[liberationtech] a privacy preserving and resilient social network
Eleanor Saitta
ella at dymaxion.org
Fri Jun 28 23:53:15 PDT 2013
On 2013.06.29 01.52, Alireza Mahdian wrote:
> I really hope all your other facts are not based on this link you
> sent. As Matt rightfully put it, we don't know the kind of cipher
> that was used; it could have been a very primitive one. You are
> making a very bold statement based on very incomplete data.
Of course not. Frankly, I'm not worried about cryptanalysis. If the
easiest way into a system is by breaking crypto, we've succeeded beyond
our wildest expectations. Snowden said, in passing, that strong
crypto does in fact work; he also said that the terrible state of host
security means that this is almost never a problem for NSA.
> As for your recommended approach of not releasing research
> software to regular users, you have to know that MANY of the
> current technologies that are being used have their roots in
> research projects. You mention Tor and so many other applications
> and ALL of them have started as a research project in academia.
Yes, they have. The accepted standard of care in this community is that
software should not be recommended to real users for use with real data
if it is targeting high-risk use cases (which an intentionally
privacy-preserving social network designed for the Iranian context
necessarily is) until it has undergone community review and focused
security analysis from professional analysts. Not everything in the
community is at that point yet, but we're working on getting there.
Releasing code that's clearly marked as alpha and likely dangerous is
fine, as long as you make it clear to users that this code may not, in
fact, provide any of the properties it claims to provide until such
point as it's had an appropriate degree of review.
While we can't do anything about projects coming from outside academia,
I'd love to see IRBs start to enforce this for academic projects. It'd
likely save lives.
> My claim is that MyZone is privacy preserving and I stand by it. I
> never claimed that it is providing anonymity and in fact I have
> pointed out that it does not even aim for it. As the creator of
> MyZone I did not feel the need for unlinkability as deniability is
> provided to a needed degree.
And what I'm telling you is that on the basis of what we've seen coming
back from the field, not to mention the documents we've seen confirming
things in the past few weeks, THERE IS NO SUCH THING AS PRIVACY WITHOUT
UNLINKABILITY.
The game is in traffic analysis. Most of what's interesting about a
conversation comes from traffic analysis. Post-hoc deniability of
specific messages is not a useful property in evading negative security
outcomes, because the suspicion of being part of the set of people who
could have sent a message is more than sufficient to justify picking
someone up in high-risk scenarios, and in lower-risk scenarios is likely
insufficient to convince a judge.
We as a community have a fundamentally backwards idea of what privacy
means (or so we now see). Privacy does not mean confidentiality, it
means confidentiality and unlinkability at a minimum, and in many
regimes, it means confidentiality, unlinkability, and undetectability
(because if you live somewhere where using crypto gets you killed, Tor
can't help you).
By the standards that we've been applying as a community previously,
while I stand by my comments on research software, you're not doing
bad (although the devil is in the details); the problem is those
standards were wrong.
> You probably are not going to give my app even a try but I would
> certainly give your "Bullet proof" solution, if it ever sees the
> light of day, a try and read its documentation in full before
> criticizing it.
I don't know where this "bullet proof" nonsense comes from -- that's not
a claim I'd make; it's childish, like talking about "military-grade
encryption"; we can do better.
I've seen a dozen architectures proposed this week for different kinds
of privacy-preserving systems. I'm not going to install all of them and
read all of their documentation; I have work to do. I'm happy to
provide feedback on some of them when I have time.
I'm taking the time to provide more detailed feedback on this one
because I think we need to, as a community, have a conversation around
the properties that we design solutions for.
> I have tried SO MANY of these solutions that you mentioned in a
> very restrictive environment (I come from Iran and I have first-hand
> experience of whatever you are mentioning here) and trust me,
> they are often so slow (you have to consider dial-up bandwidth)
> that you prefer to avoid them in the first place.
I understand the bandwidth limitations of many connections in a place
like Iran. I know Tor is too slow right now. I'm not trying to excuse
it. What I'm saying is that we should be working on building systems
that can compose with it and working on making it faster, or working on
building alternate systems that provide the same unlinkability with
different performance tradeoffs. Sadly, we don't get to make the
problem that needs solving the one we know how to solve.
> I will consider any "constructive" criticism of my work and
> appreciate it very much, but telling me that I have solved the
> "wrong" problem is just your opinion. I certainly wouldn't consider
> myself expert enough in the field to make a blunt statement
> like that towards anybody's work.
I've been doing architectural security work for a decade. As principal
security engineer at OpenITP, it's my job to understand what the right
problems to be solving in the circumvention space are.
E.
- --
Ideas are my favorite toys.
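
The distinction drawn above between confidentiality and unlinkability, as an added example that is not part of the original message: it measures, from connection metadata alone, how many users an observer cannot rule out as the sender of a message. The user names, timestamps, the relay and its batching window are all constructed assumptions, and neither flow log models MyZone or Tor.

```python
from collections import namedtuple

# One record per connection the observer sees. Payloads are encrypted in both
# designs, so content never appears here. All values are constructed.
Flow = namedtuple("Flow", "t src dst")

# Hypothetical design A: the sender connects straight to the recipient.
DIRECT = [
    Flow(100, "alice", "bob"),
    Flow(130, "carol", "dave"),
    Flow(160, "erin", "bob"),
]

# Hypothetical design B: the same three messages go through a relay that
# holds them and releases the whole batch at t=200.
RELAYED = [
    Flow(100, "alice", "relay"),
    Flow(130, "carol", "relay"),
    Flow(160, "erin", "relay"),
    Flow(200, "relay", "bob"),
    Flow(200, "relay", "dave"),
    Flow(200, "relay", "bob"),
]

def linked_pairs(flows):
    """Who-talks-to-whom edges visible without decrypting anything."""
    return {(f.src, f.dst) for f in flows}

def candidate_senders(flows, recipient, t_delivered, window, relay=None):
    """Users the observer cannot rule out as the sender of the message that
    reached `recipient` at `t_delivered`.

    With no relay the inbound flow itself names the sender. With a relay,
    anyone who fed the relay within `window` seconds before delivery stays
    in the set.
    """
    hop = relay if relay is not None else recipient
    return {f.src for f in flows
            if f.dst == hop and 0 <= t_delivered - f.t <= window}

if __name__ == "__main__":
    print(candidate_senders(DIRECT, "bob", 100, 0))
    print(candidate_senders(RELAYED, "bob", 200, 120, relay="relay"))
```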