[messaging] Exposing MITM attacks socially engineered through group chat introductions

carlo von lynX lynX at i.know.you.are.psyced.org
Sat Jan 31 04:16:02 PST 2015

Jeff hit reply and accidentally answered to me only.
I am citing him with permission.

On Sat, Jan 31, 2015 at 12:01:50PM +0100, Jeff Burdges wrote:
> I’d probably just display a warning explaining that, if Bob does not mind revealing to Carol that Eve introduced Alice to Bob, then he should mention that fact in the introduction message, or at least mention that the contact being introduced was introduced by someone else.
> In that way, the client itself would not spread any less-local social graph information, but some users would learn to include their evaluation of not merely an introducer's trustworthiness but also their op sec.

I doubt you can teach people about opsec this way, but it's
worth a try I guess..   :)

> > I think there is a question of threat model here. Tools like
> > Pond or secushare should protect groups of people from bulk
> > surveillance, but that doesn't mean the tools need to be
> > 100% safe from individual targeted social treason.
> Yes, the priority should be avoiding revealing any more social graph information than absolutely necessary.  If however anyone knows any cute token trick then that’s interesting as an academic question. 

I intended the opposite of what you say. Social threat is not a
scenario we should be worried about since the threat is the
anti-social bulk surveillance going on outside our circles.
Thus I find it a reasonable and also potentially more popular
improvement to provide a cozy Facebook-like social network
experience within such circles, not act paranoid on friends of
friends. I think libtech-type activists overshoot on the needs
of the general population, thus tools like Pond remain insider 
stuff and actually make it worse using them as an activist, as
they single you out. If the default behaviour is to share social
graph, then normal population has more fun using the tool - thus
it also provides better cover for activists who merely need to be 
able to opt out of the social graph exposure.

> p.s.  I address a technical question arising from the difference between the public identity key and public key in pond here:
> https://github.com/agl/pond/pull/161#issuecomment-72166080

Oh look, a commercial social network at the heart of activist
tool development. This is the kind of stuff I would want to
happen over a distributed free social network instead of github.

bnagy's comment looks like an example of overshoot. Metadata is
a problem because it is being public. It must not be treated as a
problem when it moves about the intended social circles if these
tools are intended to grow popular. Glad ioerror sounds more 
optimistic on the issue.

The idea of having a Pond public fingerprint doesn't sound good
to me either, but I haven't thought it through. The dangers of
social infiltration are probably minor compared to the risk of
deanonymization and categorization of Pond users.

  E-mail is public! Talk to me in private using Tor.
  torify telnet loupsycedyglgamf.onion		DON'T SEND ME
          irc://loupsycedyglgamf.onion:67/lynX  PRIVATE EMAIL
         http://loupsycedyglgamf.onion/LynX/    OR FACEBOOGLE
