[vox-tech] any OTR preferences?

Bill Broadley bill at broadley.org
Wed Nov 30 22:39:10 PST 2016


On 11/30/2016 05:33 PM, T. Mark wrote:
>   I've got a couple of Keybase.io "invites" laying around, & never got around to
> offering them at a social gathering or such, so I'll offer them here.  This
> raises the technical question I have though, which I'm sure some of the many
> sharp people on this list might have thoughts about:
>   Does anyone have a take on trustworthiness of Keybase?  

I'd rate them pretty highly, except for one small detail.  Last I checked their
default was to suck your GPG private key into keybase.  Which is pretty evil.
They support not doing that, but it's not the default.

> Also would like
> analyses of Signal (which I just heard deemed inadvisable--  damned if I can
> remember where, all the sudden, but I found this
> https://sandervenema.ch/2016/11/why-i-wont-recommend-signal-anymore
> <https://sandervenema.ch/2016/11/why-i-wont-recommend-signal-anymore/>

That's a pretty controversial post.  Heavily debated in various forums.  I
mostly disagree with it.  Additionally Moxie has come around on a few issues.

Maybe lugod should have a Crypto discussion as kind of a part #2 to the
EFF/Crypto talk.

But generally:
* Moxie is smart and very well respected
* signal is very well respected
* cryptonerds like to point fingers and lobby for their pet feature, often
ignoring why said feature damages the cause and results in approximately zero
users.  Just like PGP.
* Said cryptonerds often hem, and haw.  Bitch and complain.  Yet somehow have
nothing better to recommend.

Additionally that post wasn't particularly accurate, or at least they weren't
accurate when the read them.  He doesn't seem to really understand how signal
works, or how GCM is used.

> which
> among other things mentions that there's a non-OpenSource part to it, which gets
> in the way of what else I want to ask everyone: "HAVE YOU perused the source
> code on these??"  And I could swear I used to see Signal recommended in the

Well the beauty of E2E encryption is you don't have to trust the server.  Of
course for this to be a big complaint you'd really want to offer something
better... like?

Some people discussed this and poked around in the github repo and found C++
code that looks quite a bit like the server code (for the java based client):

https://github.com/WhisperSystems/Signal-Android/tree/master/jni/redphone

Not sure if that was added before or after the blog post.

> twitter bio-blurb of either @csoghoian (ACLU genius) or @ggreenwald  on Twitter
> -- but now they're back to mentioning only PGP.  So much for that fad I guess..
> what does appear new is wire.com -- now with in-browser functionality (but only

wire is cool, up and coming, pretty recently I heard mention of the e2e
encryption being pretty mature.  People really seem to like it, because it
doesn't need GCM.  But GCM basically only says "wakeup", it's not a message
transport.  Google does NOT know who you are talking to, or what you are saying,
or even the length of your message.

The cryptonerd complaints about GCM have been amazing... all ignoring that the
signal folks said they would accept an alternative implementation with webhooks.
Suddenly there's silence.

Additionally the power, and bandwidth needed for wire.com might well prevent you
from reaching the millions of users that you are trying to protect.

Generally people seem hopeful of tox and wire in the future.  But today it seems
like signal is much more trustworthy on the crypto front.

> the client sees my microphone in the Linux distro I'm running) ..  this is
> ballyhooed due to it being hosted in Switzerland which boasts the best privacy
> laws on-planet, they say.  What it is: the trustworthy alternative to Goo

Who needs privacy laws when nothing leaves your phone/desktop/laptop but
encrypted bits?  I'd say encryption over someone's promised privacy policy any day.

> g
> Hangouts, I'm hoping!  Conferencing audio/video (not sure about max participants
> on a call) over secure protocol.  So if anyone has auditing chops or knows of
> audits/viewpoints regarding any of these, do tell. 

Heh, video conf seems to barely work without encryption, I'd be surprised if
anything really secure worked great today.  Sure, keep it on the wish list.

> btw, I myself haven't been using Keybase much since signing up..  I was using
> its copy/paste-codeblobs-into-your-CLI option for awhile until trying its
> installable client..  the latter of which was even a bit scarier given that it

My favorite for that is termbin:
bill@home:~/imp$ echo "hello world" | tb
http://termbin.com/ewr94

bill@work:~/imp$ curl http://termbin.com/ewr94
hello world

Not for anything confidential of course.  For that I use scp/ssh, or signal.

> installed a line in .bashrc, thus firing it up on every boot-- & it's like its
> own fuse-fs which creates major load.  Did this without asking, so I commented
> out that line pretty quickly.

Yeah, keybase is well written by clued folks, but does play a bit fast and loose.

For anything serious I'd go with signal over keybase.  Keybase is mostly for
cryptonerds to play with.  Stimulate new ideas/features/services.  Not something
I'd recommend all your friends/family install, unless they are really curious.

Signal on the other hand is way way way better than most random chat programs.
