the TOFU lie - or why I want my meat...

Christoph Anton Mitterer calestyo at
Wed Apr 1 03:36:06 CEST 2015

And perhaps one further reason why massive MitM attacks would likely not
There's an (hopefully) April Fool's Day joke today on German Magazine
heise[0], which tells the story how the NSA cooperates with Facebook in
order to control government critical demonstrations/protests/etc..

The story tells how they "made" a program were messages between
protesters were manipulated so that they came all to the wrong places or
at wrong times.
The "internal study" of the NSA concluded that masses can be much better
controlled by subtly manipulating them and it's much better than simply
blocking their messages. They also concluded that this would have great
psychological impact on the organisers of such protests (e.g. against
TTIP, ACTA and that like), cause when no people showed up, they would
think the public isn't on their side after a few failures and give up.

So far this is just a nice, unfortunately far too realistically possible
story and if something like that would really be true, the point of
totalitarian dictatorship would have been definitely crossed - one that
no one even recognises unless he's part of the system.

The aspect which makes it interesting concerning the argumentation my
rant against TOFU is the following:
In that story the NSA is aware that the "core people" of such
demonstrations would notice if they are manipulated, so they're simply
left out and get the real data.

This is basically one more reason why the pro-TOFU argument (2) in my
previous mail (i.e. that people would notice as mass-MitM) is moot
(apart from the major reason/fact that, even if they'd notice it
wouldn't change anything):
Mass surveillance power like the NSA can probably determine which people
are likely to ever really mutually authenticate properly (and thus
notice a massive MitM attack) and just exclude these (and attack them
via other means).

We already know that the "mark" people just using Tor and those who are
really involved in crypto development are "marked" for sure as well.
I wouldn't be surprised if their have a internal "Werner-Koch-Sucks"
nursery school and a "DJB-is-Evil" Kindergarden. ;-)

In fact, we cannot even know for 100% sure whether we're all reading the
same mailing list.
Maybe my rant against TOFU shows up completely different approving it on
your side.
Maybe hypothetical concerns from some experts against Goldilocks never
appeared as such when they posted it to the CFRG mailing list.
But whenever one looks at the mailing list archives, one sees his
personal (non-manipulated) version.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5313 bytes
Desc: not available
URL: </pipermail/attachments/20150401/41839b4d/attachment.bin>

More information about the Gnupg-devel mailing list