Re: "Revealed: how Microsoft handed the NSA access to encrypted messages"

On Fri, Jul 12, 2013 at 1:43 PM, Emmanuel Revah <stsil@manurevah.com> wrote:

> On 2013/07/12 21:25, Mark Watson wrote:
>
>> Sent from my iPhone
>>
> [...]
>
>> Just to re-iterate, the intention is that the closed software comes
>> from, or is at least well understood by, your browser implementor or
>> your OS implementor. I believe you have bigger problems if you don't
>> trust either of those.
>>
>
>
> Are you insinuating that FOSS users are paranoid freaks ?  What are the
> bigger problems ? I wouldn't mind clarification.


I think FOSS users are more careful about what they trust than others. That
doesn't make them paranoid.

For example, if you don't trust your browser or OS implementation then how
do you know it is telling you the truth when it does SSL certificate
verification or indeed any other security function? How do you know that
the so-called anonymous mode really is anonymous, or rather what the
implementors thought "anonymous" really meant? How do you have confidence
there aren't gaping security holes in the implementation that leave you
open to malware?

Some people gain this knowledge through their own security review of the
implementation source code. Other users trust the vendors of closed source
browsers. Others trust the vendors of open source browsers and trust that
the open source community has done this kind of review. What I'm saying is
that *if* you trust a browser/OS on all of the above things, why wouldn't
you trust them with respect to the CDM they ship and vouch for ?

Giving examples where you believe user trust was misplaced isn't relevant
to my point that there are many things that you need to be sure your
browser/OS is doing right, and the CDM - if there is one - is just one of
them.

...Mark


>> Furthermore, you have choices, which through
>> the operation of competition pushes these vendors towards honesty and
>> transparency.
>>
>
> OMGLOL!!11!!


>> This is in contrast to the current situation where the closed software
>> comes from a third party who indeed you may not trust and about whom
>> you have no choice.
>>
>> Is this not an improvement ?
>>
>
>
> I'm not sure you heard the news, or read the initial post in this thread.
> In short, users who trusted their own operating system/browser (Windows/IE)
> have been abused and lied to.  So no, using software that comes directly
> from one company you trust is not a viable option for those who believe in
> privacy.
>
> Perhaps you in fact believe that Microsoft did not abuse their users who
> trusted them. If so I take everything back.
>
> --
> Emmanuel Revah
> http://manurevah.com

Received on Friday, 12 July 2013 21:00:22 UTC