by tptacek 4328 days ago
An irreconcilable difference between you and me on this point: you think it's a good thing if people use bad crypto instead of no crypto, and I don't.

I don't think bad crypto makes the global adversary go "aw, shit, we better target someone else". I think it makes them go "excellent, something else we can get a secret appropriation to go break".


There's a difference between bad crypto and easier-to-use crypto. Just because it isn't 100% secure all the time doesn't mean it's not useful. If they have to go through the trouble of breaking each individual message rather than just gathering everything in a dragnet, that's good enough in my mind. You have to make mass surveillance expensive enough that it's no longer worth it.

You as an individual cannot fight a state actor. It doesn't matter how secure your crypto is; they can hold a gun to your head and force you to give up the key (or in more civilized countries, throw you in prison forever). If you become an individual target to a state actor, there is literally nothing you can do to stop them unless another state actor is willing to protect you: they have the resources of an entire economy behind them and there's no security solution you can cobble together that will be able to keep them out.

Even Snowden, who practices a paranoid level of OpSec, just assumes his electronic communications are being read. The only reason the CIA hasn't done an extrajudicial rendition on him is that he is living under the protection of another state actor (Russia).

My impression (I could be wrong) is that a lot of OTR users in particular are worried mainly about the local adversary: someone on the coffee-shop wifi, or the corporate IT administrator, sniffing their IM traffic. In that case you just have to have an encryption setup that's good enough to circumvent whatever analysis that class of adversary is likely to use.
If a global adversary can do it, then it is only a matter of time before a local crime syndicate can do it as well; after all, stealing credit cards and other sensitive info is a booming business.

And what really bothers me is that this will give people a false sense of security. At least right now I'm seeing regular folks refraining from exposing sensitive info online out of fear of evil hackers that are often the subject of news. So yes, I think unencrypted email is better than a solution that isn't secure.

I agree, and I think that's especially a good argument for email. For mail submission at least, I think most users for that use-case are now either using or moving to encrypted SMTP AUTH with certificate checking, which should be fairly robust on the local side (between you and your ISP/company), modulo the problems that exist with the CA system. For IM though I think lots of people are more worried about embarrassment than crime: someone grabbing & posting your cybersex logs online; or your comments about office politics (or an affair, or whatever) being read by snooping IT staff, that kind of thing. Some people specifically use IM for office-politics stuff rather than email, because they assume (probably correctly) that IT staff can more easily pry into their email.

Of course for that use-case you don't really need end-to-end encryption: an encrypted connection to the IM server would be fine, and maybe actually better. But a bunch of services don't support that (though Google Talk does).

You need end-to-end encryption anytime the IM server isn't under your control. It's a reasonable assumption that if they could log everything, some manager somewhere has ordered them to do it regardless of legality.
If the threat you're trying to protect against is your local IT sysadmin eavesdropping on your conversations about office politics, the fact that Google Talk may internally log your IMs is close to irrelevant. The NSA might be able to get those logs from Google, but your coworkers probably can't.
This is a fair point and one I hear often, but can you be sure that for as long as you live, you will never have a reason to fear the global adversary?

I trust my government (within reason) at the moment but I'm not comfortable betting that they will never ever turn anti-gay and start coming after me.

I said this above, but I'll say it again here: if your government has identified you as a target, there's very little you can do but hide and hope you can find another government willing to protect you.

That said, crypto is useful in avoiding their gaze in the first place. For this, vulnerable crypto is better than nothing: assuming the vulnerable crypto requires a non-trivial and non-repeatable process to break, it's unlikely that even a state actor is going to bother breaking it for the entire population.

> That said, crypto is useful in avoiding their gaze in the first place.

I'm not entirely sure that I agree. I've long thought that using encryption above and beyond what the average person employs would be a great way to appear on 'their' radar. I don't have the need, so I'm happy not trying to find out. That said, if everyone had strong encryption enabled by default, no one would stand out, which I support.

Or you know, move to a country functioning under the rule of law. I don't get this mentality, but regardless, if you're paranoid then encrypt/decrypt your messages on a computer that's never connected to the Internet. There, problem solved.
That's what ROT-13 and secret decoder rings are for.
This elitist attitude is why I have no faith in typical "security experts" improving the overall situation with communication security for normal people.

Widely adopted open-source "bad crypto" can:

- Raise users' level of awareness about security.
- Create a market that can later be serviced by better crypto.
- Encourage creation of infrastructure that can later be used in better crypto.
- Encourage investigation of better UI.

Also, other posters are right about increasing the difficulty of executing an attack.

> Widely adopted open-source "bad crypto" can ... raise users' level of awareness about security.

You know that study that showed that people wearing seatbelts drive more recklessly, effectively exactly compensating for the increase in safety provided by the seatbelts?

I have a feeling people who think they're using a secure cryptosystem will speak much more freely than those who don't--meaning that the net effect of convincing users to use "bad crypto" is giving the global passive adversary† more interesting morning reading.

† Do we have a name for this guy in cryptography placeholder terms yet? Nathan (the NSA agent), maybe?

> You know that study that showed that people wearing seatbelts drive more recklessly, effectively exactly compensating for the increase in safety provided by the seatbelts?

Err, the first part of that statement may be true, but I don't think anyone ever put forth a claim backed up by data that they cancelled each other out. People may drive more recklessly with seatbelts, but the law undoubtedly saved a lot of lives. You may be thinking of motorcycle helmet laws, which seems more plausible given that high-speed motorcycle accidents are much more likely to be fatal regardless.

As for the "global passive adversary", I tend to side with the term "state actor" since the only entities with the power to collect data on that scale are governments as they can legally force every telecom company in their jurisdiction to install taps while keeping their existence classified.

You're probably right about the risk compensation here, with the caveat that anyone who rises above the level of a "common criminal" would simply not trust online communication at all. Islamist terror groups use a known-courier system for all planning and communication because they just assume all electronic communications are being monitored.

> I have a feeling people who think they're using a secure cryptosystem will speak much more freely than those who don't--meaning that the net effect of convincing users to use "bad crypto" is giving the global passive adversary more interesting morning reading.

I'd rather have that than the society where everyone silently accepts global surveillance as a norm and treats any kind of self-expression that gets you into trouble as pure stupidity on the part of the speaker (e.g. blames the victim).

What we have right now is a vicious cycle. "Normal" people have no cryptographic capabilities. So they simply adapt their beliefs and behavior to this reality. This makes them think of themselves as different from people who do have cryptographic capabilities. This means they develop an "us and them" mentality and can no longer empathize with anyone seeking any level of digital privacy. This means there is no popular support for crypto. So "normal" people have no cryptographic capabilities.

I believe that "consumer cryptography", even if it's weak, would break this cycle.

Any crypto is about increasing the cost to attackers. There's no perfect crypto, and even if there were we would still have the $5 wrench attack. Security-enhancing crypto is anything which is more expensive for the attacker than for the implementer, and I think encrypting with an unauthenticated key is firmly in that category.