
Security for the people - avsaro
http://google-opensource.blogspot.com/2014/09/security-for-people.html
======
tombrossman
The simplysecure.org domain uses Google Analytics which isn't disclosed on
their privacy page (as required by Google Analytics' TOS). There is also a
mixed-content warning because someone hard-coded an [http://](http://) link to
the balloons image in the blog post on their https site. I went to email them
and first looked for PGP keys (us pro-privacy & security people all use PGP,
right?) and found none for the domain on any key servers.

I point all this out because it perfectly illustrates their point. Here are a
group of smart people launching a great initiative with a beautiful and modern
website, and they made some mistakes just like the rest of us do.

I've offered to help and recommended they switch to Piwik (and fix the http
link). I hope others here on HN who care about security and privacy will also
offer to help out. Some of this stuff is easy to fix and I think it's a great
initiative.

~~~
Mandatum

        I've offered to help and recommended they switch to Piwik (and fix the http link).
    

HN does tech satire so much better than the rest of the internet..

~~~
simonebrunozzi
What do you exactly mean?

~~~
girvo
Telling the Google Open Source people to use Piwik instead of Google Analytics
seems like satire.

~~~
tombrossman
I know the Piwik recommendation gave some a reason to chuckle but I was dead
serious. This initiative was promoted by Dropbox (who recently brought
Condoleeza Rice on board) and Google (an ad company currently removing
privacy-enhancing apps from their mobile marketplace) and so this group will
need to distinguish themselves to appear credible.

It's that or be dismissed as just another iteration of Microsoft's 'embrace,
extend, extinguish' plays.

------
tptacek
_Researching and developing usability and security auditing practices. How do
we measure the two in a single assessment?_

You don't. They're wildly different disciplines. Security auditing is
fundamentally a systems programming problem. The least effective security
"auditors" approach security as something different than software engineering.
The most significant security issues arise from correctness issues; finding
and fleshing them out involves discovering the degrees of freedom offered to
an attacker by faulty assumptions made by blocks of code scattered throughout
an entire system.

That's not to take anything away from the practice this team is trying to
start! Someone should be doing security usability work, because I don't know
anyone who does it well now.

Providing real software security for open source projects is a tricky problem.
Talented software security people are in enormous demand. Bill rates are going
up. One thing a project like this might want to tackle is onboarding more
technical people into the discipline, to address the supply problem.

~~~
cbhl
I'm not so sure. "User uses the system as designed" is a huge faulty
assumption -- look at all the people who put SSH private keys (or Amazon AWS
keys) on GitHub or who write a shared company-wide password on a sticky note
taped to their monitor. A more usable system might prevent these sorts of
failure modes, or at least inform the user of the risks that result from such
decisions.

~~~
tptacek
I'm probably being imprecise. There's a big and important discipline of
assessing the usability of a system and the impact of all the affordances the
interface of a system provides. I believe that also takes a special skillset,
and it's a skillset I'm happy to see new initiatives like this taking on.

I am not suggesting that security usability (or, to keep it technical,
security UX) is easy, or that software security practices are necessarily good
at it.

------
mindslight
It's very odd that they lead off by focusing on unrelated FUD.

> _However, if people are indeed working to protect themselves, why are we
> still seeing incidents, breaches, and confusion?_

That references a completely different security area, and as much as it's a
juicy source of scare stories for mass media, it's unrelated to end user
security with respect to government and corporate mass surveillance.

The former is basically insecure by design (based on the assumption that
transactions are always reversible), with the duct tape occasionally failing.
The latter will never manifest itself as a discrete problem for the sheer
majority of people, but just an ever-growing set of annoyances and chilling
effect on one's thoughts and actions.

They require completely different approaches. For the former simply having
backup credit cards, being prepared to sue your banks for negligently giving
away your money, and flagging the pop culture scare articles off Hacker News -
that's about all you can do, because the deficient technology is _not yours_.

The latter requires _proactively_ analyzing the implications of one's
technology choices and avoiding the attractive nuisances. Fixing these
problems is not at all straightforward and is one of the great struggles of
our time, which is why it is such a disservice to conflate the two.

~~~
tmzt
But the former now leads to further erosion in the latter as well as
reinforcing the misconceptions and fear tacticts that lead to greater and
greater incursions on the privste sphere. Those "annoying" mass media articles
have led Congres to enact laws, a court to seize the operations of a private
company and hand it to a competitor, as well as forming tighter public-private
partnerships that provide end-runs around due process.

These things can happen because the public is uninformed, disinterested, and
subjected to carefully coordinated messaging by security companies selling
solutions, "credit monitoring" companies that package insurance, and the mass
media that doesn't have a deep commitment to getting the facys right when it
comes to this topic.

------
stevekl
And don't forget the end-to-end project[1], which is the javascript crypto
library by google.

The significance of these types of project extend beyond browser privacy. As
crypto-currency become more prominent, we NEED better, carefully auditted
javascript crypto-libraries.

Right now, all the crypto-code are home baked. e.g.:
[https://github.com/bitcoinjs/bitcoinjs-
lib/blob/master/src/e...](https://github.com/bitcoinjs/bitcoinjs-
lib/blob/master/src/ecdsa.js)

While, I think they are all doing a fine job. It is not settling to think that
these mission critical, crypto-code is not vetted by cryptographers.

In fact, a few months ago, there was a bug where the nonce for each signature
was not set properly that basically meant you were able to work out the
private key for 2 different signatures. Some users lost funds due to the bug.

These open initiatives will lay an important foundation.

[1][https://code.google.com/p/end-to-end/](https://code.google.com/p/end-to-
end/)

~~~
anon1385
Holy crap, people are actually using javascript crypto for bitcoin‽

~~~
scintill76
They also pretty commonly use in-browser JS SHA256 to derive private keys from
human-generated passphrases:
[https://brainwallet.github.io/](https://brainwallet.github.io/) There have
been reports of pretty obscure, but still guessable, keys being cracked this
way.

Bitcoin is fascinating just because it makes these sorts of things worth
untraceable money, sometimes a lot of money, and puts it in the hands of
people who have never had that sort of responsibility. Whatever else
cryptocurrency does, maybe it will teach laypeople about these things, devise
new ways to teach them and new technological measures to increase their
safety.

------
fidotron
I wonder what the high level thinking at Google is these days around user
privacy. They must be aware that the growing noise about it means it is going
to be the stick they are going to be attacked with, and yet their business
relies on people willingly giving some of it up.

While this particular announcement seems fluffy, I do somewhat applaud the
intent. The question of how we expect to run the internet economy and preserve
user privacy is becoming more pressing for everyone though.

~~~
lazaroclapp
I feel "willingly giving some [privacy] up" and "being incapable of even
assessing one's level of privacy" are two very different conditions to be in.

------
hazz
[https://simplysecure.org/](https://simplysecure.org/) is the project that
Google is supporting, which seems to be an open consultancy that works with
OSS crypto/security/privacy projects to make them easier to use.

------
ef4
On the topic of bringing better security to normal users, the project I'm most
hopeful about is the FIDO alliance's U2F and UAF standards.[0] There's a new
YubiKey that implements U2F, which is supposed to ship soon.[1]

I'm optimistic because these are open standards backed by many big
organizations, and web browsers will be shipping with support built right in,
no drivers, no plugins.

Tokens like that Yubikey work over USB HID (they look like keyboards to the
OS, so they don't need dedicated drivers). They also work over NFC on mobile
devices (ok, on Android devices. Still waiting on iOS.)

[0]
[https://fidoalliance.org/specifications](https://fidoalliance.org/specifications)
[1] [http://www.yubico.com/2014/09/yubikey-
neo-u2f/](http://www.yubico.com/2014/09/yubikey-neo-u2f/)

------
laydros
This sounds smart. And I'm pretty pragmatic. I don't think Google and Apple
and Microsoft are really trying to ruin my privacy.

But something about this makes me uncomfortable. The fact that when this
appeared on the front page of HN it was with posts from Google and Dropbox
about how they support this.

Google that Assange is releasing a book about, and Dropbox that went a day
where it didn't matter what password you entered and has former Secretary Rice
on their board.

I have a feeling this organization might help keep things like the recent
celebrity iCloud break happening, but as someone else said, real security is
not easy. And false security is worse than no security.

------
peterwwillis
A PR announcement of an initiative to form a coalition to investigate making
it easier to use security tools that most people don't care about. How
thoughtful of you, Google. This wouldn't be an attempt at improving the
public's negative view of you with regard to privacy issues, now would it?

Funny how Google doesn't offer a messaging service that's secured to a
physical device the way Apple does, and these projects when combined would
result in something like that.

~~~
patcon
You seem to imply that there is no real value in the initiative. I humbly
suggest you ask the teams doing all the work (Guardian Project, Open Whisper
Systems, F-Droid, etc.) how excited _they_ are about this. I suspect it's not
as intangible or fuzzy as you imagine. They're expecting real resources and
real funding, which will result in real progress for their already-strapped
projects.

