[Freedombox-discuss] Identity management

Mike Rosing eresrch at eskimo.com
Thu Feb 23 19:47:15 UTC 2012


On Thu, 23 Feb 2012, Daniel Kahn Gillmor wrote:

> Perhaps we're talking about different things.  If your confidentiality
> and your identity are protected by a low-entropy secret, then a computer
> that can afford to burn a bunch of cycles can simply brute-force search
> all possible secrets until it stumbles across the one you use.
>
> You do need high-entropy secrets if you want to protect users from brute
> force attacks.
>
> And unfortunately, humans are terrible at precisely remembering
> high-entropy secrets.

Agreed.  The problem I see is that to get to the high entropy data the
low entropy human has to enter something to unlock it.  If the data is
on a disk, brute force attack can find it.  If the data is ephemeral,
brute force attack can replicate it.

> i'm not sure why you call this a "crypto keyboard" -- i would look at it
> more as a laptop, smartphone, or other device that is fully under the
> control of the user.  This is the TPC concept in a nutshell.

If the laptop spits out data in the clear, it can be monitored. 
Demonstrations of RF pickup from reasonable distances have been done for
many years. Just because the terminal is "clean" doesn't help if the 
person using it is a high value target.  This is a threat level model
problem - each level of threat requires defense.  I'd think I want to 
carry the freedombox with me wherever I go to ensure it's clean, and that 
everything that comes out of it is secured.

> i'm not sure your last sentence follows from the one before it.  Humans
> can be engaged by processes that take longer than 3 seconds.  look at
> the amount of time wasted every day on social networking!

Yes, people are entertained by things which don't require thinking.  If 
they have to think longer than 3 seconds about security, they won't be
secure.  I don't see any inconsistency with human behavior there.

> When talking about these things, it's worth distinguishing between
> anonymous and pseudonymous communications.
>
> There are a few normal situations where fully-anonymous communications
> are warranted (e.g. leaks, or other situations where the material being
> presented can speak for itself).  In most communications between humans,
> however, you would like to be able to know who you're talking to, at
> least to the level of "this is the same person i argued with about the
> merits of horseradish on sandwiches back in August".
>
> This is particularly true if you care about being able to have
> confidential communications; without knowing who the other endpoint of
> the communications is, how can you say that your communications are
> confidential?

You can't.  You can't know if the person you met at a signing party is
a spy until after bad things happen.  You can't know if the person you
communicated with is alone every time you link to them.  Until we have
Neuromancer level inter-brain coms I don't think we'll be able to ensure
confidentiality.

> This is another situation where having a TPC (or any other "cognitive
> prosthetic" like the freedombox) comes in handy -- the trusted device
> can help you to correlate communications between different peers,  and
> maybe even keep track yourself of the relationships between those peers.

If I program my freedombox, I can trust it.  If I hand a freedombox to 
someone, they have to trust me.  Ensuring we can create trusted devices is 
non-trivial, especially since "trust" is a complicated human quality.

> If we can help freedombox users to reach those ideals, yes, i think that
> would be a good thing.  "Security" itself is too vague of a word,
> though, and i don't think it communicates anything particularly useful
> or human-meaningful on its own.  I'd prefer it if we (and the freedombox
> UI) could refer explicitly to the relevant underlying concepts
> (confidentiality, authenticity, anonymity, etc) instead of just "security".

Yes, and in addition the user needs to know the threat level they can 
defend against, and more importantly the threat level they can _not_ 
defend.  A person leaking state secrets in Syria is different than a
whistle blower at a factory in the USA.  One is just a lot harder than the
other.

Patience, persistence, truth,
Dr. mike
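
Added example, not part of the original message: a sketch of the point debated above, that a high-entropy key stored on disk is only as strong as the low-entropy secret that unlocks it. All function names, the PIN, and the tiny iteration count are constructed for illustration; the XOR wrap is a simplification that is safe for one key per salt only.

```python
import hashlib, hmac, math, os

def _derive(secret, salt, iterations):
    # 64 bytes of PBKDF2 output: a 32-byte pad to mask the key, a 32-byte MAC key.
    okm = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=64)
    return okm[:32], okm[32:]

def wrap(master, secret, salt, iterations):
    """Return (wrapped_key, tag): what would sit on disk next to the salt."""
    pad, mac_key = _derive(secret, salt, iterations)
    wrapped = bytes(a ^ b for a, b in zip(master, pad))
    return wrapped, hmac.new(mac_key, wrapped, hashlib.sha256).digest()

def unwrap(wrapped, tag, secret, salt, iterations):
    """Return the master key, or None when the secret is wrong."""
    pad, mac_key = _derive(secret, salt, iterations)
    expect = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        return None
    return bytes(a ^ b for a, b in zip(wrapped, pad))

def exhaust(wrapped, tag, salt, iterations, candidates):
    """Offline search over the whole secret space; returns (master, guesses)."""
    n = 0
    for n, guess in enumerate(candidates, 1):
        master = unwrap(wrapped, tag, guess, salt, iterations)
        if master is not None:
            return master, n
    return None, n

def effective_bits(space_size, iterations):
    """Upper bound on search work in bits: log2(secrets) + log2(KDF iterations)."""
    return math.log2(space_size) + math.log2(iterations)

def demo():
    master, salt = os.urandom(32), os.urandom(16)   # 256-bit key, random salt
    iterations = 50                                  # constructed: tiny so the demo is fast
    wrapped, tag = wrap(master, "4711", salt, iterations)  # constructed 4-digit PIN
    pins = (f"{i:04d}" for i in range(10_000))
    found, guesses = exhaust(wrapped, tag, salt, iterations, pins)
    return master, found, guesses

if __name__ == "__main__":
    master, found, guesses = demo()
    print("256-bit key recovered:", found == master, "after", guesses, "guesses")
    print("4-digit PIN, 2^20 iterations: %.1f bits" % effective_bits(10**4, 2**20))
    print("6 words from a 7776-word list, 2^20 iterations: %.1f bits"
          % effective_bits(7776**6, 2**20))
```

Key stretching adds only log2(iterations) bits on top of the secret's own entropy, so the size of the wrapped key never enters the bound.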


