-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2014.10.02 20.39, Greg wrote: > There are different types of deniable encryption systems, with > very _different_ deniability properties.
What you're failing to see here, I think, is that your adversary is almost never a cryptographer. You adversary is a goon who likes to crush fingers, who's heard a rumor that your tool lets people hide things from him. He doesn't like it when people hide things from him. He thinks you're hiding something from him. He's going to keep crushing your fingers until you prove to him that you aren't. You don't have that many fingers left. > Unlike you, I've done my homework and researched the deniability > properties of encryption systems and why some are better than > others. Field outcomes aren't about math. That's the point I'm trying to make here. The precautionary principle and a Do No Harm approach to software development are incredibly important when looking at the requirements specification of security tools intended to be used in a hostile environment. I cannot stress this strongly enough. Real-world field experience is the only reasonable and reliable guide for determining the appropriate design of security systems; anything else is at best a amateur[1]. For novel capabilities, *careful* field testing in moderate risk environments is necessary to establish a baseline. Building a real loop with existing training programs to ensure that you get field feedback when systems are used is similarly critical. Building software because it's cool is fine, as are projects we do because we believe in them, but at a certain point, there's a bar. Recommending your tools for use in the field in hostile environments is that bar. Beyond that bar, we have an ethical obligation to attempt to act in a professional manner. E. [1]: I mean this in the literal sense of the word, not to be in any way demeaning. There are requirements for professionalism in this field; operational field outcomes reviews are as much a requirement as proper code review, cryptoanalytic review, UX testing, QA, and good documentation. - -- Ideas are my favorite toys. -----BEGIN PGP SIGNATURE----- iF4EAREIAAYFAlQttVsACgkQQwkE2RkM0woj9gD/c1eOZvCwwNcElcYKb9fHrIb6 KRnpWph84MhD9N8e9e0A/0UtT0GzwTTyFbI2h3l7jPjIsqnwRn3rmKgpx8DRX7L1 =oYU9 -----END PGP SIGNATURE----- -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