~~~
peterwwillis
I'm sure they're very happy to get funding. The fact that they're excited to
get money for their projects does not mean their projects have value, or that
most people will be affected by them.

------
sauere
I see the motivation behind it and appreciate the cause, however it is not
just about the tools. Yes we need better tools but that alone wont help.
1-Click solutions often promise a lot but only end up giving a false sense of
security. I belive that a certain amount of understanding of the underlying,
general technology will always be required - both for users and developers.

Encrypting your e-mail does not help you if your machine is compromised.

Your super-secure 24 character password is useless if you use it on every
single website.

Encrypting and salting your users credentials is useless if your SSH password
is 6-digits.

What i'm saying is: REALLY staying secure is not easy and it never will be.

------
higherpurpose
I'd like to see Hangouts eventually implement some of Signal/TextSecure's
crypto.

~~~
jamessantiago
I'd like Hangouts to do a lot of things. It looks like they made the right
choice in moving away from XMPP compliance in favor of usability. It certainly
improved the apps' popularity but took a lot of back steps on security and
openness. I'd like to at least see google include hangouts as part of their
upcoming [end-to-end]([https://code.google.com/p/end-to-
end/](https://code.google.com/p/end-to-end/)) extension.

------
patcon
I'm excited to see how the Guardian Project will use the resources. God love
em, but their projects seem to have less UX polish compared to those of Open
Whisper Systems, likely due to Twitter's positive post-acquisition influence
on the latter.

------
gress
"We’re excited for a future where people won’t have to choose between ease and
security, and where tools that allow people to secure their communications,
content, and online activity are as easy as choosing to use them."

That future is now according to Apple.

In any case the real issue is protecting people from Google itself.

~~~
hack_edu
Apple's devotion to privacy ends at phone unlock; the easiest attack vector to
social engineer or forensically determine. Today's announcement is not much
more than a PR stunt to cover their ass and distract from their own repeated
failings to secure their platform or networks.

~~~
gress
"Apple's devotion to privacy ends at phone unlock."

If you had read either the privacy policy or security architecture, you would
know that you have made a false statement here.

I think it's you who is trying to distract us from the fact that Google itself
uses your private data for its own business purposes, and has a vested
interest in not protecting you from itself.

~~~
hack_edu
I find it adorable how people buy into the rhetoric and trust that Apple
doesn't leverage and track your data. They are a hardware _and_ content
company, and they absolutely leverage all the data they can in order to better
market _you_ the content they think _you_ might want. Its not just business,
its personal. Even with the lions' share of their money coming from hardware
sales, so what? Without deep, targeted tracking and mining of user data for
market research their entire mobile platform would implode along with the
business models of their content partners and app makers.

Meanwhile, I show nor imply any support for Google on the subject. They are no
better, perhaps worse.

~~~
gress
So you simply choose to believe they are lying with no evidence at all.

Not much point in discussing anything with you, I guess.

~~~
hack_edu
... and we devolve into the same old debate over the definition of _metadata_

~~~
gress
Nope. Thst's just you presenting more cynicism without a shred of evidence.

------
rasz_pl
Hey google, you can start by phasing out RC4 on YT.

------
Tepix
Nitpicking:

They should use a SHA256 certificate :-)

And DANE and TLSA

~~~
tptacek
Baffling that anyone could still be advocating for DANE after the NSA slides
indicating that the USG has owned up CAs came out. Why exactly does anyone
believe the DNS roots are harder to own up?

------
dang
We merged the comments from
[https://news.ycombinator.com/item?id=8335470](https://news.ycombinator.com/item?id=8335470)
into this thread, since the stories are the same.

------
dfc
The toolbox logo for simply secure is killing me. Whomever made the logo has
never used any hand tools. The saw is part hacksaw part panel saw.

~~~
hahainternet
It's a back saw. Sure it has a weird handle and low tpi, but every woodworker
knows what a back saw is.

~~~
dfc
And how many woodworkers have a back saw with a hack saw handle? I just went
through a ton of clip-art toolboxes and cant find any where the designer
decided to go with the extemporaneous saw design.

~~~
hahainternet
If you're nitpicking the handle design on some clip-art, then I think you
should probably just step back a bit.

~~~
tombrossman
This thread has some great 'Shit HN says' lines. We are truly a tiny little
bubble.

