Re: [liberationtech] What I've learned from Cryptocat
On Mon, Aug 6, 2012 at 8:43 PM, Jillian C. York <jilliancyork@gmail.com> wrote:
> It's difficult. I'm not a technologist, but I understand the issues and the user needs well. My "type," I'd surmise, is few and far between.
The problem isn't that your type is few and far between - the problem is that InfoSec has almost wholly ignored ESTABLISHED activists. As if the techniques, acceptable risk levels, etc. are new issues. They're simply not.
> Security experts have obvious reasons for being conservative, and I get that. Nevertheless, there are a lot of users who would benefit from a little bit of added security. The question, then, as I see it, is:
> How do we provide that little bit while still making users aware of risks?
It's been my experience that providing these risks in-band is just not doable - and the target end-users don't have time to worry about it. So OPSEC has to be something that tools like Cryptocat don't assume responsibility for. This is InfoSec sacrilege but it's the way activists have traditionally had to work in the first place.

As an example, let's say w/ Iran, you're never - ever - going to be able to address the OPSEC concerns of a given Internet cafe. What you can do instead is provide a tool that works from every possible cafe and trust the end-user to manage the OPSEC of their surroundings such that perimeter controls, MITM risks, etc. are mitigated another way.

If that's not tenable for Nadim or his particular crowd then a shift from developer to activist needs to be made. Just like any other process, the product isn't out there for product's sake - it has "customers".. and it's not those people who think they need an easier lazier option to setting up OTR or PGP.

BTW, you're not without understanding and support in the Security community. Meredith Patterson among others have batted this around with me on Twitter - and understand the economics of the situation fine.

Good luck Nadim and friends, -Ali
participants (1)
Ali-Reza Anghaie