46 comments

[ 3.3 ms ] story [ 50.0 ms ] thread
I think fighting Israel is kind of a glimpse into what trying to fight a malevolent AGI will be like.

Expect to lose in highly surprising ways.

Remember, you don't have to be unhackable, just sufficiently unimportant to not be worth burning any novel capability on
So the advice would be for an activist to choose extremely boring forms of activism? ;)
I like the "gray man" concept, but can't predict when you end up on the radar or why. As a young graduate student, I once wrote an article that rebuffed the government's "Total Information Awareness" trial balloon and suddenly found myself embroiled in much unexpected controversy, including some big name journalists e-mailing me and asking questions. You just never know when you stumble into something that you're not supposed to know about and what might happen.
Never agreed with this logic. For a lot of people (anyone that does political activism of some sort for example) the threat model can be a lot more nuanced. It might not be Mossad or the CIA gunning for you, specifically, but it might police searching you and your friend's laptops or phones. It might be burglars targetting the office of the small organization you have and the small servers you have running there.
The third mode is enabled by scale of data and compute. If enough data from enough sources is processed by enough compute, Mossad does not need to have a prior interest in you in order for you to fit a profile that they are interested in.

Anyone else see all the drones flying over a peaceful No Kings assembly?

Yeah it's extremely immature, even within police agencies there's a huge variation on their ability to perform digital forensics. Furthermore, just because the feds don't like you for whatever reason doesn't mean they're going to deploy their top-of-the-line exploits against you, or detain and torture you, or whatever magic voodoo bullshit the author thinks the Mossad can do.
Not sure what audience he is talking to. Experts deal with a lot more issues that sit between choosing a good password + not falling for phishing and "giving up because mossad". The terminology that he sprinkles about suggests the audience is experts.
The Mossad part is a very silly element of the text. Many organizations have to defend against US intelligence, Israeli intelligence etc., and I'm sure, that they, with the exception of some very terrible countries with a lot of incompetence or full of disloyal people likely to become infiltrators, are quite successful.

Actual security is possible even against the most powerful and determined adversaries, and it's possible even for you.

Well, data security. Right up until the wetware is included.
Then how it's possible Mossad didn't know about what had happened on 7 October 2023?
Lack of omniscience, infinite computing power, and yottabyte storage facilities?
They didn't know about Hannibal Directive Celebration Day? Who told you that?
If your adversary is a state intelligence agency, you're probably a high ranking politician and a boomer who is clueless about computers, and has demonstrably terrible opsec, either through government incompetence of your own agencies, or not following the terribly cumbersome opsec procedures, either because of inconvenience, the policies being terrible or sheer incompetence.

The amount of examples we've seen of this is staggering.

It's hilarious, but the hilarity gets in the way of recognizing how much insight there is also there. It makes serious points. This part about the Mossad is especially astonishing given the pager attack:

> If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone

It's like a Mossad agent read this paper and thought hey that's actually not a bad idea.

But the core rant is about dubious assumptions in academic cryptography papers. I was also reading a lot of academic crypto papers in 2014, and the assumptions got old real fast. Mickens mocks these ideas:

"There are heroes and villains with fantastic (yet oddly constrained) powers". Totally standard way to get a paper published. Especially annoying were the mathematical proofs that sound rigorous to outsiders but quietly assume that the adversary just can't/won't solve a certain kind of equation, because it would be inconvenient to prove the scheme secure if they did. Or the "exploits" that only worked if nobody had upgraded their software stack for five years. Or the systems that assume a perfect implementation with no way to recover if anything goes wrong.

"you could enlist a well-known technology company to [run a PKI], but this would offend the refined aesthetics of the vaguely Marxist but comfortably bourgeoisie hacker community who wants everything to be decentralized", lol. This got really tiresome when I worked on Bitcoin. Lots of semi-technical people who had never run any large system constantly attacking every plausible design of implementable complexity because it wasn't decentralized enough for their tastes, sometimes not even proposing anything better.

"These [social networks] are not the best people in the history of people, yet somehow, I am supposed to stitch these clowns into a rich cryptographic tapestry that supports key revocation and verifiable audit trails" - another variant of believing decentralized cryptography and PKI is easy.

He also talks about security labels like in SELinux but I never read those papers. I think Mickens used humor to try and get people talking about some of the bad patterns in academic cryptography, but if you want a more serious paper that makes some similar points there's one here:

https://eprint.iacr.org/2019/1336.pdf

> going to use a drone to replace your cellphone with a piece of uranium

That's assuming they can figure out who you are in the first place. My pipe dream for the internet (that I thought we were getting way back in the 90's) is total anonymity. You can say whatever you like about the mossad, or the NSA or the KGB or whatever you like, and they'll never be able to figure out whose cellphone to replace with a piece of uranium.

We have the technology to make it happen (thanks to the paranoid security researchers!) just not the collective will to allow it.

Very true, unfortunately there's no password strong enough to stop Malaysian Airlines ground crew from loading a pallet full of Mossad-rigged walkie talkies on my flight from Kuala Lumpur to Beijing via conveniently-placed-NATO-AWACS-infested airspace.

2FA isn't going to protect me from cruising altitude walkie talkie detonation and having the debris scattered over an impossibly wide area.

I guess the best thing to do is not take an airline of a country that has recently showed public support for Gaza specifically during a humanitarian visit in the months prior to my flight.

