Both Assange and Snowden are apparently alive and well, despite Mossad-like agencies wishing otherwise, largely thanks to Tor; and Hamas, whose adversary was in fact the Mossad, apparently still exists. Hizbullah has hopefully taught us all a good lesson about supply-chain attacks.
Debian is probably the only example of a successful public public-key infrastructure, but SSH keys are a perfectly serviceable form of public-key infrastructure in everyday life. At least for developers.
Mickens's skepticism about security labels is, however, justified; the problems he identifies are why object-capability models seem more successful in practice.
I do agree that better passwords are a good idea, and, prior to the widespread deployment of malicious microphones, were adequate authentication for many purposes—if you can avoid being phished. My own secure password generator is http://canonical.org/~kragen/sw/netbook-misc-devel/bitwords...., and some of its modes are memorable correct-horse-battery-staple-type passwords. It's arguably slightly blasphemous, so you may be offended if you are an observant Hindu.
Never agreed with this logic. For a lot of people (anyone that does political activism of some sort for example) the threat model can be a lot more nuanced. It might not be Mossad or the CIA gunning for you, specifically, but it might police searching you and your friend's laptops or phones. It might be burglars targetting the office of the small organization you have and the small servers you have running there.
the maximalist false dillema of "all or nothing": either it's a super-poweful super-human agency and you can't do anything, else any half-measure is fine
The idea that average people can't handle incremental improvements like a password manager, MFA, full disk encryption, etc is unhealthy infantilization of people who are entirely capable of understanding the concepts, the benefits, the risks they address, and appreciating the benefits of them.
Most people just don't care enough until after they're hacked, at which point they care just enough to wish they'd done something more previously, which is just shy of enough to start doing something differently going forward.
It's not that normies are too stupid figure this out, it's that they make risk accept decisions on risks they don't thoroughly understand or care enough about to want to understand. My personal observation is that the concept of even thinking about potential future technology risks at all (let alone considering changing behavior to mitigate those risks) seems to represent an almost an almost pathological level of proactive preparation to normies, the same way that preppers building bunkers with years of food and water storage look to the rest of us.
I do understand the concepts and exactly because of that I doubt I myself would be able of airtight opsec against any determined adversary, not even state-level one. I think it's humility, you think I infantilize myself lol.
I do use password manager and disk encryption, just for case of theft. Still feels like one stupid sleepy misclick away from losing stuff and no amount of MFAs or whatever is going to save me, they actually feel like added complexity which leads to mistakes.
Yep. While there might be some use cases for his ultra-simplistic "Mossad/not-Mossad duality" - say, convincing Bob Jones that "b0bj0nes" is not a great password - it's 99% fairy tale.
And even if the CIA/Mossad/NSA/whoever is "interested" in you - this is the era of mass surveillance. The chances that you're worth a Stuxnet level of effort is 0.000000001%. Vs. 99.999% chance that they'll happily hoover up your data, if you make it pretty easy for their automated systems to do that.
I have a fond memory of being at a party where someone had the idea to do dramatic readings of various Mickens Usenix papers. Even just doing partial readings, it was slow going, lots of pauses to recover from overwhelming laughter. When the reading of The Slow Winter got to "THE MAGMA PEOPLE ARE WAITING FOR OUR MISTAKES", we had to stop because someone had laughed so hard they threw up. Not in an awful way, but enough to give us a pause in the action, and to decide we couldn't go on.
I think people don't understand what this means either. the nation-state "agencies" that can and will get into your network/devices can do so because they would employ tactics like kidnapping and blackmailing a local telco field technician. or if it's your own government, they can show up with some police and tell them to do whatever and most will comply without even receiving a proper court order.
so unless you're worth all that trouble, you're really just trying to avoid being "low hanging fruit" compromised by some batch script probing known (and usually very old) vulnerabilities
While having your own foundry is undoubtedly a good thing from the perspective of supply chain resiliency, if hacking is what you're worried about there are probably easier ways to mitigate (e.g. a bit more rigor in QC).
>someone who just wants to get by in life and is content
"It’s the reductionist approach to life: if you keep it small, you’ll keep it under control. If you don’t make any noise, the bogeyman won’t find you. But it’s all an illusion, because they die too, those people who roll up their spirits into tiny little balls so as to be safe. Safe?! From what? Life is always on the edge of death; narrow streets lead to the same place as wide avenues, and a little candle burns itself out just like a flaming torch does."
True enough. I'm content as long as I don't hear the news anywhere. Recently had my dad over and he can't go 5 minutes without the news on in the background. Really hard to be content then.
Do the bombs dropping in war zones avoid apolitical people? If not, when is the appropriate time to get sufficiently political to avoid having a bomb dropped on one's head?
"Keeping your head down" means not doing anything that would cause a government (especially your own) to want to disappear you.
If you vocally oppose your tyrannical government, you won't avoid a bomb on your head. In the best case you'll get a bullet through your head. Worst case, you spend a lifetime in a prison.
Very few individuals can influence whether or not bombs drop. The best way to avoid having bombs dropped on your head is moving to a place where fewer bombs are dropped.
Downvoted, but so much evil is caused by people due to their distorted yet sincerely believed moral virtues. Not due to an absence of morality but because of it. Whatever you have in your mind as the image of quintessential evil is probably caused by those people's sincerely held moral system, a moral system they believed in as strongly as you do yours. So people who just live their lives and do not grasp on external change are fine by me.
The 4096 bits just stops it being so easy to surveil you that it is hyper-automated. So there is some use. The $5 wrench needs a million dollar operation to get that guy to your house.
Depends how strong the protections of your civil society is, but it doesn't cost $1m to send a goon with a crowbar or shotgun. Sure that doesn't scale, but if you are a target you're screwed
Probably used to average over $1m. Nowadays, those operations (polonium, novachuk, expending expensive KGB resources) send a signal. Otherwise, swatting your home while they drain your wallets; or threatening to swat; quite inexpensive.
Another example of power resides where men believe it resides.
Americans are just very scared of Mossad. Tons of money goes into Holywood to make them appear invincible to the world. Fun fact, they aren't.
Intelligence agencies have great capabilities no doubt they get billions of $$$ and have utter immunity to do whatever they want in the name of national security. Why is only Mossad scary? I'd be more scared of the CIA and KGB than of Mossad.
US has never been in existential threat like Israel has been, if it were I wouldn't want to stand in their way.
I see this on reddit a lot in self hosting context.
The range of things people do on security is wild. Everything from publicly expose everything and pray the apps login function some random threw together is solid to elaborate intrusion detection systems.
It's hilarious, but the hilarity gets in the way of recognizing how much insight there is also there. It makes serious points. This part about the Mossad is especially astonishing given the pager attack:
> If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO
ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone
It's like a Mossad agent read this paper and thought hey that's actually not a bad idea.
But the core rant is about dubious assumptions in academic cryptography papers. I was also reading a lot of academic crypto papers in 2014, and the assumptions got old real fast. Mickens mocks these ideas:
• "There are heroes and villains with fantastic (yet oddly constrained) powers". Totally standard way to get a paper published. Especially annoying were the mathematical proofs that sound rigorous to outsiders but quietly assume that the adversary just can't/won't solve a certain kind of equation, because it would be inconvenient to prove the scheme secure if they did. Or the "exploits" that only worked if nobody had upgraded their software stack for five years. Or the systems that assume a perfect implementation with no way to recover if anything goes wrong.
• "you could enlist a well-known technology company to [run a PKI], but this would offend the refined aesthetics of the vaguely Marxist but comfortably bourgeoisie hacker community who wants everything to be decentralized", lol. This got really tiresome when I worked on Bitcoin. Lots of semi-technical people who had never run any large system constantly attacking every plausible design of implementable complexity because it wasn't decentralized enough for their tastes, sometimes not even proposing anything better.
• "These [social networks] are not the best people in the history of people, yet somehow, I am supposed to stitch these clowns into a rich cryptographic tapestry that supports key revocation and verifiable audit trails" - another variant of believing decentralized cryptography and PKI is easy.
He also talks about security labels like in SELinux but I never read those papers. I think Mickens used humor to try and get people talking about some of the bad patterns in academic cryptography, but if you want a more serious paper that makes some similar points there's one here:
> Lots of semi-technical people who had never run any large system constantly attacking every plausible design of implementable complexity because it wasn't decentralized enough for their tastes, sometimes not even proposing anything better.
And for added fun, that same radical decentralization crowd, finally settling on the extremely centralized Lightning crutch, which is not only centralized but also computationally over complicated and buggy.
It is kinda funny, but cost and benefit analysis is not foreign even to Mossad. Mossad would prefer quite a few people's data stolen, but they are not going to carry out a black abroad for most of them.
The best known PKI (webtrust) is many companies, not a single company. So it's distributed but that makes it easier to hack not harder because you have many possible targets instead of just one.
Not sure what audience he is talking to. Experts deal with a lot more issues that sit between choosing a good password + not falling for phishing and "giving up because mossad". The terminology that he sprinkles about suggests the audience is experts.
The article actually addresses this -- that all these extra issues are not manageable for mere mortals anyway and/or perfectly spherical cows are involved.
I think the central premise is a "wrong". The "point" of science isn't really to do useful things. Framing things from that angle is in subtle ways dangerous bc that shouldnt be part of the incentive structure.
you dont understand the mating behaviors of naked mole rats bc of some sense of "usefulness". Its just an investigation of nature and how things work. The usefulness comes out unexpectedly. Like you find out naked mole are actually maybe biologically immortal
You should just find interesting phenomena and invetigate. Capitalism figures out the usefulness side of things
Yeah, Science shouldn't be concerned with usefulness, just like Art. It's the application of those fields which should concern itself with usefulness i.e. applied science, engineering, design etc. I'm not saying that scientific research shouldn't be carried out by companies with specific goals in mind, just that it shouldn't be the expected default.
Ah, very Germanic tactics against some Mediterranean foe. Us, Southern Mediterranean/half Atlantic guys, we have it easier. We would just put fake data, hints and traces untl they get mad and paranoid between themselves, we are experts on that since forever.
Also, the Southern part of the country (which I am pretty much not related culturally at least on folklore and tons of customs) managed to bribe even the Russian mafias. They were that crazy, it's like a force of nature. OFC don't try backstabbing back these kind of people, some 'folklorical' people are pretty much clan/family based (even more than the Southern Italians) and they will kick your ass back in the most unexpected, random and non-spectacular way ever, pretty much the opposite of the Mexican cartels where they love to do showoff and displays. No, the Southern Iberians are something else, mixed along Atlantics and Mediterranean people since millenia and they know all the tricks, either from the Brits/Germanics to Levantine Semitic foes...
You won't expect it. You are like some Mossad random Levi, roaming around, and you just met some nice middle aged woman on a stereotyped familiar bar where the alleged ties to some clan must be nearly zero, and the day after some crazy Islamic terrorist wacko with ties to drug cartels will try to stab you some Sunday in the morning and he might try to succeed with the dumbest and cheapest way ever.
No, is not an exaggeration. We might not be Italy, but don't try to mess up with some kind of people.
He wrote quirky internet humor before it was mainstream, in fact he's a victim of his own success - when this article came out this would've been considered funny and quirky writing, but has become tired and derivative enough today to provoke a negative reaction.
Very true, unfortunately there's no password strong enough to stop Malaysian Airlines ground crew from loading a pallet full of Mossad-rigged walkie talkies on my flight from Kuala Lumpur to Beijing via conveniently-placed-NATO-AWACS-infested airspace.
2FA isn't going to protect me from cruising altitude walkie talkie detonation and having the debris scattered over an impossibly wide area.
I guess the best thing to do is not take an airline of a country that has recently showed public support for Gaza specifically during a humanitarian visit in the months prior to my flight.
Thankfully none of this is true and everything the mainstream media and governments tell us are true - imagine if things weren't as they seemed?.. Craziness... Back to my password manager!
The Mossad part is a very silly element of the text. Many organizations have to defend against US intelligence, Israeli intelligence etc., and I'm sure, that they, with the exception of some very terrible countries with a lot of incompetence or full of disloyal people likely to become infiltrators, are quite successful.
Actual security is possible even against the most powerful and determined adversaries, and it's possible even for you.
Of course, but that's the point. Actual AGI wouldn't need to limit itself pointlessly in ways that would make it obvious to every internet rando how to hit it. Just as you cannot kill an intelligence agency with a single strike, it could distribute itself over many secret locations.
I would hope that data centre has multiple power supplies from multiple locations - as well as UPS and on site generators, certainly mine do.
However given AWS is so complex (which is required because they want to be a gatekeeping platform) leading the uptime to struggle to match a decent home setup, I'm not sure. I'm sure there's no 6 figure bonus for checking the generators are working, but a rounded corner on a button on an admin page?
Actually Gaza and the West Bank are handled by the "Shabak" agency which is the equivalent of the FBI while the "Mossad" agency is only for foreign operations and is equivalent to the CIA
And asking how did they miss something is like asking how come AWS has downtime. But I'm sure you could come to this conclusion on your own if you didn't really want the answer to be something else.
Israel's intelligence services (not Mossad) did collect valid signals, such as sim cards in Gaza being swapped out for Israel sim cards, but it was ignored as another false positive. What the public don't see are all the false positives (like many drills for an attack that don't materialize) that drown out valid signals when the attack is actually going to happen. There's also hesitancy to act on signals because drills are used to expose intelligence.
It's one of the many asymmetries that changes when you are the defender versus the attacker. As the defender, you have to be right 100% of the time. As the attacker, you have the luxury of being right only 30% of the time. The law of large numbers is on the side of the attacker. This applies to missile offense/defense and to usage of intelligence.
This information asymmetry is also one of the key drivers of the security dilemma, which in turn causes arms races and conflict. The defender knows they can't be perfect all the time, so they have an incentive to preemptively attack if the probability of future problems based on their assessment of current information is high enough.
In the case of Gaza there was also an assessment that Hamas were deterred, which were the tinted glasses through which signals were assessed. Israel also assumed a certain shape of an attack, and the minimal mobilisation of Hamas did not fit that expected template. So the intelligence failure was also a failure in security doctrine and institutional culture. The following principles need to be reinforced: (i) don't assume the best, (ii) don't expect rationality and assume a rival is deterred even if they should be, (iii) intention causes action, believe a rival when they say they want to do X instead of projecting your own worldview onto them, (iv) don't become fixated on a particular scenario, keep the distribution (scenario analyses) broad
a. I am too lazy to search but they probably did, the problem was what was done with the information. Same with 8200 the all mighty signal intelligence corps
b. The Mossad is the equivalent of the CIA, they are not meant to act inside Israel
They didn't know about the pretense they wanted to spend the following 2+ years making unlimited fallacious justifications for committing a live-streamed holocaust of children? Who told you that?
If your adversary is a state intelligence agency, you're probably a high ranking politician and a boomer who is clueless about computers, and has demonstrably terrible opsec, either through government incompetence of your own agencies, or not following the terribly cumbersome opsec procedures, either because of inconvenience, the policies being terrible or sheer incompetence.
The amount of examples we've seen of this is staggering.
That sounds like an elected legislator, not like the kind of person with close access to compartmentalized info. And its the form of a leak of policy or some covert program; details which could also be bought; so it’s called “retail” compared with systematic.
Both Assange and Snowden are apparently alive and well, despite Mossad-like agencies wishing otherwise, largely thanks to Tor; and Hamas, whose adversary was in fact the Mossad, apparently still exists. Hizbullah has hopefully taught us all a good lesson about supply-chain attacks.
Debian is probably the only example of a successful public public-key infrastructure, but SSH keys are a perfectly serviceable form of public-key infrastructure in everyday life. At least for developers.
Mickens's skepticism about security labels is, however, justified; the problems he identifies are why object-capability models seem more successful in practice.
I do agree that better passwords are a good idea, and, prior to the widespread deployment of malicious microphones, were adequate authentication for many purposes—if you can avoid being phished. My own secure password generator is http://canonical.org/~kragen/sw/netbook-misc-devel/bitwords...., and some of its modes are memorable correct-horse-battery-staple-type passwords. It's arguably slightly blasphemous, so you may be offended if you are an observant Hindu.
Why did you choose random’s SystemRandom rather than secrets?
What?
Never agreed with this logic. For a lot of people (anyone that does political activism of some sort for example) the threat model can be a lot more nuanced. It might not be Mossad or the CIA gunning for you, specifically, but it might police searching you and your friend's laptops or phones. It might be burglars targetting the office of the small organization you have and the small servers you have running there.
I'm pretty sure his point was that security labels are a dead end.
(Have you ever attended an academic security conference like Usenix Security?)
You did not write what you actually disagree with....
the maximalist false dillema of "all or nothing": either it's a super-poweful super-human agency and you can't do anything, else any half-measure is fine
The false dichotomy
The dichotomy between what average people(including political activists) can actually handle and stuff proposed by security researchers is real.
The idea that average people can't handle incremental improvements like a password manager, MFA, full disk encryption, etc is unhealthy infantilization of people who are entirely capable of understanding the concepts, the benefits, the risks they address, and appreciating the benefits of them.
Most people just don't care enough until after they're hacked, at which point they care just enough to wish they'd done something more previously, which is just shy of enough to start doing something differently going forward.
It's not that normies are too stupid figure this out, it's that they make risk accept decisions on risks they don't thoroughly understand or care enough about to want to understand. My personal observation is that the concept of even thinking about potential future technology risks at all (let alone considering changing behavior to mitigate those risks) seems to represent an almost an almost pathological level of proactive preparation to normies, the same way that preppers building bunkers with years of food and water storage look to the rest of us.
I do understand the concepts and exactly because of that I doubt I myself would be able of airtight opsec against any determined adversary, not even state-level one. I think it's humility, you think I infantilize myself lol.
I do use password manager and disk encryption, just for case of theft. Still feels like one stupid sleepy misclick away from losing stuff and no amount of MFAs or whatever is going to save me, they actually feel like added complexity which leads to mistakes.
Yep. While there might be some use cases for his ultra-simplistic "Mossad/not-Mossad duality" - say, convincing Bob Jones that "b0bj0nes" is not a great password - it's 99% fairy tale.
And even if the CIA/Mossad/NSA/whoever is "interested" in you - this is the era of mass surveillance. The chances that you're worth a Stuxnet level of effort is 0.000000001%. Vs. 99.999% chance that they'll happily hoover up your data, if you make it pretty easy for their automated systems to do that.
This will always be my favourite Mikens essay (The Slow Winter): https://www.usenix.org/system/files/1309_14-17_mickens.pdf
Mine as well.
I have a fond memory of being at a party where someone had the idea to do dramatic readings of various Mickens Usenix papers. Even just doing partial readings, it was slow going, lots of pauses to recover from overwhelming laughter. When the reading of The Slow Winter got to "THE MAGMA PEOPLE ARE WAITING FOR OUR MISTAKES", we had to stop because someone had laughed so hard they threw up. Not in an awful way, but enough to give us a pause in the action, and to decide we couldn't go on.
Good times.
Sounds like you found nerd heaven. I couldn't imagine a situation like yours in my world! :)
> [...] it’s pretty clear that compilers are a thing of the past, and the next generation of processors will run English-level pseudocode directly.
hilarious AND scary levels of prescient writing...
I've always enjoyed Mikens' writing. He has a great sense of humor.
I like his using Mossad as the extreme. I guess "Mossad'd" is now a verb.
Remember, you don't have to be unhackable, just sufficiently unimportant to not be worth burning any novel capability on
I think people don't understand what this means either. the nation-state "agencies" that can and will get into your network/devices can do so because they would employ tactics like kidnapping and blackmailing a local telco field technician. or if it's your own government, they can show up with some police and tell them to do whatever and most will comply without even receiving a proper court order.
so unless you're worth all that trouble, you're really just trying to avoid being "low hanging fruit" compromised by some batch script probing known (and usually very old) vulnerabilities
Given that choice I'd rather choose to be unhackable.
I think the more important maxim to follow is this: if you didn't manufacture your own sillicon, you are infinitely more hackable than if you did.
Alas, no matter how hard we try to trust our compilers, we must also adopt methods to trust our foundries.
Oh, we don't have our own foundries?
Yeah, thats the real problem. Who owns the foundries?
When has anybody ever been hacked via a foundry?
While having your own foundry is undoubtedly a good thing from the perspective of supply chain resiliency, if hacking is what you're worried about there are probably easier ways to mitigate (e.g. a bit more rigor in QC).
Do you know what your CPU is doing? Do you really?
That's right, just keep your head down, smile and nod, do your job and nothing will ever go wrong. /s
A more charitable view would be to act like a zebra in a herd of zebra rather than a zebra in a herd of horses.
I don't think that's the interpretation, but make your computer systems disconnected from what you do.
If relevant adversaries don't know which computer to burn the exploit on, then they won't burn it on the right one.
You /s but this is actually valid advice for someone who just wants to get by in life and is content.
>someone who just wants to get by in life and is content
"It’s the reductionist approach to life: if you keep it small, you’ll keep it under control. If you don’t make any noise, the bogeyman won’t find you. But it’s all an illusion, because they die too, those people who roll up their spirits into tiny little balls so as to be safe. Safe?! From what? Life is always on the edge of death; narrow streets lead to the same place as wide avenues, and a little candle burns itself out just like a flaming torch does."
True enough. I'm content as long as I don't hear the news anywhere. Recently had my dad over and he can't go 5 minutes without the news on in the background. Really hard to be content then.
Do the bombs dropping in war zones avoid apolitical people? If not, when is the appropriate time to get sufficiently political to avoid having a bomb dropped on one's head?
"Keeping your head down" means not doing anything that would cause a government (especially your own) to want to disappear you.
If you vocally oppose your tyrannical government, you won't avoid a bomb on your head. In the best case you'll get a bullet through your head. Worst case, you spend a lifetime in a prison.
Very few individuals can influence whether or not bombs drop. The best way to avoid having bombs dropped on your head is moving to a place where fewer bombs are dropped.
But many people together, although none of them individually influencial enough, certainly can influence where bombs get dropped.
When you start successfully reaching many people you can be sure that security agencies will start watching you.
Downvoted, but so much evil is caused by people due to their distorted yet sincerely believed moral virtues. Not due to an absence of morality but because of it. Whatever you have in your mind as the image of quintessential evil is probably caused by those people's sincerely held moral system, a moral system they believed in as strongly as you do yours. So people who just live their lives and do not grasp on external change are fine by me.
are you saying that you've downvoted me, or just pointing out that I've been downvoted? If the former, why?
I enjoyed "The Night Watch" a lot:
https://scholar.harvard.edu/files/mickens/files/thenightwatc...
> A systems programmer will know what to do when society breaks down, because the systems programmer already lives in a world without law.
The point about the lay person not needing massive parallelism was very true, until it was not :D
That's a fun take, similar to the classic XKCD 538: Security. https://xkcd.com/538/
The 4096 bits just stops it being so easy to surveil you that it is hyper-automated. So there is some use. The $5 wrench needs a million dollar operation to get that guy to your house.
Depends how strong the protections of your civil society is, but it doesn't cost $1m to send a goon with a crowbar or shotgun. Sure that doesn't scale, but if you are a target you're screwed
The $1m is the stuff they did to the point where they knew where to send the goon.
If you are a target you are screwed. But clever crypto isn't useless.
Probably used to average over $1m. Nowadays, those operations (polonium, novachuk, expending expensive KGB resources) send a signal. Otherwise, swatting your home while they drain your wallets; or threatening to swat; quite inexpensive.
Oh come on, that's way over budget! Every time I managed such an operation, we'd just rent a van and... uh, I mean, um, I heard it costs less.
<NO CARRIER>
Its a million dollars to the defense contractor who lobbies for more wrench attacks.
this is why you need a fake password that provides access to fake content that looks like the real content
Another example of power resides where men believe it resides.
Americans are just very scared of Mossad. Tons of money goes into Holywood to make them appear invincible to the world. Fun fact, they aren't.
Intelligence agencies have great capabilities no doubt they get billions of $$$ and have utter immunity to do whatever they want in the name of national security. Why is only Mossad scary? I'd be more scared of the CIA and KGB than of Mossad.
US has never been in existential threat like Israel has been, if it were I wouldn't want to stand in their way.
I see this on reddit a lot in self hosting context.
The range of things people do on security is wild. Everything from publicly expose everything and pray the apps login function some random threw together is solid to elaborate intrusion detection systems.
Somewhat related video: https://vimeo.com/95066828
It's hilarious, but the hilarity gets in the way of recognizing how much insight there is also there. It makes serious points. This part about the Mossad is especially astonishing given the pager attack:
> If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone
It's like a Mossad agent read this paper and thought hey that's actually not a bad idea.
But the core rant is about dubious assumptions in academic cryptography papers. I was also reading a lot of academic crypto papers in 2014, and the assumptions got old real fast. Mickens mocks these ideas:
• "There are heroes and villains with fantastic (yet oddly constrained) powers". Totally standard way to get a paper published. Especially annoying were the mathematical proofs that sound rigorous to outsiders but quietly assume that the adversary just can't/won't solve a certain kind of equation, because it would be inconvenient to prove the scheme secure if they did. Or the "exploits" that only worked if nobody had upgraded their software stack for five years. Or the systems that assume a perfect implementation with no way to recover if anything goes wrong.
• "you could enlist a well-known technology company to [run a PKI], but this would offend the refined aesthetics of the vaguely Marxist but comfortably bourgeoisie hacker community who wants everything to be decentralized", lol. This got really tiresome when I worked on Bitcoin. Lots of semi-technical people who had never run any large system constantly attacking every plausible design of implementable complexity because it wasn't decentralized enough for their tastes, sometimes not even proposing anything better.
• "These [social networks] are not the best people in the history of people, yet somehow, I am supposed to stitch these clowns into a rich cryptographic tapestry that supports key revocation and verifiable audit trails" - another variant of believing decentralized cryptography and PKI is easy.
He also talks about security labels like in SELinux but I never read those papers. I think Mickens used humor to try and get people talking about some of the bad patterns in academic cryptography, but if you want a more serious paper that makes some similar points there's one here:
https://eprint.iacr.org/2019/1336.pdf
> Lots of semi-technical people who had never run any large system constantly attacking every plausible design of implementable complexity because it wasn't decentralized enough for their tastes, sometimes not even proposing anything better.
And for added fun, that same radical decentralization crowd, finally settling on the extremely centralized Lightning crutch, which is not only centralized but also computationally over complicated and buggy.
It is kinda funny, but cost and benefit analysis is not foreign even to Mossad. Mossad would prefer quite a few people's data stolen, but they are not going to carry out a black abroad for most of them.
> you could enlist a well-known technology company to [run a PKI],
If you have a single company, then that's easy enough for a group like Mossad to infiltrate. Probably easier than a distributed system.
The best known PKI (webtrust) is many companies, not a single company. So it's distributed but that makes it easier to hack not harder because you have many possible targets instead of just one.
Mickens essays are always a good read
Not sure what audience he is talking to. Experts deal with a lot more issues that sit between choosing a good password + not falling for phishing and "giving up because mossad". The terminology that he sprinkles about suggests the audience is experts.
The article actually addresses this -- that all these extra issues are not manageable for mere mortals anyway and/or perfectly spherical cows are involved.
It does not. It just invents a bunch of straw men, and then mocks them.
Such as?
Security is a problem caused by ownership of some usefulness. Sometimes solution can be around addressing these two causes.
Do you have a concrete example?
Do not have concentrated usefulness and do not have concentrated ownership.
I think the central premise is a "wrong". The "point" of science isn't really to do useful things. Framing things from that angle is in subtle ways dangerous bc that shouldnt be part of the incentive structure.
you dont understand the mating behaviors of naked mole rats bc of some sense of "usefulness". Its just an investigation of nature and how things work. The usefulness comes out unexpectedly. Like you find out naked mole are actually maybe biologically immortal
You should just find interesting phenomena and invetigate. Capitalism figures out the usefulness side of things
Yeah, Science shouldn't be concerned with usefulness, just like Art. It's the application of those fields which should concern itself with usefulness i.e. applied science, engineering, design etc. I'm not saying that scientific research shouldn't be carried out by companies with specific goals in mind, just that it shouldn't be the expected default.
Ah, very Germanic tactics against some Mediterranean foe. Us, Southern Mediterranean/half Atlantic guys, we have it easier. We would just put fake data, hints and traces untl they get mad and paranoid between themselves, we are experts on that since forever.
Also, the Southern part of the country (which I am pretty much not related culturally at least on folklore and tons of customs) managed to bribe even the Russian mafias. They were that crazy, it's like a force of nature. OFC don't try backstabbing back these kind of people, some 'folklorical' people are pretty much clan/family based (even more than the Southern Italians) and they will kick your ass back in the most unexpected, random and non-spectacular way ever, pretty much the opposite of the Mexican cartels where they love to do showoff and displays. No, the Southern Iberians are something else, mixed along Atlantics and Mediterranean people since millenia and they know all the tricks, either from the Brits/Germanics to Levantine Semitic foes...
You won't expect it. You are like some Mossad random Levi, roaming around, and you just met some nice middle aged woman on a stereotyped familiar bar where the alleged ties to some clan must be nearly zero, and the day after some crazy Islamic terrorist wacko with ties to drug cartels will try to stab you some Sunday in the morning and he might try to succeed with the dumbest and cheapest way ever.
No, is not an exaggeration. We might not be Italy, but don't try to mess up with some kind of people.
this guy's stuff reads like word salad and people lap it up. I've never understood why.
He wrote quirky internet humor before it was mainstream, in fact he's a victim of his own success - when this article came out this would've been considered funny and quirky writing, but has become tired and derivative enough today to provoke a negative reaction.
Despite word salad it is entertaining and the core message is valid
Because it's a funny rant.
Very true, unfortunately there's no password strong enough to stop Malaysian Airlines ground crew from loading a pallet full of Mossad-rigged walkie talkies on my flight from Kuala Lumpur to Beijing via conveniently-placed-NATO-AWACS-infested airspace.
2FA isn't going to protect me from cruising altitude walkie talkie detonation and having the debris scattered over an impossibly wide area.
I guess the best thing to do is not take an airline of a country that has recently showed public support for Gaza specifically during a humanitarian visit in the months prior to my flight.
Thankfully none of this is true and everything the mainstream media and governments tell us are true - imagine if things weren't as they seemed?.. Craziness... Back to my password manager!
The Mossad part is a very silly element of the text. Many organizations have to defend against US intelligence, Israeli intelligence etc., and I'm sure, that they, with the exception of some very terrible countries with a lot of incompetence or full of disloyal people likely to become infiltrators, are quite successful.
Actual security is possible even against the most powerful and determined adversaries, and it's possible even for you.
I think fighting Israel is kind of a glimpse into what trying to fight a malevolent AGI will be like.
Expect to lose in highly surprising ways.
I don't know, driving a big truck into AWS' us-east-1 power supply section sounds more than enough to take down internet for a while.
Of course, but that's the point. Actual AGI wouldn't need to limit itself pointlessly in ways that would make it obvious to every internet rando how to hit it. Just as you cannot kill an intelligence agency with a single strike, it could distribute itself over many secret locations.
I would hope that data centre has multiple power supplies from multiple locations - as well as UPS and on site generators, certainly mine do.
However given AWS is so complex (which is required because they want to be a gatekeeping platform) leading the uptime to struggle to match a decent home setup, I'm not sure. I'm sure there's no 6 figure bonus for checking the generators are working, but a rounded corner on a button on an admin page?
Then how it's possible Mossad didn't know about what had happened on 7 October 2023?
Actually Gaza and the West Bank are handled by the "Shabak" agency which is the equivalent of the FBI while the "Mossad" agency is only for foreign operations and is equivalent to the CIA
And asking how did they miss something is like asking how come AWS has downtime. But I'm sure you could come to this conclusion on your own if you didn't really want the answer to be something else.
The same way the US didn't know about 9/11. Intelligence failures.
(Portions of the US intelligence apparatus knew, but that knowledge didn't transition into action)
Israel's intelligence services (not Mossad) did collect valid signals, such as sim cards in Gaza being swapped out for Israel sim cards, but it was ignored as another false positive. What the public don't see are all the false positives (like many drills for an attack that don't materialize) that drown out valid signals when the attack is actually going to happen. There's also hesitancy to act on signals because drills are used to expose intelligence.
It's one of the many asymmetries that changes when you are the defender versus the attacker. As the defender, you have to be right 100% of the time. As the attacker, you have the luxury of being right only 30% of the time. The law of large numbers is on the side of the attacker. This applies to missile offense/defense and to usage of intelligence.
This information asymmetry is also one of the key drivers of the security dilemma, which in turn causes arms races and conflict. The defender knows they can't be perfect all the time, so they have an incentive to preemptively attack if the probability of future problems based on their assessment of current information is high enough.
In the case of Gaza there was also an assessment that Hamas were deterred, which were the tinted glasses through which signals were assessed. Israel also assumed a certain shape of an attack, and the minimal mobilisation of Hamas did not fit that expected template. So the intelligence failure was also a failure in security doctrine and institutional culture. The following principles need to be reinforced: (i) don't assume the best, (ii) don't expect rationality and assume a rival is deterred even if they should be, (iii) intention causes action, believe a rival when they say they want to do X instead of projecting your own worldview onto them, (iv) don't become fixated on a particular scenario, keep the distribution (scenario analyses) broad
a. I am too lazy to search but they probably did, the problem was what was done with the information. Same with 8200 the all mighty signal intelligence corps
b. The Mossad is the equivalent of the CIA, they are not meant to act inside Israel
> b. The Mossad is the equivalent of the CIA, they are not meant to act inside Israel
For that purpose is Gaza inside or not inside Israel?
Shin Bet (Israeli internal security service) have an Arab desk that covers the West Bank & Gaza.
Yes (TBD)
Israel would probably dispute it, but for most of the world Gaza in relation to Israel is "abroad" and not "domestic".
Domestic intel = Shin Bet, not Mossad
This is exactly the type of comment that will get you mossad'd.
ok I'll keep you updated, but I don't own any real estate they could "de-Hamasify"
Maybe they did but it was permitted to happen to provide the pretext to expand those Greater Israel borders.
They didn't know about the pretense they wanted to spend the following 2+ years making unlimited fallacious justifications for committing a live-streamed holocaust of children? Who told you that?
If your adversary is a state intelligence agency, you're probably a high ranking politician and a boomer who is clueless about computers, and has demonstrably terrible opsec, either through government incompetence of your own agencies, or not following the terribly cumbersome opsec procedures, either because of inconvenience, the policies being terrible or sheer incompetence.
The amount of examples we've seen of this is staggering.
That sounds like an elected legislator, not like the kind of person with close access to compartmentalized info. And its the form of a leak of policy or some covert program; details which could also be bought; so it’s called “retail” compared with systematic.