NK
On Mon, Apr 29, 2013 at 9:23 PM, Jacob Appelbaum <ja...@appelbaum.net>wrote: > Griffin Boyce: > > Jacob Appelbaum <ja...@appelbaum.net> wrote: > > > >>> You already know this, but for the benefit of the list <snip> > >> > >> Unless these are on a BES server - it's all insecure - if it is on a BES > >> server, it may still be insecure depending on a few factors. > >> > > > > Depends on whether they enable SMS logging, but that only requires > > setting a flag. Phone call metadata is stored by default. The multitude > of > > things stored on / synced with is extensive, and includes email, address > > book, browser history, and list of all apps installed. It can also > access > > the Password Keeper file remotely (you'd still need to brute force the > main > > password, but it's likely trivial). > > > > Right - so without a BES server - the entire cell phone network would > get this data, with a few exceptions. > > > If a user sets up sync, someone spoofing their phone could retrieve the > > whole shebang, including all messages. > > Spoofing? I mean, I suspect impersonating a phone requires knowledge of > secret keys on the telephone. So to own the phone as you suggest, I > think you'd have to have the phone already or control the BES. > > > > >> What REALLY scares me about this is how many medical providers use > >>> Blackberry products in their practices. > >> Well, sure. It would be as bad as every other BlackBerry device > >> normally. A real joy, I tell you. > >> > > > > Maybe. I'd wager it's much worse. Depends on those affected. > > Ok... was there something here that I'm missing? If you can downgrade > the security that the BES would otherwise offer, you'd end up with... > the default BlackBerry "security" protections. > > > > > > >> There are obviously degrees of secure. > >> > > > > There are also degrees of availability/access/usability. As a tech guy > > with a lot of non-techy friends, the amount of work involved to get my > > close friends using Pidgin+OTR has been non-trivial. For many options, > > there are usability issues, class issues, that keep adoption pretty low. > > > > Install Gibberbot, OTR comes for free. The same is true for Adium. It > will soon be the case when I get around to importing pidgin-otr into > pidgin's hg repository. > > > And what does it mean to be one of a privileged subset who can get > ahold > > of eg a VOIP STE or buy a set of Cryptophones. For the first, you need > > connections, and for both you need to be an advanced user (not to mention > > have the money to afford them). Most people would picture the costs of > > adoption to be greater than the benefits of adoption. > > > > Neither requires an advanced user - both are so simple as to not require > anything beyond remembering a single password, which can even be set to > something simple, if you wanted. > > Yes, both are more expensive than free but compared to a BlackBerry > device with a BES? Negligible cost differences. > > > I suggest you check out Cryptophone > > > > > > I've considered getting a pair for my girlfriend and myself, but other > > options have proven to be a better fit. > > Oh? How so? What did you go with and how does it contrast? For example > the new Android Cryptophone has a baseband firewall - does your kit have > something similar? > > > > > GibberBot with OTR provides the same set of features without all of the > >> home rolled crypto problems, the web related problems or a third party > >> that you're not already using on a daily basis. > >> > > > > Well, I'm using it on a daily basis. We're both biased in different > > directions ;-) > > > > I'm not sure that I'd call my choice a bias. > > Many people use XMPP/Jabber already and they get federation for free - > just as they do with email and in some cases, it is the same address for > both email and Jabber. > > The crypto is similarly not subject to the bleeding edge Javascript > crypto world; I'm sure there are issues with everything though recently > the Stanford Javascript library did sorta accidentally break uh, what, > everything using it? > Why is there this rhetoric as if all of the bugs in JS crypto are unique to JS crypto? These breaks happen in other platforms too, but simply occur in different forms. However, overwhelmingly, the frequency and severity do compare. I think that there is a lot of optimism to be had if we look at the recent Pwn2Own results — Chrome's sandboxing prove exceptionally difficult to break, while Chrome OS was actually unbroken. These are web technologies and they are performing very impressively on the security front. Nothing is perfect, but there's also a selection and confirmation bias where we pretend that just because a class of security considerations is new, that it must therefore be more present in severity and frequency than other flaws. However it's largely, if of course never entirely, a matter of perception. > All the best, > Jacob > -- > Too many emails? Unsubscribe, change to digest, or change password by > emailing moderator at compa...@stanford.edu or changing your settings at > https://mailman.stanford.edu/mailman/listinfo/liberationtech >
-- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
