From: carlo von lynX <lynX@time.to.get.psyced.org>
Subject: Re: <unlike-us> about trsst
Date: 19 August 2013 12:09:46 PM GMT+02:00
To: unlike-us@listcultures.org
By looking at the technical hints in http://www.trsst.com/paper/ I deduce that Trsst provides for various possibilities for the NSA to influence a system designed that way:
- Automate monitoring of the majority of Internet servers using direct memory access and scanning for encryption keys and unencrypted materials or other systemic weak points. Access to hoster infrastructure is obtained by Patriot Act or similar measures.
- Similar to the attack recently operated against Freedom Hosting, modify server memory in order to insert malicious Javascript code into the "client software" such that a cleartext copy of the message is delivered to the server where it can be captured (this method works also with crypto.cat, heml.is and mailPile, and it leaves no trace of corruption on the hard disks of the server). Surveillance can thus be established without a regular user being able to notice.
- Additionally, since regular HTTPS is employed, the attacker can do man-in-the-middle attacks against the users by creating valid false certificates. So the malicious code can also be inserted via HTTPS and the unencrypted text captured and stripped before it reaches the server.
- Some users can operate a complete node on their machines, which means that their crypto transactions are as safe as the computer they are using, but that won't be helpful if everybody else in their social network uses a hackable web interface.
- From the description, no forward secrecy is planned for the system, so the NSA can in any case simply seize a user's computer to get at her private key and decrypt all past messages. Since there is cryptographic proof, her messages may get used in court against her or others.
- From the description, no transport obfuscation is planned for Trsst. That means that enormous intelligence about the social graph can be gathered simply by observing communication patterns - even by those who run their own node at home.
Also, I presume that Trsst, once implemented, will encounter serious scalability issues since there is no mention of a distribution strategy. Other groups are investing years of work to obtain a functional distribution while Trsst doesn't even address the problem. There's a mention of OStatus, which has already proven to not be scalable.
There are projects like Briar and secushare which are already several years ahead in actually developing a Twitter replacement with the necessary security. Also, Retroshare can already be used in such a fashion, today. Starting such a project from scratch in such a blue-eyed manner is not going to produce a useful product - it's at best the next Diaspora. "Six person-months of development time" as planned on the Kickstarter page will at best produce a centralised silo/cloud experience while the decentralized nodes do not work properly because of the scalability issues. That's why $15K needs to be reserved to run the silo.
And the most surprising detail: there is no mention that the server software will actually be available as open source - only the client is being described as open source. I have no idea how users can run fully compliant nodes if the server side isn't free. I hope this is just a misunderstanding on my side and the project will be fully open or - even better - free software according to the Affero GPL.
I don't understand why TechCrunch and Liberationtech insist on promoting people that promise easy solutions... while ignoring existing software, which is a lot closer to actual results (Retroshare lacks onion routing, forward secrecy and a sufficient distribution strategy - so it is similar to Trsst, but it is already here and just needs a hand to have a better UI. And you get a free Skype replacement with it, too).
--
talk to me in private using Tor: https://symlynX.com/LAVA/
torify telnet 7yuogiqxgrak36kk.onion
psyc://7yuogiqxgrak36kk.onion/~lynX   DON'T SEND ME
irc://7yuogiqxgrak36kk.onion/lynX     PRIVATE EMAIL
http://7yuogiqxgrak36kk.onion/        OR FACEBOOGLE
_______________________________________________
unlike-us mailing list
unlike-us@listcultures.org
http://listcultures.org/mailman/listinfo/unlike-us_listcultures.org