One standard step in designing almost any security system is to define a threat model. What attacks are to be expected? What resources will attackers have? What skills? What access to the system? And so on.
One common way for systems to fail is when someone attacks in a way that is outside the threat model. The database system that is heavily secured against outside intruders, but not adequately against a dishonest admin or a trojan that takes over a manager's machine. The bulletproof vest that does not stop a knife, etc.

It seems to me our model must be some sort of hybrid, because there are quite a few threats. One threat is commercial tracking, the whole mess involving advertiser cookies, data collection by the major players whether MSN messaging, Gmail, Facebook, Twitter, ... There are already at least partial defenses against that: TOR, browser settings, ...

A related issue is lack of user control. I cannot talk to my friends via Facebook or Twitter without making that conversation public in some ways. There's a whole set of design problems there, which some people are already tackling: Diaspora, StatusNet, etc. What can the Box bring to that party?

Another related issue is forced disclosure. The US government has been demanding Twitter records in relation to WikiLeaks. Last I heard, that was still before the courts. In another case, lawyers for a UK football player claiming libel are demanding records, via a US court. Whatever the outcome in those particular cases, we need to consider that class of threat, and not just from the US gov't or British libel laws. There are legal defenses against some of them in some countries. In other places, legal resistance would be futile or even dangerous. The only technical defenses I know of are either to not keep records in the first place or to routinely and effectively delete them after a short time. Those affect the ability to manage spam, which is a problem on most social networks. I'm not sure what else they affect, either in general system administration or in the specific tools we need for users to manage trust and privacy.

The user's computers can be a threat. Consider the average student at a Chinese university, one of the ones I've taught English to. Her computer is most likely a laptop running (a "pirate" copy of) Windows XP. If there is an anti-virus product installed, it is most likely the Chinese "Rising Anti-Virus", with Kaspersky a distant second and no-one else in the running. There's about a 20% chance she has none at all. If she routinely uses the Box from that machine, what are the additional threats? Perhaps we cannot defend her data in that case, but can we at least minimize the damage to other users of that Box? Can we guarantee she cannot harm users of other Boxes?

Governments can be a threat. Right now, the US government is chasing WikiLeaks with considerable zeal. There are plenty of other examples of governments getting quite aggressive about things they deem threats to national security. There are also quite a few examples of people being prosecuted for things they have said or written that are just not allowed in some country. Today's Slashdot mentions a case in Thailand; the guy faces 15 years for each count of insulting the royal family. If a major government is disturbed enough about something people are doing with the Boxes, that is a serious threat indeed. At that point, the attackers can be expected to be professionals with huge resources and enough time to research and plan clever attacks.

_______________________________________________
Freedombox-discuss mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
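The post's forced-disclosure section names one technical defense, short retention, and worries that it conflicts with spam management. The sketch below is an added illustration of how the two can coexist; it is not code from the post or from the FreedomBox project. It assumes a hypothetical one-week retention window and a hypothetical per-minute send limit: message content is purged on a fixed schedule, while the spam control keeps only a keyed hash of the sender and a sliding window of timestamps, both of which expire within a minute and are salted per process so nothing in the rate-limit table is worth disclosing.

```python
"""Data-minimisation sketch: short-retention message store plus a spam
rate limiter that holds no content and no long-lived per-user history.
Added example, not FreedomBox code. Constants are hypothetical policy."""
import hashlib
import os
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict

RETENTION_SECONDS = 7 * 24 * 3600   # hypothetical policy: keep messages one week
SPAM_WINDOW_SECONDS = 60            # hypothetical: rate-limit window of one minute
SPAM_MAX_PER_WINDOW = 20            # hypothetical: at most 20 messages per window


@dataclass
class Message:
    sender: str
    body: str
    received_at: float


@dataclass
class ShortRetentionStore:
    clock: Callable[[], float] = time.time
    _messages: Deque[Message] = field(default_factory=deque)
    # keyed sender hash -> timestamps of recent sends (oldest first)
    _send_times: Dict[str, Deque[float]] = field(default_factory=dict)
    # fresh per process, so rate-limit keys cannot be correlated across restarts
    _salt: bytes = field(default_factory=lambda: os.urandom(16))

    def _sender_key(self, sender: str) -> str:
        # Keyed hash: the rate-limit table never holds plain identifiers.
        return hashlib.blake2b(sender.encode(), key=self._salt,
                               digest_size=16).hexdigest()

    def accept(self, sender: str, body: str) -> bool:
        """Store a message unless the sender exceeds the window limit."""
        now = self.clock()
        self.purge(now)
        times = self._send_times.setdefault(self._sender_key(sender), deque())
        while times and now - times[0] > SPAM_WINDOW_SECONDS:
            times.popleft()
        if len(times) >= SPAM_MAX_PER_WINDOW:
            return False                      # rate-limited: nothing stored
        times.append(now)
        self._messages.append(Message(sender, body, now))
        return True

    def purge(self, now: float = None) -> int:
        """Drop records past retention and stale rate-limit entries."""
        now = self.clock() if now is None else now
        removed = 0
        while self._messages and now - self._messages[0].received_at > RETENTION_SECONDS:
            self._messages.popleft()
            removed += 1
        stale = [k for k, t in self._send_times.items()
                 if not t or now - t[-1] > SPAM_WINDOW_SECONDS]
        for k in stale:
            del self._send_times[k]
        return removed

    def count(self) -> int:
        return len(self._messages)

    def tracked_senders(self) -> int:
        return len(self._send_times)


class FakeClock:
    """Controllable clock so the retention behaviour can be exercised offline."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Constructed scenario: one sender bursts 25 messages, then a week passes."""
    clock = FakeClock()
    store = ShortRetentionStore(clock=clock)
    accepted = sum(store.accept("alice@example.invalid", f"hello {i}") for i in range(25))
    clock.advance(8 * 24 * 3600)              # eight days later
    removed = store.purge()
    return {"accepted": accepted, "removed": removed,
            "remaining": store.count(), "tracked_senders": store.tracked_senders()}


if __name__ == "__main__":
    print(demo())
```

The point of the split is that the spam control needs only "how many sends in the last minute", which can be answered from ephemeral, keyed counters, while the records a court or government might demand (who said what to whom) live only in the store that the retention purge empties on schedule.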
