Gotta agree with others who note consensus as a problem...the reason (in my view) being that risk assessment is imperative and that no single guide can respond to various risk models.
On Tue, Aug 7, 2012 at 1:25 AM, Luke Allnutt <[email protected]> wrote:
>
> With Frank's message in mind, do list members have thoughts about the best dumbed-down guide for activists to stay safer online?
>
> I know EFF, MobileActive, and Movements.org have done some good work in this field, but wondered whether there is a consensus on a good short, easy-to-understand document for activists?
>
> Luke
>
>
> <[email protected]>
> Sent by: [email protected]
>
> 08/07/2012 07:19 AM
> To
> "Moxie Marlinspike" <[email protected]>,
> [email protected]
> cc
> Subject
> Re: [liberationtech] What I've learned from Cryptocat
>
>
> Hey guys,
>
> I appreciate the importance and depth of this discussion. But I also wish to underscore that most of the people who are at risk are not using any tools whether they be CryptoCat, PGP, GChat or others for the simple reason that they either cannot figure them out, or don't have time to figure them out, or both. And I am talking about people at risk in many different nations.
>
> No doubt the functional security of tools is an indispensable, essential concern. Ignoring any vulnerabilities is dangerous, indeed. But the usability of the same tools and making them accessible to non-technologists is just as big a concern, in my view. I know you guys think that many such users including Western journalists are simply lazy. But many, if not most of the available tools are simply not intuitive, or not as much as most technologists who already know how to use them seem to think.
>
> How many people on this list have spent time asking non-technologists and other users who have tried, but have since given up even trying to use tools like PGP? Or have examined how new users interact with such tools? I have a great deal of respect for this community. But to be honest it seems to me that neither the technologists nor the donors have spent much time asking such questions.
>
> If a novice user makes a mistake in PGP, for example, it's over. Options are not intuitive if you don't already know them. And if you hit the wrong button, you can end up at a dead end with no guidance how to get back on track. Trust me. I know. And I am not trashing PGP. I know well and fully appreciate its value and I have used it and continue to use it in hostile environments. And I also know that users and only users can make crucial choices during use for their own security. I get that, too. But most digital security tools still do not do a good job of laying out, let alone explaining the options. And I say that with respect for the value of the tools and options themselves.
>
> Cryptocat is one of the most user-friendly tools out there, and I think Nadim deserves credit for the effort. Of course, the vulnerabilities must be fixed before anyone should use it in a hostile environment. Although the level of vulnerability might also depend on the nature of the threat in any particular environment. But I also think we need to spend as much time making tools accessible as we do making them secure if we are going to reach the people who really need them. And right now few if any of these tools are having the reach that we all agree is needed. And that is an issue largely of usability.
>
> I think with more constructive collaboration we would achieve both. We need to. Thanks.
>
> Best, Frank
>
> Frank Smyth
> Executive Director
> Global Journalist Security
> [email protected]
> Tel. + 1 202 244 0717
> Cell + 1 202 352 1736
> Twitter: @JournoSecurity
> Website: www.journalistsecurity.net <http://www.journalistsecurity.net/>
> PGP Public Key <http://www.journalistsecurity.net/franks-pgp-public-key>
>
> Please consider our Earth before printing this email.
>
> Confidentiality Notice: This email and any files transmitted with it are confidential. If you have received this email in error, please notify the sender and delete this message and any copies. If you are not the intended recipient, you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
>
>
> -------- Original Message --------
> Subject: Re: [liberationtech] What I've learned from Cryptocat
> From: Moxie Marlinspike <[email protected]>
> Date: Mon, August 06, 2012 10:29 pm
> To: [email protected]
>
> On 08/06/2012 06:59 PM, Eleanor Saitta wrote:
> > Except that with your harm mitigation, you push many potential users back to plaintext, where they are guaranteed to be owned. What percentage of potential cryptocat users would the plugin version have to stop from using the tool for you to accept that there was a place for the non-plugin version?
>
> Let's stop using the word "plaintext," because my understanding is that none of the chat services we're speaking of transmit data in the clear. As I see it, there are currently three possible vectors for attack with "existing" web-based chat services:
>
> 1) SSL interception.
> 2) Server compromise.
> 3) Server operator.
>
> The technology in CryptoCat v1 does not address any of these three vectors, and all of them remain possible. My position is that it's actually more susceptible to attack via #1 and #2 than existing web-based chat solutions. I believe your position is that it improves on vector #3 by virtue of being not-Facebook. (I'm curious how you measure #3 in comparison to GChat.)
>
> If we postulate that CryptoCat does improve vector #3 by virtue of being not-Facebook, it isn't a result of the technology, but simply that we've agreed Nadim has a better monitoring/interception track record than Facebook. If that's something you think is valuable, it actually seems like it'd potentially be better served by having someone like the EFF or Riseup host a web-based and SSL-protected chat service, without bringing any additional cryptography confusion into the mix. A trust project, not a cryptography project.
>
> Unfortunately for me, I'd rather depend on cryptography than people. But I believe that CryptoCat is actually well positioned to drive changes in the ecosystem that will allow them to really improve on those three vectors in time. I think it's difficult to experiment in public with security tools, however, and that it's a sage decision to make a secure solution available (CryptoCat v2) and work on reducing friction while maintaining security from there.
>
> - moxie
>
> --
> http://www.thoughtcrime.org
>
> _______________________________________________
> liberationtech mailing list
> [email protected]
>
> Should you need to change your subscription options, please go to:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
>
> You will need the user name and password you receive from the list moderator in monthly reminders. You may ask for a reminder here: https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> Should you need immediate assistance, please contact the list moderator.
>
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech

--
+1-857-891-4244 | jilliancyork.com | @jilliancyork
"We must not be afraid of dreaming the seemingly impossible if we want the seemingly impossible to become a reality" - Vaclav Havel
