On 17-05-13 10:52, bpmcontrol wrote:
On 05/17/2013 04:19 AM, Eugen Leitl wrote:
On Fri, May 17, 2013 at 10:26:07AM +0300, ianG wrote:
Is it unreasonable for us to expect Skype to go another way? Are
we asking too much?
It is unreasonable for an closed source product by a commercial
vendor to go any other way.
Makes perfect sense. as its sometimes required by law, other times
required to keep the users safe or companies away from legal harm.
Yes, I consider it unreasonable and harmful. Each device must be secured
to act only in the interests of its owner.
It works both ways:
If a company (say a bank) needs to monitor it traders, it can so with
company provided equipment for trading. The bank stays in control of the
equipment and what can be done with it. Every personal email sent over
company equipment can and probably will be monitored by the compliance
department. Notice, the bank is in control of all software on the
trading computer, the trader has no control of it.
The private phones/computers/tablets of the employees are in control of
the people. It cannot me monitored by the bank. But, using the personal
phone for business deals is a firing offense.
BYOD is a privacy and security disaster in the making. Especially with
electronics getting cheaper all the time. Best to avoid that snake pit.
Fortunately, we have more or less useful open source/P2P
alternatives which can be be forked if they start going sideways.
I do wonder, can we reasonably expect that integrity of open source
software today? Im not blaming anyone, let me explain: The threat of
forking or noticing any wrong doing was probably enough in previous
years. But these days, software is much bigger, back doors are much
subtler, and worst of all - There is a lot of money to be made if
you know of a back door. So the temptation of putting one has grown.
Has the community's ability to review code for such issues grown
proportionally? I use more code in a day than I can reasonably review
in a life time. (Not that I'm any example, but I think the point is
clear.) I cant even pay for someone else to review it, since if they
do find a bug, they can sell it for much more than what I can give
them.
Of course, I may just be paranoid, as I cant prove anything of the
sort.
This calls for better operating systems: minix.org, genode.org,
Keykos -> eros-os.org -> coyotos.org. Probably many more. With these
operating systems it will be much harder for an attacker to get to run
his code. And it is easier for users to use it correctly and safely.
On top of those OSes we can deploy <a
href="http://eccentric-authentication.org/>"Eccentric Authentication</a>.
Regards, Guido Witmond.
--
Perfect crypto on untrusted hardware equals snake oil crypto on
trustworthy hardware.
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
