by troyjfarrell 1972 days ago
I agree that everyone, even security researchers, will make mistakes. But there are people who survive with state-level actors in their threat model. These people probably 1) do not post their threat model and mitigations in easy-to-Google places and 2) have the help of one or more other state-level actors.

Well it’s twofold: one is that security researchers will use bad passwords and click on shady links just like anyone else, and the second part is that even people with state-level adversaries who are actively trying to avoid getting hacked (journalists, whistleblowers, the like) get hacked anyway because they…carry an up-to-date flagship. There really don’t seem to be actual protections against a determined state actor short of not using computers…
"Basically, you’re either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you’ll probably be fine if you pick a good password and don’t respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru. If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone, and when you die of tumors filled with tumors, they’re going to hold a press conference and say “It wasn’t us” as they wear t-shirts that say “IT WAS DEFINITELY US,” and then they’re going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them."[0]

[0] https://scholar.harvard.edu/files/mickens/files/thisworldofo...

I feel like James had the deadline wrong in his calendar and this article is what "Right, sorry, I'll get it over to you by the end of the day" looks like when there is not in fact already a pretty much complete piece that just needs some polish but instead an empty Word document and half an idea in your head.

Like so many people, James is pretty confident that anything he doesn't understand (including apparently elliptic curve cryptography) is probably unimportant, and that the solution to his pressing problems is just to make something he knows isn't possible easy (remembering a separate strong random password for every site) so the people who are working on stuff James doesn't understand ought to work on that instead.

This piece was written, I think, slightly before BCP 188 ("Pervasive Monitoring Is an Attack") but to me it feels as though that's the answer to it. Yes, the NSA (or Mossad, but realistically the NSA) could definitely win if that's what it came down to, you or them. But that's very rarely the situation. Their budget, though large, is finite, and your value, even if large, is also finite. If snooping every word said on the telephone by an American costs 5¢ per citizen, why wouldn't the NSA do it? Worth a shot. But if it costs $5000 per citizen that's gonna blow their budget, and for what? So that's what BCP 188 is about, the question isn't whether you're dealing with "Mossad or not-Mossad" it's whether you are the Protagonist or just another extra. We can't make it impossible for a sophisticated and resourceful adversary to succeed, but we can make it very expensive so that they are obliged to choose their shots.

> But if it costs $5000 per citizen that's gonna blow their budget

The end result is that they split the type of surveillance between "cheap" blanket surveillance, and targeted surveillance for the targets that are deemed valuable enough, while also striving to drive the "per target" price down.

Mass surveillance offers a good opportunity for economies of scale, and gives you a very granular estimate of how valuable a particular target is.

I mean, it is pretty clear the piece is supposed to be burlesque, right? Do you actually think James is trying to write about how cryptography is totally useless and we should just give up?
It's certainly busking. I dunno if this was a regular column he did, but if so, as commissioning editor I'd be pretty unhappy with that. I was serious that this feels like it was churned out at pace.

I can't see a way to interpret this that doesn't come back to, fix passwords and stop bothering with this other stuff. In some forms (e.g. satire) you are supposed to sneak in an actual point you wanted to make (e.g. Swift's "Modest Proposal" lists the things Swift thinks would actually work, pretending to dismiss them as inferior to eating babies). But I believe in Burlesque it is considered satisfactory just to point and laugh. I didn't laugh, maybe that's on me.

So, just for context, he wrote a number of these: https://mickens.seas.harvard.edu/wisdom-james-mickens. They're joke articles meant to satirize some field of computer science; cryptography isn't the only topic he discusses.
Y'all are getting help from your governments?