Tox.im

rysiek rysiek at hackerspace.pl
Tue Feb 3 15:59:06 PST 2015 

Hi,

this is getting absurdly long.

I am going to answer this one part below.

Dnia środa, 4 lutego 2015 00:54:07 Markus Ottela pisze:
> > And that changes... what exactly? This affects *any and all*
> > desktop-usable
> > security solutions, so let's just assume that this is the baseline we have
> > to work with and assess the solutions on their own merits, eh?
> 
> No, let's not assume. I've a small desk but it's still able to handle
> the three laptops in a configuration that does not have the issue.
> 
> The community has already accepted the host security as part of snake
> oil check. What on earth is the check doing here if we should accept OS
> vulnerabilities as a "baseline"? If the product isn't going to address
> it, it better not neglect it at least, Tox doesn't do even that.


Answer A:
Well then, do a damn pull request and fix it. With the amount of typing done 
in this thread already you could have done it 3 times over. :)

Answer B:
Can you please direct me towards any software that in your opinion does not 
have a problem with the "host security" part? A single example of any program, 
say any communication program, like IM, VoIP, e-mail client, etc, installable 
on a chosen operating system.

Answer C (I think I'll go with this one):
On a more serious vein, I see I'm dealing with a view that security is binary. 
That one can only be safe in a meaningful sence, when one has three laptops in 
a particular setup on their desk.

Problem is, people DIE, NOW, because they use Skype. Not because they 
misjudged a particular way software A uses crypto primitive B or some such, 
but because they are using an inherently fucked up, security wise, software to 
communicate.

Those people do not have the privilege of having a desk with 3 laptops, they 
often don't even have damn ADMIN RIGHTS on their laptop. Giving them a tool 
that works on their (insecure, I agree!!) platforms and yet LOWERS their 
exposure actually can save lives.

This is something that has to be rammed into the heads of people with a 
baseball bat. Ideal setups don't exist, that's why they are "ideal".

Here, have a read:
https://medium.com/message/81e5f33a24e1

Especially this part:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Managing all the encryption and decryption keys you need to keep your data 
safe across multiple devices, sites, and accounts is theoretically possible, 
in the same way performing an appendectomy on yourself is theoretically 
possible. This one guy did it once in Antarctica, why can’t you?

(...)

So the question I put to hackers, cryptographers, security experts, 
programmers, and so on was this: What’s the best option for people who can’t 
download new software to their machines? The answer was unanimous: nothing. 
They have no options. They are better off talking in plaintext I was told, “so 
they don’t have a false sense of security.” Since they don’t have access to 
better software, I was told, they shouldn’t do anything that might upset the 
people watching them. But, I explained, these are the activists, organizers, 
and journalists around the world dealing with governments and corporations and 
criminals that do real harm, the people in real danger. Then they should buy 
themselves computers, I was told.

That was it, that was the answer: be rich enough to buy your own computer, or 
literally drop dead. I told people that wasn’t good enough, got vilified in a 
few inconsequential Twitter fights, and moved on.

Not long after, I realized where the disconnect was. I went back to the same 
experts and explained: in the wild, in really dangerous situations — even when 
people are being hunted by men with guns — when encryption and security fails, 
no one stops talking. They just hope they don’t get caught.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I accept Tox could warn about some issues better. I accept that desktop 
security is a joke. But for the love of Dog, that is not what I am asking when 
I'm asking if Tox is a sane thing to look into.

I'm asking about "do we know of serious security bugs or fuckups in this 
software". I am asking "can anybody point out any serious, SNAFU-level bugs in 
the protocol design". And so on.

> I'm not trying to hijack this Tox discussion to say TFC is the solution.
> I'm trying to say it's pointless to create anything secure on a setup
> the features of which are limited(/rigged) to begin with.

> That's why smartphone is part of the snake oil checklist.

How about we let stef talk about that himself.

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 931 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20150204/0250ed68/attachment-0002.sig>

More information about the cypherpunks mailing list