Re: FD mailing list died. Time for new one (or something better!)
On Thu, Mar 20, 2014 at 3:18 AM, coderman <coderman@gmail.com> wrote:
a modest and proportionate proposal, ... finding someone with strong reputation and good judgement to publicly validate and speak to the efforts of the equally reputable but absolutely anonymous service operator? ... now that's a hard sell ... *grin*
if finding said operators for a dedicated service is hard then finding a quorum to run mixmasterminions as intake to hidden list likely just as peril fraught.

note that a local only (hidden only) mailer would be easy enough to extend to link to incoming mix messages, if/when desired, in addition to Usenet intake, as also mentioned.

a persistent and available store of disclosures (late comers seeking archives) is a critical requirement.

your threat model is the nation state intelligence community tailored operations teams. [see also: malware list DoS on orig Stuxnet payload xmit, belgian cryptographers blowing up bullruns, etc.] - every other adversary is a cake walk in comparison.**

---

in a sense, the robust full-disclosure replacement problem is fundamentally the secure whistleblower leak site problem is fundamentally the "user friendly, fails safe, default always anon" communication problem.

"this is a global problem" "you are the firefighters", "..."

---

** so, what happened at DEF CON 22 was, ...
On Thu, Mar 20, 2014 at 9:55 AM, coderman <coderman@gmail.com> wrote:
...
as some earlier experiments on ad-hoc usability observations, win desktop user with technical ability able to download and verify signatures on TBB within ~6m, including pubkey and digest based verification.

bootstrapping and verifying correct Tor use in the browser to a check site consumed another 4min.

downloading pidgin with otr and configuring to use ccc.de with encryption, create new account on server yes, enable OTR, generate key and note fingerprint, set settings to always enforce OTR and don't log OTR chats (if not already defaulted to don't save) consumed another 6min.

in total, 16min to bootstrap private end-to-end messaging over Tor anonymity network. not bad! bridge and obfuscated proxy support now also as easy (mostly :)

---

for mobile space, the experience with a different guinea pig was similar with Orbot and ChatSecure(Gibberbot), ~10-15min to provision new client.

---

configuring hidden services securely is where things currently fall apart, as I have not been able to walk a new user through this process without significant difficulties and confusion.

this is essentially on par with encrypted email using the usual suspects, which i also could not successfully walk a new user through without significant difficulties and configurations prone to silent catastrophic failures to encrypt.

---

this is why xmpp with otr is called out for consistent usability and availability benefits over standard email or listserv (on osx, win, *nix, android, ios, windows phone, ?)

as for how long to deploy? time an ansible playbook the definitive answer. till then!

[ more than a cypherpunk hacker day, less than a cypherpunk hacker month... probably. ]