[liberationtech] OkayFreedom

Jacob Appelbaum jacob at appelbaum.net
Sun Oct 28 08:16:08 PDT 2012 

Eric S Johnson:
>> As an example, I told you about the extreme surveillance in Belarus (if
>> I recall correctly) once and until the Swedish news covered it, it
>> wasn't a reality for you; merely rumors or something of the like.
> 
> The STV report added nothing to our knowledge about the BY gov't's
> capabilities. It provided very "good" publicity for the help Western
> companies provide less-savory governments' cybercensorship &
> cybersurveillance efforts--although strictly speaking, it doesn't seem that
> difficult to get analogous technology from RU or CN.
> 

Huh. I distinctly remember my response to your query being dismissed as
mere rumor. Specifically that *I* had no evidence of Belarus network
behavior with regard to surveillance or censorship. I don't think I need
to quote our private emails to prove my point, right? Perhaps I
misremember the entire discussion; it happens to all of us!

None the less it is irrelevant where Belarus gets this kind of
technology. What matters is that users must be protected against serious
attackers.

>> fully grok and that are part of a bigger picture. As an example - that a
>> telephone can be intercepted means that it is *insecure* by *default*
> 
> Agreed (and with many of your other assertions, none of which I stated
> anything counter).

Does this mean you don't promote non-free and proprietary software any
longer, such as Skype, UltraSurf, or other software? How about
centralized VPNs? It sure looks like you're using Microsoft Outlook, so
I'm not sure.

Your implicit and explicit statements seem quite contradictory to me. It
is extremely frustrating but perhaps I'm just dense and I don't
understand. I don't doubt that such a thing is possible.

> 
>> Probably far more than we fully understand if we include the NSA
>> warrantless wiretapping that is still ongoing.
> 
> I think we all assume the NSA does that. But part of my point about threat
> modeling & prioritization is, the NSA isn't the primary threat for someone
> in Uzbekistan.

There is no assumption about the NSA spying. It is a fact. The question
open at the moment for those in the US is if we will have some kind of
justice for this spying on all of us. It sure seems bleak.

However, when you say that the NSA isn't the primary threat, I wonder?
And how did you decide that? People in Uzbekistan are explicitly and
have always been, a valid target for the NSA. If perhaps you mean to
suggest that it is a valid threat but the local telecom is more of a
threat, I don't think we disagree. However, I wonder how it differs in
practice in terms of advice or suggestions or risks that an activist in
Uzbekistan might face?

> 
>> "99.9% of VPN users are principally looking for cybercircumvention" -
>> this of course implies that my needs or my concerns don't matter, they
> 
> Not at all--I'm just stating that the number of people for whom a VPN's
> primary purpose is cybersecurity (instead of cybercircumvention) is
> minimal--even if that 0.1% includes you, me, everyone on this list, and many
> of the people all of us are in touch with.
> 

We'll have to agree to disagree here - you repeatedly state most users
don't care and I think most users don't understand your anecdotal
survey. I hardly understand it.

I mean, who uses terms like cybersecurity or cybercircumvention with a
straight face? You say cyber and I think about sexy internet chatrooms -
perhaps this is just a cultural difference.

If you asked me if I need cybersecurity or cybercircumvention, I would
be unable to take the question seriously. I need specific security
properties and I need traffic analysis resistance.

You continue to make up numbers without any data to back it up - it is
extremely disempowering and dismissive.

Users care about going to prison, they care about being blackmailed,
they care about having their emails read by others, they care about
their calls being recorded, they care about their computers being
infected with malware, they care about avoiding the authorities
interference and a lot more!

>> threats are real, the risks for many of them are high and that spending
>> a few hours everyday might be helpful. In some cases, I think it is the
> 
> Everyone agrees more education is good. An issue we have to face, though, is
> that we aren't always going to be able to get everyone to do what we want
> (no matter how seriously we try to convince our partners, or threaten them
> with real-life scenaria, let alone hypotheticals). Hence prioritization (to
> maximize the usefulness of the attention we're able to get).
> 

I don't think that everyone agrees - that is why there is such a focus
on tools rather than process. That is also why people select and suggest
non-free/proprietary software solutions, they suggest and promote things
they hardly understand theoretically, let alone in practical
implementation. Hell, I often feel like I'm missing pieces of the
technology unless I sit down and read source code for days on end.

This is ultimately an epistemological issue - how do we know what we
know and how do we know that anyway?

Teaching a collection of facts without a cohesive process for
understanding the (many) big picture(s) is a disaster and has failed
repeatedly.

The point isn't to get people to do what we want. My point is that we
need to build alternatives to the current surveillance and censorship
realities, to help people understand processes that give users autonomy
to make their own choices, to show data and stories about lessons we've
learned the hard way, and when we are able, to offer solidarity where it
is possible and welcome. I'm not interested in imperialism - I'm
interested in mutual aid for individuals and groups who need, want and
ask for it.

