Re: [GNU/consensus] Map of Projects / Sessions at 30C3


From: carlo von lynX
Subject: Re: [GNU/consensus] Map of Projects / Sessions at 30C3
Date: Fri, 15 Nov 2013 23:29:23 +0100
User-agent: Mutt/1.5.20 (2009-06-14)

On Fri, Nov 15, 2013 at 03:28:38PM -0300, hellekin wrote:
> *** We need to distinguish two vectors in our working group.
> 
> One is the hardcore P2P "next generation" that focuses on GNUnet and
> peer-to-peer solutions ; and the other is the "transitional" that
> focuses on how to go from here to there, including contemplating
> alternate paths, such as patching hopeless protocols, or seeking to
> reform the existing nightmarish hell of a reality.

No, we don't need to make that distinction. At the last meeting
there was a clear majority who only wants to get something solid
off the ground and doesn't care for legacy patchwork.

Since there are dozens of projects oriented on writing yet another
easy UI for PGP, there is no need to disturb this project with it.

> I urge to stop entirely with this anti-whatever discourse: we have
> nothing to justify, nothing to fear, and we can't do much about other
> people's decisions, but to bring them better alternatives.

It's not anti-whatever but anti pro-whatever. Like if someone
comes here to sell open standards, the web browser or XMPP as a
part of the solution to our challenge. If we don't place clear
limits to how much humbug this working group can take it becomes
distracting, confusing and derailing from the plan.

The job is complicated enough, we don't have the time to discuss
the broken pieces, too.

> If you cannot convince someone to join forces, repeating how bad their
> choices are probably won't help convince them.

We can patiently explain why we aren't doing things the way they
think should be done. If that doesn't help, they can come back
four years later when they learned the lesson. Has happened so
many times before, it's nothing new.

> That's especially
> important as while you're complaining, they're working.  And when they
> show their product, users go there, and then you can't tell users:
> wait! Wait! That is wrong!  On the other hand, showing examples of
> things you can do with your solution, that you cannot with another--or
> not even considering it: showing what's possible and how to get
> started doing it, then yes, you get people working with you.  That's
> the hard part.

Yes, all brilliant. With PSYC we've been doing things XMPP couldn't do -
and still nothing changed. People stick to the "open standard" even if
it doesn't work.

> >> that trojan horse called WebRTC which comes equipped with MITM 
> >> capabilities and missed the chance to at least mandate pinning.
> > 
> > Such decisions are not immutable.
> > 
> *** Indeed, that could be an interested channel for aggressiveness.

The W3C recommends certificate pinning, yet Firefox doesn't do it
and you have to install Certificate Patrol by hand - and there are
even sucky websites that produce false positives all the time.
Under these preconditions you want to convince Google and Mozilla
to pin down DTLS identities? The whole architecture is so super
programmable, the browser wouldn't even know which ones are important
and which ones aren't. Also, if Facebook wants to MITM your WebRTC
video phone call, it simply sends you a new identity for that person.
How would the browser possibly be able to figure out that its user
is being tricked?

Hopeless.. if Mallory wants to record all those WebRTC sessions, it
will be able to.. and even WebRTC devs will not be able to figure
it out, unless they are working for Facebook or Google.

> *** That is precisely why Snowden defected: for such illegal things
> not to be able to happen.  Now, I understand your position, to help

I don't see much progress in people comprehending what needs to be
done to actually cut out the middle man. I still have to discuss
basic mistakes day-in day-out.

> build technology that will prevent such abuse.  But you're still
> fighting reality if you consider that question seriously.  "They broke
> the Internet. We're building a GNU one."  One where such blackmail
> over vendors is not worthy.  We're not looking for absolute, we're
> looking for enough.

Blackmail? Just assessing the situation.
A GNU Internet stack is barely enough.
SMTP, the web, WebRTC, XMPP.. is not.

There must be at least one no-BS working group on earth.



