Dear LeastAuthority and Silent Circle (aka Zooko and Jon),
I too know and like you both! I too admire your work, have tremendous confidence in your abilities, and it’s been amazing to watch your efforts, both sophisticated and useful, grow over time. I want to be customers of you both when I am less broke. Personally, I enjoy talking and hanging and hiking and all manner of things with you! (Zooko I really must go back to the mountains with you one day) That was a very sweet and erudite discussion of the problems of verifiability and technical trust and Open Source and Descartes and Godel. Seriously, I could totally have that talk with both of you while sipping nice port out of little crystal glasses.
But no one is going to attack the customers of either Silent Circle or Tahoe-LAFS by compelling you to deliver a malicious update. If they want to do it the hard way, they’re going to use an iTunes update or a Skype update or just attach a filed called interesting-shit.jpg.exe to a forged email to your customers. If they want to or can attack your customers the easy way, your customers will end up under fluorescent lighting in an airless room surround by buzzcuts with toothy rictus smiles. Your customers will have the distinct sense that while they’d like to see your customer’s computer/phone or else, they’re cool with or else for a while if your customers want to play that way.
The first way is of course stealthier, which is the real reason they go after hosted services, because that’s a stealthy way of monitoring communications, and gets you a historical record. (Which is also why I’m all like “No encrypted email! Encrypted email baaaad!” all the time.)
But if they’re going to own the endpoint, there’s no point in interfering with your two companies who are loud and skittish and likely to pull a “Ladar”.
They could own the end point any number of ways with off-the-shelf shit, and go home early for the weekend. If they really want to do bulk collection they’ll just send a malicious update of Angry Birds.
Seriously, attacking a target through your apps would be stupid and likely to get out. So they’re not going to. They’re going to use the vast number of easy weaponized apps built on top of the thriving 0day market to scoop not only every bit your targeted customers send you, but everyone else too. And it’s great! They won’t ever get caught for this. I don’t even have to provide links and evidence for what I’m saying because we all, everyone who works vaguely in this field, already know this.* But this is not just your customer’s problem, it’s your problem, too.
This all brings me to my point in my normally circuitous way. And Jon, you made this point in part, but for me, not nearly hard enough. These debates on crypto and code verification are actively beginning to annoy me, because malware/phishing is fucking terrible and the real fucking problem and everyone is ignoring it. I don’t mean you in particular are annoying me, but in general this tendency is. I worry watching two people as respected as you do this continues to distract people from our terrible problem. It’s like watching a couple gentlemen have a lengthy and erudite discussion on the merits of the front door’s lock while the back of the building is actually on fire.
I really do appreciate discussions of verifiability on an intellectual level. If I wasn’t also that kind of dork I would never have made it through the majority of my life hanging out with you people. I can sit around with friends trying to figure out when the halting problem comes into play in game situations. I teach writing with Shannon’s information theory in mind. I understand the dopamine rush of a *solution*. But we don’t have that luxury anymore, because everything and everyone is getting owned like crazy.
The answers to the malware problem are probably not verification. They are probably many answers, messy answers, and not always provable or even always effective. I think that’s why we don’t like them, because they aren’t elegant. And because we like to imagine malware can’t happen to us. It happens to people who don’t know better and live far away, but are also much more likely than us to do the kind of work that gets targeted by hostile actors.
I don’t mean to over-focus on you, because you guys aren’t close to the worst on this. We need to fix the industry’s incredibly broken threat model, because malware is everyone’s problem. You’re trying to protect your users’ data, period. Not just when it’s in your little mathematical garden, but before it gets there an after it leaves, because otherwise your mathematical garden is irrelevant to the real world. This problem is, for our kind, much harder than proving Godel wrong, because it’s tractable but huge and it’s messy and it will never, ever, ever feel right.
If we don’t start focusing some of our attention on malware, crypto is going to be irrelevant in yet another way.
Regards,
Quinn
* People who are not the people this is addressed to who would never make this mistake anyway, don’t even talk to me about AV. I mean, don’t even.
the worst thing is, the malware problem is going to get solved, for the 99% of people, in the next couple of years, and it will be through walled gardens of iOS/Android/Windows (Phone/Metro) app stores.
i say “the worst thing”, because it’s exactly that kind of centralization of authority/security that will enable governments to do exactly the things both you and them are most worried about.
so there, that’s in our future, and i’m pretty sure it’s almost inevitable.. so maybe some outside-the-box thinking is warranted..
Edit from Quinn: I agree with you, kind of, except for the part about anything getting solved. Walled gardens aren’t about security, they’re about UI. They provide no real security, but UI always wins. But that’s a rant for a different blog post.
ok, you are right, i should have put “solved” in quotes: “solved”.
but you are wrong about walled gardens providing no security. they do, to a large extent — because it effectively already is “solved” for most of the users of those platforms. white-listing and API restrictions solve most social engineering problems for 99% of users, 99% of the time (the “interesting-shit.jpg.exe” problem).
even the somewhat-lax security model of Android works to prevent malware from spreading. even after almost weekly warnings about android “security bug this” and “malware vulnerability that” for the last 4 years, we have yet to see a serious epidemic that would do some serious damage to a serious percentage of users (even 1% that last year’s OSX botnet got would be “serious”).
and the only commercial “open” platforms left: (desktop) Windows and OS X, are going to be phased out/discontinued in the next few years.
so yeah, almost “solved”..
Edit from Quinn: I’m going to disagree again, it just switches the vector of attack over time. Baseband security being what it is, and even the sim stuff that was demoed on Blackhat and OHM show the attack surface is a lot broader than app-based restrictions really address. If apps stop working, attacks just move around. Walled gardens on desktops are doomed to fail as long as people demand their word processors be turing complete.