[liberationtech] What I've learned while preparing a mobile security curriculum
ali g
ali at tacticaltech.org
Thu Aug 16 05:03:01 PDT 2012
Hi Brian,
Your post is thought-provoking, and your assertions about TrueCrypt and
TextSecure also bring up some issues beyond the (succinctly articulated)
facts to which you alluded (a brief example of which is Moxie's
response about TextSecure, from the developer's perspective).
I am including some observations from the 'intermediary' perspective of
those of us who are providing the trainings on a daily basis, and are
'curating' the resources in a digestible form for our audience, namely
HRDs, bloggers, journalists in peril, etc.
Take the issue you raised with TrueCrypt (to which there is no argument
about its validity or seriousness from me).
We have a 'baby/bathwater' issue, meaning that we are constantly faced
with the prospect of capacity-building and motivating adoption of these
tools, WITHOUT alienating the people we are training. As important as
your assertion about 'journaling file systems' and TrueCrypt is,
getting into this level of detail, depending on the context and the
persons being trained (but unfortunately more often than not), will risk
it never being used at all.
(note: disabusing about calling anyone 'baby' in use of this metaphor)
What rings true of what you say is the imperative that those who do
train and/or are providing these resources are constantly updating
themselves about the issues being discovered, and making appropriate
decisions regarding when and to whom this knowledge can be transferred
(for instance, in a training for an organization whose support person
with IT experience is present and can readily absorb the difference
between FAT32 and NTFS).
As an aside, SIAB will add to the Truecrypt section a mitigation from
elsewhere in the toolkit, namely 'wiping' of free space in case of a
volume-password change [bracing for a firestorm or maybe flowerpetal
storm of responses on this...]
Also to point out that maintaining manuals like Security in a Box (you
referred to it as the 'Frontline Defenders manual') is a task that is impossible
without inputs such as your post, discussions here, and the welcome
notes/critiques of many contributors from this list. Nevertheless, we
still have to do the balancing act of how much technical information to
convey while retaining the attention of a non-technical person, who are
the ones to dismiss or adopt a measure for their own security, and this
decision often hinges on keeping their interest in intricacies they
don't groove on as much as devs and techies do.
-ali
Program Director - Privacy and Expression
Tacticaltech
securityinabox.org
On 08/14/2012 12:16 AM, Moxie Marlinspike wrote:
>
>
> On 08/13/2012 09:18 AM, Brian Conley wrote:
>> I'd love your thoughts, you may also be interested in some of the issues
>> I've noted with TextSecure and Truecrypt, and how they may provide
>> lessons to all of us involved in developing better tools and training
>> for activists, journalists, etc.
>
> Hey Brian, at this point this is simply a bug we've been unable to
> reproduce. I don't know that it fits into the thesis that we've traded
> security for usability here, since it should be fixable (if we can
> confirm it) without altering the usability profile of the app at all.
>
> And I also don't know that it qualifies as "serious," since it only
> manifests itself when the screen is locked (mission accomplished).
>
> - moxie
>