On 04.02.2015 01:59, rysiek wrote:
Hi,
this is getting absurdly long.
I am going to answer this one part below.
Dnia środa, 4 lutego 2015 00:54:07 Markus Ottela pisze:
And that changes... what exactly? This affects *any and all* desktop-usable security solutions, so let's just assume that this is the baseline we have to work with and assess the solutions on their own merits, eh? No, let's not assume. I've a small desk but it's still able to handle the three laptops in a configuration that does not have the issue.
The community has already accepted the host security as part of snake oil check. What on earth is the check doing here if we should accept OS vulnerabilities as a "baseline"? If the product isn't going to address it, it better not neglect it at least, Tox doesn't do even that.
Answer A: Well then, do a damn pull request and fix it. With the amount of typing done in this thread already you could have done it 3 times over. :)
Answer B: Can you please direct me towards any software that in your opinion does not have a problem with the "host security" part? A single example of any program, say any communication program, like IM, VoIP, e-mail client, etc, installable on a chosen operating system. TFC stands for Tinfoil Chat. cs.helsinki.fi/u/oottela/tfc.pdf // pages 9 and 10 explain how why
Answer C (I think I'll go with this one): On a more serious vein, I see I'm dealing with a view that security is binary. That one can only be safe in a meaningful sence, when one has three laptops in a particular setup on their desk.
Problem is, people DIE, NOW, because they use Skype. Not because they misjudged a particular way software A uses crypto primitive B or some such, but because they are using an inherently fucked up, security wise, software to communicate. It depends on your threat model and how technically skilled your adversary is. If adversarial government decides to buy malware from say, Hacking Team
Those people do not have the privilege of having a desk with 3 laptops, they often don't even have damn ADMIN RIGHTS on their laptop. Giving them a tool that works on their (insecure, I agree!!) platforms and yet LOWERS their exposure actually can save lives. If you're not in control of the laptop, you shouldn't be trusting your
Tox developer team were not interested in implementing it in similar fashion. Using three computers was the main obstruction: A successor for Skype that makes the headlines is the one that you get everyone to use because it's easy to setup. It wouldn't get any attention nor media coverage if it wasn't free as in 'next, yes, next, next, install'. I'd rather not meddle with Tox source: to quote the Norton's article you posted "C is good for two things: being beautiful and creating catastrophic 0days in memory management." Tox is written in C, by people who seem to have limited understanding on computer security and programming. I do too, but a least I selected an approach that doesn't require 0-day free code, or OS. there is no key exfiltration risk. TCB is the Trusted Computing Base, the system responsible for cryptographic operations. that automatically replaces Tox IDs inside unencrypted emails to those owned by the state, it'll still get you killed unless you know what you're doing. Just telling the user to meet the contact and exchange Tox ID in person is enough not to get MITM'd. Just warning the user about not saying the most sensitive stuff on Tox might be enough to not to get killed. life on it; Tox does very little if there's a keylogger present, neither does TFC if you're not in control of the two TCB computers.
This is something that has to be rammed into the heads of people with a baseball bat. Ideal setups don't exist, that's why they are "ideal".
Here, have a read: https://medium.com/message/81e5f33a24e1
Especially this part:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Managing all the encryption and decryption keys you need to keep your data safe across multiple devices, sites, and accounts is theoretically possible, in the same way performing an appendectomy on yourself is theoretically possible. This one guy did it once in Antarctica, why can’t you? That part sounds like infomercial trying to overcomplicate a problem.
You need one device to store the (a)symmetric encryption keys (TCB 1) You need another to store the (a)symmetric decryption keys (TCB 2) You need third one to transmit encrypted messages. You need data diodes to enforce unidirectional communication between the devices. That's all.
So the question I put to hackers, cryptographers, security experts, programmers, and so on was this: What’s the best option for people who can’t download new software to their machines? The answer was unanimous: nothing. They have no options. They are better off talking in plaintext I was told, “so they don’t have a false sense of security.” Since they don’t have access to better software, I was told, they shouldn’t do anything that might upset the people watching them. But, I explained, these are the activists, organizers, and journalists around the world dealing with governments and corporations and criminals that do real harm, the people in real danger. Then they should buy themselves computers, I was told.
That was it, that was the answer: be rich enough to buy your own computer, or literally drop dead. I told people that wasn’t good enough, got vilified in a few inconsequential Twitter fights, and moved on. The issue is global whether it's occupy movement fighting against economic segregation in the West, or dissidents in 3rd world countries. The difference is the threat model. In west it's HSAs, in poor countries, MSAs at top, unless it's the US doing surveillance against Afghans etc.
Not long after, I realized where the disconnect was. I went back to the same experts and explained: in the wild, in really dangerous situations — even when people are being hunted by men with guns — when encryption and security fails, no one stops talking. They just hope they don’t get caught.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
I accept Tox could warn about some issues better. I accept that desktop security is a joke. But for the love of Dog, that is not what I am asking when I'm asking if Tox is a sane thing to look into.
I'm asking about "do we know of serious security bugs or fuckups in this software". I am asking "can anybody point out any serious, SNAFU-level bugs in the protocol design". And so on. I get what you mean. You're trying to evaluate the skillset of developers in terms of how things are implemented and programmed. I'm trying to say they've a bigger job to do and so far they have failed at it.