On 03/18/2017 09:04 PM, Rich Kulawiec wrote:
On Fri, Mar 17, 2017 at 09:54:48AM +1100, Morgan Reed wrote:
I'd submit that this is tantamount to saying "it's impossible to make a 100% secure system so why bother even trying".
Then you're not grasping my point. Let me try again.
I suggest that you re-read what I've written *and* consider as well the disclosures of the past week vis-a-vis smartphones and their encrypted communications applications.
In particular, note that entities like Whisper and Signal have been, as I've said for years, peddling snake-oil. They cannot possibly deliver on their promises *even if they do everything they say they can do* because all of it is immediately and completely undercut if the underlying system is compromised.
Open Whisper Systems and Signal provide what they state, End-to-End encryption. Applications and technologies like these make mass surveillance harder, as passively sniffing traffic is no longer viable. Shifting the attacker to actively compromise devices is an overall improvement.
Which is exactly what the disclosures of Vault 7 show everyone, although it's not really news to anyone who's been paying attention. Intelligence agencies, vulnerability brokers, organized cybercrime, and others have been knocking themselves out to hack everything for years -- and whaddaya know, they've succeeded. This set of disclosures is merely the latest, and it and all the other ones to date are merely the tip of the iceberg.
Obviously protection against state actors is hard 1. However thats not the only threat source that there are reasons to protect against. There are plenty of threat actors for which sniffing traffic to a plaintext mailing list might be easy, however overcoming a well setup encrypted mailing list system would be quite hard.
So what I am saying, and what I hope is obvious, is that you cannot build a secure system on top of an insecure one.
This isn't about not being able to build a 100% secure system: as a long-time security professional, I'm fully aware that's impossible and that the best we can do is to stack the deck in our favor. This is about building a system that is known 0% secure from the start.
The system security only increases in this case. It's security is obviously debatable against state actors/equivalent threats, there it might not improve much, but improves significantly against other threats.
I think, in the end, this will serve the community poorly -- because people who don't grasp the contemporary security landscape will deploy it, will rely on it, and will not understand that they lost the game before they even started to play it. This will have consequences.
This assumes that those people are not currently relying on plaintext mailing lists or any other insecure messaging technology. I think it is quite obvious, from the nature of a mailing list, that every subscriber can read all messages. With proper documentation about security of endpoint devices and security of mailing lists, I think this feature has viable use-cases.
-Jan