Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] TrueCrypt Alternatives?

Eleanor Saitta ella at dymaxion.org
Thu Oct 2 13:28:11 PDT 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 2014.10.02 20.39, Greg wrote:
> There are different types of deniable encryption systems, with
> very _different_ deniability properties.

What you're failing to see here, I think, is that your adversary is
almost never a cryptographer.  You adversary is a goon who likes to
crush fingers, who's heard a rumor that your tool lets people hide
things from him.

He doesn't like it when people hide things from him.

He thinks you're hiding something from him.

He's going to keep crushing your fingers until you prove to him that
you aren't.

You don't have that many fingers left.

> Unlike you, I've done my homework and researched the deniability 
> properties of encryption systems and why some are better than 
> others.

Field outcomes aren't about math.  That's the point I'm trying to make
here.

The precautionary principle and a Do No Harm approach to software
development are incredibly important when looking at the requirements
specification of security tools intended to be used in a hostile
environment.  I cannot stress this strongly enough.

Real-world field experience is the only reasonable and reliable guide
for determining the appropriate design of security systems; anything
else is at best a amateur[1].  For novel capabilities, *careful* field
testing in moderate risk environments is necessary to establish a
baseline.  Building a real loop with existing training programs to
ensure that you get field feedback when systems are used is similarly
critical.

Building software because it's cool is fine, as are projects we do
because we believe in them, but at a certain point, there's a bar.
Recommending your tools for use in the field in hostile environments
is that bar.  Beyond that bar, we have an ethical obligation to
attempt to act in a professional manner.

E.

[1]: I mean this in the literal sense of the word, not to be in any
way demeaning.  There are requirements for professionalism in this
field; operational field outcomes reviews are as much a requirement as
proper code review, cryptoanalytic review, UX testing, QA, and good
documentation.

- -- 
Ideas are my favorite toys.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlQttVsACgkQQwkE2RkM0woj9gD/c1eOZvCwwNcElcYKb9fHrIb6
KRnpWph84MhD9N8e9e0A/0UtT0GzwTTyFbI2h3l7jPjIsqnwRn3rmKgpx8DRX7L1
=oYU9
-----END PGP SIGNATURE-----



More information about the liberationtech mailing list