On 20/05/13 20:08 PM, Mark Seiden wrote:
> (i know that at least jake and ian understand all the nuances here, probably
> better than me.)
>
> but still, i would like you to consider, for a moment, this question:
>
> suppose there were a service that intentionally wanted to protect recipients
> of communications from malicious traffic? when i was at $big_provider, i spent
> an awful lot of time and energy communicating with colleagues and sharing
> threat intelligence about bad guys. i.e. accumulating reputation information
> about the counterparties.
>
> any mechanism to do this (that i could think of, anyway) presents a possible
> risk to those communicants who want no attributable state saved about their
> communication. either these are privacy freaks (not intended pejoratively: for
> whatever reason, they're entitled to be…) … or criminals.
Right. I definitely agree and I'm in that business myself -- designing
a system that is oriented towards protecting our customers as much from
themselves as from their enemies. And, I haven't even got e2e-in-chat
as yet so some claim of hypocrisy might stick.
To be fair to skype, if and when they decided to rollback their e2e, how
would they have broached this to users? I have an answer for my world,
but it isn't a trivial plugin that skype or a similar company could
download&rollout; I don't know how your regular business would attack
this situation.
Has there been any successful case study of a security vendor rolling
back a security feature? Or is the ostrich strategy the only known way?
> it's really hard to engineer systems that will satisfy the needs of privacy
> freaks while still protecting the naive, and not at the same time equip
> criminal enterprises. most of us seem to be willing to engineer to trust
> ourselves (the operators of the facility) to have good taste in protecting all
> but the criminals. only a few of us are willing to go as far as "you can trust
> us because you don't have to".
Yeah. One of the bigger issues that we have to deal with here is that
classical CIA is not really appropriate. For historical reasons, we
picked up the standard practices from the military a long time ago, and
the history of the 1990s and 2000s has shown us that more is needed than
some form of cryptographic self-entertainment.
> i still believe microsoft is trying to do the right thing here for 99*% of
> their users, but they can't help but get slammed because they haven't been
> crystal clear about it, hiding the activity with weasel words and legalese in
> their TOS. i also agree that relying on an old and inapplicable security
> review would be a deceptive practice.
>
> i agree with ian that telling people what your system does so they can manage
> their own risks (transparency) is a good middle ground. (but it also enables
> criminals to know how to avoid detection, not a society good).
That latter point -- that criminals would understand our system if we
told them -- I think I disagree with. IMHO criminals are actually far
better at this job than we are. They are far more discerning, far more
economic, and they have better incentives. A better track record, and
better pay.
> (so now we all know, skype is not suitable for privacy freaks or criminals!
> woo hoo.)
The question is, is it useful for anyone in a privacy sense? Let's do
some quick analysis. Which is the most likely scenario to attack the
ordinary person: NSA snooping, court subpoena, private litigation with
business partner or family member snooping?
I'd posit it is in reverse order. Protecting your node against the
person you're talking to is far more important. To some extent this
means setting the caching on your skype IM settings to low, and cleaning
it out; but it also means that if you are in business or any court
situation (divorce? abuse? insider trading?) you now have to consider
that the other party can now subpoena against skype.
> (btw, keep in mind that any hosting provider can inspect hosted web content
> on their backends, which would show nothing in web access logs. their TOS
> doubtless permits that. there is nothing that i know of that requires your
> hosted content or your site activity to not be looked at by your provider,
> unless stored communication is involved, and even then there are provider
> exceptions such as for malware and AV scanning.)
You are right, and I expect Skype to invoke the TOS defence.
But this also tells us we're already in trouble. For several reasons.
If TOS need to be drawn on to be able to do things that are a surprise
to the user, then the explanation hasn't been very good. Also, TOS as a
defence is a strong signal that USA-lawyer-itis has struck deep into the
security department, and we now have a foil or facade to hide the real
security model. Further, TOS is a burden on all users, who don't
understand them, and typically won't read them because they don't
explain what the users need to know.
The standard of mud in TOS is the CA/Browser business. E.g., they
provide nothing, they charge a lot, they engage in cartels to keep their
franchise alive, and they blithely avoid the real, documented and
expensive attacks on users. Pop quiz -- can anyone identify the value
to users in TOS or practices documents?
http://en.wikipedia.org/wiki/Extended_Validation_Certificate#PKI-Me-Harder
Is the CA-anti-standard one to which Microsoft/Skype aspires? I had
actually thought that Microsoft had understood the lesson of the 2000s
by now and realised that security was not just a media wash or a TOS
deception, and that in part their loss of market to Apple was because
Apple took security more seriously (look Mum, still no viruses...).
The Skype revelation has me a bit surprised.
iang
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography