On 12/05/2016 04:05 PM, T. Mark wrote: > I continue to procrastinate in finding these posts by "Moxie" et al.. just > haven't much spare time. Hopefully that can change.
Moxie seems reasonable, generates plenty of attacks from the cryptonerds, which generally haven't managed to improve security on 1% as many clients as Moxie has. The basic problem is really good security is so painful to use that 0.01% of the world will use it daily. Like say PGP. Signal seems to be focusing more on the 99.99% and protecting users from dragnet style bulk surveillance. If the NSA is willing to intercept hardware before you get it, exploit it after you get it, and customize attacks specifically against you signal isn't going to save you. However if you are just a civilian trying to avoid ransomware, sniffing, monitoring, and whatever privacy invading technologies signal is a great start. > Sorry for presuming Hangouts. I don't have service hooked up to my > Androids-- > no desire to enrich rip-off Wireless Companies nor be triangulated by > dirtboxes > nor really a pressing need to be online or in-contact all the time. I > suppose I > could run Android on my laptop & goof around with apps when online, but > haven't > got 'round to it. Increasing chromeboxes (cheap laptops running ChromeOS) can run android as well, and don't require a sim or a GPS. > For sure-- I balk whenever someone directs me to The Play Store to get an > app.. never felt comfortable Registering My Device with them which is > required > to gain access. F-Droid is nice, but not adopted widely enough as yet. I F-droid seems embarrassingly insecure. Binaries aren't reproducible (you can't be sure what you get is what was intended) *AND* they aren't signed with the developer keys. So 100% of the trust is with the f-droid folks, which of course makes them a particularly juicy target. Which is why Moxie doesn't want to A) publish in f-droid or B) let others publish clients using their servers. Imagine if someone said to you "Hey, upload your email to me, skip you PGP key, just use mine. Trust me... we do it well". Hopefully you would laugh in their face. Googles play store on the other hand uses the developers key. So you can be sure that whatever you run is bit identical to what the developer published. That's how keys are supposed to work. So whisper systems can be very sure that what people get is what they publish. Sure, a google unencumbered store would be awesome. But f-droid's security is embarrassing. Again Moxie went with the pragmatically more secure solution over the philosophically more appealing one. > eventually found org.aclu.mobile.justice.ca* on one of the 3rd party sites > that > hosts .apk's, though, so now I guess I can livestream questionable incidents > if Random APK downloads or sideloads is another horrible practice that Moxie doesn't want to get involved with. Complex, error prone, insecure, and not end user friendly. Finding a random APK and a random post about how to install it doesn't lead to good security practices by random users. Last thing you should be trying to train random users on is DNS (and DNSEC), http/https (when to trust it and when to not), chain of trust, crypto checksums, etc. Anything more than download and install only software from https://play.google.com is likely to significantly lessen your target audience. > I happen to be in a free hotspot. (Maybe someone going to the EFF event can > ask > if they can ask ACLU to get hip to F-Droid? But I wont get my hopes up-- just > saw where ACLU did a live q&a on F*book Video.. (don't get me started!)) I recommend building from source or using https://play.google.com. Trusting random 3rd parties to make and distribute APKs is just as bad as installing some random screensaver.exe you found on the web and running it as root on a windows box. _______________________________________________ vox-tech mailing list [email protected] http://lists.lugod.org/mailman/listinfo/vox-tech
