Moxie Marlinspike profiled in WSJ. Obama thinks secure messaging apps like the one he built are “a problem.”

Reminds me of that cartoon.

A Mafia boss yells at his subordinates in a meeting room. “When I told you to do a bank, I meant robbing one, not establishing one!”

…the joke predates the Financial Crisis, so we could forgive the boss his naivety.

3 Likes

We’re now soon going to see a movie where the ‘good guys’ use tachyon-laser-nanotomography to read invisible bumps on glass to catch the ‘bad guys’. You heard the techno-babble here first.

2 Likes

Moxie seems like good people and I’m glad someone’s continuing to fight the Good Fight, but did y’all check out his sailing video from about 4 years ago?

[Hold Fast][1] on Vimeo

Moxie’s so Gibsonian it hurts.
[1]: https://vimeo.com/15351476

2 Likes

Please describe/explain “Gibsonian”?

1 Like

In this context, something that could be easily described by author William Gibson.

Other contexts, “Gibsonian” could refer to Psychologist James Gibson, who suggested that studies were highly dependent on environment, and that laboratory experiments were fundamentally flawed. His work contributed greatly to a school of thought called Ecological Psychology.

1 Like

Strange attacks are entertaining, but they are also used. Deriving messages from listening to keyboard strokes is probably a CS 300 level problem at best. Extracting messages written on paper on glass… If it were a quiet room and you had a mic, since keys are usually hex, I bet there is a timing attack you could use by listening.

Time to upgrade to super smooth gel pens!

2 Likes

Those may leave residues of volatiles on the glass. Don’t forget to wipe it.

2 Likes

But then there’s always the possibility that your man in the middle (I always picture one of the Beagle Boys from the old Diney comics popping up out of a garbage can) sends a fake message along the reverse channel, indicating successful reception of an un-tampered package?

There’s just no end …

2 Likes

It would certainly be better if there were more sources of funding available; but unless there are, I’m not sure that there are any other arrangements that would actually be an improvement.

If the State Department wants to buy PR, they have a variety of options. Washington is crawling with specialists in the area who will push whatever you are willing to pay for; and they also have the option of assorted international feel-good programs designed to advance American interests.

The various projects attempting to do security and privacy have fewer options; and also would be of neither public discourse value nor of technical value if it weren’t for the fact that they actually produce stuff good enough to annoy the surveillance feds. If the product did not exist, or was so immature as to be effectively unusable, who would listen to the public statements of the people behind it at all?(I’m having trouble even determining the last time somebody asked the FreeNet project to speak some truth to power, because the project is so obscure).

There’s also the fact that the availability of good technological tools forces the US surveillance enthusiasts to behave hypocritically, in a way that other flavors of support for other people’s pesky activists do not. It is quite easy to praise the brave ‘activists’ and ‘freedom fighters’ abroad; while condemning the ‘traitors’, ‘radicals’, and ‘terrorists’ at home; and also pretty easy to ignore anyone who calls you hypocritical for doing so.

It’s a great deal harder(increasingly impossible, now that even fairly poor and squalid repressive-regimes-who-aren’t-our-freedom-buddies can afford at least moderately sophisticated spying tools) to provide those brave activists abroad with tools that are actually good enough to help them, without also causing James Comey to turn a funny shade of purple. This isn’t as good as having the tools available and fed by enough hands that they can afford to bite any one of them in public; but it still is an enforced PR hit. The State Department can ensure that those they are funding largely talk as though surveillance and oppression are things that happen abroad; but they can’t build tools worth using to protect yourself from the bad guys without building tools good enough to make the ‘good guys’ frothing mad. That is arguably a more useful lesson than most commentators would be able to deliver.

3 Likes

You have to authenticate the message in some way. E.g. sending back hash of the data in the package with added hash of an object both Alice and Bob have but Eve does not.

1 Like

Citation wanted.

Moxie is, indeed, good people. Better than most in the security business, especially in regards to ethics.

2 Likes

I am gonna put some bounds on this comment: it is specifically about symmetric keys, since what I originally replied to was a critique of one time pads.

You never, ever send your key over one channel. Ever. We all in the crypto business know this. You split your keys and use channels that can be predicted by your recipient but not an intermediate (unless they have infiltrated the recipient, which is a different issue).

And the proof of a correct key distribution is the encrypted com itself.

As an aside, Thales makes some of the most frustrating hardware and software. But I am torn between PKI and symmetric key systems.

Symmetric removes (most, not all, see ZMKs) chaining, but chaining makes distribution and cycling easier.

I’m getting a headache :smiley:

2 Likes

I’m having trouble finding any. However, in looking for something, I found a blog post by Moxie Marlinspike, in which he’s clearly being evenhanded with his criticisms of governments in the course of discussing SSL certificating authorities:

So looking at this strictly in terms of quantity feels a little too simplistic for me. Much has been made about the fact that the DHS or the Chinese government have their own CA in that list, but certainly, if the DHS or the Chinese government were made to be the only valid CA, people might feel similarly annoyed, even though the quantity would be low.

So my statement was unfair to Moxie Marlinspike, and I apologize for that.

Yes, I’m familiar with that post. :smile:

I have the (mis)fortune to have to work on a product that contains one of the root CA stores so I get to hear a lot of off-kilter ranting about how evil they are (and some spot on ranting too). Moxie was well known before Whisper Systems for work on certificate and certificate issues.

http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/

He even tried to propose an alternative system called “Convergence”:

1 Like

The notaries thing of the Convergence system remind me of my idea of signing the certificates via GPG, using web-of-trust approach.

There would be no CAs, or they could be used as a supplementary system. Each certificate has its detached signature on the server, in a file with standardized name (like favicon.ico or robots.txt already do). There can be an arbitrary number of signings on the signature, and the signees can be further verified by the web-of-trust approach. The signature file/data structure could even be served within the connection, as a field in the certificate structure, for non-HTTP transactions.

Edit: The Monkeysphere Project is doing something quite similar, and unlike me they got it past the stage of just-an-idea.

This topic was automatically closed after 5 days. New replies are no longer allowed.