On Tue, Feb 03, 2015 at 10:34:16PM -0500, Yaron Greenwald wrote:
> Why is it that everyone here rocks at threat models as long as they get to own a computer? Why is it that everyone here can consider everything from if a Global Passive Adversary is directly targeting you to if your
let's not forget the local active adversaries. finfisher sells to a lot of customers, not only the nsa has such capabilities - assuming you allude to the (5|9|many)eyes alliance with the GPA, or do you mean cloudflare?
> next door neighbor is doing, I dunno, Van-Eck Phreaking or something like that, but can't *possibly* consider the use case of "my government can break into any computer it wants, and I'm running from netcafe to netcafe, and just need them to not be able to find me for the next one or two weeks".
> A keylogger only compromises you once they find the logs to read --
hackingteam has that market covered i guess.
> But say they've got a thumb drive with their data and software, two legs (or one, or none, depending, I suppose), a car, and the driving will to *keep running and fighting*.
> "You shouldn't be trusting your life" my rear. Half of these people are expecting a knock on their door every day. You think they're gonna just give up because they can't be Perfectly Cryptographically Secure?
indeed. however they also endanger their support networks and if the brave sacrifice themselves for some community which is compromised in the meantime because of the 'immma compromised already' attitude does not advance their cause very much if there's no one left to die for. furthermore cryptographically secure is as the 7 rules show only one aspect, as long as people can be tricked with spear-phishing emails or fancy linkedin pages to install malware. crypto means only one thing, increasing the likelihood of malware instead of in-transit interception of plaintext communication. which brings us directly to host security and its dismal state. how many of these brave souls have updated their gear lately? how much malware is running on those hosts? how many believe that antivirus is something positive and not a system level backdoor?
> So we can give up on them, or we can give them whatever help they can get. Two. Choices.
so by definition not having control over a device means the device can do whatever it wants within the limits of its capabilities. so this means you cannot ensure confidentiality, authenticity, anonymity, etc. the probability of a device acting against the will/interest of its user is pretty high already considering only commercial adversaries. however if the person is one of special interest because of 1/ the person itself is interesting or 2/ the person is one with weak security standards and in close proximity to persons of interest, in this case the probability of the device acting against the interest of the user is quite higher.
so of course if your threat model is currently the littlesis one, then rot13 does protect you against 90% of adversaries. however disregarding more advanced adversaries can reduce your future agency against them enormously. like john travolta by the time scientology became an adversary for him, they had all the compromise to bind him.
the other point that is ignored, is the asymmetry in the capabilities and modus operandi of the opposing adversaries. if we are considering the model of the arabian spring where you have people against some regime. the government has the monopoly of violence, and other stuff, that makes them able to work extralegally, also there's experience for many years in suppression of mass movements (look at cointelpro, or how the occupy movement got nowhere). on the other side, for citizens one of the expensive tools there exists in such an asymmetric setting is the sacrifice, like the soviets in the 2nd world war everyone gets ammunition but only 1 out of 5 soldiers a gun. the others get an order of inheritance of the gun. worked quite well, however it was very wasteful and tragic. of course losses can be cut, but they require efforts and resources that like the soviets, avg people hypnotized by us propaganda lack.
> ...sorry for ranting. But, like, could we *please* at least consider scenarios where people don't control their computer? Instead of just
i did a bit of that consideration i hope. let me ask you what scenarios can you envision where there is no control of devices and thus no authenticity, confidentiality, etc? and yet useful for people above the littlesis adversary model? i think the context of the littlesis model is of little interest in this community though.
> totally dismissing them off-hand? Like, there *is* stuff they can do, and there *is* stuff we can do for them.
can you be a bit more specific what you mean, and why you think that it would be efficient? what are your metrics for "success" or "efficiency"?
let me try too: there's a few things that can be done, 1/ eliminate all snakeoil 2/ educate the few people that are actually doing things 3/ most importantly go harass the vendors that profit from the sabotaged infrastructure that these brave souls trust blindly.
i'm sorry, the fact that we have not much to protect ourselves with is mostly due to the profit silicon valley, they wanted as many users as fast as possible, sacrificing everything for their quarterly profits, the externalities of this as it can be euphemised are on the victims.
to do real stuff, the opsec is very hard and will be limited to only a few, and even most of them will fall, so everyone should expect to be owned and the wider consequences of that.
although i think it's a great idea to raise the general costs for adversaries, i think this is much more expensive than you think. as an attacker i'll attack the cheapest way possible to maximise my results, surely. so when you start raising the cost of the cheapest way, i do not care about this until the cost is higher than the second cheapest attack. in which case it becomes the cheapest, and i use that. if i do my job well, i will continue a bit the old attack, so i force you to overspend on that defense, and make my life easier for some more time.
> And it's just... *wrong* to just say "go hang".
i don't know where this comes from, but this is indeed wrong if anyone ever implied that, and it's not only a journalistic tool.
lastly - allow me to naively exaggerate a bit - i think such regular "why can't you save us all" is very distracting in a community that is allegedly about writing code, not mails. our resources are limited and we are already motivated to work on this stuff. having to explain things over and over again should be handled by the people enjoying publicity and attention, not those enjoying good math, code and obscurity.
--
otr fp: https://www.ctrlc.hu/~stef/otr.txt