[liberationtech] The security and ethics of mapping in repressive environments
Jacob Appelbaum
jacob at appelbaum.net
Wed Feb 9 00:21:49 PST 2011
On 02/08/2011 11:23 PM, Jonah Silas Sheridan wrote:
> Thanks for posting this Katrin.
>
> I am actually impressed by the writeup, as it is far beyond what most
> activists I have been around are doing. My own concern would be why
> encryption gets short shrift - why no encrypted local filesystem, why no
> PGP emails, etc. Without those tools, deleting sensitive materials
> (logs, files, emails) just made the forensics harder, not impossible....
>
I was surprised by the lack of local encrypted file systems as well. A
system with full disk encryption and a reasonable passphrase makes for a
forensics nightmare.
> Although I agree *absolutely* with Jacob, I have worked with numerous
> U.S. based NGOs, many doing international and/or human rights work, and
> don't think I have ever gotten a single individual to conform to even
> these incomplete best practices. And that lack of movement, it seems to
> me, is the true barrier to penetration of these better tools.
>
We've worked together and I can't agree enough. It's really depressing
because it's a cycle. A key issue is that *we* may know these things but
we can't actually get people to really _care_ until it's too late.
> I think the Skype use case is a good example. As Danny stated:
>>> Right now I'd say people
>>> feel it falls in the "gmail" category – not the best thing to use by
>>> a long chalk, but certainly better than nothing.
> And:
>>> The in-the-wild attacks on Skype
>>> users I *have* heard all involve attacks that compromise the client
>>> or obtain user passwords through malware. That combined with the
>>> circumstantial evidence of state actors' apparent fury at Skype
>>> for not providing intercept access would seem to point that it's not
>>> *garbage* per se. Or at least make it hard to compellingly convince
>>> people to move off it.
> My own observations from working with NGOs mirror Danny's. Folks are
> using Skype, warts and all, because it meets their immediate need better
> than the alternatives, which almost all demand some level of technical
> facility/staffing/training to operate and so are a non-starter for most
> of them. And this cultural bent around seeing Skype as
> anti-authoritarian, and "common enough" does not help the cause of those
> of us trying to redirect the narrative to potential harmful outcomes and
> alternate best practices, regardless of the threat model. In short, it
> just "doesn't matter enough" and the possible harm is abstract enough
> (and counter to the status quo) to overcome the barriers to better
> solutions.
>
I tend to agree but I find it rather painful to do so. It is so
frustrating to watch NGO after NGO use non-free software with absolutely
questionable security properties.
> My restating of Jacob's quick response is that these harmful outcomes
> are very real and that the vulnerability arises from Skype's
> architecture. Because they use proprietary encryption and transport
> methods, there is no way to properly audit Skype for security. Beyond
> that, they are clearly known to use vulnerable components (e.g. VBR) in
> their product. This is why Jacob states it is their responsibility to
> prove to us it is secure, not the other way around. In turn the only
> way, truly, to verify the insecurity of the tool is when there is a
> breach, and that could have terrible consequences. As I have often told
> folks, "You don't want to discover your systems were insecure through
> somebody in your community's death, incarceration or repression." Is
> that a fair restatement? Can you imagine using that to successfully make
> a "compelling case" to a non-techie on why not to use Skype? Me neither...
>
While slightly tangential, I'm fond of responding to complaints about
Tor's speed by asking "how quickly do you want to die?" - that usually
drives home the point. When people are seriously evaluating things,
they'll play it safe. When they're just having Skype-phone-sex, I guess
they'll make different choices. Ironically, if Skype is exploitable
(historically so) - you might screw up (no pun!) your later attempts at
being secure by using the same computer for high and low security
activities.
> My answer then to Danny's question about how Skype is compromised is
> that it doesn't matter, or it matters less than the sector wide
> acceptance of the status quo over the facts of the matter, or the
> opinions of "us experts."
>
> So my question to the community is how we shift the conversation within
> organizations/communities of activists to one not of perceived risks
> (non-risks), or industry norms, but of actual effective steps to
> protecting yourself and those with whom you communicate? Is it really a
> question of building the better tools and then pushing them out?
>
I think we have to build, promote, and use viable alternatives. We also
need to know that until those viable alternatives are perfect, we should
not settle or become complacent - we should let people know about these
issues.
All the best,
Jacob