Re: [liberationtech] scrambler

Jonathan Wilkes Fri, 30 Aug 2013 11:34:01 -0700

On 08/30/2013 01:51 PM, Michael Hicks wrote:

Thank you so much we appreciate your opinion and facts. would you haveany recommendations? something we could fix? the whle purpose of thissoftware is to give the American people privacy and not have to worryabout the NSA's spying.

The American people are going to have to worry about wide-netsurveillance into the foreseeable future,because it is the result of "wide-net" ignorance about the benefits anddrawbacks of one's metadata and a

large body of one's online messages having zero marginal cost.

Furthermore, some of the tools that have cropped up from that ignoranceare ingrained and not possible todo in a privacy-preserving manner. Look at the consequences of the NSAgiving access to such a large numberof contractors, and compare that to the Facebook user with a thousandfriends. If a person wants to givethat large a level of access to their data, the network design isessentially irrelevant. The data _will_ get used andabused by third parties, not only in ways detrimental to the author ofthe data but probably also in ways the

author didn't anticipate (and possibly far into the future).

Last but not least, those centralized networks are designed to make itsocially awkward to protect oneself. Mostpeople would worry about offending people if they went from 1,000friends to somewhere between 10 and 20.

That's because, unlike the networks, people are moral actors.

What might be effective is a movement to get a bunch of people to cuttheir amount of Facebook friends down to some agreed upon number. Notonly for reasons of resisting surveillance, but also of improving our lives

and making the Facebook Wall more meaningful-- i.e., fighting spam.

If everyone does it at the same time, hurt feelings are much lesslikely. And that would make a much biggerimpact on surveillance than one-time pads, because it would affect thebottom line of a very poorly-designed

social network.

Best,
Jonathan


------------------------------------------------------------------------
*From:* Michael Hicks <scramblerencrypt...@yahoo.com>
*To:* liberationtech <liberationtech@lists.stanford.edu>
*Sent:* Friday, August 30, 2013 1:43 PM
*Subject:* Re: [liberationtech] scrambler

it's the purpose so that it is Unable to be hacked. trying to usecomplete privacy for the American people. It's the same thing used bygovernment we know cuz our software designer works for DOD.


------------------------------------------------------------------------
*From:* "konfku...@riseup.net" <konfku...@riseup.net>
*To:* liberationtech <liberationtech@lists.stanford.edu>
*Sent:* Friday, August 30, 2013 6:33 AM
*Subject:* Re: [liberationtech] scrambler

I'm really astonished. The method he uses to implement the one-time pad is
plain ridiculous. A complete lookup table which maps each possible byte to
another is consumed per byte transferred, making the pad 256 times (which
could even be optimized to 255) larger than the message.

The author has no clue at all.

> Quoting the Scrambler website:
> "The drawback of the one-time cypher pad encryption method is that to
> encrypt a message without reusing the one-time cypher pad requires it to
> be 256 times the size of the message. Encrypting a one megabyte file
> without reusing the one-time cypher pad requires it to be 256 megabytes.
> While it is recommended that you do not reuse one-time cypher pads,
> Scrambler will do so."
>
> The author doesn't understand how to construct one-time pads, and flouts
> the most important rule of using them. Avoid this software like the
> plague.
>
> Cheers,
> Michael
>
> Seth David Schoen <sch...@eff.org <mailto:sch...@eff.org>> wrote:
>
>>Michael Hicks writes:
>>
>>> ok so I guess I just send u guys the links and u check out my software
>>> and Vet it? This was made for people to be able to protect their
>>> privacy and the NSA can't hack it No One can it's impossible. all the
>>> information is at scrambler.webs.com
>>
>>It's true that no one can crack a one-time pad, which your software
>>claims to implement.  A one-time pad might be useful for some people,
>>though it's possible that they shouldn't then use a computer to encrypt
>>and decrypt, because using a computer introduces new vulnerabilities
>>(like radiofrequency emanations and remote software exploits).
>>
>>There might still be cryptographic vulnerabilities in the random number
>>generation that your software uses. There was recently a high-profile
>>vulnerability in the random number generation provided by the Java
>>implementation on Android, which allowed keys to be compromised.  If
>>there were a similar vulnerability in the Java implementations people
>>use with your software, it might have similar consequences -- which
>>might not be the fault of your software, but might still undermine its
>>security.
>>
>>A one-time pad is probably not very useful to most people who need to
>>communicate securely because they have to find a safe way, ahead of
>>time, to distribute and store the key material with each potential
>>party that they may communicate with. That's a pretty heavy burden,
>>especially when people are meeting new contacts and wanting to
>>communicate with those contacts (without having been able to arrange
>>a prior physical key distribution).
>>
>>It also doesn't integrate easily with any form of communications
>>other than exchanging files, although it would be possible to extend
>>it to other things like e-mail or IM if you could manage the sequence
>>numbers properly to avoid reusing key material (something our existing
>>protocols don't really help with).
>>
>>If you read _Between Silk and Cyanide_, there's a good and interesting
>>historical account of wartime military use of one-time pads.  One of
>>the messages seems to be that it was quite expensive and cumbersome,
>>though perhaps well worth it for the particular application.  It's hard
>>to imagine many audiences prepared to actually bear these costs for
>>many of their communications today. We already see people complaining
>>about the effort and overhead of things like PGP merely because some
>>aspects of the key management are made explicit to the user.  For
>>one-time pads _every_ aspect of key management is made explicit -- and
>>manual, and requiring the exchange of physical objects!
>>
>>My intuition is that people who feel that one-time pads are necessary
>>should probably learn to operate them by hand, the way the SOE agents
>>in that book did.
>>
>>--
>>Seth Schoen  <sch...@eff.org <mailto:sch...@eff.org>>
>>Senior Staff Technologist https://www.eff.org/
>>Electronic Frontier Foundation https://www.eff.org/join
>>815 Eddy Street, San Francisco, CA 94109      +1 415 436 9333 x107
>>--
>>Liberationtech is a public list whose archives are searchable on Google.
>> Violations of list guidelines will get you moderated:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
>> Unsubscribe, change to digest, or change password by emailing moderator
>> at compa...@stanford.edu. <mailto:compa...@stanford.edu.>
> --
> Liberationtech is a public list whose archives are searchable on Google.
> Violations of list guidelines will get you moderated:

> https://mailman.stanford.edu/mailman/listinfo/liberationtech.Unsubscribe,

> change to digest, or change password by emailing moderator at
> compa...@stanford.edu. <mailto:compa...@stanford.edu.>
>


--

Liberationtech is a public list whose archives are searchable onGoogle. Violations of list guidelines will get you moderated:https://mailman.stanford.edu/mailman/listinfo/liberationtech.Unsubscribe, change to digest, or change password by emailingmoderator at compa...@stanford.edu. <mailto:compa...@stanford.edu.>

--

-- 
Liberationtech is a public list whose archives are searchable on Google. 
Violations of list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

Re: [liberationtech] scrambler

Reply via email to