[liberationtech] OkayFreedom
Jacob Appelbaum
jacob at appelbaum.net
Sat Oct 27 02:09:30 PDT 2012
Eric S Johnson:
> Whew. Stirred up a hornet's nest.
>
> We all have good experiences to share. I worry, though, that if we spend a
> huge amount of time fighting each other, we'll not be spending that time
> helping the people who really need it. None of us actually disagree with
> each other on whether an activist in a cyberdangerous country should be
> using a government-managed VPN. We all know about MITMing, and FinFisher,
> and OpenVPN, etc. etc. etc.
I'm not fighting with you. I merely reject your simplistic assertions.
As an example, I told you about the extreme surveillance in Belarus (if
I recall correctly) once and until the Swedish news covered it, it
wasn't a reality for you; merely rumors or something of the like.
eg:
https://www.eff.org/deeplinks/2012/05/swedish-telcom-giant-teliasonera-caught-helping-authoritarian-regimes-spy-its
That is - by default - you assume good faith of all of the players and
anyone who seems to state anything to the contrary is paranoid. This is
of course a tactic of either a person who is not empowered, a person who
is working to sew discord or perhaps merely a person who doesn't know; I
have always preferred the latter explanation. Generally, I have stayed
quiet about it but I'm sorry to say that this email thread caught my
interest in a way that wasn't easy to ignore.
We do have good experiences to share and yet we must realize that there
are facts about our experiences that we may not understand, we may not
fully grok and that are part of a bigger picture. As an example - that a
telephone can be intercepted means that it is *insecure* by *default*
and if you've been to a place and never seen wiretapping - we must not
forget that it is not only possible, it is policy!
While you assert that we all know about MITM, FinFisher and OpenVPN - I
think we know about them in different ways. That is - they are
considered binary things; when in reality, a MITM isn't always changing
a certificate. Absence of detection is often used as absence of a need
for a concern. This is not a reasonable way to threat model at all. I'm
sure others will chime in here and beat this horse to death. I welcome it.
>
> The most important points I think worth making is that it's really important
> to a) understand the threat, and b) prioritise the response.
>
Your statements demonstrate to me that you do not understand the threat
in a way that you convey to others. Rather, I feel that you openly
minimize things because you feel that we cannot solve *everything* at
once. The language used is often something that will disempower a person
"99.9% of VPN users are principally looking for cybercircumvention" -
this of course implies that my needs or my concerns don't matter, they
haven't yet reached critical mass, etc. This is of course a logical
fallacy and well, as far as I can tell, unsubstantiated in any case.
> There are so many threats that if we try to solve all problems (both known
> and theoretical), most end users simply won't accomplish much (not to
> mention that our resources are limited). I can't count the number of times I
> find an activist in Ethiopia, Uzbekistan, or Vietnam who's still accessing
> her @yahoo.com e-mail account unencryptedly, even after having been to a
> cybersecurity seminar one of us taught. Or whose OS hasn't been patched
> since it was installed two years ago. Or whose entirely-unencrypted hard
> drive has been taken.
That is however not a reason to pretend yahoo is secure or that since
many users use it, they obviously don't care about security. Rather, we
should encourage them to use a more secure popular mail provider.
Furthermore, we should encourage them to install an OS that is Free
Software, that automatically applies security patches and that comes
with disk encryption enabled by default.
Or at the very least, we might consider telling these activists that the
threats are real, the risks for many of them are high and that spending
a few hours everyday might be helpful. In some cases, I think it is the
difference between a few hours of education every week and a lifetime in
jail. Minimizing these security realities is harmful and if we're going
to teach users anything, we should teach them the processes by which we
learn decide and evaluate these issues. I'd even advocate teaching about
the philosophy that allows us to believe we have a personal right to
protect ourselves. Merely teaching solutions leads to oversimplification
and judgments by people who don't really ever fully understand the
context - that is what we're doing right now.
>
> So we (and those who depend on our help) are hugely benefitted by tallying
> up how much/often we know a particular threat has been used to persecute
> someone, and then focusing our efforts on solving that threat first ... then
> solving the next-most-dangerous threat ... etc.
This is a pointless *general* metric Eric. We know for example that
wiretapping is a huge risk and it poses a serious threat to people.
Probably far more than we fully understand if we include the NSA
warrantless wiretapping that is still ongoing.
These things are not solved with technology alone, they are solved
socially as well. However, I see neither of those things happening in
this discussion because users are being taught about a product which
ironically hasn't even been meaningfully evaluated!
> My main point about VPNs was that (in my experience) I know of no
> situation in which we've learned that it was a government-owned VPN which
> caused an activist's compromise, but I do know of lots of situations in
> which the compromise resulted from lack of endpoint security or the physical
> loss of unencrypted media, and some in which data were intercepted in-line.
> So these latter are deserving of more attention on the part of cybersecurity
> trainers.
>
My core point in response is that your default assumptions are simply
rotten to the core. We will likely not learn these things and so, we may
never know that this was the vector. Nor would it even matter if it was
government-owned - many are government-compromised. Look at the lulzsec
guys who were turned in by HideMyAssVPN:
http://blog.hidemyass.com/2011/09/23/lulzsec-fiasco/
That in my view is a perfect example of why it doesn't matter who owns
it *unless* you *really* trust them! What matters is that the
architecture *and* the people are stacked against the activists. That is
what happened in that case and now, some kids are in jail because they
listened to the same line of argument that you're making now.
But perhaps you'll argue that they're just criminals and should be
locked up or something?
> As to "99.9% of VPN users are principally looking for
> cybercircumvention"--nope, no statistical proof. Just lots of real-life
> experience (which is in no way minimizing the experience of everyone else on
> this list).
>
Ask a person a question they don't fully understand and you'll get an
answer that is meaningless.
For example, I invite you to read my latest paper on why VPNs are
dangerous in this context:
https://www.usenix.org/conference/foci12/vpwns-virtual-pwned-networks
A perfect example is the discussion surrounding Dihydrogen Monoxide. How
many people were fooled by the mere *wording* of the discussion?
All the best,
Jake
More information about the liberationtech
mailing list