Whisper.sh is insecure

The Guardian is reporting today that the supposedly secure and anonymous social media app, Whisper.sh, has been secretly collecting user info, including location data, and sharing it with both the US and British intelligence services.

All apps that are meant to be secure should be open source and should have built-in end-to-end encryption. Anything less than that should automatically be deemed insecure.

The Lavabit case has shown us that if a company is located in America, it will be compelled by authorities to track users and hand over that info.

"As a cryptography and computer security expert, I have never understood the current fuss about the open source software movement. In the cryptography world, we consider open source necessary for good security; we have for decades. Public security is always more secure than proprietary security. It's true for cryptographic algorithms, security protocols, and security source code. For us, open source isn't just a business model; it's smart engineering practice." (Bruce Schneier, Crypto-Gram 9/15/1990)

Just wanted to get this post up real quick. Will update this later as I read more into this particular situation.


"1) Don't use companies located in the US for any security application. @Whisper app has a backdoor: http://t.co/XSzXzwECPj #infosec #bitcoin" (CoinPrices.io (@CoinpricesIO), October 16, 2014, https://twitter.com/CoinpricesIO/status/522775531520294912)

"2) Security apps should be #opensource & the company should be located outside of US. Looking at you @CyberDustApp & @mcuban. #infosec #btc" (CoinPrices.io (@CoinpricesIO), October 16, 2014, https://twitter.com/CoinpricesIO/status/522776042243883011)

"3) Otherwise it is just false promise of security. Check out @surespot for a truly secure messenger. @CyberDustApp @mcuban #infosec #bitcoin" (CoinPrices.io (@CoinpricesIO), October 16, 2014, https://twitter.com/CoinpricesIO/status/522776274117611520)

"4) Same goes for VPNs. Don't use any located in US. Such as @buyvpnservice, use @bolehvpn or https://t.co/JxNC3D0ZGY instead. #infosec #btc" (CoinPrices.io (@CoinpricesIO), October 16, 2014, https://twitter.com/CoinpricesIO/status/522776966790135808)

