[messaging] Value of deniability

[Natanael]

On Fri, Dec 12, 2014 at 4:36 PM, Eleanor Saitta <ella at dymaxion.org> wrote:
> On 2014.12.12 10.05, Natanael wrote:
>> I see this as a problem of education, not inherently of the
>> technology. There's no reason for anybody to find a text file
>> convincing without knowledge about where it comes from.
>
> If plan A involves "educate the whole world so they just get it",
> you're going to a) want a plan B in a hurry, and b) maybe want to hire
> a new planner.

(late reply, but its better than nothing)

If your plan A is "build a tool that can't be used wrong", you'll
never get out of the alpha stage. Chances are you might not even get
TO the alpha stage.

There's no such thing as education-free security. Look at
https://reddit.com/r/talesfromtechsupport - people will routinely
circumvent everything that's been put in place to protect them,
including falling for a phishing email's instructions to disable your
AV and running malware as admin. They enable external sources in
Android because of a popup and installs random apk's (app packages).
On iOS, you've got all the classic phishing attacks that aim for your
account credentials.

So you make it impossible to do anything bad? Your tool will be
useless, because it won't be possible to do anything good with it
either. Even with a dedicated keyring device like a Yubikey or
smartcard which is trivial to use with all their hardware, with no
possibility to extract key and with simple authentication mechanisms,
they'll forward chain mail and sign things they shouldn't and leak
their contact lists. With a fully dedicated communication device like
a hardened smartphone, all of the above will remain true, and chances
are they will ditch it completely for a less secure device (rendering
all your work useless) if it lacks features they want.

>> For myself, I've never yet been part of a discussion interesting
>> enough for deniability to matter. As in I'm still young and haven't
>> yet been making any negotiations with a potential employer in a
>> field where it matters, or anything else with high stakes.
>
> Wow, really?  It doesn't show at all in your understanding of this
> subject.

How mature. Once again, just because you haven't personally seen any
case where it makes a difference, it doesn't mean there never will be.
As said previously, removing deniability is what violates common
expectations, not its existance. Nobody expects that everything
they've ever said can be provably be held against them decades later.

My comparison to things like crumple zones in cars remains, and I'll
add another; fire zones in buildings. Just because you've never seen a
fire and the most common physical threat is something vastly
different, nobody would seriously build anything larger a few hundred
m^2 without firewalls and fire resistant doors to divide it into zones
that can contain fires to slow it down. Nobody would remove it because
you want them to spend that time working on something you prioritize
higher.

Also, I can't really figure out who your target audience is. Average
Joe? They don't honestly need much more than what already exists,
TextSecure and others works fine, even WhatsApp would honestly be
acceptable if they added the option for public key verification now
that they improved the cryptography.

Journalists and other people at high risk? Here's the thing, telling
these people they should use a tool any different from what Average
Joe uses will both be frequently ignored (you've already said above
you don't expect people to learn why) AND automatically put the rest
of them at higher risk as they'll flag themselves as targets. Look at
the NSA leaks, they track encrypted traffic and flag it, don't you
think every nation in the world with the technical capabilities is
doing that already too? If the tools can be told apart, the anonymity
set for those who need higher security will be laughable.

If you aren't willing to abandon the people at higher risk and who
needs higher security margins and better defence against a wide class
of attacks, you WILL want the standard tools to be secure against a
wide class of attacks and you WILL want the majority of people use
them even if they go far beyond what Average Joe needs. It is called
herd immunity!