[vox-tech] any OTR preferences?

Bill Broadley bill at broadley.org
Mon Dec 5 23:24:15 PST 2016


On 12/05/2016 04:05 PM, T. Mark wrote:
> I continue to procrastinate in finding these posts by "Moxie" et al.. just
> haven't much spare time.  Hopefully that can change.

Moxie seems reasonable, generates plenty of attacks from the cryptonerds, which
generally haven't managed to improve security on 1% as many clients as Moxie has.

The basic problem is really good security is so painful to use that 0.01% of the
world will use it daily.  Like say PGP.  Signal seems to be focusing more on the
99.99% and protecting users from dragnet style bulk surveillance.

If the NSA is willing to intercept hardware before you get it, exploit it after
you get it, and customize attacks specifically against you signal isn't going to
save you.  However if you are just a civilian trying to avoid ransomware,
sniffing, monitoring, and whatever privacy invading technologies signal is a
great start.

> Sorry for presuming Hangouts.  I don't have service hooked up to my Androids-- 
> no desire to enrich rip-off Wireless Companies nor be triangulated by dirtboxes
> nor really a pressing need to be online or in-contact all the time.  I suppose I
> could run Android on my laptop & goof around with apps when online, but haven't
> got 'round to it.

Increasing chromeboxes (cheap laptops running ChromeOS) can run android as well,
and don't require a sim or a GPS.

> For sure--  I balk whenever someone directs me to The Play Store to get an
> app..  never felt comfortable Registering My Device with them which is required
> to gain access.  F-Droid is nice, but not adopted widely enough as yet.  I

F-droid seems embarrassingly insecure.  Binaries aren't reproducible (you can't
be sure what you get is what was intended) *AND* they aren't signed with the
developer keys.  So 100% of the trust is with the f-droid folks, which of course
makes them a particularly juicy target.  Which is why Moxie doesn't want to A)
publish in f-droid or B) let others publish clients using their servers.

Imagine if someone said to you "Hey, upload your email to me, skip you PGP key,
just use mine.  Trust me... we do it well".  Hopefully you would laugh in their
face.

Googles play store on the other hand uses the developers key.  So you can be
sure that whatever you run is bit identical to what the developer published.
That's how keys are supposed to work.  So whisper systems can be very sure that
what people get is what they publish.

Sure, a google unencumbered store would be awesome.  But f-droid's security is
embarrassing.  Again Moxie went with the pragmatically more secure solution over
the philosophically more appealing one.

> eventually found  org.aclu.mobile.justice.ca* on one of the 3rd party sites that
> hosts .apk's, though, so now I guess I can livestream questionable incidents if

Random APK downloads or sideloads is another horrible practice that Moxie
doesn't want to get involved with.  Complex, error prone, insecure, and not end
user friendly.  Finding a random APK and a random post about how to install it
doesn't lead to good security practices by random users.  Last thing you should
be trying to train random users on is DNS (and DNSEC), http/https (when to trust
it and when to not), chain of trust, crypto checksums, etc.  Anything more than
download and install only software from https://play.google.com is likely to
significantly lessen your target audience.

> I happen to be in a free hotspot.  (Maybe someone going to the EFF event can ask
> if they can ask ACLU to get hip to F-Droid?  But I wont get my hopes up-- just
> saw where ACLU did a live q&a on F*book Video.. (don't get me started!))

I recommend building from source or using https://play.google.com. Trusting
random 3rd parties to make and distribute APKs is just as bad as installing some
random screensaver.exe you found on the web and running it as root on a windows box.



More information about the vox-tech mailing list