One Article Review

Source Errata Security
Identifier 378377
Publication date 2017-06-25 23:23:44 (seen: 2017-06-25 23:23:44)
Title A kindly lesson for you non-techies about encryption
Text The following tweets need to be debunked:

The answer to John Schindler's question is:

every expert in cryptography doesn't know this

Oh, sure, you can find a fringe wacko who also knows crypto that agrees with you, but all the sane members of the security community will not.

Telegram is not trustworthy because it's partially closed-source. We can't see how it works. We don't know if they've made accidental mistakes that can be hacked. We don't know if they've been bribed by the NSA or Russia to put backdoors in their program. In contrast, PGP and Signal are open-source. We can read exactly what the software does. Indeed, thousands of people have been reviewing their software looking for mistakes and backdoors. Being open-source doesn't automatically make software better, but it does make hiding secret backdoors much harder.

Telegram is not trustworthy because we aren't certain the crypto is done properly. Signal, and especially PGP, are done properly.

The thing about encryption is that when done properly, it works. Neither the NSA nor the Russians can break properly encrypted content. There's no such thing as "military grade" encryption that is better than consumer grade. There's only encryption that nobody can hack vs. encryption that your neighbor's teenage kid can easily hack. Those scenes in TV/movies about breaking encryption are as realistic as sound in space: good for dramatic presentation, but not how things work in the real world.

In particular, end-to-end encryption works. Sure, in the past, such apps only encrypted as far as the server, so whoever ran the server could read your messages. Modern chat apps, though, are end-to-end: the servers have absolutely no ability to decrypt what's on them, unless they can get the decryption keys from the phones. But some tasks, like encrypted messages to a group of people, can be hard to do properly.

Thus, in contrast to what John Schindler says, while we techies have doubts about Telegram, we don't have doubts about Russian authorities having access to Signal and PGP messages.

Snowden hatred has become the anti-vax of crypto. Sure, there's no particular reason to trust Snowden -- people should really stop treating him as some sort of privacy-Jesus. But there's no particular reason to distrust him, either. His bland statements on crypto are indistinguishable from any other crypto-enthusiast statements. If he's a Russian pawn, then so too is the bulk of the crypto community.

With all this said, using Signal doesn't make you perfectly safe. The person you are chatting with could be a secret agent -- especially in group chat. There could be cameras/microphones in the room where you are using the app. The Russians can also hack into your phone, and likewise eavesdrop on everything you do with the phone, regardless of which app you use. And they probably have hacked specific people's phones. On the other hand, if the NSA or Russians were widely hacking phones, we'd detect that this was happening. We haven't.

Signal is therefore not a guarantee of safety, because nothing is, and if your life depends on it, you can't trust any simple advice like "use Signal". But, for the bulk of us, it's pretty damn secure, and I trust neither the Russians nor the NSA are reading my Signal or PGP messages.

At first blush, this @20committ
Sent Yes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.