[OTR-dev] Clever logging for weechat_otr plugin (+ log management discussion)

Daniel ".koolfy" Faucon koolfy at koolfy.be
Thu Mar 14 07:17:30 EDT 2013 

On Wed, 13 Mar 2013 18:39:16 -0400 (EDT)
Paul Wouters <paul at cypherpunks.ca> wrote:

> On Wed, 13 Mar 2013, "Daniel ".koolfy" Faucon" wrote:
> 
> > - Logging should be deactivated for the entire duration of the OTR
> >  session by *DEFAULT*, and the only way to re-activate it should be
> > on a per-conversation basis, manually. I voluntarily refused to add
> > an easy command to re-enabling the systematic logging of OTR
> >  conversations. Doing so is toxic
> 
> I disagree. While I (reluctantly) agree with a default "no logging"
> policy, it should be possible for users to enable this.

Enabling them on a per-conversation basis, sure.
Systematically for every conversation... I don't like it. 
While I am in favor of giving choice to the users generally, here we
are giving the choice of putting people in danger. That's my complaint.


> For instance, I use full disk encryption, so my logs are perfectly
> safe. And I prefer having my logs because I often need to look up
> things from my logs. 

From Quinn Norton's article about the Aaron Swartz prosecution:

   And if the prosecutor took my computer, I would have to go to jail
   rather than turn over my password. I had no choice. I'd been logging
   all of my communications for years, professional and personal. Aaron
   knew this, and he was furious at me for it when he read the
   subpoena. It was a kind of impersonal fury, not directed at me and
   my decisions, but the situation itself. "Why did you log?" he asked
   me repeatedly. I told him that it had kept me sane in my divorce.
   But he already knew that, he'd been there.

   These days, I not only don't log, I refuse to talk to anyone who
   does. I often refuse to communicate without encryption. But I had to
   continue to log during the investigation. I was told that changing my
   behavior while being investigated could be held against me, because
   in an investigation it is suspicious to learn from your mistakes. 

http://www.theatlantic.com/technology/archive/13/03/life-inside-the-aaron-swartz-investigation/273654/

Encryption doesn't take away the responsibility of logging. In some
contexts, you might be forced to "cooperate" legally or violently.

Strange game, the only winning move is not to log :)


> Especially if OTR becomes the default enmasse,
> not allowing people to log their conversation is a sure way to get
> them to not use OTR.

You assume that if everybody suddenly used OTR for every conversation
"enmasse", but still logs everything, those communications are secure.

When in fact, in that situation, you render passive surveillance
useless, and computer seizure, compromise, or robberhose decryption so
much valuable than passive interception would ever have been. When you
get to the logs you get so much more than you could ever get from
network surveillance, even when only compromising one person in a
target group.

But then again, there is no such thing as not enabling users to log
conversations. This is delusional and counter-productive. But enabling
the logging should strictly be on a per-conversation basis. The ideal
situation being manually copy/pasting important bits while redacting
the sensitive stuff away. Granted this is probably asking too much, but
requiring to re-enable logging for specific conversations seems like a
decent compromise between ideal and responsible logging on one hand,
and "I want a few logs, re-enagle systematic logging of EVERYTHING
OTR'ed, then forget about that switch and log everything to disk until
the end of times".

The "all ON" switch looks very risky to put on the UI (or plugin
commands). I'm more in favor of a "ON just for this time, and then OFF
again by default" solution. It at least requires the user to actively
think about the consequences of logging that conversation. Every time.




-- 
Daniel ".koolfy" Faucon

Tel: France : (+33)(0)658/993.700
PGP Fingerprint : 485E 7C63 8D29 F737 FEA2  8CD3 EA05 30E6 15BE 9FA5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.cypherpunks.ca/pipermail/otr-dev/attachments/20130314/26bb7ea5/attachment.pgp>

More information about the OTR-dev mailing list