[cryptography] "Meet the groundbreaking new encryption app set to revolutionize privacy..."

Jon Callas jon at callas.org
Fri Feb 8 23:06:55 PST 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am separating this from my previous as I went into a rant.

As we were designing Silent Text, we talked to a lot of people about what they
needed. I don't remember who told me this anecdote, but this person went over
to a colleague's office after they'd been texting to just talk. They walked
into the colleague's office and noticed their phone open with a conversation
plainly visible with someone else. A third party who was their mutual
colleague was texting about that meeting.

In short: Alice goes to Bob's office for a meeting and sees texts from Charlie
about that meeting, including comments about Alice.

There wasn't anything untoward about the texting. No insults about Alice or
anything, but there was an obvious privacy loss here. What if it *had*
included an intemperate comment about our Alice? Alice said nothing about it
to Bob, but I got an earful. That earful included the opinion that the threat
of accidental disclosure of messages within a group of people is greater than
either the messages "being plucked out of the air" or seizure and forensic
groveling over the device. Alice's opinion was that when people have a secure
communications channel, they loosen up and say things that are more dramatic
than they would be otherwise. It's not that they're more honest, they're less
honest. They're exaggerated to the point of hyperbolic at times. Alice said
that she knew that she'd texted some things to Bob that she really wouldn't
want the person she'd said them about to see them. They were said quickly, in
frustration, and so on. It's not that they'd be taken out of context, it's
that they'd be taken *in* context.

It's interesting underlying the story, Alice suddenly saw Bob not as an ally
in snark, but a threat -- the sort of person who leaves their phone unlocked
on their desk. Bob, of course, would say something like that if the texts had
been potentially offensive, he'd have locked his phone. This explanation would
thus convince Alice that Bob is *really* not to be trusted with snark.

This is incredibly perceptive, that the greatest security threat is not the
threat from outside, it's the threat from inside. It is exactly Douglas
Adams's point about the babelfish that by removing barriers to communication,
it created more and bloodier wars than anything else.

That's where "Burn Notice" came from. It's a safety net so that when Charlie
texts Bob, "I'm tired of Alice always..." it goes away.

What I find amusing is the reaction to it all around. There's a huge
manic-depressive, bimodal reaction. Lots of people get ahold of this and
they're like girls who've gotten ahold of makeup for the first time. ZOMG! You
mean my eyelids can be PURPLE and SPARKLY? This is the same thing that happens
when people discover font libraries or text-to-speech systems. For a couple of
days that someone gets the new app, there's nothing but text messages that are
self-destructing, purple, sparkly eyelids with font-laden Tourette's Syndrome
with the Mission Impossible theme song playing in the background. (Note, if
you are using Silent Text, you can't actually make the text purple, nor
sparkly, nor change fonts. You need to put all of that in a PDF or an animated
GIF -- and you will. This is a metaphor, not a requirements document.)

The next thing that happens is that they are so impressed with some
particularly inspired bit of self-destructing childishness that they take a
screen shot. As they gaze at the screen shot, or sometimes just as they take
the screen shot, light dawns. Oh. You mean.... Oh. Then the depressive phase
kicks in.

Back in the dark ages, PGP had the "For Your Eyes Only" feature. This is
pretty much the ancestor of Burn Notice. Simultaneously useful and worthless.
It's useful because it signals to your partner that this is not only secret
but sensitive and does something to stop accidental disclosure. It is utterly
ineffective against a hostile partner for many of the same reasons. We did all
sorts of silly things with FYEO that included an anti-TEMPEST/Van Eck font,
and other things. Silent Text actually has an FYEO feature that isn't exposed,
thank heavens.

I mention all of that because once you're in the depressive phase, it's easy
to go down the same rathole we did with FYEO. I spent time researching if you
can prevent screen shots on iOS (you can't). I did this while telling people
that it was dumb because I can take a picture of my iPhone with my iPad. I
held up my phone to video chat and said, "Here, see this? This is what you can
do!"

Sanity prevailed, but I think that fifteen years of FYEO helped a lot. When
you stare into self-destructing messages, trying to figure out how to make them
really go away flawlessly, they stare back. You will end up trying to figure
out how to do a destructive two-phase commit, what class libraries need to be
patched so that non-mutable strings inherit from mutable strings (not
the other way around), all while a nagging voice whispers in the back of your
head about how brave freedom fighters are gonna die because of this.

After the depressive phase comes the patronizing, retributive phase in which
it's clear that letting people delete potentially embarrassing messages is
bad, because it's imperfect. Imperfect security is worse than plaintext.
People have to learn self-control. Cue the Kahlil Gibran quotes. People can't
just say any old thing on a secure chat program because that leads to purple
eyeshadow and thus inevitably to brave freedom fighters having their phones
seized at borders, and then people will die -- all because we let them delete
their incriminating messages. This phase makes so little sense that it's hard
for me even to mock it. But the gist of that objection really is that it's bad
to let people delete sensitive things because that will cause seizure of
sensitive things. Otherwise sane people have said this to me, and they don't
seem to see how funny they are.

Nonetheless, there's two things that happen. On the one hand, there are people
who think this cute, simple feature is the second coming of sliced bread. The
other hand is the people who insist it must be impossible (because they've
over-thought it) or evil (because security shouldn't be fun, let alone
purple). There is a small point to the dour, greyfaced side of this, I admit.
You cannot solve human problems with technology. Technology often just
shuffles around the brilliance that humans have at shooting themselves in the
foot. I'm well aware of Laotse's snarky comment that the invention of locks
created burglary, and I often agree with him.

But I think there has to be fun with security. We talk a lot about how
security has to be usable, but I think fun is up there, too. If it's fun,
people will use it. They make their mistakes cheaply, and in a reasonably safe
environment. Most of all, they'll actually use it. That's been the challenge
of the last couple decades, getting people to use it. People use things that
they play with. I think thus that play is part of security, too. What's
"groundbreaking" in what we're doing is that we're having fun and encouraging
others to do so, too.

	Jon


-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii

wj8DBQFRFfWQsTedWZOD3gYRAmYJAKDJ8exiTiWgzMy11mp/FKEN8TXpUACdHTPW
dHbRrgTqwb3R5oPHvWEC8Pg=
=b3gk
-----END PGP SIGNATURE-----
_______________________________________________
cryptography mailing list
cryptography at randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography