Re: [cryptography] "Meet the groundbreaking new encryption app set to revolutionize privacy..."

I am separating this from my previous as I went into a rant.

As we were designing Silent Text, we talked to a lot of people about what they needed. I don't remember who told me this anecdote, but this person went over to a colleague's office after they'd been texting to just talk. They walked into the colleague's office and noticed their phone open with a conversation plainly visible with someone else. A third party who was their mutual colleague was texting about that meeting.

In short: Alice goes to Bob's office for a meeting and sees texts from Charlie about that meeting, including comments about Alice.

There wasn't anything untoward about the texting. No insults about Alice or anything, but there was an obvious privacy loss here. What if it *had* included an intemperate comment about our Alice? Alice said nothing about it to Bob, but I got an earful.

That earful included the opinion that the threat of accidental disclosure of messages within a group of people is greater than either the messages "being plucked out of the air" or seizure and forensic groveling over the device. Alice's opinion was that when people have a secure communications channel, they loosen up and say things that are more dramatic than they would be otherwise. It's not that they're more honest, they're less honest. They're exaggerated to the point of hyperbolic at times. Alice said that she knew that she'd texted some things to Bob that she really wouldn't want the person she'd said them about to see. They were said quickly, in frustration, and so on. It's not that they'd be taken out of context, it's that they'd be taken *in* context.

It's interesting that, underlying the story, Alice suddenly saw Bob not as an ally in snark, but a threat -- the sort of person who leaves their phone unlocked on their desk. Bob, of course, would say something like: if the texts had been potentially offensive, he'd have locked his phone.

This explanation would thus convince Alice that Bob is *really* not to be trusted with snark.

This is incredibly perceptive, that the greatest security threat is not the threat from outside, it's the threat from inside. It is exactly Douglas Adams's point about the babelfish that by removing barriers to communication, it created more and bloodier wars than anything else.

That's where "Burn Notice" came from. It's a safety net so that when Charlie texts Bob, "I'm tired of Alice always..." it goes away.

What I find amusing is the reaction to it all around. There's a huge manic-depressive, bimodal reaction. Lots of people get ahold of this and they're like girls who've gotten ahold of makeup for the first time. ZOMG! You mean my eyelids can be PURPLE and SPARKLY? This is the same thing that happens when people discover font libraries or text-to-speech systems. For a couple of days after someone gets the new app, there's nothing but text messages that are self-destructing, purple, sparkly eyelids with font-laden Tourette's Syndrome with the Mission Impossible theme song playing in the background.

(Note, if you are using Silent Text, you can't actually make the text purple, nor sparkly, nor change fonts. You need to put all of that in a PDF or an animated GIF -- and you will. This is a metaphor, not a requirements document.)

The next thing that happens is that they are so impressed with some particularly inspired bit of self-destructing childishness that they take a screen shot. As they gaze at the screen shot, or sometimes just as they take the screen shot, light dawns. Oh. You mean.... Oh.

Then the depressive phase kicks in.

Back in the dark ages, PGP had the "For Your Eyes Only" feature. This is pretty much the ancestor of Burn Notice. Simultaneously useful and worthless. It's useful because it signals to your partner that this is not only secret but sensitive and does something to stop accidental disclosure. It is utterly ineffective against a hostile partner for many of the same reasons. We did all sorts of silly things with FYEO that included an anti-TEMPEST/Van Eck font, and other things. Silent Text actually has an FYEO feature that isn't exposed, thank heavens.

I mention all of that because once you're in the depressive phase, it's easy to go down the same rathole we did with FYEO. I spent time researching if you can prevent screen shots on iOS (you can't). I did this while telling people that it was dumb because I can take a picture of my iPhone with my iPad. I held up my phone to video chat and said, "Here, see this? This is what you can do!" Sanity prevailed, but I think that fifteen years of FYEO helped a lot.

When you stare into self-destructing messages, trying to figure out how to make them really go away flawlessly, they stare back. You will end up trying to figure out how to do a destructive two-phase commit, what class libraries need to be patched so that non-mutable strings inherit from mutable strings (not the other way around), all while a nagging voice whispers in the back of your head about how brave freedom fighters are gonna die because of this.

After the depressive phase comes the patronizing, retributive phase in which it's clear that letting people delete potentially embarrassing messages is bad, because it's imperfect. Imperfect security is worse than plaintext. People have to learn self-control. Cue the Kahlil Gibran quotes. People can't just say any old thing on a secure chat program because that leads to purple eyeshadow and thus inevitably to brave freedom fighters having their phones seized at borders, and then people will die -- all because we let them delete their incriminating messages.

This phase makes so little sense that it's hard for me even to mock it. But the gist of that objection really is that it's bad to let people delete sensitive things because that will cause seizure of sensitive things. Otherwise sane people have said this to me, and they don't seem to see how funny they are.

Nonetheless, there are two things that happen. On the one hand, there are people who think this cute, simple feature is the second coming of sliced bread. The other hand is the people who insist it must be impossible (because they've over-thought it) or evil (because security shouldn't be fun, let alone purple).

There is a small point to the dour, greyfaced side of this, I admit. You cannot solve human problems with technology. Technology often just shuffles around the brilliance that humans have at shooting themselves in the foot. I'm well aware of Laotse's snarky comment that the invention of locks created burglary, and I often agree with him.

But I think there has to be fun with security. We talk a lot about how security has to be usable, but I think fun is up there, too. If it's fun, people will use it. They make their mistakes cheaply, and in a reasonably safe environment. Most of all, they'll actually use it. That's been the challenge of the last couple decades, getting people to use it. People use things that they play with. I think thus that play is part of security, too.

What's "groundbreaking" in what we're doing is that we're having fun and encouraging others to do so, too.

Jon