To bo0od and Shiva’s messages — Signal has received millions of dollars in Congressionally allocated funds to foster secure communications in Iran and similar countries. As a taxpayer, and quite frankly as someone who actually talks to those non-elite communities, it’s not asking much for their tools to actually work, especially when there are real solutions.
On Thu, Feb 25, 2021 at 12:41 PM bo0od <[email protected]> wrote:

> signal can do nothing from what you said and can do everything the opposite and still no problem.
>
> software developers have no liability, responsibility, guarantees of what you get when you use their software.
>
> it's from signal devs kindness that they even typed anything to answer this matter.
>
> i dunno why some ppl think that software and software developers should take the responsibility of anything.
>
> Collin Anderson:
> > All this debate over whether Signal could use a better bridge protocol is fine, but distracts from the core problem — Signal Proxy is of little consequence and is a sleight of hand trick to avoid taking on further burdens to address 80 million vulnerable people (a community Signal was long funded to support) being cut off.
> >
> > Signal could invest that time into providing another cloud service for meek-style circumvention. It did not. Instead it told users, who generally have no connection to Iran, to run bridge and post solicitations on blocked social media. How is that a serious idea to pitch to people?
> >
> > The aughts called and it wants its internet freedom agenda back.
> >
> > On Wed, Feb 24, 2021 at 11:41 PM Adam Fisk <[email protected]> wrote:
> >
> >> On Wed, Feb 24, 2021 at 8:19 PM Harry Halpin <[email protected]> wrote:
> >>
> >>> Again, if Sergey - who seems to be a perfectly nice Ph.D. student - wants to fix TLS, that's fine. I would support fixes to TLS as would any sensible person, including Moxie.
> >>
> >> So just so we're on the same page, Sergey is a perfectly nice Ph.D. student whose code was deployed on more phones globally than Moxie's up until a few months ago. It's deployed almost exclusively in censored regions, in contrast to Signal which is deployed almost exclusively in uncensored regions.
> >>
> >> Making TLS more censorship resistant at the IETF level is great. I'm not sure what vulnerabilities you specifically have in mind, but to me the most promising is Encrypted Client Hellos (https://tools.ietf.org/html/draft-ietf-tls-esni-09) that especially Nick Sullivan at Cloudflare has been pushing with great success.
> >>
> >> While I agree we should vigorously pursue approaches like that, it won't help people in the most censored regions today. Sergey's code is actually a core piece of bypassing real world censorship now.
> >>
> >>> But that's not Signal's problem - TLS bugs are a lower-level network level protocol whose bugs Signal inherits when it tries to use TLS. Sergey should approach the TLS 1.3 Working Group at the IETF, not try to garner attention for himself via media releases over his github comments. This reminds me of the Israeli "security" firm that claimed they had "hacked" Signal by simply accessing the keys in the phone, which can be done to *any* app on phone that has a rootkit that doesn't use some-yet-not-really-working secure enclave.
> >>
> >> Right. Signal's problem is that they were blocked in Iran. Their solution to that problem attempts to use TLS in a way that doesn't work. You're basically thinking of TLS in the way that Signal is thinking of TLS, which is limited and the heart of the problem.
> >>
> >> Sergey hardly tried to garner attention for himself -- heck his last name was never even mentioned anywhere I saw. I happened to realize it must be him just based on his first name and the nature of the analysis.
> >>
> >>> There is literally *no* server that is not susceptible to active probes and machine-learning based traffic analysis attacks. If Sergey had a kind of solution that actually did what Adam claimed it did "anti-censorship tools that actually work at scale in censored regions are not susceptible to active probes" then all of China would be using it. As it doesn't exist, people aren't using them.
> >>
> >> I never mentioned anything about machine-learning based traffic analysis, which is a different problem, but the most disturbing reality is that there are "anti-censorship tools that actually work at scale in censored regions are not susceptible to active probes", but it turns out that a very small minority of Chinese actually have much interest in the censored internet. Could the tools that work in China capture more of them? Sure, but there are all sorts of other issues in China too, such as distribution. It's also very dangerous for people in China to work on those tools.
> >>
> >> One that's been growing recently is v2ray. There's a reason it has over 30K stars on GitHub: https://github.com/v2ray/v2ray-core
> >>
> >>> Censorship is a very hard problem, which is why Shava is basically right. Cutting-edge usable tech here is still I believe obfs4proxy, and it's well-known defeatable by nation-state level adversaries.
> >>
> >> This is actually the fundamental issue -- there is a huge asymmetry of information between the more conventional security community and the people who work on bypassing censorship, largely because the techniques that work are largely kept secret. The "cutting-edge" usable tech at one time was obfs4proxy, but it's been probably 7 years or so since that was the case. The people who know what the cutting edge usable tech is are those who deploy it at scale, but you're not likely to read about it anywhere.
> >>
> >>> I do support the usage of Tor, and Tor also is susceptible to the precise same kinds of attacks Signal is and thus doesn't work in China, Iran, and many other places. Furthermore, it's not resistant to NSA-style traffic analysis. But it is by better than most shady VPNs and proxies, and I hope people use it where their nation-state hasn't started censoring it yet. Same with Signal. Most VPNs that work in these countries work insofar as they are easily susceptible to attacks (i.e. see Moxie's older work on bugs in PPTP or the myriad of authentication issues facing OpenVPN, fingerprinting of Wireguard...). Again, more work is needed but aim work in a productive way, not cheap media hit pieces on Signal or Tor.
> >>
> >> Yeah so that's where the asymmetry of information kicks in. The VPNs that work in the most censoring countries that are easily susceptible to attacks stopped working long ago. China in particular has stepped up its game in crazy ways in the last couple of years.
> >>
> >> Tor is incredible, and I support Tor's work all day long, but as you say it is not used widely in the most censoring countries. Other tools are.
> >>
> >> -Adam
> >>
> >> --
> >> President
> >> Brave New Software Project, Inc.
> >> https://lantern.io <https://www.getlantern.org>
> >> A998 2B6E EF1C 373E 723F A813 045D A255 901A FD89
> >> --
> >> Liberationtech is public & archives are searchable from any major commercial search engine. Violations of list guidelines will get you moderated: https://lists.ghserv.net/mailman/listinfo/lt. Unsubscribe, change to digest mode, or change password by emailing [email protected].

--
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.