Just as we rarely, if ever, understand the full context on the ground in
a place - we should not project the security, privacy, anonymity desires
of people that do not understand the technology with which they interface.

So where do we disagree? At the very least, we disagree with the "more"
- I want specific kinds of educational material, specific kinds of
technical material and specific kinds of support. Smart educational
offerings rather than simply "more" educational materials.

This discussion reminds me of a cold war mindset and it feels bad. We're
not at war with countries or anything like it. We're, if we're doing
anything, are hopefully helping people to make different choices by
building alternatives together.

For example, imagine I asked if you wanted a VPN that was compatible
with a twos-complement CPU architecture? Your answer requires an
understanding of computer science that many users would not really
understand. Who cares? That shouldn't change my priority for ensuing
that your VPN uses breakable crypto - it is in-fact totally unrelated.

No one disagrees that we must have priorities. I think we explicitly and
clearly seem to disagree about what those priorities are in practice.
Perhaps I'm wrong here - perhaps we totally agree with everything except
in how we phrase our experiences.

So then, what are the priorities?

>> That is - by default - you assume good faith of all of the players and
>> anyone who seems to state anything to the contrary is paranoid. This is
> 
> Nah. No one among us is making those assumptions. That's why it seems
> counterproductive for you to make the assumption that I'm making that
> assumption.

Are you explicitly warning users, partners or groups about your lack of
good faith? I've never heard it - I hear a lot of discussion about
paranoia, rumors and other stuff like it - but it is always aimed toward
people who have concerns. I personally feel like it is often suggested
that the burden to show something is unsafe is on us. It is especially
frustrating as there is no evidence it should even be considered secure
in the first place.

You said it earlier in the thread perfect:

"Conceivably, a cybercensoring government could come up with all sorts
of tricky ways to “poison” cybercircumventing citizens by, say, seeding
local VPN resellers with a VPN that delivers a “fake” site loaded with
malware. But again, that’s purely theoretical;"

I take issue with this "purely theoretical" business.

https://www.eff.org/deeplinks/2012/07/new-blackshades-malware
https://www.eff.org/deeplinks/2012/08/syrian-malware-post
https://www.eff.org/deeplinks/2012/05/fake-skype-encryption-tool-targeted-syrian-activists-promises-security-delivers
https://www.eff.org/deeplinks/2012/05/trojan-hidden-fake-revolutionary-documents-targets-syrian-activists

I think you're right - you're not making an assumption... You're making
flatly incorrect statements and that isn't an assumption by me, it's a
matter of record on this mailing list clearly written by you.

It also feels rather weird that you selectively quote my emails. I feel
you did not address my previous points at all. I'll repeat them and I
hope you will address them - it is hard to reach clarity on these topics
when we skip over so many of them.

=============== begin previous questions  ==================

>
> So we (and those who depend on our help) are hugely benefitted by tallying
> up how much/often we know a particular threat has been used to persecute
> someone, and then focusing our efforts on solving that threat first
... then
> solving the next-most-dangerous threat ... etc.

This is a pointless *general* metric Eric. We know for example that
wiretapping is a huge risk and it poses a serious threat to people.
Probably far more than we fully understand if we include the NSA
warrantless wiretapping that is still ongoing.

These things are not solved with technology alone, they are solved
socially as well. However, I see neither of those things happening in
this discussion because users are being taught about a product which
ironically hasn't even been meaningfully evaluated!


> 	My main point about VPNs was that (in my experience) I know of no
> situation in which we've learned that it was a government-owned VPN which
> caused an activist's compromise, but I do know of lots of situations in
> which the compromise resulted from lack of endpoint security or the
physical
> loss of unencrypted media, and some in which data were intercepted
in-line.
> So these latter are deserving of more attention on the part of
cybersecurity
> trainers.
>

My core point in response is that your default assumptions are simply
rotten to the core. We will likely not learn these things and so, we may
never know that this was the vector. Nor would it even matter if it was
government-owned - many are government-compromised. Look at the lulzsec
guys who were turned in by HideMyAssVPN:

  http://blog.hidemyass.com/2011/09/23/lulzsec-fiasco/

That in my view is a perfect example of why it doesn't matter who owns
it *unless* you *really* trust them! What matters is that the
architecture *and* the people are stacked against the activists. That is
what happened in that case and now, some kids are in jail because they
listened to the same line of argument that you're making now.

But perhaps you'll argue that they're just criminals and should be
locked up or something?

============= end previous questions ===========

If I sound frustrated - firstly, I hope you don't take personal offense
and secondly, I hope it does engage you to actually discus these
important topics. I also hope you'll understand that this is because
while in theory we're working towards similar goals and in practice, I'm
hearing user blaming, weird security claims, lots of weird suggestions
and tons of excuses.

All the best,
Jake

More information about the liberationtech mailing list