Redecentralize

We’ve had enough of digital monopolies and surveillance capitalism. We want an alternative world that works for everyone, just like the original intention of the web and net.

We seek a world of open platforms and protocols with real choices of applications and services for people. We care about privacy, transparency and autonomy. Our tools and organisations should fundamentally be accountable and resilient.

Paul Frazee [LibreList] Re: [redecentralize] Spring of User Experience 2014-02-28 17:53:18
Is anybody familiar with novel approaches to security UX that you might share? I'd enjoy some anecdotes about what's worked.


On Fri, Feb 28, 2014 at 4:46 PM, Ximin Luo <infinity0@pwned.gg> wrote:
Telegram's justifications for their security have basically been "prove me wrong". In fact, they have been proven wrong several times, but then they fix the specific attack and repeat the "prove me wrong" challenge. It gets tiring. Modern strong security justifications must be secure-because arguments, not lack-of-attack arguments.

They also made a big deal out of the fact that some of their team have PhDs. They weren't in computer security, though.

I do not want to present this as a "you must listen to a security professional" advice. The security community is realising more and more how elitist the traditional "don't do your own crypto" advice sounds. Rather, we would encourage people to learn security in a more precise and technical fashion, and that includes practising by implementing these things yourself.

But - don't release them, or make claims about them, until you are genuinely honestly sure (as opposed to wanting to make a quick buck) and have had it reviewed by similarly genuine and honest people. Also, even if you don't become good enough to release things for deployment, learning about these concepts from a precise and engineering viewpoint lets you see through the bullshit more effectively.

X

On 28/02/14 14:55, Eric Mill wrote:
> I see Moxie doesn't think much of Telegram:
>
> http://www.thoughtcrime.org/blog/telegram-crypto-challenge/
>
> -- Eric
>
> On Feb 28, 2014 9:48 AM, "Eric Mill" <eric@konklone.com> wrote:
>
>     Not to drag this out, but would you mind posting a link to something about Telegram's travails? I'm interested.
>
>     There's the potential for a dangerous wave of slickly designed messaging apps that adopt the mantle of security without truly prioritizing it. I had a frustrating interaction with the Tox team here, for example:
>
>     https://github.com/irungentoo/ProjectTox-Core/issues/121
>
>     -- Eric
>
>     On Feb 28, 2014 6:51 AM, "Ximin Luo" <infinity0@pwned.gg> wrote:
>
>         On 27/02/14 20:20, Francis Irving wrote:
>         > Hi all!
>         >
>         > Having interviewed many geeks, I now think the limiting factor in mass adoption is involvement of more design and user experience people in decentralization projects.
>         >
>         > As I describe in the Gigaom article today, I also think designers are quite interested in this (post Snowden), and likely there are some who need good projects to help/start but don't know about this movement.
>         >
>         > We are going to try and interview more people with that kind of background, who have done at least something tangible in this area.
>         >
>         > Ideas I have:
>         > Telegram - who does design stuff there?
>
>         For the love of god please do not give Telegram any more attention.
>
>         They are a marketing machine with no security credentials whatsoever.
>
>         They are so far up their own ass they are like a 3D projection of a Klein bottle.
>
>         They ate a crap load of humble cake, perhaps it will be worth talking to them in a year or so. But not now. Give more deserving projects your attention for the time being.
>
>         X
>
>         --
>         GPG: 4096R/1318EFAC5FBBDBCE
>         git://github.com/infinity0/pubkeys.git
>


--
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git

