[liberationtech] Secure, inexpensive hosting of activist sites
Jacob Appelbaum
jacob at appelbaum.net
Mon Apr 22 12:08:06 PDT 2013
micah:
> Eugen Leitl <eugen at leitl.org> writes:
>
>> On Sun, Apr 21, 2013 at 03:07:35PM +0200, ilf wrote:
>>
>>> I can't believe this bullshit thread recommending *only*
>>> commercial services.
>>
>> Look, free is distinctly unaffordable. If you need a dedicated box
>> somebody has got to pay for the hosting and remote hands. Activists
>> donating own resources are quite nice and cool (heck, been there,
>> done that) but ultimately you can't rely on them to be there if
>> the shit hits it.
>
> Can't rely on them to be there for what exactly?
To be fair - some activist communities just aren't holding the five
nines that other companies hold up as marketing material. ;-)
>
> Where is the liberatory technological element to recommending
> commercial services when they are more than happy when the "shit hits
> it" to bend over backwards for law enforcement without bothering even
> questioning if the request is even legal because that would cut into
> their profits? I have to say I agree with ilf, this is pretty
> depressing for this list.
I thought about the sheer number of people trying to compromise some of
my most public systems. The trade-off was one where I stopped worrying
as much about buggy software and traded it for legal attacks; I did so
knowing that if I were to lose, I would still *win* in that I would
learn something and set an undeniable example and if I were to win
outright, I'd have defended my or access to such systems successfully.
Thus I actually selected Google, Twitter and other service providers to
test a theory about how companies might act when pressed. Each company
has law budgets that greatly exceed the amount of money I could ever
hope to raise or spend on my own. After all is said and done - their
brands rely on people believing that they're good and will fight for
their users.
I actually told the FBI about this strategy during a Q&A in NYC - which
if you haven't seen it is ... well, let's say, I wasn't the only one who
thought it was funny:
https://www.youtube.com/watch?v=dTuxoLDnmJU
In short - there are companies that will go to court and even, if you're
lucky, spend *millions* of dollars on defending you because it is their
business model by proxy that they're defending. Not all companies will
do this though. Boy oh boy, the companies that did attempt to protect my
data versus the companies that didn't or didn't/don't have the ability
to tell me is _very_ low. I'd guess it is around three known actors with
likely over one hundred others at the bare minimum. That's just for
active accounts, I might add. I believe there was a lot of data sitting
around in logs and other places where I had not consented to the
collection (AT&T) and naturally such collectors don't notify or ask for
your consent in such a case...
So, let's say that the company goes to court for you. What will it matter
practically?
Well, I think it depends on the technical *and* social architecture of
the system as it is constructed, run and maintained.
The question that comes to mind about architecture is one that most
people on this list generally dismiss out of hand. It happens for VPNs
vs Tor, email hosting, chatting, web browsers, etc, etc.
We should consider that if the architecture of a system, even a mostly
*technically* secure system, is optimized for surveillance to the
company's benefit - it *will* almost certainly be forced to hand your
data over when ordered. Simply because it *is able to do so* at all,
we've learned that the law in the US is interpreted to suggest that such
companies must and they must do so silently. And it seems to be the case
that when the US has no legal recourse, it may use other methods for
jurisdictions beyond their direct legal reach. It might happen through
legal means, it might happen through general blackhattery, it might
happen through kidnapping a family member - compliance is possible and
there exists a case where compliance *will* happen. I have a friend who
said that in the days following the seizure of my telephone by the US
Government that his entire home network was compromised and that
included his X-Box. That is a lot of 0day to burn and I think
intelligence related folks are really in the golden era of their industry.
And when that happens, it won't matter if they had gone to court for you in
a practical sense - the data is in the hands of whoever wanted it. It
may or may not be used in court - that is largely irrelevant as life is
often made miserable by things outside of courts. As an example, replace
legal threats with, say, threats from the Zeta Cartel rather than threats
from a US Court and we see how strongly these systems will stand up.
Absent an attacker, many systems are secure and so, what is the ultimate
stopping block when such an attacker is present?
Not having the information, of course. Or having it in an encrypted
format such that it is useless without the user consenting to decryption
in some privacy preserving manner. We generally call this Privacy by
Design and the idea is a loose one, sometimes poorly implemented.
Generally it suggests a compartmentalized design of systems where the
systems are compartmentalized with something more than a promise.
Most of the radical collectives realized this long long ago - there is
little difference between an FBI agent who wants to *illegally* do
something and one who wishes to challenge a group with no legal
resources and will thus lose. The same exists for attacks from other
groups legal, illegal or perhaps even unknown. The end result of a
successful attack is a loss in all cases, almost always. Even if they
"promise" not to use the data. Cryptography may be used to ensure that
short of a crypto key, a service won't have the ability to betray that
promise and so the attacker won't ever be able to betray it either.
So what will be lost? With a proper design - little to nothing from the
past but perhaps it gives an advantage moving forward.
As those radical collectives do not profit from surveillance and rather
exist because of their users entirely, they try to secure themselves
against the threats that companies otherwise leave as a matter of
monetization. Some of them do better than others, obviously.
One thing should be clear: The architecture of a system limits the
autonomy of those who participate in running it.
So, shall we design systems that limit that autonomy to be in line with
the expectation set for users and the promises to users about protecting
privacy? I think so.
So what good are corporate services? They're sometimes good to use as
hedge against more powerful adversaries and especially if you're trying
to find the edges, such that we all better understand the entire set of
choices!
So - where is the liberatory technological element you ask?
"Corporate Mutual-aid" - a guide for activists? Probably not! An
important set of hard learned lessons? Absolutely!
>
> How can anyone in good conscience recommend to activists commercial
> services whose primary goal is to optimize for the bottom line? You
> realize that when "the shit hits it" you can rely on them to not
> waste any of their money fighting for you. Not that it matters,
> because they are already deputized data collection points for the
> police, building into their money-making schemes keeping as many logs
> as they possibly can to maximize profits from various advertising
> and surveillance efforts.
I generally agree. Though, I wonder. It depends entirely on the threat
model, doesn't it?
For example - I would never suggest that some groups roll their own
solutions if their best solution has the same weaknesses of a company
and without any of the actual technical or legal support that is often
needed.
Some activists don't care about Free Software, some don't care about
surveillance, some don't care about wiretapping - as a result, I think
it often makes people less effective because *it still impacts*
everyone.
It is hard to deal with a holistic framework that includes weird small
seeming details like infrastructure.
>
> And really, Cloudflare? C'mon. After their willingness to roll over
> on the subpoena for Barrett Brown and pretend that they were the
> internet's saviors by making up that whole thing about how they saved
> the internet from the biggest DDOS ever?
>
Yeah - they're an SSL MITM by design - it should give you some idea
about what vulnerability they introduce into the mix. For a while there
was an encrypted web chat service that MITM'ed their entire "secure"
chat service with Cloudflare. Combine that with some other hilariously
bad ciphertext only bugs and we have a passive break on their service in
a worst case scenario. Such a setup is the opposite of defense in depth.
Whoops.
> This is an amazing statement: "free is distinctly unaffordable" --
> what meaning of "free" are you using here? There are other things
> that I'd pay *more* money for if it meant the kind of free that I'm
> thinking of was in play... But this is 'liberationtech', right? Is
> the only thing you are concerned about being liberated from your
> money when doing tech things?
>
Oh man, I couldn't agree with you more.
> The cognitive dissonance here is deafening.
>
To paraphrase and bastardize jwz:
Free Services, like Free Software, are only Free if your time is worth
nothing. Free "time" like free as in not in jail or dead or worse!
All the best,
Jacob