----- Forwarded message from ianG <iang@iang.org> ----- Date: Sat, 17 Aug 2013 11:52:58 +0300 From: ianG <iang@iang.org> To: cryptography@randombit.net Subject: Re: [cryptography] LeastAuthority.com announces PRISM-proof storage service User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130801 Thunderbird/17.0.8 On 16/08/13 22:11 PM, zooko wrote:

On Tue, Aug 13, 2013 at 03:16:33PM -0500, Nico Williams wrote:

...

Nothing really gets anyone past the enormous supply of zero-day vulns in their complete stacks. In the end I assume there's no technological PRISM workarounds.

I agree that compromise of the client is relevant. My current belief is that nobody is doing this on a mass scale, pwning entire populations at once, and that if they do, we will find out about it.

My goal with the S4 product is not primarily to help people who are being targeted by their enemies, but to increase the cost of indiscriminately surveilling entire populations.

Now maybe it was a mistake to label it as "PRISM-Proof" in our press release and media interviews! I said that because to me "PRISM" means mass surveillance of innocents. Perhaps to other people it doesn't mean that. Oops!

My understanding of PRISM is that it is a voluntary & secret arrangement between the supplier and the collector (NSA) to provide direct access to all information. By 'voluntary' I mean that the supplier hands over the access, it isn't taken in an espionage or hacker sense, or leaked by an insider. I include in this various techniques of court-inspired voluntarianism as suggested by recent FISA theories [0]. I suspect it is fair to say that something is PRISM-proof if: a) the system lacks the capability to provide access b) the operator lacks the capacity to enter into the voluntary arrangement, or c) the operator lacks the capacity to keep the arrangement (b) secret The principle here seems to be that if the information is encrypted on the server side without the keys being held or accessible by the supplier, then (a) is met [1]. Encryption-sans-keys is an approach that is championed by Tahoe-LAFS and Silent Circle. Therefore I think it is reasonable in a marketing sense to claim it is PRISM-proof, as long as that claim is explained in more detail for those who wish to research. In this context, one must market ones product, and one must use simple labels to achieve this. Otherwise the product doesn't get out there, and nobody is benefited. iang [0] E.g., the lavabit supplier can be considered to have not volunteered the info, and google can be considered to have not volunteered to the Chinese government. [1] In contrast, if an operator is offshore it would meet (b) and if an operator was some sort of open source distributed org where everyone saw where the traffic headed, it would lack (c).

Regards,

Zooko

_______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography

_______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5