FRESH

Hacker News

Home

This World of Ours (2014) [pdf]

244 points by xeonmc

by eirini1

5 subcomments

Never agreed with this logic. For a lot of people (anyone that does political activism of some sort for example) the threat model can be a lot more nuanced. It might not be Mossad or the CIA gunning for you, specifically, but it might police searching you and your friend's laptops or phones. It might be burglars targetting the office of the small organization you have and the small servers you have running there.

by kragen

5 subcomments

Both Assange and Snowden are apparently alive and well, despite Mossad-like agencies wishing otherwise, largely thanks to Tor; and Hamas, whose adversary was in fact the Mossad, apparently still exists. Hizbullah has hopefully taught us all a good lesson about supply-chain attacks.
Debian is probably the only example of a successful public public-key infrastructure, but SSH keys are a perfectly serviceable form of public-key infrastructure in everyday life. At least for developers.
Mickens's skepticism about security labels is, however, justified; the problems he identifies are why object-capability models seem more successful in practice.
I do agree that better passwords are a good idea, and, prior to the widespread deployment of malicious microphones, were adequate authentication for many purposes—if you can avoid being phished. My own secure password generator is http://canonical.org/~kragen/sw/netbook-misc-devel/bitwords...., and some of its modes are memorable correct-horse-battery-staple-type passwords. It's arguably slightly blasphemous, so you may be offended if you are an observant Hindu.

by jones89176

0 subcomment

I enjoyed "The Night Watch" a lot:
https://scholar.harvard.edu/files/mickens/files/thenightwatc...
> A systems programmer will know what to do when society breaks down, because the systems programmer already lives in a world without law.

by broodbucket

6 subcomments

Remember, you don't have to be unhackable, just sufficiently unimportant to not be worth burning any novel capability on

by ChrisMarshallNY

0 subcomment

I've always enjoyed Mikens' writing. He has a great sense of humor.
I like his using Mossad as the extreme. I guess "Mossad'd" is now a verb.

by samlinnfer

3 subcomments

This will always be my favourite Mikens essay (The Slow Winter): https://www.usenix.org/system/files/1309_14-17_mickens.pdf

by megous

1 subcomments

Not sure what audience he is talking to. Experts deal with a lot more issues that sit between choosing a good password + not falling for phishing and "giving up because mossad". The terminology that he sprinkles about suggests the audience is experts.

by tomhow

0 subcomment

Previously:
This World of Ours (2014) [pdf] - https://news.ycombinator.com/item?id=27915173 - July 2021 (6 comments)

by edu

2 subcomments

That's a fun take, similar to the classic XKCD 538: Security. https://xkcd.com/538/

by tuzemec

0 subcomment

Somewhat related video: https://vimeo.com/95066828

by mike_hearn

4 subcomments

It's hilarious, but the hilarity gets in the way of recognizing how much insight there is also there. It makes serious points. This part about the Mossad is especially astonishing given the pager attack:
> If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone
It's like a Mossad agent read this paper and thought hey that's actually not a bad idea.
But the core rant is about dubious assumptions in academic cryptography papers. I was also reading a lot of academic crypto papers in 2014, and the assumptions got old real fast. Mickens mocks these ideas:
• "There are heroes and villains with fantastic (yet oddly constrained) powers". Totally standard way to get a paper published. Especially annoying were the mathematical proofs that sound rigorous to outsiders but quietly assume that the adversary just can't/won't solve a certain kind of equation, because it would be inconvenient to prove the scheme secure if they did. Or the "exploits" that only worked if nobody had upgraded their software stack for five years. Or the systems that assume a perfect implementation with no way to recover if anything goes wrong.
• "you could enlist a well-known technology company to [run a PKI], but this would offend the refined aesthetics of the vaguely Marxist but comfortably bourgeoisie hacker community who wants everything to be decentralized", lol. This got really tiresome when I worked on Bitcoin. Lots of semi-technical people who had never run any large system constantly attacking every plausible design of implementable complexity because it wasn't decentralized enough for their tastes, sometimes not even proposing anything better.
• "These [social networks] are not the best people in the history of people, yet somehow, I am supposed to stitch these clowns into a rich cryptographic tapestry that supports key revocation and verifiable audit trails" - another variant of believing decentralized cryptography and PKI is easy.
He also talks about security labels like in SELinux but I never read those papers. I think Mickens used humor to try and get people talking about some of the bad patterns in academic cryptography, but if you want a more serious paper that makes some similar points there's one here:
https://eprint.iacr.org/2019/1336.pdf

by Havoc

0 subcomment

I see this on reddit a lot in self hosting context.
The range of things people do on security is wild. Everything from publicly expose everything and pray the apps login function some random threw together is solid to elaborate intrusion detection systems.

by anthk

1 subcomments

Ah, very Germanic tactics against some Mediterranean foe. Us, Southern Mediterranean/half Atlantic guys, we have it easier. We would just put fake data, hints and traces untl they get mad and paranoid between themselves, we are experts on that since forever.
Also, the Southern part of the country (which I am pretty much not related culturally at least on folklore and tons of customs) managed to bribe even the Russian mafias. They were that crazy, it's like a force of nature. OFC don't try backstabbing back these kind of people, some 'folklorical' people are pretty much clan/family based (even more than the Southern Italians) and they will kick your ass back in the most unexpected, random and non-spectacular way ever, pretty much the opposite of the Mexican cartels where they love to do showoff and displays. No, the Southern Iberians are something else, mixed along Atlantics and Mediterranean people since millenia and they know all the tricks, either from the Brits/Germanics to Levantine Semitic foes...
You won't expect it. You are like some Mossad random Levi, roaming around, and you just met some nice middle aged woman on a stereotyped familiar bar where the alleged ties to some clan must be nearly zero, and the day after some crazy Islamic terrorist wacko with ties to drug cartels will try to stab you some Sunday in the morning and he might try to succeed with the dumbest and cheapest way ever.
No, is not an exaggeration. We might not be Italy, but don't try to mess up with some kind of people. My country is not Mafia-bound, but criminal cartels, mafias and OFC some terror groups from the Magreb (and these bound to the Middle East ones) have deals with each other because of, you know, weapons and money. And Marbella it's pretty much a hub.

