On Aug 17, 2013, at 11:00 AM, Ali-Reza Anghaie <a...@packetknife.com> wrote:

> On Sat, Aug 17, 2013 at 1:50 PM, Jon Callas <j...@callas.org> wrote:
>> I hope I don't sound like a broken record, but a smart attacker isn't going
>> to attack there, anyway. A smart attacker doesn't break crypto, or suborn
>> releases. They do traffic analysis and make custom malware. Really. Go look
>> at what Snowden is telling us. That is precisely what all the bad guys are
>> doing. Verification is important, but that's not where the attacks come from
>> (ignoring the notable exceptions, of course).
> 
> Part of the problem is that most people can't even wrap their heads
> around what a State or non-State Tier 1 Actor would even look like.
> They bully, kill leaders, deny resources, .. heck, they kill ~users~
> to dissuade use of a given tool.
> 
> Then on the flip side "we" think about design and architectural
> aspects that don't even ever get the chance to be used against ~any~
> adversary because we force too much philosophy down into a hole that
> may have just one device, maybe just an iPhone - and limited to
> connectivity to even use it.
> 
> I've called this the problem of "Western Sensibilities" where we seem
> to forget the economics and geopolitics of the rest of the world.
> 
> Before getting heads wrapped around all these poles that are pretty
> exclusive to the "haves" - go out to truly hostile territory and live
> like a "have not" and try to build up the OPSEC routine you want,
> complete with FOSS only and full audits, and work from the field that
> way. It's non-trivial to say the least - even if you've done it a
> hundred times from a hundred different American and European venues.

I've had the privilege on several occasions to talk to people who really do 
this stuff. A couple of things really stuck with me:

* "Don't patronize us. We know what we're doing, we know what we're up 
against." The guy who told me this had his brother murdered horribly. His 
tradecraft was basic and elegant.

* Simple, usable countermeasures are best because they have to be used by the 
sort of person who decided yesterday that they're not going to take it any 
more. They're newly-minted heroes who are a threat to themselves and others if they 
screw up what they're doing. We asked them what they'd like most and the answer 
was SSL on websites. This was after Diginotar and we'd been talking about 
advanced threats, so we were a bit taken aback. They explained that the biggest 
problems are people putting stuff on websites as well as mistakes like making 
calendar entries for times and places of meetings.

That put a fine point on the admonition not to patronize them. Heck, the 
adversaries don't have to crack anything sophisticated when they can just sniff 
CalDAV.

        Jon


_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography