[Air-L] fwd: about trsst

Geert Lovink geert at desk.nl
Mon Aug 19 07:18:32 PDT 2013 

> From: carlo von lynX <lynX at time.to.get.psyced.org>
> Subject: Re: <unlike-us> about trsst
> Date: 19 August 2013 12:09:46 PM GMT+02:00
> To: unlike-us at listcultures.org
> 
> By looking at the technical hints in http://www.trsst.com/paper/
> I deduce that Trsst provides for various possibilities for the
> NSA to influence a system designed that way:
> 
> - Automate monitoring of the majority of Internet servers
>  using direct memory access and scanning for encryption
>  keys and unencrypted materials or other systemic weak
>  points. Access to hoster infrastructure is obtained by
>  Patriot Act or similar measures.
> - Similar to the attack recently operated against Freedom
>  Hosting, modify server memory in order to insert malicious
>  Javascript code into the "client software" such that a
>  cleartext copy of the message is delivered to the server
>  where it can be captured (This method works also with
>  crypto.cat, heml.is and mailPile and it leaves no trace
>  of corruption on the hard disks of the server). A
>  surveillance can thus be established without a regular
>  user being able to notice.
> - Additionally, since regular HTTPS is employed, the attacker
>  can do man-in-the-middle attacks against the users by
>  creating valid false certificates. So the malicious code
>  can also be inserted via HTTPS and the unencrypted text
>  captured and stripped before it reaches the server.
> - Some users can operate a complete node on their machines,
>  which means that their crypto transactions are as safe as
>  the computer they are using, but that won't be helpful if
>  everybody else in their social network uses a hackable web
>  interface.
> - From the description, no forward secrecy is planned for
>  the system, so the NSA can in any case simply seize a user's
>  computer to get at her private key and decrypt all past
>  messages. Since there is cryptographic proof, her messages
>  may get used in court against her or others.
> - From the description, no transport obfuscation is planned
>  for Trsst. That means that enormeous intelligence about the
>  social graph can be gathered simply by observing communication
>  patterns - even by those who run their own node at home.
> 
> Also, I presume that Trsst, once implemented, will encounter
> serious scalability issues since there is no mention of a
> distribution strategy. Other grooups are investing years in
> work to obtain a functional distribution while Trsst doesn't
> even address the problem. There's a mention of OStatus which
> has already proven to not be scalable.
> 
> There are projects like Briar and secushare which are already
> several years ahead in actually developing a Twitter replacement
> with the necessary security. Also, Retroshare can already be
> used in such a fashion, today. Starting such a project from
> scratch in such a blue-eyed manner is not going to produce a
> useful product - it's at best the next Diaspora. A "six person-
> months of development time" as planned on the Kickstarter page
> will at best produce a centralised silo/cloud experience while
> the decentralized nodes do not work properly because of the
> scalability issues. That's why $15K need to be reserved to run
> the silo.
> 
> And the most surprising detail: There is no mention that the
> server software will actually be available in open source -
> only the client is being described as open source. I have no
> idea how users can run fully compliant nodes if the server
> side isn't free. I hope this is just a misunderstanding on
> my side and the project will fully be open or - even better -
> free software according to the Affero GPL.
> 
> I don't understand why TechCrunch and Liberationtech insist
> on promoting people that promise easy solutions.. while
> ignoring existing software, which is a lot closer to actual
> results (Retroshare lacks onion routing, forward secrecy and
> a sufficient distribution strategy - so it is similar to Trsst,
> but it is already here and just needs a hand to have a better
> UI. And you get a free Skype replacement with it, too).
> 
> 
> -- 
>  talk to me in private using Tor:   https://symlynX.com/LAVA/
>  torify telnet 7yuogiqxgrak36kk.onion
> 	 psyc://7yuogiqxgrak36kk.onion/~lynX	DON'T SEND ME
> 	  irc://7yuogiqxgrak36kk.onion/lynX	PRIVATE EMAIL
> 	 http://7yuogiqxgrak36kk.onion/		OR FACEBOOGLE
> 
> _______________________________________________
> unlike-us mailing list
> unlike-us at listcultures.org
> http://listcultures.org/mailman/listinfo/unlike-us_listcultures.org

More information about the Air-L mailing list