On 8/04/2015 14:33 pm, Christoph Anton Mitterer wrote:
> On Wed, 2015-04-08 at 09:23 -0400, Phillip Hallam-Baker wrote:
>>> Crypto is not an iPhone.
>> Mine is.
> Believing that you're secure with a proprietary driven system, from a
> company which is known to have worked with mass surveillance
> organisation (and if it's just because they were forced so by law), is
> naive - at best.

No, it's security modelling. It all depends on what the business model
is, which defines the threats that one has to deal with. There are
plenty of people out there that don't care about the mass surveillance
and there are plenty of people in here who do care about it. The reason
that people out there don't care about mass surveillance is because they
(a) don't see the harm or (b) have bigger harms to worry about.
Sometimes valid reasons, sometimes not.

We have to remember that the old CIA was something that was taught to us
back in the 1990s out of military models. E.g., it made sense to
consider the MITM as a big commsec threat when our only experience was
MITMs in aggressive military actions -- armies against armies. But the
Internet was different, we had different threat actors, different values
under protection, and different incentives.

There are probably more people out there that don't want authentication
than do, or more precisely they want nymity. Canonically, recall all
the people (eg) Manning who were caught over the net, and had recorded
chat sessions used as evidence against. Having unattributable,
untraceable content is actually a goal for many.

And things like Twitter show how confidentiality isn't really the thing,
but they still put everything over the HTTPS so that at least the
passive surveillance is turned into active surveillance.

etc etc. Your enemy may be the NSA. But for most people most of the
time, it's others: aggressive ex-spouses, parents who spy, business
partners stealing money, teenagers getting into trouble with photos, etc
etc.

iang

ps; And to echo Phil, my crypto is iPhone too - end-to-end secure
payments systems. 'cept, Java only runs on Android ;)
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp