
[liberationtech] TrueCrypt Alternatives?

Eleanor Saitta ella at
Thu Oct 2 13:28:11 PDT 2014


On 2014.10.02 20.39, Greg wrote:
> There are different types of deniable encryption systems, with
> very _different_ deniability properties.

What you're failing to see here, I think, is that your adversary is
almost never a cryptographer.  Your adversary is a goon who likes to
crush fingers, who's heard a rumor that your tool lets people hide
things from him.

He doesn't like it when people hide things from him.

He thinks you're hiding something from him.

He's going to keep crushing your fingers until you prove to him that
you aren't.

You don't have that many fingers left.

> Unlike you, I've done my homework and researched the deniability 
> properties of encryption systems and why some are better than 
> others.

Field outcomes aren't about math.  That's the point I'm trying to make

The precautionary principle and a Do No Harm approach to software
development are incredibly important when looking at the requirements
specification of security tools intended to be used in a hostile
environment.  I cannot stress this strongly enough.

Real-world field experience is the only reasonable and reliable guide
for determining the appropriate design of security systems; anything
else is at best amateur[1].  For novel capabilities, *careful* field
testing in moderate risk environments is necessary to establish a
baseline.  Building a real loop with existing training programs to
ensure that you get field feedback when systems are used is similarly

Building software because it's cool is fine, as are projects we do
because we believe in them, but at a certain point, there's a bar.
Recommending your tools for use in the field in hostile environments
is that bar.  Beyond that bar, we have an ethical obligation to
attempt to act in a professional manner.


[1]: I mean this in the literal sense of the word, not to be in any
way demeaning.  There are requirements for professionalism in this
field; operational field outcomes reviews are as much a requirement as
proper code review, cryptanalytic review, UX testing, QA, and good

-- 
Ideas are my favorite toys.

