[liberationtech] Appelbaum's Ultrasurf report
Collin Anderson
collin at averysmallbird.com
Wed Apr 18 11:15:25 PDT 2012
Hi Frank and Brian,
> I hope Collin will weigh in directly because he is on this list...
Sure, but the best I can give is a history of sorts. I defer to Jacob for
one perspective and Walid Al-Saqaf for another.
Since the Haystack affair, there has been a clear, but perhaps
uncoordinated, push by communities such as the Tor Project to ensure that
funders understand their responsibilities in the endorsement of security
tools. To the credit of the State Department, and a few other American (RFA)
and European organizations, it is evident that people are coming into the
fold that understand this. It has been my ungrounded assumption that part
of the money you footnoted is going to such due diligence, a hypothesis
that Ultrasurf gives evidence to in their response:
> "As an example of how we are taking security seriously, we have already
> retained a thirdparty testing and review service at the recommendation of
> the U.S. State Department to help us identify and remove security
> vulnerabilities. This is an active exchange and is resulting in continual
> improvement of our system."
More directly to your comment:
> Which could be used, for instance, to inform anyone
> considering using/funding tech that claims to support "anonymity,
> security, privacy and Internet censorship circumvention" to ensure
> veracity before release and continuity whilst in use and when updated
> and for accreditation/certification technical analysis to be published
> responsibly?
If you want a Kimberley Process of sorts, I think that would be a very cool
way to shape the narrative around tools; sort of like how we teach people
SSL by having them look for the Padlock icon. However, when there are
millions of dollars on the table, politics comes into play more than
technology. Ultrasurf was the primary example of such a case, however, I
took great pains in my writing to note that I empathize with their history
and position. It was clear that they were more willing to be open when they
did not think that disclosure would damage their reputation. State's offer
was much more low risk because it was not public, nor did it efface them in any way.
Tor Project, and more recently Psiphon v3, have set higher standards for
their competitors regarding community participation and documentation. I
have great faith and confidence that Lantern and others will follow suit
when they are ready to launch. At this point, even auditing the security of
other tools seems to be a new act -- but there are so many claims out there
to check. I have my list of vendors that concern me, a list which probably
doesn't match anyone else's. To cut this short, when security is not a
zero-sum game of politics, we might get this better process you imagine.
Cordially,
Collin
On Wed, Apr 18, 2012 at 12:57 PM, Frank Corrigan
<email at franciscorrigan.com> wrote:
> Would it be feasible and practical to develop some sort of independent
> accreditation/certification/research/benchmarking mechanism* that covers
> such technology? Which could be used, for instance, to inform anyone
> considering using/funding tech that claims to support "anonymity,
> security, privacy and Internet censorship circumvention" to ensure
> veracity before release and continuity whilst in use and when updated
> and for accreditation/certification technical analysis to be published
> responsibly?
>
> *Using some of the $28 million set aside for such tech:
>
> http://www.bloomberg.com/news/2011-04-20/u-s-funds-help-democracy-activists-evade-internet-crackdowns.html
>
> Frank
>
> ----- Original message -----
> From: Chad Hurley <hurleyc at rfa.org>
> To: liberationtech at lists.stanford.edu
> Subject: Re: [liberationtech] Appelbaum's Ultrasurf report
> Date: Wed, 18 Apr 2012 11:00:48 -0400
>
> Collin Anderson worked with Ultrasurf to assist with the patching of
> holes found in Jacob's report. He has a blog post about his
> participation here:
>
>
> http://b.averysmallbird.com/entries/the-need-for-community-participation-and-clear-disclosure-processes-in-the-case-of-ultrasurf
>
> -Chad
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
>
> Should you need to change your subscription options, please go to:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> If you would like to receive a daily digest, click "yes" (once you click
> above) next to "would you like to receive list mail batched in a daily
> digest?"
>
> You will need the user name and password you receive from the list
> moderator in monthly reminders. You may ask for a reminder here:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> Should you need immediate assistance, please contact the list moderator.
>
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
--
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.