[liberationtech] dark mail alliance

Mon Nov 4 10:17:49 PST 2013

On 11/04/2013 05:28 AM, phreedom at yandex.ru wrote:
> On Sunday, November 03, 2013 04:06:11 PM Bill Woodcock wrote:
>>> On Nov 3, 2013, at 3:30, "phreedom at yandex.ru" <phreedom at yandex.ru> wrote:
>>>
>>> I don't see how "pasting over" a QR code in a way that's not easily
>>> detectable is somehow harder than pasting over a domain/email, or
>>> printing a real-looking fake ad and pasting it over the real one.
>> A QR code is already isolated in an opaque white square.  It's single color,
>> and moreover, that color is black. And it's smaller than a billboard.
>>
>> By contrast, a textual URL or email address will be in a specific typeface,
>> probably matched to the rest of the billboard. It's also likely
>> size-matched to other text. Most importantly, it's likely printed right
>> over a patterned and colored background.
>>
>> While you're correct that you can address, to some degree, all of those
>> issues by wheatpasting over the entire billboard, provided you're at least
>> as competent a visual designer as the person who executed the original ad,
>> which is easier to print and transport? A full-color billboard, or a
>> black-on-white sheet of tabloid-sized paper?
>>
>> To put this all in more practical terms, since these issues were not
>> apparent to you, you're a less-skilled visual designer than anyone who
>> would be paid to produce an advertisement. Therefore, you would not be
>> capable of covertly coopting their advertisement. Yet you'd still be
>> perfectly capable of successfully pasting over their QR code without anyone
>> being the wiser.
> I can't talk about others, but I'd be quite suspicious if I saw a second layer
> of paper exactly where the qr code is located. If such attacks gained
> momentum, I guess people would be more careful.

Now you are climbing up on a billboard and inspecting the QR code 
personally as a way to prove human readable addresses are a solution 
looking for a problem?

You already mentioned the idea of domain names that aren't "as 
widely-known" as others.  "Widely-known" is a feature-- that feature 
doesn't exist with QR codes so you clearly understand the issue. I'm not 
saying that issue cannot be solved, nor that the current domain name 
system is immune to exploits.  But if you don't understand the benefits 
of human readable addresses you're likely to end up with a less secure 
system to replace it.  (Especially when the smartphones people must use 
to read the QR code in the first place are almost all locked down and 
not under the user's own control.)

As far as Namecoin being a buggy DHT... there's a rather large bounty if 
Maxim wants to shows us a critical bug in the Bitcoin network.  But I 
agree the cost of buying addresses is an issue. It's an issue with the 
current system, too, but if everyone's going to expend all this 
electricity hashing blocks then it should really be a more substantial 
improvement than it seems to be.  (Not to mention name squatting issues.)

-Jonathan

>
> Most of ads tend to be quite simplistic and lacking any of unintentional anti-
> tampering features you mention, yet it doesn't look like hijacking attacks
> happen on a massive scale.
>
> Besides this, I highly doubt that being friendly to ads is somehow the most
> important feature, or at least nearly as important than having a permanent ID
> that can't be hijacked because the service terms changed or some bureaucrat
> signed a paper.
>
> I'm saying this as someone who makes it a point to ignore spam and
> "untargetted ads", so maybe I miss something useful...
>