...or to paraphrase Jeff Atwood: "I love crypto, it tells me what part of the system not to bother attacking"
Something like a one time pad is provably secure, however.
Yes, based on our understanding today these things are computationally expensive (e.g. not feasible), but they could theoretically be easy to crack given a mathematical breakthrough.
Am I misunderstanding?
As the field of mathematics advances there's a chance that current crypto will be broken. Why is this a misconception to point out?
Why is it not, on some level, conjecture to say these systems are secure?
It hasn't been implemented yet in any practical crypto system that I know of, but it certainly seems like we are finally going to have actually provably hard problems to build out security on.
For example, quantum computing may break the axiom, and then the proof will be invalidated.
It might be more correct to say assumption rather than axiom here.
If so - interesting, how does that work?
If not - then doesn't that mean it's not provably secure?
When using an OTP, you have to use non-pseudorandom values to avoid just being a stream cipher. If you're doing that, you can skip sharing the pad and just share the initial state of the PRNG.
If you go to the trouble of sharing the pad, go to the trouble of using random data within it. :)
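As an added illustration of the comment above (example code, not the commenter's; the PRNG and all function names are hypothetical): both constructions XOR the message with key material, and the only difference is where that material comes from, which is why a PRNG-derived "pad" carries no more secret than its seed. It also goes one step beyond the comment to show why reusing either kind of key material leaks the XOR of the plaintexts.

```python
import hashlib
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the core of both OTP and stream ciphers)."""
    if len(a) != len(b):
        raise ValueError("key material must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

def otp_pad(n: int) -> bytes:
    """A genuine one-time pad: n bytes drawn from the OS entropy source, used once."""
    return secrets.token_bytes(n)

def prng_keystream(seed: bytes, n: int) -> bytes:
    """Toy counter-mode PRNG (hypothetical, illustration only): expands a short seed
    into n bytes. Anything XORed with this output is a stream cipher, not an OTP."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

def pad_is_just_a_seed(pad: bytes, seed: bytes) -> bool:
    """If the 'pad' came out of a PRNG, the seed reproduces it byte for byte, so the
    secret actually shared is len(seed) bytes, however long the pad looks."""
    return prng_keystream(seed, len(pad)) == pad

def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper learns from two ciphertexts under the same key material:
    c1 XOR c2 == p1 XOR p2, whether that material was a true pad or a keystream."""
    return xor_bytes(c1, c2)

def demo() -> dict:
    msg1 = b"attack at dawn!!"  # constructed sample plaintexts, 16 bytes each
    msg2 = b"retreat at dusk!"
    seed = secrets.token_bytes(16)            # 16 bytes of secret...
    ks = prng_keystream(seed, len(msg1))      # ...stretched into a 16-byte "pad"
    pad = otp_pad(len(msg1))                  # 16 bytes of secret for 16 bytes of message
    c1, c2 = xor_bytes(msg1, pad), xor_bytes(msg2, pad)  # pad reused: the mistake
    return {
        "stream_cipher_roundtrip": xor_bytes(xor_bytes(msg1, ks), ks) == msg1,
        "otp_roundtrip": xor_bytes(xor_bytes(msg1, pad), pad) == msg1,
        "prng_pad_reconstructible_from_seed": pad_is_just_a_seed(ks, seed),
        "true_pad_reconstructible_from_seed": pad_is_just_a_seed(pad, seed),
        "reuse_leaks_plaintext_xor": reuse_leak(c1, c2) == xor_bytes(msg1, msg2),
    }
```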
Better to look at what lies on either side without relying on the pipe being vulnerable.
That's how I interpreted it.
But crypto is of course not a magic pill. There are political issues that need to be addressed as well. This was a theme touched on in Bruce Sterling's SXSW keynote this year.
The only way to really ensure the integrity of encrypted communications is by isolating and keeping the endpoints away from prying eyes. If your personal, business, political or criminal activity is such that you're concerned about third party interference with your clients, you have no business using iMessage -- which is protecting you from snooping network admins and carriers.
The beauty of a complex but powerful tool like GPG is that you can completely isolate your online activity from secure activity. There's nothing preventing you from printing cipher text and using a scanner attached to an air gapped computer without any network connection.
If your health and safety depend on secure communications to avoid extraordinary threats, don't use off the shelf tools that you don't understand. If you don't understand any tools, follow "the Godfather's" advice and avoid telecom-based communication.
I despise the "if you have nothing to hide..." argument for the surveillance state. And I argue against it every chance I get.
But, practically speaking, I don't have much to hide. I also realized that one can draw more attention to oneself by taking drastic measures to preserve one's own privacy.
I know, citation needed... I believe FB (or a related party) released some research about detecting "holes in the social network". Browser fingerprinting is another front on which I've probably made myself more unique to trackers.
If you have a Mac that's on OS X 10.11.3-, then you shouldn't be running unpatched systems.
Weinre - https://people.apache.org/~pmuellr/weinre/docs/1.x/1.5.0/
Apple really needs to invest heavily in bug bounties and internal security audits. This is 101 type of stuff when implementing any user-controllable embedded web content.
The bar should never be this low for critical OS apps like iMessage.
You haven’t seen their XML bugs in Google Toolbar’s web gallery in 2013, have you? Full access to the whole file system of their servers via XML includes.
A bunch of security researchers managed to dump /etc/passwd as a sample to get the bug bounty.
Google’s security isn’t that much better either...
> In case of Android what you only need is that your application can read notifications
That way, you don't even have to attack WhatsApp itself and they have all the plausible deniability they needed.
EDIT: It appears that I was incorrect.