
having lots of apps though is that it makes it harder for the NSA to subvert the apps or developers

The NSA has had several 10s of $B a year, every year, basically since World War II. This is far greater than the entire public data security sector.

By now they likely have sophisticated internal tools for reversing and analysis. I doubt that it would take long at all for them to develop an exploit for a buggy amateur crypto app. They probably have plenty of new hires and contractors looking for trivial projects to practice on.

Don't get into a war of resource attrition with the most well-funded military on the planet.




I think we should all just create random sized files of random numbers, encrypt them with reasonably strong encryption, and email them to each other. Asymmetric warfare can work in the digital world too.


Don't get into a war of resource attrition with the most well-funded military on the planet.

Wars of attrition seem to have worked very well for a lot of people opposed to the best equipped military on the planet. Actually I think asymmetric warfare is a great analogy here; it's far harder to defeat a war amongst the people than to defeat a standing army, and part of what makes it difficult is there is no central point to attack, no clear lines of control, and no organisation(s) which you can shut down.

Re a buggy amateur crypto app, I'm sure some of them will be buggy, and some of them will be hard to break or use existing crypto which is hard to break. It's a tough subject and not one I'd like to tackle, but I absolutely don't object to others trying, because the alternative is for us to use products from large companies who we have seen will do whatever the US government asks them and call it legal.

Your attitude seems to be that we should just roll over and let the NSA/GCHQ/etc take whatever they want. I disagree.


> the alternative is for us to use products from large companies who we have seen will do whatever the US government asks them and call it legal.

> Your attitude seems to be that we should just roll over and let the NSA/GCHQ/etc take whatever they want. I disagree.

That's not at all what is being said. Many good cryptography products are open source. They have companies behind them because crypto is expensive - you need programmers and researchers and attackers and people to respond to security advisories.

"Don't use crappy kludgey crypto for serious uses; use established products instead" is not at all "Roll over and let GCHQ / NSA do what they want".


You can hardly compare a glut of crappy crypto apps on some app store to the Vietnam War where it took 70,000 body bags on the nightly news (and much higher losses on the other side) to finally get the US to withdraw.

This is basically the ignorant old "NSA has so much data they won't know what to do with it" argument in a slightly different form.

My attitude is that a handful of secure apps is infinitely better than a plethora of bad ones. I'm pretty sure the NSA would prefer the latter.


the Vietnam War where it took 70,000 body bags on the nightly news

I was thinking of Afghanistan (21stC, 19thC), but Vietnam would serve. It was your analogy, and the only valid comparison is tactical, not concrete.

I'm not supporting this particular app and wouldn't use it myself (I just use GPG on trust), but do think it's important we have a lot of people trying to work in this space, if only to have sufficient choice to prevent the field narrowing. The worst possible outcome from my point of view is to have just a few apps worldwide for crypto, not just for technical reasons but for political ones.

My attitude is that a handful of secure apps is infinitely better than a plethora of bad ones. I'm pretty sure the NSA would prefer the latter.

I'm not sure that's really the choice we have (a few secure apps OR lots of insecure ones, I'd have an AND in there and some grey area between secure and insecure), and how many crypto apps is too many? 200? 20? 10? 1?

Given the evidence from the PRISM program, which relies on tech infrastructure being localised in a few prominent US companies to give the NSA easy access which they have found very useful, I disagree about a handful of apps being the worst outcome for the NSA. Ultimately the security of cryptography is also dependent on things outside the cryptographers' control (politics, laws, corporate policies in a specific country), and I'd rather have too many cryptographers than too few in the world. Crappy amateur apps, as you put it, is part of that because some of those people might then learn why and how their apps are insecure and make better ones.


> but do think it's important we have a lot of people trying to work in this space, if only to have sufficient choice to prevent the field narrowing

Yes, I agree with that. As long as we aren't encouraging people to actually use experimental learning projects for critical stuff, or thinking that a diversity of half-baked crypto apps is anything but a birthday party at Chuck E. Cheese for the NSA.


> the Vietnam War where it took 70,000 body bags on the nightly news

Now you know why for the last 18 years it was "illegal" to photograph soldiers' coffins. The ban was lifted some time ago: http://www.nytimes.com/2009/02/27/world/americas/27iht-photo...


This isn't a war of attrition, or asymmetric warfare, this is playing the exact game the NSA is meant to fight. It's like building MIG-21s to take on our F-22. A loser's fight.

I don't think there's any harm in pursuing this as long as expectations are realistic.


To win, all guerrillas have to do is survive.


My impression was that guerilla warfare is based upon retreating into relative anonymity following battles that you pick and win. Unfortunately, using most (any? I don't see any steganography, non-appstore distribution models) of these applications is likely to throw up huge flags on any public communications dragnet...



