[liberationtech] Appelbaum's Ultrasurf report

Fri Apr 20 02:11:33 PDT 2012

Hi x z,

I'll not respond to all of your comments, but at least to the ones where I
see relevance to my own area of work, and thus feel qualified to comment
on... response in-line, for the sake of readability I'll cut the rest of
the appended text

On Fri, Apr 20, 2012 at 1:09 AM, x z <xhzhang at gmail.com> wrote:
<snip>

>
>>
>> What other choices do they have? If we accept the circumvention tools
>> don't actually circumvent all blocks, what has been created? Seems
>> pretty weird.
>>
>> Ultrasurf is only one tool, there are tons of other tools, including Tor,
> that people can use. A circumvention tool does not need to be perfect to be
> useful.
>

The issue here shouldn't be around whether or not its right to criticize.
If ultrasurf is so awesome, then they shouldn't worry what a little old
american guy like Jacob has to say. And we as liberation tech
activists/enthusiasts/experts should never attempt to quash debate or
discussion about the flaws in any tech, I for one would love to see more
discussion about potential flaws in Tor!

<snip>

>
>> Furthermore - what happens when a user in China can't access sites in
>> China from the tool? I suspect it may cause the user to unproxy
>> themselves, with other windows open and well, uh oh.
>>
>> This is not a big deal at all. A typical Chinese user has multiple
> browsers, one with proxy to access websites outside GFW, another to browse
> domestic websites directly. Of course this is an area for improvement, but
> not a deal killer.
>
>
So yes, Jacob did use China as his frame of reference, but shouldn't we
expect tools to be flexible for many scenarios, and to be honest, I'm not
sure how anyone can speak about a "typical Chinese user" with authority...

> >
>>
> <snip>

> >
>>
>> Chrome isn't a circumvention tool. It has a secure automatic updating
>> tool. It would be absolutely insane if Google said "oh whatever, we're
>> just a web browser" and didn't offer a secure way to update Chrome.
>>
>> Google is a big company with abundant resources and big responsibilities.
> It is unfair to ask Ultrasurf to hold the same high standard as Google,
> because it lacks the resources and it has its own priorities.
>

LOL. Everyone should strive for greatness. It may be unfair to expect it,
but certainly not to desire or request it.

>
> You can't have effective circumvention that presents no risks without
>> being honest about the security and privacy needs of your users. I think
>> it's possible to do it without anonymity but I think that is actually
>> the wrong course of action. We see this in reality by the fact that
>> Ultrasurf has been served with some kind of legal process and has, as I
>> understand it, given up data to someone claiming to be law enforcement.
>>
>> What user's of the software need most is circumvention, perhaps. But
>> security, privacy, and anonymity are part of the circumvention picture.
>> It's not just about hopping over a firewall. BASE64 encoding isn't
>> enough, even if it "works" for getting past content filters. We have to
>> think beyond that and to really develop threat models, designs and so on.
>>
>> Circumvention and SPA (security, privacy, anonymity) are two things. What
> most people in China, Syria and other repressive regimes need most is the
> former. SPA are for those who involve in sensitive activities, this is an
> important group, but a very small group too. I think this is a critical
> point the developers should keep in mind - what is your software's use
> case? what is the other guy's software's use case?
>

Right, because users are only ever targeted by governments/states because
they have *actually* broken a law(whether or not that law is legitimate
lets leave aside for now). I'm sorry x z, but its quite naive, ignorant,
and dangerous to present the idea that there is no need for "average
citizens" or as you say those not "involve in sensitive activities" to have
access to SPA... Everyone deserves privacy. The problem is not that they
don't want it or don't deserve it, the problem is that the architecture of
the internet and modern communications have not been built at the behest of
citizens and consumers but states and corporations who each have various
goals of hegemony in mind, and not liberation.

Brian

>
> Best,
>
> >
>> > Lastly, I must add that your Ultrasurf study and report are very useful
>> and
>> > extremely important in making Ultrasurf more secure and force them to be
>> > more honest in their marketing.
>>
>> Thanks.
>>
>> All the best,
>> Jake
>>
>
>
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
>
> Should you need to change your subscription options, please go to:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> If you would like to receive a daily digest, click "yes" (once you click
> above) next to "would you like to receive list mail batched in a daily
> digest?"
>
> You will need the user name and password you receive from the list
> moderator in monthly reminders. You may ask for a reminder here:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> Should you need immediate assistance, please contact the list moderator.
>
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
>

-- 

Brian Conley

Director, Small World News

http://smallworldnews.tv

m: 646.285.2046

Skype: brianjoelconley

public key:
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xCEEF938A1DBDD587<http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE827FACCB139C9F0>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20120420/8999f4af/attachment.html>