[cryptography] OTR and deniability

Thu Jul 14 04:53:28 PDT 2011

On 14/07/11 12:37 PM, Ai Weiwei wrote:
> Hello list,
>
> Recently, Wired published material on their website which are claimed to be logs of instant message conversations between Bradley Manning and Adrian Lamo in that infamous case. [1] I have only casually skimmed them, but did notice the following two lines:
>
>      (12:24:15 PM) bradass87 has not been authenticated yet. You should authenticate this buddy.
>      (12:24:15 PM) Unverified conversation with bradass87 started.
>
> I'm sure most of you will be familiar; this is evidence that a technology known as Off-the-Record Messaging (OTR) [2] was used in the course of these alleged conversations.
>
> I apologize if this is off topic or seems trivial, but I think a public discussion of the merits (or lack thereof) of these alleged "logs" from a technical perspective would be interesting.

I believe it is germane to anyone designing crypto protocols to understand 
how they actually impact in user-land.  This particular one is a running 
sore for me because of its outrageous claim of deniability.

> The exact implications of the technology may not be very well known beyond this list. I have carbon copied this message to the defense in the case accordingly.
>
> If I understand correctly, OTR provides deniability, which means that these alleged "logs" cannot be proven authentic.

The *claim made by OTR is to provide technological deniability* as opposed 
to any non-technological status.  Its non-technical deniability is zilch.

Unfortunately, outside the technology, it is trivial to prove the logs as 
authentic.  This is confusing for the technologists as they are trying to 
create a perfect security product, and they believe that technology rules.  
What they've failed to realise is that real life provides some trivial 
bypasses, and in this situation, they may very well be creating more harm 
-- by sucking people into a false sense of security.

Design of security systems is tough, it is essential to include the human 
elements in the protocol, elsewise we end up with elegant but useless 
features.  Sometimes we enter into danger, as is seen with OTR or BitCoin, 
where a technological elegance causes people to lose their common sense and 
grasp of reality.

> In fact, the OTR software is distributed with program code which makes falsifying such "logs" trivial. Is this correct?

Dunno.  Could be.  Evidence of a false sense of security, to me.

> What do you think?  ....

On the specific legal case:  well, nothing we see in open press will  
really be reliable.  You're looking at the USG going for broke against a  
couple of lonely mixed up people who USG mistakenly let near a TS site.  It 
will be a total mess.  Mincemeat, fubar, throw away the key.  The case will 
see all sorts of mud thrown up, with both sides trying their darndest to 
muddy the waters.

>From the external pov, there will be no clarity.  Nothing really to say or 
think, except, ... don't make that mistake?  Relying on crypto blahblah 
promises like OTR or PGP when you're about to release a wikileaks treasure 
trove doesn't sound like rational thinking to me.

iang
_______________________________________________
cryptography mailing list
cryptography at randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE