Torproject disease infects WhatsApp - User experience trumps(sic) security

2017-02-04 Thread Anti Fag
> Marina Brown catskillmarina at gmail.com
> Sat Feb 4 12:43:54 PST 2017
>
> It's not hard. People are just lazy and spoiled with their facebook messenger.

Fb messenger uses e2e encryption.

>
> Most users today value convenience over security.

Security increases convenience.

The problem is in your mind; the way you see the world; everything in 
opposition.

Fix that first.

Re: Torproject disease infects WhatsApp - User experience trumps(sic) security

2017-02-04 Thread Marina Brown
On 01/16/2017 01:38 AM, James A. Donald wrote:
> On 1/16/2017 1:28 PM, juan wrote:
>> people need to learn how to manage their keys - it's not hard...
> 
> Is hard.
> 
> We have been through this already.
> 

It's not hard. People are just lazy and spoiled with their facebook
messenger. Most users today value convenience over security. Whine,
whine, whine and that includes many so called power users.





Re: Torproject disease infects WhatsApp - User experience trumps(sic) security

2017-01-17 Thread John Newman
On Tue, Jan 17, 2017 at 03:33:11PM -0300, juan wrote:
> On Tue, 17 Jan 2017 12:18:36 -0500
> John Newman  wrote:
> 
> 
> > 
> > You can also serve your keys on a web server you control over HTTPS
> > with a legit signed certificate. $8 from comodo, free from the let's
> > encrypt people and startssl people
> 
>   Why is comodo more trustable than the let's encrypt bunch? 
> 

I don't see any reason it would be... I just mentioned comodo because
they are cheap and slightly less of a hassle than going with the free
CAs.

John 


Re: Torproject disease infects WhatsApp - User experience trumps(sic) security

2017-01-17 Thread juan
On Tue, 17 Jan 2017 12:18:36 -0500
John Newman  wrote:


> 
> You can also serve your keys on a web server you control over HTTPS
> with a legit signed certificate. $8 from comodo, free from the let's
> encrypt people and startssl people

Why is comodo more trustable than the let's encrypt bunch? 



Re: Torproject disease infects WhatsApp - User experience trumps(sic) security

2017-01-17 Thread John Newman


> On Jan 17, 2017, at 12:11 AM, Shawn K. Quinn  wrote:
> 
>> On 01/16/2017 11:00 PM, James A. Donald wrote:
>> Is hard.
>> 
>> Suppose I want to talk to you about something that is actually
>> important.  I ask you to email me your public key.  How do I know that
>> the key I receive is the key you sent?
> 
> If you think someone's monkeying with your email, then you don't do the
> key exchange that way, you do it in person or at the very least you
> verify it in person or over the phone.
> 
>> One solution is to make your public key as public as possible, affix it
>> to all your communications and never change it.
>> 
>> But you are not doing that.
> 
> That's what keyservers are for. Affixing the key to every message is a
> needless waste of space.
> 

You can also serve your keys on a web server you control over HTTPS with a 
legit signed certificate. $8 from comodo, free from the let's encrypt people 
and startssl people

This is one of the nice things about keybase.io.

> -- 
> Shawn K. Quinn 
> http://www.rantroulette.co
> http://www.skqrecordquest.com
> 



Re: Torproject disease infects WhatsApp - User experience trumps(sic) security

2017-01-17 Thread Steve Kinney
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



On 01/15/2017 01:33 PM, Razer wrote:
>> At issue is the way WhatsApp behaves when an end user's
>> encryption key changes. By default, the app will use the new key
>> to encrypt messages without ever informing the sender of the
>> change
>> 
>> Critics of Friday's Guardian post, and most encryption
>> practitioners, argue such behavior is common in encryption apps
>> and often a necessary requirement. Among other things, it lets
>> existing WhatsApp users who buy a new phone continue an ongoing
>> conversation thread.
> 
> 
> Ars Technica agrees: "Reported “backdoor” in WhatsApp is in fact a
> feature"
> 
> http://arstechnica.com/security/2017/01/whatsapp-and-friends-take-umbrage-at-report-its-crypto-is-backdoored/

"For the attack to work well, it would require control of a WhatsApp
server, which is something most people would consider extraordinarily
difficult to do."

"WhatsApp does not give governments a "backdoor" into its systems and
would fight any government request to create a backdoor."

without ever informing the sender of the change

without ever informing the sender of the change

without ever informing the sender of the change

... because that might confuse someone, might frighten someone, might
make someone think about what they are doing, might shatter the
illusion that WhatsApp loves and cares for them and keeps them
perfectly safe forever and ever.  Asking the Consumer of an Experience
to think or act like a User wielding a Tool is the ultimate affront to
all that is good and holy in this, the best of all possible worlds.

Perfect helplessness, total dependency, and absolute safety are human
rights.  Accepting these rights into your life as free gifts is enough
to secure them for yourself and your posterity.  Kind, loving,
all-powerful corporations only want to make it just so, and all they
ask is a few screen taps or mouse clicks:  Just Say Yes.  Won't you
accept them into your heart and life?  It would be so cruel and unfair
to deny them the only thing they ask for in this world, a chance to
take care of you.




-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (GNU/Linux)

-END PGP SIGNATURE-


Re: Torproject disease infects WhatsApp - User experience trumps(sic) security

2017-01-16 Thread Shawn K. Quinn
On 01/16/2017 11:00 PM, James A. Donald wrote:
> Is hard.
> 
> Suppose I want to talk to you about something that is actually
> important.  I ask you to email me your public key.  How do I know that
> the key I receive is the key you sent?

If you think someone's monkeying with your email, then you don't do the
key exchange that way, you do it in person or at the very least you
verify it in person or over the phone.

> One solution is to make your public key as public as possible, affix it
> to all your communications and never change it.
> 
> But you are not doing that.

That's what keyservers are for. Affixing the key to every message is a
needless waste of space.

-- 
Shawn K. Quinn 
http://www.rantroulette.com
http://www.skqrecordquest.com





Re: Torproject disease infects WhatsApp - User experience trumps(sic) security

2017-01-16 Thread James A. Donald

> people need to learn how to manage their keys - it's not hard...


On 1/17/2017 9:55 AM, StealthMonger wrote:

Yes!


We are crypto activists and crypto software developers, but somehow we 
do not seem to have a secure way to communicate with each other.


If not us, who?   I used to have your PGP keys, I don't think I have 
them any more.  I have not used PGP for a very long time, and neither 
have you.




Re: Torproject disease infects WhatsApp - User experience trumps(sic) security

2017-01-16 Thread James A. Donald

people need to learn how to manage their keys - it's not hard...


On 1/17/2017 9:55 AM, StealthMonger wrote:

Yes!


Is hard.

Suppose I want to talk to you about something that is actually 
important.  I ask you to email me your public key.  How do I know that 
the key I receive is the key you sent?


One solution is to make your public key as public as possible, affix it 
to all your communications and never change it.


But you are not doing that.


Re: Torproject disease infects WhatsApp - User experience trumps(sic) security

2017-01-16 Thread StealthMonger
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

juan  writes:


>   people need to learn how to manage their keys - it's not hard...

Yes!

This message needs to be repeated, reaffirmed, and reaffirmed again --
in any forum where there might be a receptive reader.

Managing keys should be no more difficult than maintaining an address
book, which lots of people do all the time.

>   people need to learn how to manage their keys - it's not hard...

>   people need to learn how to manage their keys - it's not hard...

Yes!

Yes!

- -- 


 -- StealthMonger 
Long, random latency is part of the price of Internet anonymity.

   anonget: Is this anonymous browsing, or what?
   
http://groups.google.ws/group/alt.privacy.anon-server/msg/073f34abb668df33?dmode=source=gplain

   stealthmail: Hide whether you're doing email, or when, or with whom.
   mailto:stealthsu...@nym.mixmin.net?subject=send%20index.html


Key: mailto:stealthsu...@nym.mixmin.net?subject=send%20stealthmonger-key

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.9 

iEYEARECAAYFAlh9M64ACgkQDkU5rhlDCl6NEQCfUCEH1btYTNCH1byfqstEVpMm
MEYAoJVFSmKcmCbOLd4v451+iVz6R+kE
=67xk
-END PGP SIGNATURE-



Re: Torproject disease infects WhatsApp - User experience trumps(sic) security

2017-01-16 Thread juan
On Mon, 16 Jan 2017 16:38:29 +1000
"James A. Donald"  wrote:

> On 1/16/2017 1:28 PM, juan wrote:
> > people need to learn how to manage their keys - it's not
> > hard...
> 
> Is hard.
> 
> We have been through this already.


I'm surprised you haven't figured out what the problem is.
What's missing is some whipping, lashing, spanking,
arm-twisting and the like. The Victorians got it right when
they tortured white children in schools. The best way for
people to learn stuff is by means of physical punishment. 

So perhaps you should get a law passed enacting beatings
proportional to lack of academic achievements.





Re: Torproject disease infects WhatsApp - User experience trumps(sic) security

2017-01-16 Thread Razer


On 01/15/2017 09:31 PM, Steve Kinney wrote:
>
>
> A work in progress:
>
> A Millennials' Digital Bill Of Rights
>
> We hold these truths to be self evident, that all First World Middle
> Class tweens, teens and 20-somethings are created superior, and are
> endowed by their Creator with certain inalienable digital rights
> including:
>
> To have their personal needs anticipated and met without effort on
> their part.
>
> To do exactly as they please at all times with no chance of
> destructive consequences.
>
> To maintain high bandwidth 24/7 omniplexed network participation with
> full privacy and security.
>
> To be protected from abuse of State and Corporate power by State and
> Corporate actors.
>
> Our up and coming Consumers did not choose these self- and mutually
> contradictory demands themselves; they have been indoctrinated by a
> seamless lifelong sales campaign, a uniform front of instant
> gratification product offerings and attractively packaged Experiences.
>  No "conspiracy" was required to implement this program; it arose
> naturally from commercial competition.  But this spontaneously
> self-organized Standard has been recognized, formalized, and is now
> consciously pursued by every significant vendor in the consumer
> electronics, software and network services sphere.  The market has
> spoken and the UX future is now.
>
> A monitored life for every consumer, in the cybernetic sense of the
> word monitored, has now become a conscious and calculated goal:  An
> egocasting bubble for every consumer, unbreakable walls of contempt
> and alienation between every pseudo-tribe, a navigation funnel for
> every human need, and a grand illusion of personal autonomy for every
> captive consumer.  All consumers shall be sold both aspirations and
> the fulfillment of those aspirations in an eternally self adjusting
> feedback cycle of surveillance and adaptive stimulation.
>
> Users?  Please.  General purpose programmable computers in private
> hands create problems, not Solutions.  Laughable wannabe-elitist
> Lusers are already being phased out of society, and good riddance.  We
> will of course need a /few/ thoroughly vetted and deeply dependent
> grunt workers to design and program devices to meet sales and
> marketing objectives.  There will also be deviant technophiliac rats
> in the walls of the global village, but exterminators make money you know.
>
>

> "And our children will live ... to see that perfect world in which
> there's no war or famine, oppression or brutality -- one vast and
> ecumenical holding company, for whom all men will work to serve a
> common profit, in which all men will hold a share of stock, all
> necessities provided, all anxieties tranquilized, all boredom amused."
> -Arthur Jensen

https://www.youtube.com/watch?v=jxiT30N6ti4

Text Available at American Rhetoric:
http://www.americanrhetoric.com/MovieSpeeches/moviespeechnetwork4.html



Re: Torproject disease infects WhatsApp - User experience trumps(sic) security

2017-01-15 Thread James A. Donald

On 1/16/2017 1:16 PM, Shawn K. Quinn wrote:

Alternatively, how about Viber redesigning their software such that
Alice and Bob can give each other their public keys without Viber
headquarters even having to get involved,


I have written such software.  Nobody wanted to use it.

I simplified end user key management as much as I could, but it was not 
that simple.


Torproject disease infects WhatsApp - User experience trumps(sic) security

2017-01-15 Thread Big 'Uns
> On Sun, Jan 15 2017 21:31:59 -2100
> "Steve Kinney"  wrote:
>
> A Millennials' Digital Bill Of Rights

Yeah, because gen y created all the shit tech and related laws.

Get fukt, lol !



Re: Torproject disease infects WhatsApp - User experience trumps(sic) security

2017-01-15 Thread Steve Kinney
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



On 01/15/2017 03:39 PM, Spencer wrote:
> Hi,
> 
>> 
>> Razer: Torproject disease infects WhatsApp - User experience
>> trumps(sic) security
>> 
> 
> Security is a usability issue.
> 
>> "failure to obtain permission"
> 
> "Better to ask forgiveness ..."
> 
> An increasing usability "feature" trend.
> 
> Wordlife, Spencer

A work in progress:

A Millennials' Digital Bill Of Rights

We hold these truths to be self evident, that all First World Middle
Class tweens, teens and 20-somethings are created superior, and are
endowed by their Creator with certain inalienable digital rights
including:

To have their personal needs anticipated and met without effort on
their part.

To do exactly as they please at all times with no chance of
destructive consequences.

To maintain high bandwidth 24/7 omniplexed network participation with
full privacy and security.

To be protected from abuse of State and Corporate power by State and
Corporate actors.

Our up and coming Consumers did not choose these self- and mutually
contradictory demands themselves; they have been indoctrinated by a
seamless lifelong sales campaign, a uniform front of instant
gratification product offerings and attractively packaged Experiences.
 No "conspiracy" was required to implement this program; it arose
naturally from commercial competition.  But this spontaneously
self-organized Standard has been recognized, formalized, and is now
consciously pursued by every significant vendor in the consumer
electronics, software and network services sphere.  The market has
spoken and the UX future is now.

A monitored life for every consumer, in the cybernetic sense of the
word monitored, has now become a conscious and calculated goal:  An
egocasting bubble for every consumer, unbreakable walls of contempt
and alienation between every pseudo-tribe, a navigation funnel for
every human need, and a grand illusion of personal autonomy for every
captive consumer.  All consumers shall be sold both aspirations and
the fulfillment of those aspirations in an eternally self adjusting
feedback cycle of surveillance and adaptive stimulation.

Users?  Please.  General purpose programmable computers in private
hands create problems, not Solutions.  Laughable wannabe-elitist
Lusers are already being phased out of society, and good riddance.  We
will of course need a /few/ thoroughly vetted and deeply dependent
grunt workers to design and program devices to meet sales and
marketing objectives.  There will also be deviant technophiliac rats
in the walls of the global village, but exterminators make money you know.


-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (GNU/Linux)

-END PGP SIGNATURE-


Re: Torproject disease infects WhatsApp - User experience trumps(sic) security

2017-01-15 Thread juan
On Mon, 16 Jan 2017 12:58:20 +1000
"James A. Donald"  wrote:

> then the CIA can be in the middle as Ann and Bob send messages to
> each other.  Ann thinks she is sending a message to Bob, but actually
> she is sending it to the CIA, which then resends it to Bob.
> 
> To prevent this,


people need to learn how to manage their keys - it's not hard...





Re: Torproject disease infects WhatsApp - User experience trumps(sic) security

2017-01-15 Thread Shawn K. Quinn
On 01/15/2017 08:58 PM, James A. Donald wrote:
> At present three hundred million people communicate by Viber.
> 
> When you install Viber, it generates a secret key and a public key and
> sends the public key to Viber headquarters.
> 
> When Ann wants to message Bob, Viber headquarters sends Ann's client
> Bob's public key, and Bob's client Ann's public key.
> 
> And then they can message each other, no one on the network, not even
> Viber headquarters, can know what they are saying to each other.
> 
> Unfortunately Viber could send Ann a public key belonging to the CIA as
> Bob's key and Bob another key belonging to the CIA as Ann's key, and
> then the CIA can be in the middle as Ann and Bob send messages to each
> other.  Ann thinks she is sending a message to Bob, but actually she is
> sending it to the CIA, which then resends it to Bob.
[...]

Alternatively, how about Viber redesigning their software such that
Alice and Bob can give each other their public keys without Viber
headquarters even having to get involved, if that's what they want? Or,
alternatively, use some other mutually trusted (by both Alice and Bob)
third party server to negotiate the key exchange.

This was poor design by Viber, especially if there's no way for Bob to
verify Alice's key is the same one he has in his Viber client and vice
versa. One has to wonder if it was designed this way by Viber on purpose.

I guess the lesson here is "don't use Viber, use something else".

-- 
Shawn K. Quinn 
http://www.rantroulette.com
http://www.skqrecordquest.com





Re: Torproject disease infects WhatsApp - User experience trumps(sic) security

2017-01-15 Thread James A. Donald

On 1/16/2017 11:04 AM, James A. Donald wrote:

Similarly, it is possible to ensure that the mapping between public keys
and IDs looks the same for everyone in the world, preventing MIM attacks
without burdening the user to manage his public keys himself.


At present three hundred million people communicate by Viber.

When you install Viber, it generates a secret key and a public key and 
sends the public key to Viber headquarters.


When Ann wants to message Bob, Viber headquarters sends Ann's client 
Bob's public key, and Bob's client Ann's public key.


And then they can message each other, no one on the network, not even 
Viber headquarters, can know what they are saying to each other.


Unfortunately Viber could send Ann a public key belonging to the CIA as 
Bob's key and Bob another key belonging to the CIA as Ann's key, and 
then the CIA can be in the middle as Ann and Bob send messages to each 
other.  Ann thinks she is sending a message to Bob, but actually she is 
sending it to the CIA, which then resends it to Bob.


To prevent this, to deny itself this capability, Viber could maintain a 
rolling global hash representing the current mapping between ids and 
public keys, and all past mappings between ids and public keys, and when 
it sends Ann the key for Bob, sends Ann the hash path connecting Bob's 
mapping to the current rolling hash for the entire world and all of history.


We have several mutually hostile people and organizations monitoring 
this rolling hash, for example the KGB, the CIA, Wikileaks, and Trump's 
security guy (who I think is one of his sons or grandsons). Your 
software picks an organization at random.  The user could intervene and 
pick one, or pick several, but ordinarily will not.


Suppose Viber headquarters arranges for the CIA to spy on Ann and Bob. 
If Ann and Bob's Viber clients have both picked the CIA for their source 
for the rolling hash, then they are out of luck, but if one of them has 
picked the KGB and the other has picked the CIA, then the one that picks 
the KGB will get the correct version of the rolling hash, in which case 
the attempted man in the middle attack will fail, and that Viber 
headquarters is collaborating with the CIA will be exposed to the KGB, 
to Ann, and to Bob.


Thus Viber could prove it is not spying on its users.
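
The hash-path check described in the message above, as an added example (not part of the original post and not Viber's code): a Merkle tree stands in for the "rolling global hash", and a client accepts a served key only if its hash path leads to the root an independent monitor reports. The function names, the monitor labels and the random bytes used as keys are assumptions for illustration; proving that an entry is the newest one for an id is left out.

```python
import hashlib
import secrets


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def leaf_hash(user_id: str, pubkey: bytes) -> bytes:
    # Distinct prefixes for leaves and interior nodes keep one from
    # being passed off as the other.
    uid = user_id.encode()
    return _h(b"\x00", len(uid).to_bytes(2, "big"), uid, pubkey)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01", left, right)


def build_levels(leaves):
    """All tree levels, leaves first; an unpaired last node moves up as is."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])
        levels.append(nxt)
    return levels


def hash_path(levels, index):
    """Sibling hashes from leaf `index` up to the root, each with its side."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            path.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return path


def root_from_path(leaf, path):
    acc = leaf
    for side, sibling in path:
        acc = node_hash(sibling, acc) if side == "L" else node_hash(acc, sibling)
    return acc


def accept_key(user_id, pubkey, path, monitor_root):
    """Client check: the served key must hash up to the monitor's root."""
    return root_from_path(leaf_hash(user_id, pubkey), path) == monitor_root


def serve(log, user_id):
    """Server reply: newest logged key for user_id, its hash path, the root."""
    levels = build_levels([leaf_hash(u, k) for u, k in log])
    index = max(i for i, (u, _) in enumerate(log) if u == user_id)
    return log[index][1], hash_path(levels, index), levels[-1][0]


def scenario():
    # Constructed data: random bytes stand in for public keys.
    ann, bob, carol, mitm = (secrets.token_bytes(32) for _ in range(4))
    real_log = [("ann", ann), ("bob", bob), ("carol", carol)]
    forked_log = [("ann", ann), ("bob", mitm), ("carol", carol)]  # shown to Ann only
    good_key, good_path, real_root = serve(real_log, "bob")
    fake_key, fake_path, forked_root = serve(forked_log, "bob")
    # A client would pick one monitor at random; both outcomes are shown.
    monitors = {"colluding": forked_root, "independent": real_root}
    return {
        "real_key_independent": accept_key("bob", good_key, good_path, monitors["independent"]),
        "fake_key_colluding": accept_key("bob", fake_key, fake_path, monitors["colluding"]),
        "fake_key_independent": accept_key("bob", fake_key, fake_path, monitors["independent"]),
    }


if __name__ == "__main__":
    for case, accepted in scenario().items():
        print(f"{case}: {'accepted' if accepted else 'REJECTED'}")
```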


Re: Torproject disease infects WhatsApp - User experience trumps(sic) security

2017-01-15 Thread Shawn K. Quinn
On 01/15/2017 06:15 PM, Razer wrote:
> If you really need security a small learning curve is acceptable and
> attainable. I also see an insidious trend towards cutting out 32 bit
> machines, Meaning po folk ain't entitled. 64 bit isn't inherently more
> secure that 32 bit should be 'left behind' for any reason beside... dast
> I say... "User base"? (Dast dast!) at the expense of the niche that
> really needs the security. Poor folks in authoritarian dictatorships and
> such lorded over by US installed strongmen.

The move towards 64-bit is not about security, but about the fact that
32-bit hardware is becoming increasingly more rare. My friend's 64-bit
PC has a BIOS copyright date in 2006, and by no means is he usually an
early adopter of new technology; by 2010 if not earlier it was much
easier to get a new system that was 64-bit capable than one that
specifically was not. I decommissioned my last 32-bit PC in 2011, and
the only time I might need the 32-bit version of something is to run it
in a VM on my laptop (it can only do 32-bit VMs, not 64-bit).

For most code which does not actually require a 64-bit processor to run,
it should be possible to compile 32-bit binaries. However we are moving
towards a world where 64-bit is the rule not the exception and 32-bit is
today what 16-bit was in, say, 20 years ago (1997-ish).

-- 
Shawn K. Quinn 
http://www.rantroulette.com
http://www.skqrecordquest.com





Re: Torproject disease infects WhatsApp - User experience trumps(sic) security

2017-01-15 Thread James A. Donald

On 1/16/2017 10:15 AM, Razer wrote:

If you really need security a small learning curve is acceptable and
attainable.


No it is not.  And proof is that it is not in fact attained.

Further a small learning curve is not needed.  We can in fact have zero 
clicks security - placing the burden on designers and developers, not users.


For example phishing could easily be abolished by making all passwords 
zero knowledge password protocol under the hood and placing logins in 
the chrome.


Well, not easily because we would have to rewrite existing standards and 
redo much existing software, but easily for the end user, who would 
scarcely notice that anything had changed.


Similarly, it is possible to ensure that the mapping between public keys 
and IDs looks the same for everyone in the world, preventing MIM attacks 
without burdening the user to manage his public keys himself.




Re: Torproject disease infects WhatsApp - User experience trumps(sic) security

2017-01-15 Thread Razer


On 01/15/2017 12:39 PM, Spencer wrote:
> Hi,
>
>>
>> Razer:
>> Torproject disease infects WhatsApp -
>> User experience trumps(sic) security

> Security is a usability issue.

If you really need security a small learning curve is acceptable and
attainable. I also see an insidious trend towards cutting out 32 bit
machines, Meaning po folk ain't entitled. 64 bit isn't inherently more
secure that 32 bit should be 'left behind' for any reason beside... dast
I say... "User base"? (Dast dast!) at the expense of the niche that
really needs the security. Poor folks in authoritarian dictatorships and
such lorded over by US installed strongmen.

Rr

>
>> "failure to obtain permission"
>
> "Better to ask forgiveness ..."
>
> An increasing usability "feature" trend.
>
> Wordlife,
> Spencer



Torproject disease infects WhatsApp - User experience trumps(sic) security

2017-01-15 Thread Spencer

Hi,



Razer:
Torproject disease infects WhatsApp -
User experience trumps(sic) security



Security is a usability issue.


"failure to obtain permission"


"Better to ask forgiveness ..."

An increasing usability "feature" trend.

Wordlife,
Spencer









Torproject disease infects WhatsApp - User experience trumps(sic) security

2017-01-15 Thread Razer
> At issue is the way WhatsApp behaves when an end user's encryption key
> changes. By default, the app will use the new key to encrypt messages
> without ever informing the sender of the change
>
> Critics of Friday's Guardian post, and most encryption practitioners,
> argue such behavior is common in encryption apps and often a necessary
> requirement. Among other things, it lets existing WhatsApp users who
> buy a new phone continue an ongoing conversation thread.


Ars Technica agrees: "Reported “backdoor” in WhatsApp is in fact a feature"

http://arstechnica.com/security/2017/01/whatsapp-and-friends-take-umbrage-at-report-its-crypto-is-backdoored/