Although we could narrow the discussion to "is platform x secure enough for threat model y", the scope is wider than that, and was presented by Jonathan Zittrain in his "The End of Crypto" talk - https://www.youtube.com/watch?v=3ijjHZHNIbU - I'm sure many of you have seen it.

[ Remark: I know that what he says towards the end of the talk is embarrassingly misguided (see https://dubiousdod.org/go/TheEndOfCrypto for my 0.002BTC worth), but the first hour is a must watch if you haven't seen it yet ]

The question Zittrain asks is "how can we trust end-to-end crypto if we don't own the end points?" Obviously systems are too complex for most people to really figure out what exactly is running on their computer, and modern systems (from smart phones to Unity) make it harder and harder for users (even "power users") to peek under the hood. This is how we've ended up with app stores, "secure boot", and other forms of authoritarian solutions. This doesn't guarantee anything (vulnerabilities and malware are not necessarily detected), but at least it gives a "not my department" kinda peace of mind :) Someone else has power (and - theoretically - responsibility) over my private machine, and that power is bound to end up in the hands of power seekers (and indeed it does).

So what's the alternative? Train every granny to be a security ninja? Probably not, but instead of the "never jailbreak - or you won't be protected" meme, I'd rather see solutions that offer jailbreak *and* an alternative "safety net". Not an alternative authoritarian "good guy app-store" (because power is power is power), but something similar to [say] Debian's apt - where a user (or the user's tech support) can add/remove software sources. Not saying apt is the solution, but being able to choose more than one "store" is what freedom is all about.

If we could give end users a phone that only installs stuff approved by [say] "Guardian Project Clearing House", they'd already have a "pretty secure phone". A smart user could add "Whisper Systems" or "My Ngo" as sources (would require safeguards like phone-specific password, QR-code certificate, etc.). This requires two things that [IMHO] don't exist yet: an OS (based on Android, B2G, Linux, etc. or maybe something new) that supports multi-authority code signing (and effectively prevents rogue code from running), and then - a few clearing-houses that provide a rich enough "app bazaar". This may seem like utopia, but remember that where we are today seemed like dystopia a decade ago :) Personally, I believe we [the FLOSS crowd] can do it. Are we not legion? :)
-- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
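The "multiple sources, user picks which ones to trust" policy sketched in the post, as an added example that is not part of the original message and not code from any of the projects it names. It models each clearing house as an Ed25519 signing authority, keeps a user-editable trust store (the apt-sources analogue), and installs a package only if an enabled authority has signed it. The authority names and the package payloads are constructed for the demo; the safeguards the post mentions for adding a source (device password, QR-scanned certificate) are assumed to sit in front of AddSource and are not implemented here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authority is one "clearing house" the user may trust. Names are constructed.
type Authority struct {
	Name string
	Pub  ed25519.PublicKey
}

// TrustStore is the user-editable list of enabled software sources.
type TrustStore struct {
	authorities map[string]Authority
}

func NewTrustStore() *TrustStore {
	return &TrustStore{authorities: map[string]Authority{}}
}

// AddSource enables an authority. A real device would gate this behind a
// device password or a QR-scanned certificate (assumed, not implemented).
func (t *TrustStore) AddSource(a Authority) { t.authorities[a.Name] = a }

// RemoveSource disables an authority; packages it signed stop being installable.
func (t *TrustStore) RemoveSource(name string) { delete(t.authorities, name) }

// SignedPackage is a package payload plus the endorsements it carries.
type SignedPackage struct {
	Name    string
	Payload []byte
	Sigs    map[string][]byte // authority name -> Ed25519 signature over Payload
}

var ErrNotTrusted = errors.New("no enabled authority has signed this package")

// Verify returns the name of the first enabled authority whose signature over
// the payload checks out. Signatures from unknown or disabled authorities are
// ignored, so a rogue signer gets no say; a modified payload fails verification.
func (t *TrustStore) Verify(p SignedPackage) (string, error) {
	for name, sig := range p.Sigs {
		a, ok := t.authorities[name]
		if !ok {
			continue // signer is not in the user's source list
		}
		if ed25519.Verify(a.Pub, p.Payload, sig) {
			return name, nil
		}
	}
	return "", ErrNotTrusted
}

// newAuthority generates a fresh keypair for a constructed clearing house.
func newAuthority(name string) (Authority, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Authority{Name: name, Pub: pub}, priv
}

// Scenario walks the policy through constructed authorities and packages and
// reports, per labelled case, whether the package would be installed.
func Scenario() map[string]bool {
	store := NewTrustStore()
	gph, gphKey := newAuthority("Guardian Project Clearing House")
	wsys, wsysKey := newAuthority("Whisper Systems")
	rogue, rogueKey := newAuthority("Rogue Store")
	store.AddSource(gph) // the phone ships with one clearing house enabled

	payload := []byte("app: constructed-messenger v1.0") // constructed manifest
	sign := func(a Authority, k ed25519.PrivateKey, data []byte) SignedPackage {
		return SignedPackage{Name: "messenger", Payload: data,
			Sigs: map[string][]byte{a.Name: ed25519.Sign(k, data)}}
	}
	byGPH := sign(gph, gphKey, payload)
	byWhisper := sign(wsys, wsysKey, payload)
	byRogue := sign(rogue, rogueKey, payload)
	tampered := SignedPackage{Name: byGPH.Name, Sigs: byGPH.Sigs,
		Payload: []byte("app: constructed-messenger v1.0 + extra code")}

	accepted := func(p SignedPackage) bool { _, err := store.Verify(p); return err == nil }
	results := map[string]bool{}
	results["default-source"] = accepted(byGPH)   // true: enabled signer
	results["unlisted-source"] = accepted(byWhisper) // false: not yet enabled
	results["rogue-source"] = accepted(byRogue)   // false: never enabled
	results["tampered"] = accepted(tampered)      // false: payload changed
	store.AddSource(wsys)
	results["after-add-source"] = accepted(byWhisper) // true
	store.RemoveSource(gph.Name)
	results["after-remove-source"] = accepted(byGPH) // false
	return results
}

func main() {
	for k, v := range Scenario() {
		fmt.Printf("%-20s accepted=%v\n", k, v)
	}
}
```

The point of the design is that trust decisions live in the user's trust store, not in a single vendor key: adding a second source widens what installs, removing a source narrows it, and a signature from an authority the user never enabled is simply ignored.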
