[Air-L] fwd: about trsst
Geert Lovink
geert at desk.nl
Mon Aug 19 07:18:32 PDT 2013
> From: carlo von lynX <lynX at time.to.get.psyced.org>
> Subject: Re: <unlike-us> about trsst
> Date: 19 August 2013 12:09:46 PM GMT+02:00
> To: unlike-us at listcultures.org
>
> By looking at the technical hints in http://www.trsst.com/paper/
> I deduce that Trsst provides for various possibilities for the
> NSA to influence a system designed that way:
>
> - Automate monitoring of the majority of Internet servers
> using direct memory access and scanning for encryption
> keys and unencrypted materials or other systemic weak
> points. Access to hoster infrastructure is obtained by
> Patriot Act or similar measures.
> - Similar to the attack recently operated against Freedom
> Hosting, modify server memory in order to insert malicious
> Javascript code into the "client software" such that a
> cleartext copy of the message is delivered to the server
> where it can be captured (This method works also with
> crypto.cat, heml.is and mailPile and it leaves no trace
> of corruption on the hard disks of the server). A
> surveillance can thus be established without a regular
> user being able to notice.
> - Additionally, since regular HTTPS is employed, the attacker
> can do man-in-the-middle attacks against the users by
> creating valid false certificates. So the malicious code
> can also be inserted via HTTPS and the unencrypted text
> captured and stripped before it reaches the server.
> - Some users can operate a complete node on their machines,
> which means that their crypto transactions are as safe as
> the computer they are using, but that won't be helpful if
> everybody else in their social network uses a hackable web
> interface.
> - From the description, no forward secrecy is planned for
> the system, so the NSA can in any case simply seize a user's
> computer to get at her private key and decrypt all past
> messages. Since there is cryptographic proof, her messages
> may get used in court against her or others.
> - From the description, no transport obfuscation is planned
> for Trsst. That means that enormous intelligence about the
> social graph can be gathered simply by observing communication
> patterns - even by those who run their own node at home.
>
> Also, I presume that Trsst, once implemented, will encounter
> serious scalability issues since there is no mention of a
> distribution strategy. Other groups are investing years in
> work to obtain a functional distribution while Trsst doesn't
> even address the problem. There's a mention of OStatus which
> has already proven to not be scalable.
>
> There are projects like Briar and secushare which are already
> several years ahead in actually developing a Twitter replacement
> with the necessary security. Also, Retroshare can already be
> used in such a fashion, today. Starting such a project from
> scratch in such a blue-eyed manner is not going to produce a
> useful product - it's at best the next Diaspora. A "six person-
> months of development time" as planned on the Kickstarter page
> will at best produce a centralised silo/cloud experience while
> the decentralized nodes do not work properly because of the
> scalability issues. That's why $15K need to be reserved to run
> the silo.
>
> And the most surprising detail: There is no mention that the
> server software will actually be available in open source -
> only the client is being described as open source. I have no
> idea how users can run fully compliant nodes if the server
> side isn't free. I hope this is just a misunderstanding on
> my side and the project will fully be open or - even better -
> free software according to the Affero GPL.
>
> I don't understand why TechCrunch and Liberationtech insist
> on promoting people that promise easy solutions.. while
> ignoring existing software, which is a lot closer to actual
> results (Retroshare lacks onion routing, forward secrecy and
> a sufficient distribution strategy - so it is similar to Trsst,
> but it is already here and just needs a hand to have a better
> UI. And you get a free Skype replacement with it, too).
>
>
> --
> talk to me in private using Tor: https://symlynX.com/LAVA/
> torify telnet 7yuogiqxgrak36kk.onion
> psyc://7yuogiqxgrak36kk.onion/~lynX DON'T SEND ME
> irc://7yuogiqxgrak36kk.onion/lynX PRIVATE EMAIL
> http://7yuogiqxgrak36kk.onion/ OR FACEBOOGLE
>
> _______________________________________________
> unlike-us mailing list
> unlike-us at listcultures.org
> http://listcultures.org/mailman/listinfo/unlike-us_listcultures.org
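The mail above argues that, without transport obfuscation, an observer learns the social graph from communication patterns alone, even for people running their own node at home. The following is an added illustration of that point; it is not part of the original message and is not Trsst code. It assumes an observer (a network tap or the hosting provider) who sees only connection metadata (who talked to whom, when, how many bytes) and nothing of the encrypted payload. The addresses and flow records are constructed for the example.

```python
"""Social-graph recovery from metadata of encrypted traffic.

Added example, not part of the original mail and not Trsst code. The
observer (a network tap or hosting provider) is assumed to see only who
connected to whom, when, and how many bytes moved; payloads are opaque.
All addresses and flow records are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    t: int        # seconds, observation time (constructed)
    src: str      # observed source address
    dst: str      # observed destination address
    nbytes: int   # ciphertext size on the wire


A, B, C, D = "10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"

# Constructed: four self-hosted nodes talking over TLS; no content visible.
FLOWS = [
    Flow(1000, A, B, 420), Flow(1030, B, A, 380),    # A and B exchange
    Flow(1100, A, C, 410),
    Flow(1200, A, B, 440), Flow(1210, A, C, 440),    # same-size burst
    Flow(1215, A, D, 440),                           # from A to B, C, D
    Flow(1500, B, C, 390), Flow(1520, C, B, 400),    # B and C exchange
    Flow(2000, D, A, 450),
]


def social_graph(flows, min_flows=2):
    """Undirected edge weights (number of flows) between address pairs."""
    weight = defaultdict(int)
    for f in flows:
        weight[tuple(sorted((f.src, f.dst)))] += 1
    return {pair: n for pair, n in weight.items() if n >= min_flows}


def hub(flows):
    """Address with the most distinct peers: the first node worth targeting."""
    peers = defaultdict(set)
    for a, b in social_graph(flows, min_flows=1):
        peers[a].add(b)
        peers[b].add(a)
    return max(peers, key=lambda n: len(peers[n]))


def reply_pairs(flows, window=120):
    """Flows answered by a reverse-direction flow within `window` seconds:
    evidence of a two-way conversation rather than a one-way fetch."""
    out = []
    for f in flows:
        if any(g.src == f.dst and g.dst == f.src and 0 < g.t - f.t <= window
               for g in flows):
            out.append((f.src, f.dst, f.t))
    return out


def fanout_events(flows, window=60, min_targets=3):
    """One source sending same-size ciphertexts to several destinations
    within `window` seconds: consistent with one post pushed to a
    follower list. Returns (src, start_time, frozenset of destinations)."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.nbytes)].append(f)
    events = []
    for (src, _size), fs in by_key.items():
        fs.sort(key=lambda f: f.t)
        i = 0
        while i < len(fs):
            burst = [g for g in fs[i:] if g.t - fs[i].t <= window]
            dsts = frozenset(g.dst for g in burst)
            if len(dsts) >= min_targets:
                events.append((src, fs[i].t, dsts))
                i += len(burst)
            else:
                i += 1
    return events


if __name__ == "__main__":
    print("edges:", social_graph(FLOWS))
    print("hub:", hub(FLOWS))
    print("conversations:", reply_pairs(FLOWS))
    print("fan-out (posts to followers):", fanout_events(FLOWS))
```

Nothing here touches a key or a plaintext: edge weights, the best-connected node, which pairs actually converse, and which bursts look like a post delivered to a follower list all fall out of timing, direction and size. Padding, cover traffic or onion routing are what would break these inferences; end-to-end encryption alone does not.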
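The mail also claims that, with no forward secrecy, seizing a user's computer and private key opens every past message. The following added example (not from the original mail, not Trsst code) makes that concrete: a static-key scheme, where each message is keyed from the two long-term keys, beside an ephemeral-ephemeral scheme, where a fresh key pair on each side is used once and discarded. The Diffie-Hellman group (a Mersenne prime and base 5) and the SHA-256 keystream cipher are toys chosen so the block runs stand-alone; a real system would use X25519 and an AEAD. Keys and messages are constructed.

```python
"""Static-key versus ephemeral-key sessions under later key seizure.

Added example, not part of the original mail and not Trsst code. The
group and cipher are deliberately toy-sized stand-ins (NOT safe for
real use); what matters is the key algebra, which is the same.
"""
import hashlib
import secrets

P = (1 << 127) - 1   # Mersenne prime: toy DH modulus, not a real group
G = 5


def keygen():
    """Return (private exponent, public value) for the toy DH group."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh(priv, peer_pub):
    return pow(peer_pub, priv, P)


def crypt(key_int, index, data):
    """Toy stream cipher: XOR with a SHA-256 keystream bound to the session
    key and the message index. Symmetric, so the same call decrypts."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out.extend(hashlib.sha256(key_int.to_bytes(16, "big")
                                  + index.to_bytes(4, "big")
                                  + block.to_bytes(4, "big")).digest())
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


def static_key_session(messages):
    """No forward secrecy: every message is keyed from the two long-term
    keys, so a recording stays decryptable for whoever later obtains
    either long-term private key. Returns what an eavesdropper recorded,
    Alice's public key, and Bob's private key (what a seizure yields)."""
    a, A = keygen()          # Alice, long-term
    b, B = keygen()          # Bob, long-term
    k = dh(a, B)             # == dh(b, A)
    recording = [(i, crypt(k, i, m)) for i, m in enumerate(messages)]
    return recording, A, b


def recover_with_seized_key(recording, peer_pub, seized_priv):
    """Static scheme: seized long-term key + peer's public key = session key."""
    k = dh(seized_priv, peer_pub)
    return [crypt(k, i, ct) for i, ct in recording]


def ephemeral_session(messages):
    """Forward secrecy: each message uses fresh ephemeral DH on both sides
    and the ephemeral privates are dropped right after use. Long-term keys
    would only sign the ephemerals (signature omitted in this toy)."""
    a, A = keygen()
    b, B = keygen()
    recording = []
    for i, m in enumerate(messages):
        e, E = keygen()      # Alice's one-time key pair
        f, F = keygen()      # Bob's one-time key pair
        k = dh(e, F)         # == dh(f, E)
        recording.append((i, E, F, crypt(k, i, m)))
        del e, f, k          # nothing that reproduces the session key survives
    return recording, A, b


def attempt_with_seized_key(recording, seized_priv):
    """Ephemeral scheme: the best an attacker can do with Bob's seized
    long-term key is combine it with the observed ephemerals, which gives
    G^(b*e) rather than the real session key G^(e*f)."""
    return [crypt(dh(seized_priv, E), i, ct) for i, E, F, ct in recording]


if __name__ == "__main__":
    msgs = [b"meet at nine", b"the document is real"]
    rec, A, b = static_key_session(msgs)
    print(recover_with_seized_key(rec, A, b) == msgs)   # True: all past traffic opens
    rec, A, b = ephemeral_session(msgs)
    print(attempt_with_seized_key(rec, b) == msgs)      # False: seizure gains nothing
```

The recording is identical in both runs from the eavesdropper's point of view; the difference is only whether anything recoverable later (a long-term private key on a seized disk) is enough to rebuild the session keys. Note that ephemeral-on-one-side-only does not help against seizure of the other side's long-term key, since G^(e*b) is exactly what the seized exponent lets the attacker compute; both parties must contribute a discarded ephemeral.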