Thankfully none of this is true and everything the mainstream media and governments tell us are true - imagine if things weren't as they seemed?.. Craziness... Back to my password manager!

this guy's stuff reads like word salad and people lap it up. I've never understood why.
He wrote quirky internet humor before it was mainstream, in fact he's a victim of his own success - when this article came out this would've been considered funny and witty writing, but has become tired and derivative enough today to provoke a negative reaction.
I've always enjoyed Mikens' writing. He has a great sense of humor.

I like his using Mossad as the extreme. I guess "Mossad'd" is now a verb.

Security is a problem caused by ownership of some usefulness. Sometimes solution can be around addressing these two causes.
I see this on reddit a lot in self hosting context.

The range of things people do on security is wild. Everything from publicly expose everything and pray the apps login function some random threw together is solid to elaborate intrusion detection systems.

Mickens essays are always a good read
I think the central premise is a "wrong". The "point" of science isn't really to do useful things. Framing things from that angle is in subtle ways dangerous bc that shouldnt be part of the incentive structure.

you dont understand the mating behaviors of naked mole rats bc of some sense of "usefulness". Its just an investigation of nature and how things work. The usefulness comes out unexpectedly. Like you find out naked mole are actually maybe biologically immortal

You should just find interesting phenomena and invetigate. Capitalism figures out the usefulness side of things

Both Assange and Snowden are apparently alive and well, despite Mossad-like agencies wishing otherwise, largely thanks to Tor; and Hamas, whose adversary was in fact the Mossad, apparently still exists. Hizbullah has hopefully taught us all a good lesson about supply-chain attacks.

Debian is probably the only example of a successful public public-key infrastructure, but SSH keys are a perfectly serviceable form of public-key infrastructure in everyday life. At least for developers.

Mickens's skepticism about security labels is, however, justified; the problems he identifies are why object-capability models seem more successful in practice.

I do agree that better passwords are a good idea, and, prior to the widespread deployment of malicious microphones, were adequate authentication for many purposes—if you can avoid being phished. My own secure password generator is http://canonical.org/~kragen/sw/netbook-misc-devel/bitwords...., and some of its modes are memorable correct-horse-battery-staple-type passwords. It's arguably slightly blasphemous, so you may be offended if you are an observant Hindu.

> prior to the widespread deployment of malicious microphones, were adequate authentication for many purposes

Can you elaborate on this? I don't understand the context for malicious microphones and how that affects secure passwords.

> ...Assange and Snowden...

I'd argue that for every Assange and Snowden, there are 100 (1k? 100k?) people using Tor for illegal, immoral, and otherwise terrible things. If you're OK with that, then sure, fine point.

> SSH keys

Heartbleed and Terrapin were both pretty brutal attacks on common PKI infra. It's definitely serviceable and very good, but vulnerabilities can go for forever without being noticed, and when they are found they're devastating.

The idea that either of them are at risk of being whacked is utter tinfoil-hattery. The worst Snowden has to fear is being convicted and jailed, and it says a lot about him that he fled to Russia of all places instead of manning up and facing trial.
Neither Assange nor Snowden are a threat anymore. They are contained and have next to no ability anymore. So it would be a waste of resources to pursue them. The lackeys (police etc) are all that’s needed here to harass them and make their lives miserable. What’s Mossad going to do? Kill them with explosives? That takes all the fun out of torturing them and making their lives miserable by proxy.

The only thing I see is that both are contained and quarantined. The threat of both has been neutralized to the degree where I think the espionage agencies of all these countries are playing along together to keep the engine of their craft going uninterrupted without fuss.

In other words, you have to be gullible to think an embassy cares about protecting Assange. It’s a phone call from the secret service director saying “Keep him there for now, it’s where we want him.”

The point about the lay person not needing massive parallelism was very true, until it was not :D
Ah, very Germanic tactics against some Mediterranean foe. Us, Southern Mediterranean/half Atlantic guys, we have it easier. We would just put fake data, hints and traces untl they get mad and paranoid between themselves, we are experts on that since forever.

Also, the Southern part of the country (which I am pretty much not related culturally at least on folklore and tons of customs) managed to bribe even the Russian mafias. They were that crazy, it's like a force of nature. OFC don't try backstabbing back these kind of people, some 'folklorical' people are pretty much clan/family based (even more than the Southern Italians) and they will kick your ass back in the most unexpected, random and non-spectacular way ever, pretty much the opposite of the Mexican cartels where they love to do showoff and displays. No, the Southern Iberians are something else, mixed along Atlantics and Mediterranean people since millenia and they know all the tricks, either from the Brits/Germanics to Levantine Semitic foes...

You won't expect it. You are like some Mossad random Levi, roaming around, and you just met some nice middle aged woman on a stereotyped familiar bar where the alleged ties to some clan must be nearly zero, and the day after some crazy Islamic terrorist wacko with ties to drug cartels will try to stab you some Sunday in the morning and he might try to succeed with the dumbest and cheapest way ever.

No, is not an exaggeration. We might not be Italy, but don't try to mess up with some kind of people. My country is not Mafia-bound, but criminal cartels, mafias and OFC some terror groups from the Magreb (and these bound to the Middle East ones) have deals with each other because of, you know, weapons and money. And Marbella it's pretty much a hub.

This explains a lot about Argentina.
Another example of power resides where men believe it resides.

Americans are just very scared of Mossad. Tons of money goes into Holywood to make them appear invincible to the world. Fun fact, they aren't.

Intelligence agencies have great capabilities no doubt they get billions of $$$ and have utter immunity to do whatever they want in the name of national security. Why is only Mossad scary? I'd be more scared of the CIA and KGB than of Mossad.

US has never been in existential threat like Israel has been, if it were I wouldn't want to stand in their way.