[liberationtech] Privacy, data protection questions

Brian Conley brianc at smallworldnews.tv
Tue Mar 26 16:24:33 PDT 2013


Rich, the point is simple, let me put it into a formula:

(civility + relevant advice) / length = degree to which people consider
your advice

My point is that you clearly have a lot of the second piece of this
formula, however your lack of the prior piece, and the lack of many people
on this list (myself included at times!) leads to us wasting our breath and
carpal tunnels, because the degree to which people are likely to consider
our advice is inversely proportional to our lack of civility.

Your second email is generally much increased in civility, but, frankly, I
didn't read all of it.

I understand smartphones are a disaster, but I also understand that
government surveillance has many of its own critical flaws. The capability
to do something technically is not the same as the ability to execute it
bureaucratically, socially, or practically.

Finally, I do look forward to your advice. I generally read most of your
comments on this list as I find them insightful, however in this case, I
was struck by your entirely hostile attitude.

It's clear you have a chip on your shoulder about this stuff, maybe because
you are angry people are getting funding for things you see as stupid or
fundamentally flawed, maybe for another reason, quite frankly all I care
about is how your attitude impacts my day.

Brian

On Tue, Mar 26, 2013 at 4:12 PM, Rich Kulawiec <rsk at gsp.org> wrote:

> On Mon, Mar 25, 2013 at 10:57:10AM -0700, Brian Conley wrote:
> > Mostly I'm taking issue with your nonconstructive demeanor.
>
> Clearly you have no idea how I write when I'm being "nonconstructive". ;-)
>
> Think equal proportions Kingsfield[1], Vader, Snape.  Season to taste with
> HST and Mencken, serve at full boil.
>
> > I've not seen you take the Guardian Project to task for trying to
> > solve some of the same problems. I've not seen you take Tor project or
> > Whisper Systems to task.
>
> (a) There aren't enough hours in the day to provide extensive (security
> or other) critiques of everything that comes across here.   And there
> are other people whose expertise in certain areas dwarfs mine, so
> until/unless I close the gap, I'll defer to them.  Also I think I should
> occasionally STFU and listen.
>
> So I respond on-list when I feel that I have something useful to say,
> *usually* (but not always) when I think that has applicability beyond the
> particular topic-of-the-moment.  Hence my comments in re Silent Circle,
> which are far more about the inherent insecurity of closed source
> software than about the specifics of Silent Circle itself -- most of
> which I didn't pay any attention to because I think they're irrelevant.
> And speaking of applicability beyond the topic-of-the-moment:
>
> (b) If you read my message carefully you'll notice that I did in fact
> explicitly point out that while I was using this particular project as
> an example, it's by no means the only one facing the exact same issue.
> "Building a secure smartphone app" is presently equivalent to "trying
> to put the roof on a house whose foundation is sinking into quicksand
> and whose main floor is on fire".
>
> So what "constructive" thing could I possibly say?  The entire smartphone
> ecosystem is rotten to the core: the OS vendors care far more about
> advertising than privacy and security [2].  Well, and they care a lot
> about paying attorneys so that they can all sue each other. [3]  The app
> markets are loaded with malware, spyware, adware, and crap.  And more
> crap.  Also: still more crap.  Users will download and run any shiny thing
> they see, doubly so if it purports to enhance their "social experience" --
> much to the delight of the scammers and spammers running those operations.
> Telcos are happy to turn user tracking/surveillance/etc. into profit
> centers.  Governments want every scrap of data they can get from carriers
> and there's now an entire subindustry for software that extracts data
> from locked phones.
>
> D'ya think if I asked them very nicely and politely they'd all stop?
>
> *crickets*
>
> There is NOTHING "constructive" to be done here.  It's not a fixable
> situation at the moment or for the foreseeable future.  The *only* thing
> to do, as far as I can tell, is to stop pretending it's otherwise and
> stop laboring under the delusion that smartphone apps have a chance in
> hell of being secure in mass deployment scenarios.
>
> (c) So to re-emphasize the more general point: no smartphone apps,
> UNLESS you can produce a viable, workable, scalable, defensible plan
> to keep the phones secure in the field.  Otherwise your app, whatever
> it does, and however nifty it is, is probably going to be undercut from
> the moment it's installed...or very soon thereafter, as soon as one or
> two governments your users are annoying decide to deploy countermeasures.
> (I think it's fair to say that, to a first approximation, the tempo
> and scale of their response will be proportional to the adoption
> rate and annoyance level.  Thus: the better your app and the more people
> that use it, the sooner you should expect the backlash.)
>
> And they don't *have* to crack your app if they 0wn the phones it runs on.
>
> (I sure wouldn't.  Too much work.  Very tedious.  Better to just hijack the
> phone, install a keystroke logger et al., and compromise *all* the apps.)
>
> (d) I don't think you [generic you] can come up with that plan (above)
> and execute it.  I think you have no shot whatsoever.  But if you want
> to take a crack at proving me wrong: be my guest.  I will be very surprised
> but happy if you succeed.  I may even buy you beers.  Good beers.
>
> (e) I *know* this is real unhappy news.  Sorry.  I didn't write the
> cruddy smartphone software.  I didn't write the malware.  I didn't create
> the situation.  I'm just pointing it out.  And yes, I know it would be
> much nicer to just go on creating app after app and rolling them out
> and pretending this problem doesn't exist, but ermmm...I think far more
> unpleasant things than mere words on a screen will happen if lots of
> people start betting their freedom and/or their lives on the security of
> their smartphones/apps.
>
> (f) And on that point ("pretending"), let me share with you one of the most
> valuable pieces of guidance that I've ever read.  I have it printed out
> and taped above where I'm working right now.  I think for many of the
> projects and initiatives discussed here, it's terrific advice.  So even
> if you think my analysis here isn't worth a load of fetid dingo's kidneys,
> well, at least there's this:
>
>         "The first step is to measure whatever can be easily measured.
>         That is okay as far as it goes.
>
>         The second step is to disregard that which can't be measured
>         or give it an arbitrary quantitative value.  This is artificial
>         and misleading.
>
>         The third step is to presume that what can't be measured easily
>         really isn't very important.  This is blindness.
>
>         The fourth step is to say that what can't be easily measured
>         doesn't exist.  This is suicide."
>
>         --- social scientist Daniel Yankelovich describes the "McNamara
>         Fallacy"; quoted by Jay Harris, former publisher of the San Jose
>         Mercury News, in a speech explaining why he resigned his post.
>
> (g) So do you wanna spend your time trying to convince me to change my
> writing style (hint: success probability == low) OR would you like to
> focus on the substance of my remarks -- because *if* I'm right, then
> Bad Things are going to ensue as soon as various governments figure out
> that exploiting smartphones is a cheap, effective and scalable tactic for
> undermining communication among their opponents.  Moreover, they will be
> Bad Things that are (largely) independent of the cleverness of apps and
> their supporting infrastructure, i.e. they're not going to be fixable
> by the developers.  Which means years of work and piles of money spent
> developing OverthrowYourDictator v1.2 will be rendered moot and, worse,
> people running it may well face unhappy fates.
>
> This may have already happened.
>
> ---rsk
>
> [1] I suspect some of you who are younger may not get the reference.
> Therefore, let me introduce you to Professor Kingsfield:
>
>         https://www.youtube.com/watch?v=_wOUMd3bMRI
>
> [2] For example:
>
>         http://www.forbes.com/sites/alexkonrad/2013/03/23/blackberry-real-time-marketing
>
> [3] Mike Masnick has a brilliant illustration of this:
>
>         https://www.techdirt.com/blog/wireless/articles/20101007/22591311328/meet-the-patent-thicket-who-s-suing-who-for-smartphone-patents.shtml
>



-- 



Brian Conley

Director, Small World News

http://smallworldnews.tv

m: 646.285.2046

Skype: brianjoelconley