennedy has one of the most thorough and comprehensive debunkings of the Bloomberg story, detailing how incredibly implausible the story is. Kennedy’s write-up is very detailed, including lots of pictures and detailed drawings of how networks are set up. Here’s just a little snippet as an example:

The next inaccuracy to this paragraph is the line describing BMCs as “giving them access to the most sensitive code even on machines that have crashed or are turned off.” That is not how this technology works.

Baseboard management controllers or BMCs are active on crashed or turned off servers. They allow one to, for example, power cycle servers remotely. If you read our piece Explaining the Baseboard Management Controller or BMC in Servers, BMCs are superchips. They replace a physical administrator working on a server in a data center for most tasks other than physical service (e.g. changing failed hard drives.)

At the same time, the sensitive data on a system is in the main server complex, not the BMC. When the BMC is powered on, hard drives, solid state drives, the server’s CPU (for decrypting data) and memory are not turned on. If you read our embedded systems reviews, such as the Supermicro A2SDi-16C-HLN4F 16-core Intel Atom C3955 mITX Motherboard Review, we actually publish power figures for when a system is on versus when the BMC only is active. In that review, the BMC powered on utilizes 4.9W of power. SSDs each have idle power consumption generally above 1W and hard drives use considerably more even at idle. The point here is that when the server’s BMC is turned on, and the server is powered off, it is trivially easy to measure that the attached storage is not powered on and accessible.

When a server is powered off it is not possible to access a server’s “most sensitive code.” OS boot devices are powered off. Local storage is powered off for the main server. Further encrypted sensitive code pushed from network storage is not accessible, and a BMC would not authenticate.

This line from the Bloomberg is technically inaccurate because a powered off server’s storage with its sensitive code has no power and cannot be accessed.

There is much, much more in the piece, and it is well worth reading if you still think Bloomberg was on to something with its story.

So far, Bloomberg has stood by its story, even though it increasingly seems clear that its reporters — Michael Riley and Jordan Robertson — were in over their heads. It is possible that something questionable happened, but it almost certainly did not happen the way they described it. The fact that Bloomberg has refused to recognize any of these concerns is incredibly damning for Bloomberg’s reputation.
