[liberationtech] Encrypted Pastebins: Attack Vectors against ezcrypt.it and 0bin.net

carlo von lynX lynX at time.to.get.psyced.org
Sat Jan 18 17:51:18 PST 2014


On Sat, Jan 18, 2014 at 01:52:07AM +0700, Uncle Zzzen wrote:
> In that case, we shouldn't trust anything unless it's [hopefully]
> hostile-player-proof P2P, then we're back to "confiscate the hard drive"
> times.

There's one acceptable compromise left.. the one that the Tor
architecture employs... dumb relays that do useful work and
have no idea either what they are doing or who they are doing it for.

> Or would they pwn all desktops as well? (I assume all phones are pwned by
> definition :) ).

My impression from 30c3 etc is that personal computers still aren't
as easily mass p0wnable as (virtual) servers and routers. Firewalls
may actually work sometimes. Operating systems may actually not be
broken sometimes. Hardware backdoors may exist but not be used in
a massive way as it would compromise their effectivity.

I presume Mr Schneier is right saying that if the nation state actor
is after *your* device, then the likelihood is high it will find its
way in (especially if you use a collaborating operating system). This 
threat model only worries me if it could be applied against entire
nations in a warfare situation, which it might.

> > it is reasonable to argue that the web browser is such a complex
> > monster it is impossible to secure. i presumed that to be obvious
> > but maybe it should be mentioned for completeness.
> 
> IMHO the answer is projects like https://www.syndie.de/ that deliberately
> have a "lame html browser" as the gui, and all crypto is done outside the
> DOM.

Yes, RetroShare has HTML-compatible rich text everywhere, but no actual
web browser. We were considering something similar for secushare, too.
It's a pattern. Recover the spirit of the web and throw away the
cancerogenous parts.

> I know Syndie is not a realtime app (and chats/etc. would need some more
> functionality), but maybe it's a good idea to build "app-specific secure
> browsers" (that can't browse http[s]: urns directly) from the bottom up,
> hopefully with a saner language than javascript to control them.
> 
> Are there any "browsers" like this out there?

Yes, ever since the mid 90s.. but you probably never heard of them or
of the fact they support this feature.  ;-)


-- 
	    http://youbroketheinternet.org
 ircs://psyced.org/youbroketheinternet


