
[freehaven-cvs] edits throughout. Clean up some prose and parallelism.



Update of /home/freehaven/cvsroot/doc/wupss04
In directory moria.mit.edu:/tmp/cvs-serv9710

Modified Files:
	usability.tex 
Log Message:
edits throughout. Clean up some prose and parallelism.

Index: usability.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/wupss04/usability.tex,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -d -r1.20 -r1.21
--- usability.tex	2 Jan 2005 01:18:28 -0000	1.20
+++ usability.tex	2 Jan 2005 03:49:14 -0000	1.21
@@ -25,19 +25,21 @@
 example, fetch a web page or send an email) without revealing their
 communication partners.
 
-In this chapter we're going to focus on the \emph{network effects}
+In this chapter, we'll focus on the \emph{network effects}
 of usability on privacy and security: usability is a factor as before,
 but the size of the user
-base also becomes a factor.  Further, in anonymizing systems, even if you
+base also becomes a factor.  As we will see, in anonymizing networks, even if
+you
 were smart enough and had enough time to use every system
 perfectly, you would nevertheless be right to choose your system
 based in part on its usability for \emph{other} users.
+%AWK
 
 \section{Usability for others impacts your security}
 
-While security software is the product of developers, the operation of
-software is a collaboration between developers and users.  It's not enough
-to develop software that is possible to use securely; software that
+While security software is the product of developers, the security it
+provides is a collaboration between developers and users.  It's not enough
+to make software that \emph{can} be used securely; software that
 is hard to use often suffers in its security as a result.
 
 For example, suppose there are two popular mail encryption programs:
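Review bot: the added `%AWK` comment line after "based in part on its usability for \emph{other} users." looks like a leftover editing marker rather than a deliberate note; either remove it or expand it into a readable TODO that says what still needs attention in this paragraph. The "even if\nyou" break one line above it also leaves a one-word source line; rejoining it would keep the source tidy without changing the typeset output.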
@@ -49,18 +51,19 @@
 But if you do, it's likelier that when your friends send you
 confidential email, they'll make a mistake and encrypt it badly or not at
 all.  With LightCrypto, you can at least be more certain that all your
-friends' correspondence with you will get a minimum of protection.
+friends' correspondence with you will get some protection.
 
 What if you used {\it both} programs?  If your tech-savvy friends use
 HeavyCrypto, and your less sophisticated friends use LightCrypto, then
-everybody will be getting as much protection as they can.  But can all your
+everybody will get as much protection as they can.  But can all your
 friends really judge how able they are?  If not, then by supporting a less
-usable option, you've made it likelier that they'll shoot themselves in the
-foot.
+usable option, you've made it likelier that your non-savvy friends will
+shoot themselves in the foot.
 
-The crucial insight here is that in email encryption, the cooperation of
-multiple people is needed to keep you secure, because both the sender and the
-receiver of a secret email want to protect its confidentiality.  Thus, in
+The crucial insight here is that in email encryption, secuirty is a
+collaboration between multiple people: both the sender and the
+receiver of a secret email must work together to protect its confidentiality.
+Thus, in
 order to protect your own security, you need to make sure that the system you
 use is not only usable by yourself, but by the other participants as well.
 
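Review bot: the new text introduces a typo, "secuirty" in "in email encryption, secuirty is a collaboration between multiple people"; it should read "security". Otherwise the rewording is a clear improvement: "must work together to protect its confidentiality" states the shared responsibility more directly than the original "cooperation ... is needed" phrasing.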
@@ -136,7 +139,7 @@
 suspicious of Bob and Carol, even though the anonymity sets are the same
 size.  Because of this, recent research is moving beyond simple anonymity
 sets to more sophisticated measures based on the attacker's confidence.}
-Therefore, when more users join the network, existing users become more
+When more users join the network, existing users become more
 secure, even if the new users never talk to the existing
 ones! \cite{econymics,back01} Thus, ``anonymity loves company.''\footnote{This
   catch-phrase was first made popular in our context by the authors of the
@@ -145,11 +148,12 @@
 In a data confidentiality system like PGP, Alice and Bob can decide by
 themselves that they want to get security. As long as they both use the
 software properly, no third party can intercept the traffic and break
-their encryption. However, in the case of an anonymity system, Alice
+their encryption. However, Alice
 and Bob can't get anonymity by themselves: they need to participate in
 an infrastructure that coordinates users to provide cover for each other.
 
-No organization can build this infrastructure for itself. If a single
+No organization can build this infrastructure for its own sole use.
+If a single
 corporation or government agency were to build a private network to
 protect its operations, any connections entering or leaving that network
 would be obviously linkable to the controlling organization. The members
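Review bot: "for its own sole use" is redundant in "No organization can build this infrastructure for its own sole use."; "for its sole use" or "for itself alone" says the same thing and reads more cleanly. The hunk also leaves "If a single" on its own source line; rejoining it with the following line avoids a ragged source paragraph.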
@@ -162,7 +166,7 @@
 In practice, existing commercial anonymity solutions (like Anonymizer.com)
 are based on a set of single-hop proxies. In these systems, each user
 connects to a single proxy, which then relays the user's traffic. This
-provides only weak security, since a compromised proxy can trivially
+provides comparatively weak security, since a compromised proxy can trivially
 observe all of its users' actions, and an eavesdropper only needs to
 watch a single proxy to perform timing correlation attacks against all
 its users' traffic. Worse, all users need to trust the proxy company to
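Review bot: "comparatively weak security" needs a comparison point; as written, the reader has to guess what the single-hop design is being compared to. Since the following sentences explain that a single compromised or observed proxy exposes every user, the natural fix is to name the alternative, e.g. "provides weaker security than a multi-hop design, since a compromised proxy can trivially observe all of its users' actions".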
@@ -221,9 +225,9 @@
 controls both ends of a communication can trivially correlate message timing
 and link the communicating parties.
 
-Clearly, users who need to resist strong attackers need to choose
+Clearly, users who need to resist strong attackers must choose
 high-latency networks or nothing at all, and users who need to anonymize
-interactive applications need to choose low-latency networks or nothing at
+interactive applications must choose low-latency networks or nothing at
 all.  But what should flexible users choose?  Against an unknown threat
 model, with a non-interactive application (such as email), is it more secure
 to choose security or usability?
@@ -286,7 +290,7 @@
 extension based on their security needs.  In reality, however, if the
 extension is enabled by default, nearly all users will leave it on whether
 it's secure or not; and if the extension is disabled by default, users will
-tend to enable it first based on their perceived demand for the extension
+tend to enable it based on their perceived demand for the extension
 rather than their security needs.  Thus, only the most savvy and
 security-conscious users---the ones who know more about web security
 than the developers themselves---will actually wind up understanding
@@ -295,8 +299,8 @@
 The real issue here is that
 designers often end up with a situation where they need to choose between
 `insecure' and `inconvenient' as the default configuration---meaning they've
-already made a mistake in designing their application; but that discussion
-is left to chapters X and Y.
+already made a mistake in designing their application.   (This issue is
+discussed more in chapters X and Y.)
 
 Of course, when end users {\it do} know more about their individual security
 requirements than application designers, then adding options is beneficial,
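Review bot: the replacement line "already made a mistake in designing their application.   (This issue is" has three spaces before the parenthesis; reduce to the document's usual two after a period. The "chapters X and Y" placeholders also survive this edit; if the chapter labels exist, a \ref{} for each would keep the cross-reference from going stale.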
@@ -332,7 +336,7 @@
 it works.  Of the fraction of users who change the default at all, most will
 not, in fact, understand the security implications; and those few who do will
 need to decide whether the increased traffic-analysis resistance that comes
-with higher latency is worth the decreased anonymity that comes from
+with more variable latency is worth the decreased anonymity that comes from
 splitting away from the bulk of the user base.
 
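Review bot: changing "higher latency" to "more variable latency" alters the technical claim in "the increased traffic-analysis resistance that comes with more variable latency", not just the wording. If the point is that the user raises a delay setting, the original "higher latency" was accurate; if the resistance actually comes from variability in delivery time, the sentence should say where that variability comes from so the reader can follow the trade-off against "splitting away from the bulk of the user base".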
 \section{Case study: Mixminion and MIME}
@@ -359,17 +363,17 @@
 
 Other possible solutions to this problem could include limiting users to
 a single email client, or simply banning email formats other than plain
-7-bit ASCII.  But these procrustean approaches limit usability, and
+7-bit ASCII.  But these procrustean approaches would limit usability, and
 turn users away from the Mixminion network.  Since fewer users mean less
-anonymity, we had to ask whether users would be better off in a larger
+anonymity, we must ask whether users would be better off in a larger
 network where their messages are likelier to be distinguishable based on email
 client, or in a smaller network where everyone's email formats look the same.
 
-Some distinguishability is inevitable, since users differ in
+Some distinguishability is inevitable anyway, since users differ in
 their interests, languages, and writing styles: if Alice writes about
 astronomy in Amharic, her messages are unlikely to be mistaken for Bob's, who
 writes about botany in Basque.  Also, any attempt to restrict formats is
-likely to backfire.  If we limit Mixminion to 7-bit ASCII, users won't
+likely to backfire.  If we limited Mixminion to 7-bit ASCII, users wouldn't
 stop sending each other images, PDF files, and messages in Chinese: they
 would instead follow the same evolutionary path that led to MIME in the first
 place, and encode their messages in a variety of distinguishable formats,
@@ -442,10 +446,10 @@
 
 At the time of this writing, the most important solutions for these users have
 been improve Tor's documentation for how to configure various applications
-to use Tor, to change the warning messages to refer users to a description of
+to use Tor; to change the warning messages to refer users to a description of
 the solution (``You are insecure. See this webpage.'') instead of a
 description of the problem (``Your application is sending IPs instead of
-hostnames, which may leak information. Consider using SOCKS4a instead.''),
+hostnames, which may leak information. Consider using SOCKS4a instead.'');
 and to bundle Tor with the support tools that it needs, rather than
 relying on users to find and configure them on their own.
 
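Review bot: the parallelism fix to the semicolon list is incomplete, because the first item in the unchanged context line still reads "have been improve Tor's documentation for how to configure various applications"; inserting "to" ("have been to improve Tor's documentation") makes the three items parallel with "to change the warning messages" and "to bundle Tor with the support tools".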
@@ -524,7 +528,7 @@
 anonymity set size.  As in market economics, expectations themselves can
 bring about trends: a privacy system which people believe to be secure and
 popular will gain users, thus becoming (all things equal) more secure and
-popular.  Thus, security depends not only on usability, but on {\it
+popular.  Thus, security depends not only on usability, but also on {\it
   perceived usability by others}, and hence on the quality of the provider's
 marketing and public relations.  Perversely, over-hyped systems (if they are
 not too broken) may be a better choice than modestly promoted ones,
@@ -543,12 +547,13 @@
 survivors, privacy enthusiasts, and so on) and now I'm hard to profile.
 
 The more cancer survivors on Tor, the better for the human rights
-activists. The more script kiddies, the worse it is for the normal
-users. On the surface this may not appear to be an anonymity issue,
-but it is for two reasons. First, it impacts the sustainability of the
+activists. The more script kiddies, the worse for the normal
+users. Thus, reputation is an anonymity issue
+for two reasons. First, it impacts the sustainability of the
 network: a network that's always about to be shut down has difficulty
 attracting and keeping users, so its anonymity set suffers. Second,
-it attracts the attention of powerful attackers who may not mind
+a bad reputation attracts the attention of powerful attackers who may not
+mind
 revealing the identities of all the users to uncover the few bad ones.
 
 While people therefore have an incentive for the network to be used for
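Review bot: "Thus, reputation is an anonymity issue for two reasons." uses "Thus" as if the preceding sentences had already established the conclusion, but the two reasons only follow afterward; "Reputation is therefore an anonymity issue for two reasons" or simply "Reputation is an anonymity issue for two reasons" reads more logically. The "may not\nmind" break also leaves "mind" alone on a source line; rejoining it would keep the paragraph readable in the source.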
@@ -598,17 +603,17 @@
 and usability. On the one hand, we might remark that anonymity is already
 tricky from a technical standpoint, and if we're required to get usability
 right as well before anybody can be safe, it will be hard indeed
-to come up with a good design. That is, if lack of anonymity means lack
+to come up with a good design: if lack of anonymity means lack
 of users, then we're stuck in a depressing loop. On the other hand, the
 loop has an optimistic side too. Good anonymity can mean more users: if we
 can make good headway on usability, then as long as the technical designs
 are adequate, we'll end up with enough users to make everything work out.
 
-In any case, choosing not to figure out a good solution means leaving most
+In any case, declining to design a good solution means leaving most
 users to a less secure network or no anonymizing network at all. Cancer
-survivors and abuse victims are going to continue communications and
+survivors and abuse victims would continue communications and
 research over the Internet, risking social or employment problems; and human
-rights workers in oppressive countries are going to continue publishing
+rights workers in oppressive countries would continue publishing
 their stories.
 
 The temptation to focus on designing a perfectly usable system before
