[liberationtech] dark mail alliance
adrelanos
adrelanos at riseup.net
Fri Nov 8 13:52:53 PST 2013
phreedom at yandex.ru:
> On Monday, November 04, 2013 01:17:49 PM Jonathan Wilkes wrote:
>> On 11/04/2013 05:28 AM, phreedom at yandex.ru wrote:
>>> On Sunday, November 03, 2013 04:06:11 PM Bill Woodcock wrote:
>>>>> On Nov 3, 2013, at 3:30, "phreedom at yandex.ru" <phreedom at yandex.ru>
>>>>> wrote:
>>>>>
>>>>> I don't see how "pasting over" a QR code in a way that's not easily
>>>>> detectable is somehow harder than pasting over a domain/email, or
>>>>> printing a real-looking fake ad and pasting it over the real one.
>>>>
>>>> A QR code is already isolated in an opaque white square. It's single
>>>> color, and moreover, that color is black. And it's smaller than a
>>>> billboard.
>>>>
>>>> By contrast, a textual URL or email address will be in a specific typeface,
>>>> probably matched to the rest of the billboard. It's also likely
>>>> size-matched to other text. Most importantly, it's likely printed right
>>>> over a patterned and colored background.
>>>>
>>>> While you're correct that you can address, to some degree, all of those
>>>> issues by wheatpasting over the entire billboard, provided you're at least
>>>> as competent a visual designer as the person who executed the original ad,
>>>> which is easier to print and transport? A full-color billboard, or a
>>>> black-on-white sheet of tabloid-sized paper?
>>>>
>>>> To put this all in more practical terms, since these issues were not
>>>> apparent to you, you're a less-skilled visual designer than anyone who
>>>> would be paid to produce an advertisement. Therefore, you would not be
>>>> capable of covertly coopting their advertisement. Yet you'd still be
>>>> perfectly capable of successfully pasting over their QR code without anyone
>>>> being the wiser.
>>>
>>> I can't talk about others, but I'd be quite suspicious if I saw a second
>>> layer of paper exactly where the qr code is located. If such attacks
>>> gained momentum, I guess people would be more careful.
>>
>> Now you are climbing up on a billboard and inspecting the QR code
>> personally as a way to prove human readable addresses are a solution
>> looking for a problem?
>
> Can you name a specific attack which actually happened, and which involved
> altering an ad url in any way or posting a fake physical ad? Are we talking
> about something that actually exists? It's not like an ad by Microsoft can't
> point to a legitimate-looking domain name which isn't microsoft.com, e.g.
> getthefacts.com
>
>> You already mentioned the idea of domain names that aren't "as
>> widely-known" as others. "Widely-known" is a feature-- that feature
>> doesn't exist with QR codes so you clearly understand the issue. I'm not
>> saying that issue cannot be solved, nor that the current domain name
>> system is immune to exploits. But if you don't understand the benefits
>> of human readable addresses you're likely to end up with a less secure
>> system to replace it.
>
> I understand also that:
> * these benefits exist for maybe top 100 domains
> * it's usual for well-known entities to use campaign-specific domain names
> * even if you know the entity name to be $NAME, the domain can still be
> $NAME.com, $NAME.org, $NAME-project.org, get$NAME.com etc
>
> The "security" of physical ads is pretty much about the cost/benefit, and
> that's why we don't see such attacks in the first place.
>
>> (Especially when the smartphones people must use
>> to read the QR code in the first place are almost all locked down and
>> not under the user's own control.)
>
> There are gateways like tor2web.org and onion.to, and these can be encoded
> into the QR code for compatibility purposes since there's 1:1 mapping between
> darknet and gateway urls.
>
> For all practical purposes, the DNS replacement is already available in the
> form of tor hidden services, tested and known to be quite reliable.
>
> The status-quo is:
> 1) you pay money to get a DNS record which:
> a) can be revoked at will by a number of entities
> b) requires you to identify yourself, unless you're willing to play spy
> games (and no one knows for how much longer the loopholes will exist, see (a))
> c) requires you to be able to pay, which may exclude "children" who can't
> get the bank account/card, residents of sanctioned countries.
>
> 2) you get a ssl cert, with MITM-by-advanced-adversary as an inherent
> "security feature". This also may come with random and potentially ridiculous
> hoops to jump thru, the list is subject to change
>
> 3) wait for hours/days for payments to complete and records to propagate.
>
> Tor hidden service:
> 1) add 2 lines to torrc, or use vidalia to do the same
> 2) grab the service address from tor's dir
> 3) the service goes online in 5-10 minutes, with encryption and
> authentication always on.
>
> HTTP gateway is available for legacy platforms.
>
> Bookmarking and address book features are widely available thus making the
> appearance of the url itself not that important.
>
> Both client and service can opt to drop their half of the circuit, which turns
> it into a more or less direct tcp connection, with nat traversal capabilities.
> Yes there are caveats, yes tor devs are spending their effort on making tor
> hide users, rather than optimizing "we don't want no anonymity" use cases, but
> the foundation is solid.
>
> The only known issue that bothers me is that tor doesn't let you keep the root
> keys for the service offline. A 2-level setup would be really nice, tor devs.
> pretty please?
>
>
> For all I care, the solution has been available for several years.

I strongly agree with you. Tor hidden services are awesome. Their
concept is great. The implementation needs some love [1], but there
aren't any conceptual issues. Just no one is working on it.

- no need to trust a registrar
- can't be taken away without physically owning the server
- free registration
- free end-to-end encryption without relying on the CA cartel

Just too awesome.

> It works well, but I'm afraid that getting it adopted would require the
> current gatekeepers to step up abuses by a couple orders of magnitude.

I am afraid you're probably right. Unless you can manage to advocate
those advantages?

Do you think the FreedomBOX developers know about your "use
non-anonymous Tor hidden services for DNS" idea?

> The only known issue that bothers me is that tor doesn't let you keep the root
> keys for the service offline. A 2-level setup would be really nice, tor devs.
> pretty please?

Not sure, but perhaps there was a feature request for this. Probably
conceptually possible as well. Just no one working on it.

[1] https://blog.torproject.org/blog/hidden-services-need-some-love
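
The 1:1 mapping between .onion and gateway URLs mentioned in the quoted message, sketched here as an added example that is not part of the original post. It assumes the `<label>.<gateway>` host layout served over HTTPS and uses a constructed address; the reverse direction rejects lookalike hosts that merely contain a gateway name.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Gateways named in the post. The "<label>.<gateway>" layout and the use of
# HTTPS on the gateway side are assumptions of this example.
GATEWAYS = ("tor2web.org", "onion.to")

# 16 base32 characters was the hidden-service address format in 2013;
# 56 characters is the later v3 format, accepted so the check stays usable.
ONION_LABEL = re.compile(r"[a-z2-7]{16}|[a-z2-7]{56}")


def to_gateway(onion_url, gateway="tor2web.org"):
    """Map http://<label>.onion/... to https://<label>.<gateway>/..."""
    if gateway not in GATEWAYS:
        raise ValueError("unknown gateway: %r" % gateway)
    parts = urlsplit(onion_url)
    host = (parts.hostname or "").lower()
    label, _, tld = host.rpartition(".")
    if tld != "onion" or not ONION_LABEL.fullmatch(label):
        raise ValueError("not a bare .onion address: %r" % host)
    return urlunsplit(("https", "%s.%s" % (label, gateway),
                       parts.path, parts.query, parts.fragment))


def from_gateway(gateway_url):
    """Recover the .onion URL, accepting only exact gateway suffixes."""
    parts = urlsplit(gateway_url)
    host = (parts.hostname or "").lower()
    for gw in GATEWAYS:
        suffix = "." + gw
        if host.endswith(suffix):
            label = host[:-len(suffix)]
            if ONION_LABEL.fullmatch(label):
                return urlunsplit(("http", label + ".onion",
                                   parts.path, parts.query, parts.fragment))
    raise ValueError("not a recognised gateway URL: %r" % host)


if __name__ == "__main__":
    # Constructed sample address, not a real service.
    url = "http://abcdefghij234567.onion/inbox?x=1"
    for gw in GATEWAYS:
        mapped = to_gateway(url, gw)
        print(mapped, "->", from_gateway(mapped))
```
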