
All he really needed was a "legitimate seeming" site which didn't keep logs at all. It is more important to not arouse suspicion through the act of using the tool vs. to be secure once targeted and subverted -- basically, forward secrecy would suffice.

He would have been fine with...a phone. "Talking about my book." Or, maybe, IM with OTR without logging, but that might arouse suspicion if non-default, and might also fall prey to crazy counterparty either not disabling logging or intentionally recording and blackmailing.




> Or, maybe, IM with OTR without logging, but that . . . might also fall prey to crazy counterparty either not disabling logging or intentionally recording and blackmailing.

I thought this was one of the benefits of OTR over, say, PGP. That is, with PGP if you sign a message the counterparty can wave it around and say "look at what this person said", while with OTR, since the encryption is done with a shared key, it could be just as likely that the counterparty made it up.

At least, that's what I gleaned from this wonderful video[1] someone linked to on HN yesterday.

[1] https://www.youtube.com/watch?v=eG0KrT6pBPk
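
The PGP-versus-OTR contrast in the comment above, as an added sketch (not from the thread, and not OTR or PGP code). Assumptions: a Lamport one-time signature stands in for a PGP signature, HMAC-SHA256 under a shared key stands in for OTR's shared-key authentication, and all names and messages are constructed.

```python
import hashlib
import hmac
import secrets

def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def bits(msg: bytes) -> list:
    # The 256 bits of SHA-256(msg), most significant bit first.
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

# Signature side: Lamport one-time signature (stand-in for a PGP signature).
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def sign(sk, msg: bytes) -> list:
    # Reveal one secret per digest bit; only the holder of sk can do this.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def sig_ok(pk, msg: bytes, sig: list) -> bool:
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

# Shared-key side: both parties hold the same key, so both can make valid tags.
def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def mac_ok(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, msg), tag)

def demo() -> dict:
    real = b"alice: see you at noon"          # constructed sample message
    fake = b"alice: text alice never wrote"   # constructed by the counterparty
    sk, pk = keygen()                          # only Alice holds sk
    sig = sign(sk, real)
    shared = secrets.token_bytes(32)           # stands in for the session's shared key
    real_tag = mac(shared, real)               # made by Alice
    fake_tag = mac(shared, fake)               # made by Bob with his copy of the key
    return {
        "signature_binds_alice": sig_ok(pk, real, sig),
        "bob_cannot_reuse_signature": not sig_ok(pk, fake, sig),
        "real_tag_verifies": mac_ok(shared, real, real_tag),
        "bob_made_tag_verifies": mac_ok(shared, fake, fake_tag),
    }

if __name__ == "__main__":
    print(demo())
```

A third party shown the signed message can check it against Alice's public key alone; shown the MAC'd transcript, the same check passes for a message the counterparty wrote, so the tag does not identify which of the two key holders produced it.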


The problem is your client can still log the pre- or post-crypto plaintext. I believe Pidgin or some other shitty IM client does that by default, even with OTR.

So, I mean "use OTR, and ALSO disable client logging".


It's Adium that logs by default, not Pidgin (which correctly disables logging.)

http://trac.adium.im/ticket/15722



