stef s at
Wed Feb 4 09:14:06 PST 2015

On Tue, Feb 03, 2015 at 10:34:16PM -0500, Yaron Greenwald wrote:
> Why is it that everyone here rocks at threat models as long as they get
> to own a computer. Why is it that everyone here can consider everything
> from if a Global Passive Adversary is directly targeting you to if your

lets not forget the local active adversaries. finfisher sells to a lot of
customers, not only the nsa has such capabilities - assuming you allude to the
(5|9|many)eyes alliance with he GPA, or do you mean cloudflare?

> next door neighbor is doing, I dunno, Van-Eck Phreaking or something
> like that, but can't *possibly* consider the use case of "my government
> can break into any computer it wants, and I'm running from netcafe to
> netcafe, and just need them to not be able to find me for the next one
> or two weeks".
> A keylogger only compromises you once they find the logs to read --

hackingteam has that market covered i guess.

> But say they've got a thumb drive with their data and software, two legs
> (or one, or none, depending, I suppose), a car, and the driving will to
> *keep running and fighting*.
> "You shouldn't be trusting your life" my rear. Half of these people are
> expecting a knock on their door every day. You think they're gonna just
> give up because they can't be Perfectly Cryptographically Secure?

indeed. however they also endanger their support networks and if the brave
sacrifice themselves for some community which is compromised in the mean time
because of the 'immma compromised already' attitude does not advance their
cause very much if there's no one left to die for.

furthermore cryptographically secure is as the 7 rules show only one aspect,
as long as people can be tricked with spear-phishing emails or fancy linkedin
pages to install malware. crypto means only one thing, increasing the
likelihood of malware instead of in-transit interception of plaintext
communication. which brings us directly to host security and its dismal state.
how many of these brave souls have updated their gear lately? how much malware
is running on those hosts? how many believe that antivirus is something
positive and not a system level backdoor?

> So we can give up on them, or we can give them whatever help they can
> get. Two. Choices.

so by definition not having control over a device means the device can do
whatever it wants within the limits of its capabilities. so this means you
cannot ensure confidentiality, authenticity, anonymity, etc. the probability
of a device acting against the will/interest of its user is pretty high
already considering only commercial adversaries. however if the person is one
of special interest because of 1/ the person itself is interesting or 2/ the
person is one with weak security standards and in close proximity to persons
of interest, in this case the probability of the device acting against the
interest of the user is quite higher. so of course if your threat model is
currently the littlesis one, then rot13 does protect you against 90% of
adversaries. however disregarding more advanced adversaries can reduce your
future agency against them enormously. like john travolta by the time
scientology became an adversary for him, they had all the compromise to bind

the other point that is ignored, is the asymmetry in the capabilities and
modus operandi of the opposing adversaries. if we are considering the model of
the arabian spring where you have people against some regime. the government
has the monopoly of violence, and other stuff, that makes them able to work
extralegally, also there's experience for many years in suppression of mass
movements (look at cointelpro, or how the occupy movement got nowhere). on the
other side, for citizens one of the expensive tools there exists in such an
asymmetric setting is the sacrifice, like the soviets in the 2nd world war
everyone gets ammunition but only 1 out of 5 soldiers a gun. the others get an
order of inheritance of the gun. worked quite well, however it was very
wasteful and tragic. of course losses can be cut, but they require efforts and
resources that like the soviets, avg people hypnotized by us propaganda lack.

> ...sorry for ranting. But, like, could we *please* at least consider
> scenarios where people don't control their computer? Instead of just

i did a bit of that consideration i hope. let me ask you what scenarios can
you envision where there is no control of devices and thus no authenticity,
confidentiality, etc? and yet useful for people above the littlesis adversary
model? i think the context of the littlesis model is of little interest in
this community though.

> totally dismissing them off-hand? Like, there *is* stuff they can do,
> and there *is* stuff we can do for them.

can you be a bit more specific what you mean, and why you think that it would
be efficient? what are your metrics for "success" or "efficiency"?

let me try too: there's a few things that can be done, 1/ eliminate all
snakeoil 2/ educate the few people that are actually doing things 3/ most
importantly go harass the vendors that profit from the sabotaged
infrastructure that these brave souls trust blindly. i'm sorry, the fact that
we have not much to protect ourselves with is mostly due to the profit silicon
valley, they wanted as fast as much users as possible, sacrificing everything
for their quarterly profits, the externalities of this as it can be euphemised
are on the victims. to do real stuff, the opsec is very hard and will be
limited to only a few, and even most of them will fall, so everyone should
expect to be owned and the wider consequences of that. 

although i think it's a great idea to raise the general costs for adversaries,
i think this is much more expensive than you think. as an attacker i'll attack
the cheapest way possible to maximise my results, surely. so when you start
raising the cost of the cheapest way, i do not care about this until the cost
is higher than the second cheapest attack. in which case it becomes the
cheapest, and i use that. if i do my job well, i will continue a bit the old
attack, so i force you to overspend on that defense, and make my life easier
for some more time.

> And it's just...
> *wrong* to just say "go hang".

i don't know where this comes from, but this is indeed wrong if anyone ever
implied that, and it's not only a journalistic tool.

lastly - allow me to naively exaggerate a bit - i think such regular "why
can't you save us all" is very distracting in a community that is allegedly
about writing code, not mails. our resources are limited and we are already
motivated to work on this stuff. having to explain things over and over again
should be handled by the people enjoying publicity and attention, not those
enjoying good math, code and obscurity. 

otr fp:

More information about the cypherpunks mailing list