-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am separating this from my previous as I went into a rant.

As we were designing Silent Text, we talked to a lot of people about what they
needed. I don't remember who told me this anecdote, but this person went over
to a colleague's office after they'd been texting to just talk. They walked
into the colleague's office and noticed their phone open with a conversation
plainly visible with someone else. A third party who was their mutual colleague
was texting about that meeting.

In short: Alice goes to Bob's office for a meeting and sees texts from Charlie
about that meeting, including comments about Alice.

There wasn't anything untoward about the texting. No insults about Alice or
anything, but there was an obvious privacy loss here. What if it *had*
included an intemperate comment about our Alice? Alice said nothing about it to
Bob, but I got an earful. That earful included the opinion that the threat of
accidental disclosure of messages within a group of people is greater than
either the messages "being plucked out of the air" or seizure and forensic
groveling over the device. Alice's opinion was that when people have a secure
communications channel, they loosen up and say things that are more dramatic
than they would be otherwise. It's not that they're more honest, they're less
honest. They're exaggerated to the point of hyperbolic at times. Alice said
that she knew that she'd texted some things to Bob that she really wouldn't
want the person she'd said them about to see them. They were said quickly, in
frustration, and so on. It's not that they'd be taken out of context, it's
that they'd be taken *in* context.

It's interesting that, underlying the story, Alice suddenly saw Bob not as an ally in
snark, but a threat -- the sort of person who leaves their phone unlocked on
their desk. Bob, of course, would say something like that if the texts had been
potentially offensive, he'd have locked his phone. This explanation would thus
convince Alice that Bob is *really* not to be trusted with snark.

This is incredibly perceptive, that the greatest security threat is not the
threat from outside, it's the threat from inside. It is exactly Douglas Adams's
point about the babelfish that by removing barriers to communication, it
created more and bloodier wars than anything else.

That's where "Burn Notice" came from. It's a safety net so that when Charlie
texts Bob, "I'm tired of Alice always..." it goes away.

What I find amusing is the reaction to it all around. There's a huge
manic-depressive, bimodal reaction. Lots of people get ahold of this and
they're like girls who've gotten ahold of makeup for the first time. ZOMG! You
mean my eyelids can be PURPLE and SPARKLY? This is the same thing that happens
when people discover font libraries or text-to-speech systems. For a couple of
days that someone gets the new app, there's nothing but text messages that are
self-destructing, purple, sparkly eyelids with font-laden Tourette's Syndrome
with the Mission Impossible theme song playing in the background. (Note, if you
are using Silent Text, you can't actually make the text purple, nor sparkly,
nor change fonts. You need to put all of that in a PDF or an animated GIF --
and you will. This is a metaphor, not a requirements document.)

The next thing that happens is that they are so impressed with some
particularly inspired bit of self-destructing childishness that they take a
screen shot. As they gaze at the screen shot, or sometimes just as they take
the screen shot, light dawns. Oh. You mean.... Oh. Then the depressive phase
kicks in.

Back in the dark ages, PGP had the "For Your Eyes Only" feature. This is pretty
much the ancestor of Burn Notice. Simultaneously useful and worthless. It's
useful because it signals to your partner that this is not only secret but
sensitive and does something to stop accidental disclosure. It is utterly
ineffective against a hostile partner for many of the same reasons. We did all
sorts of silly things with FYEO that included an anti-TEMPEST/Van Eck font, and
other things. Silent Text actually has an FYEO feature that isn't exposed,
thank heavens.

I mention all of that because once you're in the depressive phase, it's easy to
go down the same rathole we did with FYEO. I spent time researching if you can
prevent screen shots on iOS (you can't). I did this while telling people that
it was dumb because I can take a picture of my iPhone with my iPad. I held up
my phone to video chat and said, "Here, see this? This is what you can do!"

Sanity prevailed, but I think that fifteen years of FYEO helped a lot. When you
stare into self-destructing messages, trying to figure out how to make them really
go away flawlessly, they stare back. You will end up trying to figure out how
to do a destructive two-phase commit, what class libraries need to be patched
so that non-mutable strings inherit from mutable strings (not the other
way around), all while a nagging voice whispers in the back of your head about
how brave freedom fighters are gonna die because of this.

After the depressive phase comes the patronizing, retributive phase in which
it's clear that letting people delete potentially embarrassing messages is bad,
because it's imperfect. Imperfect security is worse than plaintext. People have
to learn self-control. Cue the Kahlil Gibran quotes. People can't just say any
old thing on a secure chat program because that leads to purple eyeshadow and
thus inevitably to brave freedom fighters having their phones seized at
borders, and then people will die -- all because we let them delete their
incriminating messages. This phase makes so little sense that it's hard for me
even to mock it. But the gist of that objection really is that it's bad to let
people delete sensitive things because that will cause seizure of sensitive
things. Otherwise sane people have said this to me, and they don't seem to see
how funny they are.

Nonetheless, there's two things that happen. On the one hand, there are people
who think this cute, simple feature is the second coming of sliced bread. The
other hand is the people who insist it must be impossible (because they've
over-thought it) or evil (because security shouldn't be fun, let alone purple).

There is a small point to the dour, greyfaced side of this, I admit. You cannot
solve human problems with technology. Technology often just shuffles around the
brilliance that humans have at shooting themselves in the foot. I'm well aware
of Laotse's snarky comment that the invention of locks created burglary, and I
often agree with him.

But I think there has to be fun with security. We talk a lot about how security
has to be usable, but I think fun is up there, too. If it's fun, people will
use it. They make their mistakes cheaply, and in a reasonably safe environment.
Most of all, they'll actually use it. That's been the challenge of the last
couple decades, getting people to use it. People use things that they play
with. I think thus that play is part of security, too. What's "groundbreaking"
in what we're doing is that we're having fun and encouraging others to do so,
too.

Jon
-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii
wj8DBQFRFfWQsTedWZOD3gYRAmYJAKDJ8exiTiWgzMy11mp/FKEN8TXpUACdHTPW
dHbRrgTqwb3R5oPHvWEC8Pg=
=b3gk
-----END PGP SIGNATURE-----