by bitbasher

0 subcomment

My favorite talk by Mickens (https://vimeo.com/95066828), also talks about Mossad.

by drdrek

0 subcomment

The point about the lay person not needing massive parallelism was very true, until it was not :D

by coolThingsFirst

1 subcomments

Another example of power resides where men believe it resides.
Americans are just very scared of Mossad. Tons of money goes into Holywood to make them appear invincible to the world. Fun fact, they aren't.
Intelligence agencies have great capabilities no doubt they get billions of $$$ and have utter immunity to do whatever they want in the name of national security. Why is only Mossad scary? I'd be more scared of the CIA and KGB than of Mossad.
US has never been in existential threat like Israel has been, if it were I wouldn't want to stand in their way.

by some_random

0 subcomment

Where does this deification of Mossad come from anyways? They've done a lot more than western intel agencies post cold war but that's absolutely come with failures just like every other intel agency in existence.

by singular_atomic

0 subcomment

When we need him the most (a world overrun in llms and AI slop) it seems like he's vanished...

by dnlserrano

0 subcomment

Mickens essays are always a good read

by optimalsolver

1 subcomments

I think fighting Israel is kind of a glimpse into what trying to fight a malevolent AGI will be like.
Expect to lose in highly surprising ways.

by zkmon

1 subcomments

Security is a problem caused by ownership of some usefulness. Sometimes solution can be around addressing these two causes.

by contrarian1234

1 subcomments

I think the central premise is a "wrong". The "point" of science isn't really to do useful things. Framing things from that angle is in subtle ways dangerous bc that shouldnt be part of the incentive structure.
you dont understand the mating behaviors of naked mole rats bc of some sense of "usefulness". Its just an investigation of nature and how things work. The usefulness comes out unexpectedly. Like you find out naked mole are actually maybe biologically immortal
You should just find interesting phenomena and invetigate. Capitalism figures out the usefulness side of things

by impossiblefork

1 subcomments

The Mossad part is a very silly element of the text. Many organizations have to defend against US intelligence, Israeli intelligence etc., and I'm sure, that they, with the exception of some very terrible countries with a lot of incompetence or full of disloyal people likely to become infiltrators, are quite successful.
Actual security is possible even against the most powerful and determined adversaries, and it's possible even for you.

by hackernewscunts

0 subcomment

[dead]

by realFredWilson

12 subcomments

[flagged]

by pinebox

0 subcomment

This all seemed very clever until I read the bio and learned that the author works for Microsoft -- the last company that has any business being flip about security. Bro needs to STFU and get on with the security drudgery, because his customer's opposition very definitely is the Mossad.

by gjvc

3 subcomments

this guy's stuff reads like word salad and people lap it up. I've never understood why.

by torginus

1 subcomments

If your adversary is a state intelligence agency, you're probably a high ranking politician and a boomer who is clueless about computers, and has demonstrably terrible opsec, either through government incompetence of your own agencies, or not following the terribly cumbersome opsec procedures, either because of inconvenience, the policies being terrible or sheer incompetence.
The amount of examples we've seen of this is staggering.

by lifestyleguru

9 subcomments

Then how it's possible Mossad didn't know about what had happened on 7 October 2023?

by smashah

0 subcomment

Very true, unfortunately there's no password strong enough to stop Malaysian Airlines ground crew from loading a pallet full of Mossad-rigged walkie talkies on my flight from Kuala Lumpur to Beijing via conveniently-placed-NATO-AWACS-infested airspace.
2FA isn't going to protect me from cruising altitude walkie talkie detonation and having the debris scattered over an impossibly wide area.
I guess the best thing to do is not take an airline of a country that has recently showed public support for Gaza specifically during a humanitarian visit in the months prior to my flight.
Thankfully none of this is true and everything the mainstream media and governments tell us are true - imagine if things weren't as they seemed?.. Craziness... Back to my password manager!

by teddyh

1 subcomments

Despite his somewhat annoying style, that article has many good points about the aloofness of security researchers. However, I will disagree on two points which the article contains:
1. Tor is (rightly) used by anyone who has a good reason for remaining anonymous. (See [REALNAMES] for who this can be.) Anyone trying to smear Tor as only used by drug dealers and other unsavory types are themselves suspect of having an agenda of discouraging Tor use for anyone lest they be suspected. This can only lead to an installation of Tor being viewed as a suspicious thing in itself; who would want that?
2. His threat model of Mossad or not-Mossad leaves out one important actor, which we can call the NSA. They, and others like them, unlike Mossad, are not after you personally in that they don't want to do anything to you. Not immediately. Not now. They simply want to get to know you better. They are gathering information. All the information. What you do, what you buy, how you vote, what you think. And they want to do this to everybody, all the time. This might or not bite you in the future. He seems to imply that since nothing immediately bad is happening by using slightly bad security, then it’s OK and we shouldn’t worry about it, since Mossad is not after us. I think that we should have a slightly longer view of what allowing NSA (et al.) to know everything about everybody would mean, and who NSA could some day give this information to, and what those people could do with the information. You have to think a few steps ahead to realize the danger.
[REALNAMES] Who is harmed by a "Real Names" policy? <https://geekfeminism.fandom.com/wiki/Who_is_harmed_by_a_%22R...>
(Repost of <https://news.ycombinator.com/item?id=23572778>)