Hi,

this is getting absurdly long. I am going to answer this one part below.

On Wednesday, 4 February 2015 00:54:07 Markus Ottela wrote:
And that changes... what exactly? This affects *any and all* desktop-usable security solutions, so let's just assume that this is the baseline we have to work with and assess the solutions on their own merits, eh?
No, let's not assume. I've a small desk but it's still able to handle the three laptops in a configuration that does not have the issue.
The community has already accepted the host security as part of snake oil check. What on earth is the check doing here if we should accept OS vulnerabilities as a "baseline"? If the product isn't going to address it, it better not neglect it at least, Tox doesn't do even that.
Answer A:
Well then, do a damn pull request and fix it. With the amount of typing done in this thread already you could have done it 3 times over. :)

Answer B:
Can you please direct me towards any software that in your opinion does not have a problem with the "host security" part? A single example of any program, say any communication program, like IM, VoIP, e-mail client, etc, installable on a chosen operating system.

Answer C (I think I'll go with this one):
On a more serious vein, I see I'm dealing with a view that security is binary. That one can only be safe in a meaningful sense, when one has three laptops in a particular setup on their desk.

Problem is, people DIE, NOW, because they use Skype. Not because they misjudged a particular way software A uses crypto primitive B or some such, but because they are using an inherently fucked up, security wise, software to communicate.

Those people do not have the privilege of having a desk with 3 laptops, they often don't even have damn ADMIN RIGHTS on their laptop. Giving them a tool that works on their (insecure, I agree!!) platforms and yet LOWERS their exposure actually can save lives.

This is something that has to be rammed into the heads of people with a baseball bat. Ideal setups don't exist, that's why they are "ideal".

Here, have a read:
https://medium.com/message/81e5f33a24e1

Especially this part:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Managing all the encryption and decryption keys you need to keep your data safe across multiple devices, sites, and accounts is theoretically possible, in the same way performing an appendectomy on yourself is theoretically possible. This one guy did it once in Antarctica, why can’t you?

(...)

So the question I put to hackers, cryptographers, security experts, programmers, and so on was this: What’s the best option for people who can’t download new software to their machines? The answer was unanimous: nothing. They have no options.

They are better off talking in plaintext I was told, “so they don’t have a false sense of security.” Since they don’t have access to better software, I was told, they shouldn’t do anything that might upset the people watching them. But, I explained, these are the activists, organizers, and journalists around the world dealing with governments and corporations and criminals that do real harm, the people in real danger. Then they should buy themselves computers, I was told. That was it, that was the answer: be rich enough to buy your own computer, or literally drop dead. I told people that wasn’t good enough, got vilified in a few inconsequential Twitter fights, and moved on.

Not long after, I realized where the disconnect was. I went back to the same experts and explained: in the wild, in really dangerous situations — even when people are being hunted by men with guns — when encryption and security fails, no one stops talking. They just hope they don’t get caught.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I accept Tox could warn about some issues better. I accept that desktop security is a joke. But for the love of Dog, that is not what I am asking when I'm asking if Tox is a sane thing to look into.

I'm asking about "do we know of serious security bugs or fuckups in this software". I am asking "can anybody point out any serious, SNAFU-level bugs in the protocol design". And so on.
I'm not trying to hijack this Tox discussion to say TFC is the solution. I'm trying to say it's pointless to create anything secure on a setup the features of which are limited(/rigged) to begin with.
That's why smartphone is part of the snake oil checklist.
How about we let stef talk about that himself.

--
Regards,
Michał "rysiek" Woźniak

I'm changing my GPG key :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147