Libpurple was written by people who wanted their open source chat client to talk to every kind of instant messaging system in the world, and didn’t give a shit about security or encryption. Security people who have examined the code have said there are so many possible ways to exploit libpurple there is probably no point in patching it. It needs to be thrown out and rewritten from scratch. These aren’t bugs that let someone read your encrypted messages, they are bugs that let someone take over your whole computer, see everything you type or read and probably watch you pick your nose on your webcam.My only criticism of this post is that it isn't terrifyingly pessimistic enough. If you boot it, they will come. Remember, you're reading this from a computer screen right now.
This lovely tool, OTR, sits on top of libpurple on most systems that use it. Let me make something clear, because even some geeks don’t get this: it doesn’t matter how good your encryption is if your attacker can just read your data off the screen with you, and I promise they can. They may or may not know how to yet, but they can. There are a hundred libpurples on your computer: little pieces of software written on a budget with unrealistic deadlines by people who didn’t know or didn’t care about keeping the rest of your system secure.
Software secure is wretched. Sometimes it's wretched because nobody cares. Sometimes it's wretched because, well, because you recompiled a program for a 64 bit architecture (rather than a 32 bit one) and without changing a line of code now everyone can pwnz0r you*. It's a little known fact that Nazi Germany fell because of a failure of cyber security.
But back to the post that Peter pointed us towards. This is absolutely correct:
Security and privacy experts harangue the public about metadata and networked sharing, but keeping track of these things is about as natural as doing blood panels on yourself every morning, and about as easy. The risks on a societal level from giving up our privacy are terrible. Yet the consequences of not doing so on an individual basis are immediately crippling. The whole thing is a shitty battle of attrition between what we all want for ourselves and our families and the ways we need community to survive as humans — a Mexican stand off monetized by corporations and monitored by governments.Even classified networks get hacked. I'm still the #1 Google result for "How to hack a classified network"**. If the Defense Department - with all their skilled security d00ds and financial resources - if they can't keep themselves safe, then what chance do you have?
The answer, of course, is slim to none. And Slim just left town.
I've worked in this technology space since 1985. Quite frankly, I'm not sure what to tell you to help yourselves out. I wish I had a better answer, other than "never do anything consequential on the 'Net". And that absolutely, positively means never bank online. Or vote online. Of have a car with a computer in it. Or a "smart" gun.
Riddle me this, Security Man: what do you get when you cross a car with a computer? Answer: a computer. Go read the post that Peter points us to. Re-read it until the hair on the back of your neck stands up, and a shiver runs up your spine. At that point, you will understand the situation precisely.
If ignorant both of your enemy and yourself, you are certain to be in peril.Good morning. ;-)
- Sun Tsu
* I'm actually pretty proud of this post, which is from when I'd only been blogging a couple months but already a distinctly Borepatchian style had emerged.
** Another pretty good security post from the early days of this blog.