[Mailman-Developers] Encrypted lists predictable difficulties and implementation needs

Rich Kulawiec rsk at gsp.org
Sat Mar 18 16:37:40 EDT 2017


On Thu, Mar 16, 2017 at 05:30:36PM -0400, Barry Warsaw wrote:
> On Mar 15, 2017, at 09:47 PM, Rich Kulawiec wrote:
> 
> >What all of this means is that once a list passes N members, where
> >we can debate about N, the probability that at least one of those
> >members has already been compromised even before they've joined the
> >list starts rapidly increasing.
> 
> That assumes an open membership policy.  Wouldn't much of this be mitigated
> with a closed subscription policy? 

It *might* be.

The problem is that the list owner and other list members have no way to
know.  From their point of view, there is no way to know whether the
latest list member -- whether that's list member #8 or #7,221 -- is using
a reasonably secure mail client on a reasonably secure operating system in
a reasonably secure environment -- or whether they're reading list traffic
on an iPhone that was fully compromised eight months ago.   Moreover, even if
that newest list member is doing the former today, nothing prevents
them from doing the latter tomorrow.

(Yes, one could ask them not to, even make not doing so a condition of
membership.  That won't work.  Somebody is going to read email on their
fridge or their car or their Android phone because they can, because
they're lazy, because it's convenient, because they feel like it.)

It's thus impossible to (a) estimate the risk or (b) control the risk or
(c) know when a full compromise has taken place, absent outside indicators.

That's a really bad combination to have in anything that's trying to be secure.

> Yet there still may be value in encrypting the communication channels
> into and out of Mailman, even if that can be compromised at the end-points.

I agree.

> >I can sadly report that the problem is getting worse and will continue
> >to get worse, because (a) all of the various factors contributing to it
> >are also getting worse and (b) there are no reasons for anyone to
> >significantly invest in making it better.
> 
> (b) is not necessarily true.  There is lots of work going on to provide secure
> base platforms on which to implement IoT devices.  

I'm aware of at least some of that, and I'd like to hope for the best.

But economic incentives being what they are, there is little motivation
for vendors to bother.  Moreover, many vendors are deliberately compromising
end-user privacy and security (e.g., Vizio) because it's profitable to do so
and the penalties, if any, are a mere slap-on-the-wrist.  (I know you see
a lot of this because of what you do; other folks might want to browse
through TechDirt's ongoing partial catalog of IoT failures.)

My view -- at the moment, ask again tomorrow ;) -- is that so many IoT
devices have been rushed to market with no consideration for security
and privacy issues that the present situation is untenable.  The best thing
would be to recall *all* of them: all the smartphones, all the watches,
all the TVs, everything...and start over.  That's of course ludicrous and
won't happen.  Which means all those devices will persist in the field,
joined by new ones in large numbers every day.  And the slow backfill
of fixes which *might*, in a vacuum, actually suffice, aren't going to
be enough because so much of the rest of the IoT ecosystem is a mess.

	In a relatively short time we've taken a system built to resist
	destruction by nuclear weapons and made it vulnerable to toasters.
		--- Jeff Jarmoc

---rsk
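The "once a list passes N members" argument quoted at the top of the message can be put into numbers. The following is an added worked example, not code from the thread or from Mailman: it assumes each member's endpoint is compromised independently with some per-member probability p (a parameter the thread never gives; the values below are constructed for illustration) and computes how quickly the chance that at least one member is compromised grows with N, and the smallest N at which it crosses a chosen threshold.

```python
import math

# Assumption (not from the thread): each member is compromised independently
# with probability p, so a list of n members has at least one compromised
# member with probability 1 - (1 - p)^n.


def p_at_least_one_compromised(n, p):
    """Probability that at least one of n independent members is compromised."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a probability in [0, 1]")
    if n < 0:
        raise ValueError("n must be non-negative")
    return 1.0 - (1.0 - p) ** n


def members_until_threshold(p, threshold=0.5):
    """Smallest list size n at which the probability of at least one
    compromised member reaches `threshold`.  Returns None when p == 0,
    since the threshold is then never reached."""
    if not 0.0 < threshold < 1.0:
        raise ValueError("threshold must be strictly between 0 and 1")
    if p <= 0.0:
        return None
    if p >= 1.0:
        return 1
    # Solve 1 - (1 - p)^n >= threshold  =>  n >= ln(1 - threshold) / ln(1 - p)
    n = math.ceil(math.log(1.0 - threshold) / math.log(1.0 - p))
    # Guard against floating-point rounding on either side of the boundary.
    while p_at_least_one_compromised(n, p) < threshold:
        n += 1
    while n > 1 and p_at_least_one_compromised(n - 1, p) >= threshold:
        n -= 1
    return n


def risk_table(p, sizes):
    """Map each list size in `sizes` to its probability of containing at
    least one compromised member, for the assumed per-member rate p."""
    return {n: p_at_least_one_compromised(n, p) for n in sizes}


if __name__ == "__main__":
    # Constructed illustration: the two list sizes mentioned in the message,
    # plus a few in between, at an assumed 1% per-member compromise rate.
    assumed_p = 0.01
    for n, prob in risk_table(assumed_p, [8, 50, 100, 500, 7221]).items():
        print(f"N={n:>5}: P(at least one compromised) = {prob:.4f}")
    print("N where the risk passes 50%:", members_until_threshold(assumed_p, 0.5))
    print("N where the risk passes 90%:", members_until_threshold(assumed_p, 0.9))
```

The independence assumption is the weak point of this model: shared platforms, a common mail client bug, or a single widely deployed compromised device make real members' outcomes correlated, which only makes the estimate optimistic. The point the message makes, that the list owner cannot measure p at all, is what makes N the only quantity actually under the owner's control.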

