comp.lang.ada
From: Stefan.Lucks@uni-weimar.de
Subject: Re: library/binding for sftp?
Date: Tue, 20 Aug 2013 10:14:47 +0200
Message-ID: <alpine.DEB.2.10.1308200931020.28419@debian>
In-Reply-To: <kuu8uc$n86$1@loke.gir.dk>

On Mon, 19 Aug 2013, Randy Brukardt wrote:

> <Stefan.Lucks@uni-weimar.de> wrote in message
> news:alpine.DEB.2.10.1308191900320.24091@debian...
> On Fri, 9 Aug 2013, Randy Brukardt wrote:
>
>> 1. obscuring is the best method against unfocused surveillance
>> 2. unfocused surveillance works only with known protocols.
>>
>> I question the first statement.
>
> Right.
>
>> The second one is dangerously wrong, and there are plenty of
>> counterexamples.
>
> I view it as a definition.

Hu?

> If you truly are using only "unknown protocols", then you're by definition
> using a private wired connection,

Randy, please check your logic. The sentence in question was
   "unfocused surveillance which works only with known protocols".
This is logically equivalent to
   "unfocused surveillance does not work if at least one protocol is
    unknown."

I claim that using a homemade protocol over an existing physical and 
transport layer can (and actually is likely to) be less secure than a 
well-evaluated and publicly known security protocol.

The statement you are trying to defend is logically different
   "unfocused surveillance does not work if all protocols are
    unknown."

This is not a definition -- but it is a statement I can agree with.

> This is where I always lose it. Filenames being sensitive information? Only
> if the programmers in question are complete idiots. (And I realize there are
> plenty of them out there.)

Not really. Any security application or a security protocol is designed 
around a threat model. It is impossible to protect the user from any 
threat one can imagine -- so the user has to be aware what are the threats 
the protocol protects her from.

> I can't imagine any value being associated with knowing that there is a 
> file name "J2Typ_De.Ads" that makes up part of the Janus/Ada compiler.

Imagine you send or receive a file with the name dxtiddfh887876y2012.xls, 
where "dxtiddfh887876y2012" happens to be the reference number of a file 
Snowden copied from the NSA computers. Even if the content of the file has 
been well encrypted, the filename would earn you some "friendly visits" 
...

> Besides, anyone who puts anything sensitive in the cloud for long-term
> storage is going to be a victim sooner or later.

Agreed! But the topic was on protocols, i.e., data in transit, rather than 
long-term storage.

> If you need public connections, then surely use SSH.

Agreed. Which is what the OP has been asking about, namely sftp (which is 
ftp + ssh).

> In truth, though, it's probably all pointless. The government (anybody's
> government) will soon ban computers that they can't control.

I am fairly optimistic that this will not happen in Europe. I am not so 
sure about the US.


------  I  love  the  taste  of  Cryptanalysis  in  the morning!  ------
     <http://www.uni-weimar.de/cms/medien/mediensicherheit/home.html>
--Stefan.Lucks (at) uni-weimar.de, Bauhaus-Universität Weimar, Germany--