In which a reporter falls in love with a fellow nerd she meets at a European hackerspace, maintains a long-distance relationship by messaging using showily bad file encryption, decides to move to Europe to cohabitate, and, lacking Facebook profiles to verify the relationship, relies on the testimony of friends and other anecdotal evidence sources, like hundreds of millions of other couples whose lives are imperfectly recorded by social networks.
Criticizing someone else's choice of crypto is I guess par for the course on HN. But I think her story is still noteworthy.
It's unusual to be someone who specializes in writing about digital activists who need encryption.
It's unusual to be a nerd (your identity is online) and also be constantly hiding your tracks (your identity is constantly erased, by your own action).
It's unusual to be an emigrant in this age, where they expect you to surrender your voluntary self-surveillance at the border.
The thing is, what happens to nerds on the margins eventually happens to everybody.
Personally – there's some of her story that already applies to me. And, even if all of this is trivial in terms of technology, there aren't a lot of people who can bring such evocative writing to the topic.
It's very unusual to be someone who specializes in writing about encryption for digital activists. More unusual than you might know.
The rest of it: sure, this is all true. But that's my gripe: this story has little to do with any of that. Ultimately, the only role surveillance played in this story was something for a new couple to bond over. Sure, better that than The Sound And The Fury, which I swear to Christ a teenaged girlfriend made me read, but so what? What's special about OpenSSL here that wouldn't be special about Club Penguin or Overwatch or some other lower-status technological detail?
I enjoyed your initial quip immensely. This one a bit less (I liked _The Sound And The Fury_, although not nearly as much as _The Mansion_).
I think the OpenSSL line was only intended to emphasize that the communication wasn't easy - thereby making it more meaningful. I often wonder what internet messages would be like if sending them had the same time/effort overhead as sending physical letters (having to address them properly, walking to a post office, etc.). Surveillance isn't really important here.
Not the Jabber/OTR thing. The decentralized nature of Jabber was pretty overblown, more something she wanted to be true and meaningful than something that actually was meaningful, but: whatever, it's 2011 at that point.
It's the OpenSSL command line that I'm taking issue with.
First, don't encrypt things directly with OpenSSL.
Second, they're using unauthenticated AES-CBC, so an attacker that knows what file format they're sending can flip bits to exploit bugs and pop calc.exe on them.
Third, reprising the first problem: using OpenSSL to encrypt means you're using OpenSSL's weak password KDF. In fact, I think the defaults when they were using this were single-iteration hash KDF; essentially: salted hashes.
This is like the one application where GPG actually still makes sense to use, and GPG is easier to use here than OpenSSL in addition to being safer.
OBVIOUSLY NONE OF THIS MATTERS. My issue with the article isn't "it recommends weak crypto". My issue is that despite the title, it isn't actually about crypto or surveillance or anything like that.
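To make the two technical points in the comment above concrete (unauthenticated CBC accepts modified ciphertext; a password KDF needs iterations, not a single salted hash), here is an added example. It is not code from the thread, the article, or OpenSSL; it uses only the Go standard library, writes PBKDF2-HMAC-SHA256 out by hand so there are no external dependencies, and uses a constructed password, salt, fixed IV and zero nonce purely for the demonstration (real use needs a fresh random salt, IV and nonce per message).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF, written out
// with the standard library. The iteration count is what separates it from a
// single salted hash: each password guess costs the attacker `iterations` HMACs.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	for blockIndex := uint32(1); len(out) < keyLen; blockIndex++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		var be [4]byte
		binary.BigEndian.PutUint32(be[:], blockIndex)
		mac.Write(be[:])
		u := mac.Sum(nil)            // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T = U1
		for i := 1; i < iterations; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // Uj = PRF(P, U(j-1))
			for j := range t {
				t[j] ^= u[j] // T ^= Uj
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// cbcEncrypt is AES-CBC with PKCS#7 padding and no authentication tag,
// which is the shape of a plain `openssl enc -aes-256-cbc` output.
func cbcEncrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// cbcDecrypt only checks length and padding; it has no way to tell a
// modified ciphertext from a genuine one.
func cbcDecrypt(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	pad := int(out[len(out)-1])
	if pad == 0 || pad > aes.BlockSize || pad > len(out) {
		return nil, errors.New("bad padding")
	}
	for _, b := range out[len(out)-pad:] {
		if int(b) != pad {
			return nil, errors.New("bad padding")
		}
	}
	return out[:len(out)-pad], nil
}

// gcmSeal / gcmOpen use AES-GCM, an authenticated mode: Open fails on any
// modification of the ciphertext instead of returning altered plaintext.
func gcmSeal(key, nonce, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead.Seal(nil, nonce, plaintext, nil)
}

func gcmOpen(key, nonce, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, nil)
}

// flipBit returns a copy of data with one bit toggled, standing in for
// corruption or tampering on the wire.
func flipBit(data []byte, index int, mask byte) []byte {
	out := append([]byte(nil), data...)
	out[index] ^= mask
	return out
}

func main() {
	// Constructed demonstration inputs (fixed salt/IV/nonce are NOT for real use).
	key := pbkdf2SHA256([]byte("correct horse"), []byte("constructed-salt"), 100000, 32)
	iv := make([]byte, aes.BlockSize)
	msg := []byte("block one of msgblock two of msg")

	// CBC: a flipped bit in ciphertext block 0 garbles plaintext block 0 and
	// flips the same bit in plaintext block 1; the padding block still checks out.
	pt, err := cbcDecrypt(key, iv, flipBit(cbcEncrypt(key, iv, msg), 3, 0x01))
	if err != nil {
		fmt.Println("unexpected CBC error:", err)
		return
	}
	fmt.Printf("CBC accepted modified ciphertext, second block now %q\n", pt[16:])

	// GCM: the same modification is rejected outright.
	nonce := make([]byte, 12)
	_, err = gcmOpen(key, nonce, flipBit(gcmSeal(key, nonce, msg), 3, 0x01))
	fmt.Printf("GCM rejected modified ciphertext: %v\n", err)
}
```

The CBC decryptor returns no error and hands the caller a second block that differs from the original in exactly the flipped bit, which is the property the comment refers to; the GCM decryptor returns an authentication error instead. The same effect can be had with encrypt-then-HMAC over the CBC output, but a built-in AEAD leaves less room to get the ordering and comparison wrong.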
Gabriel Garcia Marquez, eat your heart out.