X's new 'encrypted' XChat feature seems no more secure than the failure that came before it

Elon Musk's X social media platform is rolling out a new version of its direct messaging feature that the platform owner said had a "whole new architecture," but as with many a Muskian proclamation, there's reason to doubt what's been said.  Dubbed "XChat" (not to be confused with the venerable Linux/Windows IRC app of the …

  1. elsergiovolador Silver badge

    Blockchain

    Does it mean all chat history of everyone is publicly available?

    1. that one in the corner Silver badge

      Re: Blockchain

      More subtle than that, and he isn't keeping it a secret (at least, that will be his excuse - "We told you from the start")

      > "Bitcoin style encryption."

      As we all know, the closest the blockchain gets to encryption is the work involved in the hashing of the blocks, which is supposed to be a one-way calculation and proof that the copy of the chain you hold hasn't been tampered with. At least, as agreed by a quorum of all the miners*. Hence the issue with the 51% attack: if you hold 51% of whichever mechanism is being used (proof-of-whatever) then you can modify the contents of the blocks, recalculate the chain and everyone else will take your copy as Truth. The Bitcoin (or other) blockchain is an Immutable Ledger, but only for certain values of "immutable".

      So we are being told that not only will your chat history be capable of being made public (at Twitter's discretion - oops, I mean when Twitter responds to a legitimate request from "an authority") it will do so with proof that that IS what you said because, look, our crypto-quality hashes can't be wrong, anyone can verify them. As if they were on "the Bitcoin blockchain". Only, cough, a certain someone happens to hold control over this particular "chain" and it might get recalculated once we have corrected your posts to show our Preferred Truth about what you said.

      * Description courtesy of Really Quick And Shoddy Explanations Inc, on the basis that if you, gentle reader, do know how blockchain works then you don't need anything better to follow what I'm trying to say. And if you don't know how it works I'm not going to be able to explain it all in one comment. Either way, just go with me here.
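The point made in the comment above, shown as an added example that is not part of the original post: a hash chain proves nothing against the party who can recompute it, unless the verifier holds an independently recorded head hash. The block layout, function names and sample messages are constructed for illustration and are not taken from XChat or Bitcoin.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the chain


def block_hash(prev_hash, author, text):
    """SHA-256 over the previous block's hash plus this block's content."""
    payload = json.dumps([prev_hash, author, text], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_chain(messages):
    """Build a list of linked blocks from (author, text) pairs."""
    chain, prev = [], GENESIS
    for author, text in messages:
        digest = block_hash(prev, author, text)
        chain.append({"prev": prev, "author": author, "text": text, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain):
    """Internal consistency only: every link and every hash recomputes."""
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev:
            return False
        if block_hash(prev, block["author"], block["text"]) != block["hash"]:
            return False
        prev = block["hash"]
    return True


def head(chain):
    """Hash of the newest block; it commits to everything before it."""
    return chain[-1]["hash"] if chain else GENESIS


def edit_in_place(chain, index, new_text):
    """Change one message but leave the stored hashes untouched."""
    edited = [dict(block) for block in chain]
    edited[index]["text"] = new_text
    return edited


def rewrite_and_recompute(chain, index, new_text):
    """Change one message, then rebuild every hash from that point on.

    Anyone who is the sole maintainer of the chain can do this.
    """
    messages = [(block["author"], block["text"]) for block in chain]
    messages[index] = (messages[index][0], new_text)
    return build_chain(messages)


def verify_against_checkpoint(chain, trusted_head):
    """Accept only a consistent chain that still contains a head hash
    the verifier recorded earlier, outside the operator's control."""
    if not verify_chain(chain):
        return False
    return any(block["hash"] == trusted_head for block in chain)


# Constructed sample conversation.
SAMPLE = [
    ("alice", "Lunch at noon?"),
    ("bob", "I never liked the new logo."),
    ("alice", "Noted."),
]

if __name__ == "__main__":
    original = build_chain(SAMPLE)
    checkpoint = head(original)  # recorded by the user, kept off the platform

    edited = edit_in_place(original, 1, "I love the new logo.")
    rewritten = rewrite_and_recompute(original, 1, "I love the new logo.")
    extended = build_chain(SAMPLE + [("bob", "See you then.")])

    print("original verifies:            ", verify_chain(original))
    print("edit without rehash verifies: ", verify_chain(edited))
    print("operator rewrite verifies:    ", verify_chain(rewritten))
    print("rewrite matches checkpoint:   ", verify_against_checkpoint(rewritten, checkpoint))
    print("honest growth matches:        ", verify_against_checkpoint(extended, checkpoint))
```

The recomputed chain passes `verify_chain` exactly like the original; only the comparison with a head hash held elsewhere tells the two apart.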

    2. The Man Who Fell To Earth Silver badge
      Boffin

      Probably by "Bitcoin-style encryption" Musk meant...

      UHJvYmFibHkgYnkgIkJpdGNvaW4tc3R5bGUgZW5jcnlwdGlvbiIgTXVzayBtZWFudCBNSU1FIGVuY29kaW5nLg==

      1. Yet Another Anonymous coward Silver badge

        Re: Probably by "Bitcoin-style encryption" Musk meant...

        .. That's the kind of combination an idiot would put on his luggage!"

      2. Ropewash

        Re: Probably by "Bitcoin-style encryption" Musk meant...

        Isn't that the name of one of his kids?

      3. JulieM Silver badge
        Pirate

        Re: Probably by "Bitcoin-style encryption" Musk meant...

        begin 644 topsecrt.msg

        UHJvYmFibHkgYnkgIkJpdGNvaW4tc3R5bGUgZW5jcnlwdGlvbiIgTXVzayBtZWFudCBNSU1FIGVuY29kaW5nLg==

        M54A*=EEM1FEB2&MG66YK9TEK2G!D1TYV85<T=&,S4C5B1U5G6E<U:F-N;'=D

        L1VQV8FE)9U185GIA>4)T6E=&=61#0DY353%&24=6=5DR.6MA5S5N3&<]/0H`

        `

        end

        1. I ain't Spartacus Gold badge

          Re: Probably by "Bitcoin-style encryption" Musk meant...

          UHJvYmFibHkgYnkgIkJpdGNvaW4tc3R5bGUgZW5jcnlwdGlvbiIgTXVzayBtZWFudCBNSU1FIGVuY29kaW5nLg==

          M54A*=EEM1FEB2&MG66YK9TEK2G!D1TYV85<T=&,S4C5B1U5G6E<U:F-N;'=D

          L1VQV8FE)9U185GIA>4)T6E=&=61#0DY353%&24=6=5DR.6MA5S5N3&<]/0H`

          `

          You bastard! Take back what you said about my mother!

      4. cyberdemon Silver badge
        Holmes

        onfr64?

        Abg frpher rabhtu sbe Zhfx, ur'yy or hfvat EBG13

        1. Yet Another Anonymous coward Silver badge

          Re: onfr64?

          Instructions unclear. Have summoned Cthulhu

        2. Philo T Farnsworth Silver badge

          Re: onfr64?

          Elonyay ouldway evernay useyay omethingsay atthay implesay .

      5. Anonymous Coward

        Re: Probably by "Bitcoin-style encryption" Musk meant...

        I'm going to take your message and make it even more confusing for people that don't know what that is or how to interpret it.

        https://imgur.com/a/1W5A1VO

  2. Throatwarbler Mangrove Silver badge
    Unhappy

    Would Elon do that?

    Would he just tell lies?

    1. Paul Crawford Silver badge
      Facepalm

      Re: Would Elon do that?

      Yes.

      In related news ursine defaecation is observed in arboreal regions, and the Pope's religious affiliation is seen to be strongly Catholic...

      1. hedgie

        Re: Would Elon do that?

        Sad to say, in my very Catholic family (I'm a non-believer), I have a bunch of relatives who would angrily try to dispute that second part.

        1. Joe W Silver badge
          Trollface

          Re: Would Elon do that?

          I thought that was sort of the definition of being in the Holy Roman Catholic Church? Yeah, I know about history, having three popes in parallel at one point and all that. Still, if you say the pope is wrong he has the power to excommunicate you, right? I know this is no longer a real problem, you are not considered fair game, they are not going to confiscate all your stuff (unless you are really powerful, then you can just tell them to f**k themselves, take the catholics stuff, outlaw them, create a new church, claim yourself to be head of that).

          I don't really know, not my club as well... (though the new dude sounds interesting, at least he p**ses off the right people :D )

          1. Benegesserict Cumbersomberbatch Silver badge

            Re: Would Elon do that?

            There are fringe groups who claim the Roman Catholic church as a hierarchy strayed into heresy in the 1960s, and only they spotted it. They say it's nothing to do with we-were-wrong-about-officially-approved-anti-Semitism, but then...

            We can all be a card-carrying pope of the Discordian religion, so why not His Holiness Barry II of Milwaukee?

            1. MiguelC Silver badge
              Angel

              Re: Would Elon do that?

              Have a look at this, it's a fun read

              1. Excused Boots Silver badge

                Re: Would Elon do that?

                That would be an Ecumenical matter!

            2. Excused Boots Silver badge
              Joke

              Re: Would Elon do that?

              "We can all be a card-carrying pope of the Discordian religion, so why not His Holiness Barry II of Milwaukee?"

              Barry, Barry, you heretic! True believers know that the one true Pope is His Holiness, Bubba IV from Tennessee!

            3. Yet Another Anonymous coward Silver badge

              Re: Would Elon do that?

              There are fringe groups who claim the Roman Catholic church as a hierarchy strayed into heresy in the 1520s. Hope they don't cause any trouble

            4. CrazyOldCatMan Silver badge

              Re: Would Elon do that?

              There are fringe groups who claim the Roman Catholic church as a hierarchy strayed into heresy in the 1960s

              And there are those of us who claim that the church drifted into heresy in about 100AD..

            5. hedgie

              Re: Would Elon do that?

              I need to print up another one of those. I do know that there are a few Discordian c*b*ls in my area, probably overdue for some new schisms anyway.

            6. HelpfulJohn

              Re: Would Elon do that?

              "There are fringe groups who claim the Roman Catholic church as a hierarchy strayed into heresy in the 1960s, and only they spotted it."

              Using the local common language instead of Latin for services and other stuff was considered a ReallyBadMove and possibly blasphemy by many.

              The numbers who care are reducing as crumbly and crinkly curmudgeons die off but they still linger on a little.

              From : https://en.wikipedia.org/wiki/Second_Vatican_Council

              "Other changes that followed the council included the widespread use of vernacular languages in the Mass instead of Latin, the allowance of communion under both kinds for the laity, ..."

          2. CrazyOldCatMan Silver badge

            Re: Would Elon do that?

            (unless you are really powerful, then you can just tell them to f**k themselves, take the catholics stuff, outlaw them, create a new church, claim yourself to be head of that)

            You forgot "sell all their stuff to your toadies and burn anyone who disagrees at the stake".

            C/O Henricus Octus.

      2. PB90210 Silver badge

        Re: Would Elon do that?

        <klaxon>

        According to QI series P, 'Parts', the pope only craps in the woods...

        'The Pope is not a Roman Catholic. The religious leader who officially uses the title of "Pope" is the head of the Coptic Orthodox Church in Alexandria. His official title is "Pope of Alexandria and Patriarch of All Africa on the Holy See of Saint Mark the Apostle". '

    2. Benegesserict Cumbersomberbatch Silver badge

      Re: Would Elon do that?

      Only in an encrypted chat with the Secretary of Defense.

  3. eswan

    "This is built on Rust with (Bitcoin style) encryption, whole new architecture"

    My mind keeps trying to fit that to Gangnam Style.

    'Rust with Bitcoin Style

    Bitcoin Style

    Whole new Architecture...

    Rust with Bitcoin Style...'

    1. Blue Shirt Guy
      Joke

      I believe there's a reference to a horse in the Gangnam Style video as well.

      1. Anonymous Coward

        I'm not up on my Gangnam - Is it a dead horse? Elon will need to know before he starts flogging the additional Equine* Algorithm.

        (* - Of course, it's fine if you want a horse)

        1. Irongut Silver badge

          I don't think you'd get very far with your female employees by giving them a dead horse.

          But I wouldn't expect to get anywhere by telling women you're trying to father a dynasty and only your genes can save the world, it seems to work for him though.

          1. Excused Boots Silver badge

            "it seems to work for him though"

            To be fair, that line would probably work for the vast majority of multi-multi-billionaires.

          2. Anonymous Coward

            Good spot. I was actually referring to a (cybertruck?) presentation where the musky one suddenly started comparing his product with a horse, and why you should buy his vehicle rather than a horse. I had completely forgotten his chat-up lines...

  4. Brewster's Angle Grinder Silver badge

    It's Musk: by "encrypted" he means they used https...

    For it to be E2E, the key would have to be stored in the client and nowhere else. So if you can read DMs on the web and the mobile app, chances are it's not E2E. There are ways around that, but those ways mean they can probably retrieve the key. (Or have I missed something?)

    1. Roopee Silver badge
      Headmaster

      Re: It's Musk: by "encrypted" he means they used https...

      I think you are conflating your terminology - WhatsApp has a Web client and mobile app clients and they all use E2EE for DMs (but not group chats).

      You’re not wrong about Musk though.

      1. Brewster's Angle Grinder Silver badge

        Re: It's Musk: by "encrypted" he means they used https...

        I've just tried Whatsapp's web client. I had to explicitly link my phone to the web client, which involved menu options on my mobile and scanning QR codes. That, presumably, handles the key transfer necessary for E2E, and it required my explicit authorisation for it to happen.

        But, last time I used Twitter, you could log in via web or mobile app using the same account + password, and DMs would just work. No explicit key transfer was necessary. So any encryption either has the key stored on their server, or can be transferred from one client to another without your express authorisation. Unless that model has changed, there's no security.

  5. DS999 Silver badge

    I wonder

    Will even MAGA people who are now big Musk fans trust him on this and be willing to follow him down his "everything app" train, even making purchases or doing banking with "X"?

    I'm skeptical. I think they like him because he's willing to spend money on helping get republicans elected, mostly says the "right things", they see what he did with DOGE as mostly good. But I don't think they truly TRUST him the way they trust people who have been MAGA since Trump's first term. He knows he has zero chance of getting anyone on the left to trust his encrypted chat, let alone trust him with their banking, so in order to make his dream come true he has to get the MAGA people to want an X "everything app" en masse. I just don't see it. I think he's wasting a ton of time on this strange obsession of his.

    1. JustAnotherITPerson

      Re: I wonder

      He's desperately trying to prove that he's the smartest man in the world but all he's really doing is making himself look very dumb.

      1. Yet Another Anonymous coward Silver badge

        Re: I wonder

        Musk = This Is Your Brain on Drugs

        1. Irongut Silver badge

          Re: I wonder

          My brain is nowhere near that bad on drugs.

          1. CrazyOldCatMan Silver badge

            Re: I wonder

            My brain is nowhere near that bad on drugs

            *Hic* haoc hoc.

            (Wanders off humming "the drugs don't work"..)

      2. Anonymous Coward

        Re: I wonder

        "He's desperately trying to prove that he's the smartest man in the world"

        I always wonder, would the smartest man in the world feel he needs to prove that "achievement" to all the less smarter people?

        Or is this a "man" thing unrelated to actual intelligence?

        1. Anonymous Coward

          Re: I wonder

          "Or is this a "man" thing unrelated to actual intelligence?"

          Come to think of it, he is trying to sell it to an audience that is worshipping a man who spends 80+% of his speaking time repeating he is better than the second coming of Jesus.[1]

          So maybe this is just a smart marketing move for the target audience?

          [1] Not in those words, because, how could Jesus even measure up to him?

          1. I ain't Spartacus Gold badge

            Re: I wonder

            [1] Not in those words, because, how could Jesus even measure up to him?

            Only losers get crucified! Real winners kill the Emperor, bonk the Empress and get to wear the purple!

            Although once I'm Emperor, all the purple will be changed for Gold.

        2. A Non e-mouse Silver badge

          Dunning–Kruger

          Smart people think of themselves as idiots as they know the scale of their ignorance. Idiots think they're smart because they don't know how little they actually know.

        3. HelpfulJohn

          Re: I wonder

          "... would the smartest man in the world feel he needs to prove that "achievement" to all the less smarter people?"

          Truthfully, no, I do not. :)

      3. KayJ

        Re: I wonder

        Smartest man on the cinder.

      4. Naich

        Re: I wonder

        He's the smartest man in the White House, and I don't mean that in a good way.

        1. DS999 Silver badge

          Re: I wonder

          That's clearly not true. He believed the long claimed republican propaganda that there was massive "waste, fraud and abuse" in the government to such an extent he seriously believed he would be able to cut $2 trillion from the budget! He wasn't able to even CLAIM 1/10th of that, and the actual number when you eliminated all the double counting and claims of canceling contracts that were already over was probably closer to 1/100th.

          Say what you want about Marco Rubio but there's no way he was ever dumb enough to believe anything remotely like that was possible.

          1. Yet Another Anonymous coward Silver badge

            Re: I wonder

            Who is the greater fool?

            He who enters the government to destroy all the agencies regulating his businesses and investigating his finances

            Or he who believes that they were actually going to reduce waste ?

            1. DS999 Silver badge

              Re: I wonder

              He might have done it with a first goal of shutting down all regulation/investigation into him and his businesses, but he really did think he could cut that much. On his way out the door he openly stated that he believed there was a lot more fraud, waste and abuse and was very surprised when he didn't find it.

              Any idiot who can rub two brain cells together could have told him that just by looking at the budget. All the stuff he was looking into was the "discretionary" spending, which is a pretty small amount versus entitlements like SS & medicare, and not even that large when compared to interest on the debt and military spending. He made some wild claims about all these 150 year old people collecting SS but I note no one has presented even a SINGLE example of payments going out to one of these super centenarians and being received by someone else. Sure there are examples where someone's mom dies and the son buries her in the family plot in the back 40 and doesn't tell anyone. But that's harder and harder to do these days between regulations around family burials and all the electronic tracks even older people increasingly have that will trip them up when e.g. electronic medical records show mom hasn't been seen by any doctors for the past 10 years, that's kinda suspicious at age 98.

              It is hilarious that Musk didn't even try to look in the two places most experts say the biggest waste fraud and abuse is. One, the military. Military contractors have been ripping off the government for years - those old enough remember the $30,000 toilet seats in the 80s. Though such savings would be in the tens of billions at best, it isn't like you can save hundreds even out of a trillion dollar military budget. Then there's medicare, doctors and medical device providers get reimbursements for services or equipment never provided, often for patients who didn't even know they were being claimed as receiving them. Trump pardoned one of the biggest medicare fraudsters in history in his first term, so he's obviously not too concerned there.

    2. Anonymous Coward

      Re: I wonder

      "he's wasting a ton of time on this strange obsession of his."

      Good isn't? Anything to keep the prat from causing more real harm.

      Perhaps when X everything inevitably goes pear shaped he will pivot to Mars and sod off in that direction. I imagine the day after his leaving Earth his progeny will be queuing for deed poll forms.

      1. Michael Strorm Silver badge

        Re: I wonder

        > "he will pivot to Mars and sod off in that direction"

        Note: Elon died on the way to his new home planet.

        1. SCP

          Re: I wonder

          Note: Elon died on the way to his new home planet.

          Aboard Ark Fleet Ship B?

    3. retiredFool

      Re: I wonder

      Maybe, but he just bad mouthed Trump's big beautiful spending bill which could cause issues. Musk may be trying to appease the left at the moment as he is starting autonomous robo taxis death machines in Austin I think this month. I live there, and it's gruesome to think some unlucky soul, possibly me, will have their life taken by that sociopath.

      1. Yet Another Anonymous coward Silver badge

        Re: I wonder

        So was Twitter turning right wing just to get training data for AI black-cab drivers ?

  6. Tron Silver badge

    Polite reminder to novice evil geniuses & trainee Sith Lords.

    E2EE is not foolproof. Software on your system, or your OS itself, might screen grab messages before they are encrypted and sent, and after they are received and decrypted. Keyloggers can also capture the message you type.

    1. Anonymous Coward

      Re: Polite reminder to novice evil geniuses & trainee Sith Lords.

      On Android: the keyboard app most likely will read them and send the messages you type off to Google, at least the ones you type yourself. You know, for improving and personalising predictive text writing for you. I caught predictive text doing that before when typing SMS, it filled in things it most likely could have only learned from "training" predictive text on what I typed exclusively in previous SMS. Since then, out with Android for messages.

      For the messages you receive, the process is a bit more complicated. Google "needs" to read that on the sending device in order to "train" its algorithms. That works best if the sender uses Android too.

      Using alternative keyboard apps isn't a(n easy) workaround to avoid this. Most if not all of those still use Google's keyboard app as the underlying software so it still has access to all your writing (including passwords and codes) "for training purposes". I could be wrong, but very hard to turn off Google predictive typing "convenience services offered to you" could be nothing less than an always active keyboard logger sending everything you type to Google office, so called with your permission if you didn't manage to lock down Google predictive text very well in its cage (if there even is a cage to lock it in).

      1. Steve Graham

        Re: Polite reminder to novice evil geniuses & trainee Sith Lords.

        I run a firewall on de-Googled microG Android. It caught the default keyboard trying to contact Google servers. I replaced it with an open-source alternative, Heliboard, which does not hit the firewall at all.

  7. Phil Kingston

    Ah. Makes sense now. Public key is his kids' name so he doesn't forget

  8. Anonymous Coward

    A world of shite

    Musk is currently neither fish nor foul. His political allegiances now change like the wind.

    His base is confused, his haters are confused.

    He’s a real nowhere man, living in a nowhere land.

    1. Bebu sa Ware

      Re: A world of shite

      "neither fish nor foul." Nice typo. ;)

      "His base is confused, his haters are confused." And crucially he himself is utterly confused.

      The Beatles lyrics are rather apt.

      "Sitting in his Nowhere Land, / Making all his nowhere plans for nobody."

      "He’s as blind as he can be, / Just sees what he wants to see,"

      In one of his photographs taken recently at the end of his DoGE reign of error, he can be seen for what he fundamentally is - a podgy, balding middle aged painfully ordinary male who in another decade could do a passable Mr Magoo impression. I can believe his mortality scares him shitless and the knowledge that even gazillions of dollars won't ultimately make one jot of difference.

      † his reputed intake of especial K very likely will make a difference albeit negatively.

  9. MachDiamond Silver badge

    Public messaging forum now with E2EE

    Why not introduce an app with a name that doesn't infringe on an existing messaging app's name and "really" provide encryption?

    From the press releases and advertisements, this doesn't sound like what most people would consider 'encrypted messages' .

  10. JWLong Silver badge

    Musk,.........

    ,,............this twerp couldn't pour piss out of a boot, even if the instructions to do so were printed on the bottom of said boot.

    1. Anonymous Coward

      Re: Musk,.........

      this twerp couldn't pour piss out of a boot,

      Given the number of sycophants pissing in his pockets you might imagine that would be one life skill he would have mastered.

      Squish, squish... Guess not.

    2. DoctorPaul Bronze badge
      Pint

      Re: Musk,.........

      LOL!

      And never in my life did I think that I would say that :-)

      Have one of these. That is beer isn't it?

  11. newspuppy

    Coded Truth...

    Musk may have been telling the truth.....

    End to End Bitcoin Ledger style of Encryption....

    The Bitcoin ledger is open and free for all to use....

    So probably Musk is telling the truth.. Bitcoin style encryption (none) of chats, so his AI can learn from how people communicate....

    Similar in how one can say end to end PSTN style encryption (i.e. no encryption). Marketing speak: what sounds better? No encryption... or PSTN style encryption?

    1. A Non e-mouse Silver badge
      Coat

      Re: Coded Truth...

      Double ROT13 is the only way to be sure.

      1. Michael Strorm Silver badge

        Re: Coded Truth...

        I thought taking off and nuking the site from orbit was the only way to be sure?

    2. JulieM Silver badge

      Re: Coded Truth...

      See also, "Australia-style Brexit deal".

  12. lglethal Silver badge
    Joke

    Musk is just misunderstood...

    You guys, you're all just misunderstanding what he said!

    Musk thinks the world revolves around X! It is the be all and END all of everything. Therefore, when someone sends a direct message on X, they are sending it to X! X might then forward it on to whoever was the intended target, but that's just a side effect. All the messages belong to X!

    Therefore to End to End is not a lie, one End is the user sending the message, the other End is X receiving the message. And the message is completely encrypted in that journey! Then there is a second End to End, which is X's End sending the message on to the recipient, with them being the other End. Again, it's encrypted the whole way!

    What do you mean, you don't want X to be able to read the messages. But if Elon and his pet AI can't read your messages, they'll get lonely. You wouldn't want Elon to be lonely would you? Would YOU???

    (Joke icon, but I absolutely would not be surprised if this was the weasel words plan behind this...)

    1. MachDiamond Silver badge

      Re: Musk is just misunderstood...

      "(Joke icon, but I absolutely would not be surprised if this was the weasel words plan behind this...)"

      I don't know if your narrative applies in this case, though I'd not be surprised if it did. It does point out that it's important to understand the reality behind digital services vs. what they are trying to deniably infer. A privacy policy published by a firm that makes club management software will use terms such as "customer" and the members of the group will read that and believe they are the "customer" when it's the club that's the customer so most of what's below that first paragraph of definitions doesn't apply to them. Too many people think that a "privacy policy" is an assurance that their data will be protected when it can often be a declaration of how the company is going to package and sell the info (Dollar Shave Club).

      It's like the ambassador that visits Terminus and seems to be implying that the Empire is still their protector when it turns out that everything discussed and said adds up to zero. The ambassador was extremely talented in saying nothing using lots of words. Just like legal documents.

  13. This post has been deleted by its author

  14. Roj Blake Silver badge

    If the messages were properly encrypted...

    ...how would Musk know who was talking about him behind his back?

  15. BartyFartsLast Silver badge

    Ketamine is a hell of a drug

    And yet again, proof positive that Musk is a tech ignoramus instead of the "genius" his acolytes and lickspittles claim.

    Still, it's good to see his one big (not) beautiful face being eaten by the leopards as well

  16. Grindslow_knoll

    E2E not a means to this end

    E2E for ordinary citizens can only work to shield your messages in transit from companies for data harvesting and from opportunistic people who mean you harm, iow it raises the bar preventing cheap solutions at scale (mass information harvesting).

    A US tech company offering E2E is anathema, because the messages are still exposed, just only to the company.

    It's quite smart from the company's perspective, because the harvested data is now more valuable due to selective scarcity.

    Second, any authenticity and confidentiality stops at the device, and there are quasi no consumer level secure phones on the market.

    And yet a lot of people will buy into it, and eventually find out that it does not do at all what they thought, and then the method, not the implementation or dubious intent will be blamed (e.g. SignalGate).

    If a nation state would want to promote privacy for their citizens, they could mandate that all messaging apps use open source, audited E2E protocols, and the apps themselves should be audited (if not open). Most states are in fact trying to break encryption, so it'll stay a dream, and privacy will remain in the hands of a few burnt out individuals and massive tech companies.

    1. doublelayer Silver badge

      Re: E2E not a means to this end

      "A US tech company offering E2E is anathema, because the messages are still exposed, just only to the company."

      No. By definition, a US company offering E2E doesn't see the messages, because there is E2E. If they can see them, then they are lying about offering E2E, and their nationality has nothing to do with it because the lying, which is criminal fraud, is the problem.

      Of course, there are limitations to what E2E provides, but from your comment, you are not giving it credit for those things it actually can do. You're also misinterpreting the point of Signalgate. That was not people concerned about the use of Signal because there's a problem with the app. It was people concerned about the use of tools other than the ones that are supposed to be used because using other tools makes it a little too easy to accidentally add in someone who shouldn't be added in or, as in one case, it makes it really easy to deliberately include someone who shouldn't be included. It was about their actions, not the app itself.

      1. MachDiamond Silver badge

        Re: E2E not a means to this end

        "No. By definition, a US company offering E2E doesn't see the messages, because there is E2E. If they can see them, then they are lying about offering E2E, and their nationality has nothing to do with it because the lying, which is criminal fraud, is the problem."

        LGlethal's joking comment is good at pointing out that one needs to define what the end points are. If there's a company in the middle that can read the messages, have they defined that "end to end" means while in transit only? Many unlimited cell phone contracts define "unlimited" to have limits when they could just say "36GB of Data", "3,600 minutes talk time" and "5,000 text messages" per month. The fine print will enumerate those limits while the bold-type advert reads "unlimited everything".

        1. doublelayer Silver badge

          Re: E2E not a means to this end

          While any company can try that in court, they are not guaranteed to win. That's why Musk isn't claiming E2E on his thing; he isn't offering it, and if he lied about having it, he might get a big lawsuit like Zoom did when they lied about offering it. A vague "Bitcoin-style encryption" which means nothing is much easier to defend and hopefully sounds good to the kind of people he wants to start trusting it.

  17. Anonymous Coward

    Blockchain?

    The only use I could imagine blockchain could have here would be ensuring non-repudiability.

    A digest of the message signed by both parties placed on the ledger by the recipient could prove the message was received (and sent) before the entry was made.

    I would have thought exactly what you don't want with an E2EE chat application - rather you would want plausible deniability.

    Better people than Musk even when taking the greatest care have royally screwed up encryption. Just a simple detail can completely subvert a cryptosystem.

    † arguably most of the planet.

    1. maffski

      Re: Blockchain?

      ...I would have thought exactly what you don't want with an E2EE chat application - rather you would want plausible deniability...

      Unless you were thinking about a legally binding communication like contracts and/or payments.
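The contrast drawn in comment 17 above (a signed digest gives non-repudiation, while a chat app usually wants deniability), as an added example that is not part of any poster's comment. A Lamport one-time hash signature stands in for whatever signature scheme a real ledger would use (an assumption; a Lamport key is only safe for a single message), and all function names and sample messages are constructed.

```python
import hashlib
import hmac
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def bits(digest: bytes):
    # The 256 bits of a SHA-256 digest, most significant bit first.
    return [(byte >> (7 - i)) & 1 for byte in digest for i in range(8)]

def lamport_keygen():
    # Private key: 256 pairs of random secrets. Public key: their hashes.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def lamport_sign(sk, message: bytes):
    # Reveal one secret per digest bit; the key must never sign a second message.
    return [sk[i][b] for i, b in enumerate(bits(H(message)))]

def lamport_verify(pk, message: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        hmac.compare_digest(H(s), pk[i][b])
        for (i, b), s in zip(enumerate(bits(H(message))), sig))

def mac_tag(shared_key: bytes, message: bytes) -> bytes:
    return hmac.new(shared_key, message, hashlib.sha256).digest()

def mac_verify(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(shared_key, message), tag)

def demo():
    sent = b"constructed sample: meet at noon"
    never_sent = b"constructed sample: wire the money"

    # Non-repudiable: only the sender holds sk, and anyone can check with pk.
    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, sent)
    sig_ok = lamport_verify(pk, sent, sig)
    sig_reused = lamport_verify(pk, never_sent, sig)

    # Deniable: both ends hold the MAC key, so the recipient can produce a
    # valid tag for text the sender never wrote. A tag proves nothing to a
    # third party about which of the two key holders authored the message.
    shared_key = os.urandom(32)
    recipient_made_tag = mac_tag(shared_key, never_sent)
    forgery_accepted = mac_verify(shared_key, never_sent, recipient_made_tag)
    return sig_ok, sig_reused, forgery_accepted
```

`demo()` returns `(True, False, True)`: the signature binds the sender to exactly one message, while the MAC tag verifies for a message only the recipient created.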

  18. JulieM Silver badge

    WhatsApp

    WhatsApp is not truly end-to-end encrypted.

    End-to-end encryption means the only copy of any user's decryption key is strictly outside the delivery platform and in the user's control. Messages arriving on the recipient's device are still encrypted, with the final decryption being performed on that device -- or, ideally, messages would be transferred via a one-way link to another, offline device for final decryption.

    But with WhatsApp, you can change your device, re-register the new one on your account, and all your previously-sent messages remain readable. That means WhatsApp must be keeping a handy copy of your decryption key on their own servers. Because if they weren't, then registering a new device would mean your previously-received messages might be lost for all time, unless you were able somehow to transfer over the decryption key from your old device to the new one. (Not that loss of sent messages, in and of itself, is necessarily any guarantee of security; a truly evil person would set up their system to look as though the final decryption was external to the delivery platform, and deliberately not provide any facility to recover previously-sent messages, even although they were still keeping copies of every user's decryption key and able to read everything.)

    Basically, if you want to be sure anything you are sending through a communications channel is not going to be read in transit, it must be encrypted before it enters that channel, and not decrypted until after it leaves that channel. Which, for sure, is mightily inconvenient -- but you invariably sacrifice security when you choose convenience (and some might say you deserve neither).

    1. Anonymous Coward

      Re: WhatsApp

      But how do I add a Steckerbrett to my mobile phone keyboard?

    2. FrogsAndChips Silver badge

      Re: WhatsApp

      As far as I remember, you need to connect the old and new devices in order to retrieve message history on the new device. No need for WhatsApp to keep a copy of your keys.

      1. MachDiamond Silver badge

        Re: WhatsApp

        "As far as I remember, you need to connect the old and new devices in order to retrieve message history on the new device."

        If you are replacing an old unit after dropping it in the loo, it would mean losing all of that. Like all things with somebody in the middle, you have almost no control so don't rely on them helping you at all.

        1. FrogsAndChips Silver badge

          Re: WhatsApp

          I never said otherwise. See also doublelayer's post below.

    3. doublelayer Silver badge

      Re: WhatsApp

      I don't use WhatsApp, but as I understand the mechanism, you can only recover your messages if you transfer them and the key used to decrypt them from your old device to your new device. If your old device gets smashed before you get a new device, I think all you can do is regain control of the account so you can send new messages, but the old ones are lost. That is how proper E2E encryption would look. Of course, as you say, it doesn't prove that WhatsApp doesn't have a copy of the messages and a way to decrypt them, but there would be no way to know that unless you had and read the source to everything. You have to choose whether to trust the people who made it, and while I don't think they're lying about that part, I have other trust problems with them so I don't use their app anyway.

  19. Forget It
    Coat

    Gonna win votes

    in the Rust belt states

  20. anthonyhegedus Silver badge

    The man's obsessed

    The brain-damaged potato known as elon musk is absolutely obsessed with the letter X. And he's obsessed with crypto. Nobody needs yet another chat platform built on dubious tech from a dubious human. He can't be trusted and it's worth remembering that the higher up you are, the harder you fall.

    I hope he fails and falls.

  21. Anonymous Coward

    When CEOs decide they're going to show the world their tech nous it rarely ends well. I guess he got Grok to write his blurb so it's photocopied gibberish.

  22. ecofeco Silver badge
    FAIL

    I would expect nothing less

    I would expect nothing less from fascist poseurs. ---------------------------->>>>>>>>>>
