Markus Ottela oottela at
Tue Feb 3 17:40:02 PST 2015

On 04.02.2015 01:59, rysiek wrote:
> Hi,
> this is getting absurdly long.
> I am going to answer this one part below.
> Dnia środa, 4 lutego 2015 00:54:07 Markus Ottela pisze:
>>> And that changes... what exactly? This affects *any and all*
>>> desktop-usable
>>> security solutions, so let's just assume that this is the baseline we have
>>> to work with and assess the solutions on their own merits, eh?
>> No, let's not assume. I've a small desk but it's still able to handle
>> the three laptops in a configuration that does not have the issue.
>> The community has already accepted the host security as part of snake
>> oil check. What on earth is the check doing here if we should accept OS
>> vulnerabilities as a "baseline"? If the product isn't going to address
>> it, it better not neglect it at least, Tox doesn't do even that.
> Answer A:
> Well then, do a damn pull request and fix it. With the amount of typing done
> in this thread already you could have done it 3 times over. :)
Tox developer team were not interested in implementing it in similar 
fashion. Using three computers was the main obstruction: A successor for 
Skype that makes the headlines is the one that you get everyone to use 
because it's easy to setup. It wouldn't get any attention nor media 
coverage if it wasn't free as in 'next, yes, next, next, install'.

I'd rather not meddle with Tox source: to quote the Norton's article you 
"C is good for two things: being beautiful and creating catastrophic 
0days in memory management."

Tox is written in C, by people who seem to have limited understanding on 
computer security and programming. I do too, but a least I selected an 
approach that doesn't require 0-day free code, or OS.

> Answer B:
> Can you please direct me towards any software that in your opinion does not
> have a problem with the "host security" part? A single example of any program,
> say any communication program, like IM, VoIP, e-mail client, etc, installable
> on a chosen operating system.
TFC stands for Tinfoil Chat.  // pages 9 and 10 explain how why 
there is no key exfiltration risk.
TCB is the Trusted Computing Base, the system responsible for 
cryptographic operations.

> Answer C (I think I'll go with this one):
> On a more serious vein, I see I'm dealing with a view that security is binary.
> That one can only be safe in a meaningful sence, when one has three laptops in
> a particular setup on their desk.
> Problem is, people DIE, NOW, because they use Skype. Not because they
> misjudged a particular way software A uses crypto primitive B or some such,
> but because they are using an inherently fucked up, security wise, software to
> communicate.
It depends on your threat model and how technically skilled your 
adversary is.
If adversarial government decides to buy malware from say, Hacking Team 
that automatically
replaces Tox IDs inside unencrypted emails to those owned by the state, 
it'll still get you killed unless you know what you're doing.

Just telling the user to meet the contact and exchange Tox ID in person 
is enough not to get MITM'd.
Just warning the user about not saying the most sensitive stuff on Tox 
might be enough to not to get killed.

> Those people do not have the privilege of having a desk with 3 laptops, they
> often don't even have damn ADMIN RIGHTS on their laptop. Giving them a tool
> that works on their (insecure, I agree!!) platforms and yet LOWERS their
> exposure actually can save lives.
If you're not in control of the laptop, you shouldn't be trusting your 
life on it; Tox does very little if there's a keylogger present, neither 
does TFC if you're not in control of the two TCB computers.

> This is something that has to be rammed into the heads of people with a
> baseball bat. Ideal setups don't exist, that's why they are "ideal".
> Here, have a read:
> Especially this part:
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Managing all the encryption and decryption keys you need to keep your data
> safe across multiple devices, sites, and accounts is theoretically possible,
> in the same way performing an appendectomy on yourself is theoretically
> possible. This one guy did it once in Antarctica, why can’t you?
That part sounds like infomercial trying to overcomplicate a problem.

You need one device to store the (a)symmetric encryption keys (TCB 1)
You need another      to store the (a)symmetric decryption keys (TCB 2)
You need third one to transmit encrypted messages.
You need data diodes to enforce unidirectional communication between the 
devices. That's all.

> So the question I put to hackers, cryptographers, security experts,
> programmers, and so on was this: What’s the best option for people who can’t
> download new software to their machines? The answer was unanimous: nothing.
> They have no options. They are better off talking in plaintext I was told, “so
> they don’t have a false sense of security.” Since they don’t have access to
> better software, I was told, they shouldn’t do anything that might upset the
> people watching them. But, I explained, these are the activists, organizers,
> and journalists around the world dealing with governments and corporations and
> criminals that do real harm, the people in real danger. Then they should buy
> themselves computers, I was told.
> That was it, that was the answer: be rich enough to buy your own computer, or
> literally drop dead. I told people that wasn’t good enough, got vilified in a
> few inconsequential Twitter fights, and moved on.
The issue is global whether it's occupy movement fighting against 
economic segregation in the West,
or dissidents in 3rd world countries. The difference is the threat 
model. In west it's HSAs, in poor countries,
MSAs at top, unless it's the US doing surveillance against Afghans etc.

> Not long after, I realized where the disconnect was. I went back to the same
> experts and explained: in the wild, in really dangerous situations — even when
> people are being hunted by men with guns — when encryption and security fails,
> no one stops talking. They just hope they don’t get caught.
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> I accept Tox could warn about some issues better. I accept that desktop
> security is a joke. But for the love of Dog, that is not what I am asking when
> I'm asking if Tox is a sane thing to look into.
> I'm asking about "do we know of serious security bugs or fuckups in this
> software". I am asking "can anybody point out any serious, SNAFU-level bugs in
> the protocol design". And so on.
I get what you mean. You're trying to evaluate the skillset of 
developers in terms of
how things are implemented and programmed. I'm trying to say they've a 
bigger job
to do and so far they have failed at it.

More information about the cypherpunks mailing list