Date: Fri, 27 Mar 2015 09:13:57 +0200
From: Jon Tullett <jon.tullett@gmail.com>
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Games Without Frontiers: Investigating Video Games
 as a Covert Channel

Hi Rishab


On 26 March 2015 at 14:37, Rishab Nithyanand <rishabn.uci@gmail.com> wrote:
>
> Please correct me if I'm misunderstanding you. I think you don't buy some
> subset of the following implicit (I believe to be reasonable) assumptions
> that we make:

No, you're entirely correct about that :)


> (1) There is no collusion between application developers and censors.

That right there is a fundamental mistake. There are numerous ways for
that collusion to happen, but I'll offer just three:
- A developer can be legally compelled to comply with surveillance.
The Lavabit saga, versus the many other vendors who _didn't_ say no,
is instructive in this regard.
- A developer can be infiltrated or hacked. See also: Gemalto.
- A developer can be incompetent. Leak keys (hello, pastebin!), leave
admin backdoors, incorrectly configure crypto, etc etc ad nauseam.


> (2) There is a secure application distribution medium that the censors
> cannot "hijack".

...if and only if it is implemented correctly.  That, again, is a
dangerous assumption. It builds on the first assumption, so now we
have assumption^2.

Also, remember that compromised client software trumps perfect crypto.
And remember that it's not just your game client that could be
attacked, it's the entire operating stack: hardware, firmware, OS, and
userspace.

It feels to me like anyone who's already under surveillance would
probably gain nothing at all from this exercise beyond a false sense
of security. Its benefit to anyone else, over and above using the
alternative existing tools, is a question I'd be interested to
explore.


> (3) Crypto attacks against authenticated, encrypted, and integrity
> protected channels are not possible.

...if and only if they are implemented correctly. Another assumption,
so now we're at assumption^3. And vulnerable to the same attack
vectors as your second assumption. Assume Tor is as resistant a comms
channel as we can manufacture today - it didn't save Ross Ulbricht.
Why? Because he made opsec mistakes _separate_ to the secure comms
channel.

I think the mistakes you're making here are broadly twofold:
1) You're assuming technology is implemented in a hypothetically
perfect manner. That's great in an academic thought-experiment, but
not in the real world.
2) You're underestimating both the vulnerable surface area of this
sort of project, and the capabilities of the potential adversaries.

And again, I don't think the paper is useless or uninteresting - I'm
not completely down on it :) I just don't think it's as effective as
you're pitching it to be. If nothing else, the obfuscation may raise
the bar a bit for an attacker. At worst, though, it may lull a user
into a false sense of security. We do, after all, know that the NSA is
attacking game networks, presumably because they have a sense that
their targets are using them to communicate. You're relying on
security through obscurity, but the obscurity is already under attack.

-J