[cryptography] Reply to Zooko (in Markdown)
ali at packetknife.com
Sat Aug 17 14:00:45 EDT 2013
On Sat, Aug 17, 2013 at 1:50 PM, Jon Callas <jon at callas.org> wrote:
> I hope I don't sound like a broken record, but a smart attacker isn't going
> to attack there, anyway. A smart attacker doesn't break crypto, or suborn
> releases. They do traffic analysis and make custom malware. Really. Go look
> at what Snowden is telling us. That is precisely what all the bad guys are
> doing. Verification is important, but that's not where the attacks come from
> (ignoring the notable exceptions, of course).
Part of the problem is that most people can't even wrap their heads
around what a State or non-State Tier 1 Actor would even look like.
They bully, kill leaders, deny resources, .. heck, they kill ~users~
to dissuade use of a given tool.
Then on the flip side "we" think about design and architectural
aspects that don't even ever get the chance to be used against ~any~
adversary because we force too much philosophy down into a hole that
may have just one device, maybe just an iPhone - and limited to
connectivity to even use it.
I've called this the problem of "Western Sensibilities" where we seem
to forget the economics and geopolitics of the rest of the world.
Before getting heads wrapped around all these poles that are pretty
exclusive to the "haves" - go out to truly hostile territory and live
like a "have not" and try to build up the OPSEC routine you want,
complete with FOSS only and full audits, and work from the field that
way. It's non-trivial to say the least - even if you've done it a
hundred times from a hundred different American and European venues.
More information about the cryptography