• vacuumflower@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    37
    ·
    23 days ago

    I don’t think you understand anything you wrote about. Signal is open source,

    I don’t think you should comment on security if “open source” means anything to you in that regard. For finding backdoors binary disassembly is almost as easy or hard as looking in that “open source”. It’s very different for bugs introduced unintentionally, of course.

    Also why the hell are you even saying this, have you looked at that source for long enough? If not, then what good it is for you? Magic?

    I suppose you are an illustration to the joke about Raymond’s “enough eyeballs” quote, the joke is that people talking about “enough eyeballs” are not using their eyeballs for finding bugs\backdoors, they are using them and their hands for typing the “enough eyeballs” bullshit.

    “Given enough good people with guns, all streets in a town are safe”. That’s how this reads for a sane person who has at least tried to question that idiotic narrative about “open source” being the magic pill.

    Stallman’s ideology was completely different, sort of digital anarchism, and it has some good parts. But the “open source” thing - nah.

    is publicly audited by security researchers,

    Exactly, and it’s not audited by you, because you for the life of you won’t understand WTF happens there.

    Yes, it’s being audited by some security researchers out there, mostly American. If you don’t see the problem you are blind.

    and publishes its protocol, which has multiple implementations in other applications.

    No, there are no multiple implementations of the same Signal thing. There are implementations of some mechanisms from Signal. Also have you considered that this is all fucking circus and having a steel gate in a flimsy wooden fence? Or fashion, if that’s easier to swallow.

    Can you confidently describe what zero-knowledge means there, how is it achieved, why any specific part in the articles they’ve published matters? If you can’t, what’s the purpose of it being published, it’s like a schoolboy saying “but Linux is open, I can read the code and change it for my needs”, yeah lol.

    Security researchers generally agree that backdoors introduce vulnerabilities that render security protocols unsound.

    Do security researches have to say anything on DARPA that funds many of them? That being an American military agency.

    And on how that affects what they say and what they don’t say, what they highlight and what they pretend not to notice.

    In particular, with a swarm of drones in the sky at some point, do you need to read someone’s messages, or is it enough to know that said someone connected to Signal servers 3 minutes ago from a very specific location and send one of those drones. Hypothetically.

    Other than create opportunities for cybercriminals to exploit, they only serve to amplify the powers of the surveillance state to invade the privacy of individuals.

    Oh, the surveillance state will be fine in any case!

    And cybercriminals we should all praise for showing us what the surveillance state would want to have hidden, to create the false notion of security and privacy. When cybercriminals didn’t yet lose the war to said surveillance state, every computer user knew not to store things too personal in digital form on a thing connected to the Internet. Now they expose everything, because they think if cybercriminals can no longer abuse them, neither can the surveillance state.

    Do you use Facebook, with TLS till its services and nothing at all beyond that? Or Google - the same?

    Now Signal gives you a feeling that at least what you say is hidden from the service. But can you verify that, maybe there’s a scientific work classified yet, possibly independently made in a few countries. This is a common thing with cryptography, scientific works on that are often state secret.

    You are also using AES with NSA-provided s-boxes all the time.

    I suggest you do some playing with cryptography in practice. Too few people do, while it’s very interesting and enlightening.

    • lmmarsano@lemmynsfw.com
      link
      fedilink
      English
      arrow-up
      10
      ·
      edit-2
      23 days ago

      I don’t think you should comment on security if “open source” means anything to you

      Anyone can look at the source, brah, and security auditors do.

      For finding backdoors binary disassembly is almost as easy or hard as looking in that “open source”.

      Are you in the dark ages? Beyond code review, there are all kinds of automations to catch vulnerabilities early in the development process, and static code analysis is one of the most powerful.

      Analysts review the design & code, subject it to various security analyzers including those that inspect source code, analyze dependencies, check data flow, test dynamically at runtime.

      There are implementations of some mechanisms from Signal.

      Right, the protocol.

      Can you confidently describe

      Stop right there: I don’t need to. It’s wide open for review by anyone in the public including independent security analysts who’ve reviewed the system & published their findings. That suffices.

      Do security researches have to say anything on DARPA that funds many of them?

      They don’t. Again, anyone in the public including free agents can & do participate. The scholarly materials & training on this aren’t exactly secret.

      Information security analysts aren’t exceptional people and analyzing that sort of system would be fairly unexceptional to them.

      Oh, the surveillance state will be fine in any case!

      Even with state-level resources, it’s pretty well understood some mathematical problems underpinning cryptography are computationally beyond the reach of current hardware to solve in any reasonable amount of time. That cryptography is straightforward to implement by any competent programmer.

      Legally obligating backdoors only limits true information security to criminals while compromising the security of everyone else.

      I do agree, though: the surveillance state has so many resources to surveil that it doesn’t need another one.

      • vacuumflower@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        11
        ·
        23 days ago

        In short - something “everyone being able to look upon” is not an argument. The real world analogies are landmines and drug dealers and snake oil.

        Even with state-level resources, it’s pretty well understood some mathematical problems underpinning cryptography are computationally beyond the reach of current hardware to solve in any reasonable amount of time.

        You are not speaking from your own experience, because which problems are solved and which are not is not solely determined by hardware you have to do it by brute force. Obviously.

        And nation states can and do pay researchers whose work is classified. And agencies like NSA do not, for example, provide reasoning for their recommended s-boxes formation process. For example.

        Solving problems is sometimes done analytically, you know. Mostly that’s what’s called solving problems. If that yields some power benefits, that can be classified, you know. And kept as a state secret.

        Are you in the dark ages? Beyond code review, there are all kinds of automations to catch vulnerabilities early in the development process, and static code analysis is one of the most powerful.

        People putting those in are also not in the dark ages.

        Stop right there: I don’t need to. It’s wide open for review by anyone in the public including independent security analysts who’ve reviewed the system & published their findings. That suffices.

        There are things which were wide open for review by anyone for thousands of years, yet we’ve gotten ICEs less than two centuries ago, and electricity, and so on. And in case of computers, you can make very sophisticated riddles.

        So no, that doesn’t suffice.

        They don’t.

        Oh, denial.

        Again, anyone in the public including free agents can & do participate. The scholarly materials & training on this aren’t exactly secret.

        There have been plenty of backdoors found in the open in big open source projects. I don’t see how this is different. I don’t see why you have to argue, is it some religion?

        Have you been that free agent? Have you participated? How do you think, how many people check things they use? How often and how deeply?

        Information security analysts aren’t exceptional people and analyzing that sort of system would be fairly unexceptional to them.

        Yes, but you seem to be claiming they have eagle eyes and owl wisdom to see and understand everything. As if all of mathematics were already invented.

        Legally obligating backdoors only limits true information security to criminals while compromising the security of everyone else.

        It’s not about obligating someone. It’s about people not working for free, and those people working on free (for you) stuff might have put in backdoors which it’s very hard to find. Backdoors usually don’t have the “backdoor” writing on them.

        I do agree, though: the surveillance state has so many resources to surveil that it doesn’t need another one.

        Perhaps the reason they have so many resources is that they don’t miss opportunities, and they don’t miss opportunities because they have the resources.

    • 0x0@lemmy.zip
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      2
      ·
      23 days ago

      You sound paranoid but it doesn’t mean you aren’t right, at least to some extent.
      So what’s your solution for secure messaging?

      • vacuumflower@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        5
        ·
        23 days ago

        Getting rid of monoculture via transports and cryptography being pluggable (meaning that the resulting system would be fit for sneakernet as well as for some kind of federated relays as well as something Kademlia-based, the point is that the common standard would describe the data structure, not transports and verification and protection).