[FoRK] [liberationtech] DecryptoCat

Eugen Leitl eugen at leitl.org
Tue Jul 9 07:32:01 PDT 2013


----- Forwarded message from Jacob Appelbaum <jacob at appelbaum.net> -----

Date: Tue, 09 Jul 2013 13:45:35 +0000
From: Jacob Appelbaum <jacob at appelbaum.net>
To: liberationtech at lists.stanford.edu
Subject: Re: [liberationtech] DecryptoCat
Reply-To: liberationtech <liberationtech at lists.stanford.edu>

Maxim Kammerer:
> On Tue, Jul 9, 2013 at 11:39 AM, Michael Rogers
> <michael at briarproject.org> wrote:
>> Google and Mozilla wouldn't have to run
>> competitions to find holes in their own browsers. There wouldn't be a
>> multi-million-dollar 0day black market.
> 
> You are talking about huge projects with complex design, where the
> architecture itself is a source of security issues. Not to mention
> that WebKit and Mozilla weren't engineered for security to begin with.
> 
>> It wouldn't be possible for
>> the NSA (according to Snowden) to "simply own" the computer of any
>> person of interest.
> 
> Offtopic, but I didn't see any indication in that last paragraph of
> Jacob's interview that Snowden talks about exploiting computers. In
> general, Snowden for some reason is usually terribly vague for someone
> who apparently exhibits excellent command of the English language (from my
> non-native speaker's POV).

I think he very clearly stated it:

Interviewer: What happens after the NSA targets a user?

Snowden: They're just owned. An analyst will get a daily (or scheduled
based on exfiltration summary) report on what changed on the system,
PCAPS of leftover data that wasn't understood by the automated
dissectors, and so forth. It's up to the analyst to do whatever they
want at that point -- the target's machine doesn't belong to them
anymore, it belongs to the US government.

If it isn't clear - he is saying that once a user is targeted for
surveillance - their computer systems (and networks) are compromised by
the NSA in a variety of ways. This includes memory corruption bugs,
obviously.

> 
>> Writing secure software is much, much harder than simply writing
>> comments, writing tests and coding defensively.
> 
> This is a thread about Cryptocat. Cryptocat is a web frontend for a
> couple of protocols. Yes, it is that easy.

The protocol that has the most trouble is the homebrewed multi-party
crypto. Though some of the underlying bits obviously impact the rest of it.

All the best,
Jacob

----- End forwarded message -----
-- 
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5

