[liberationtech] eternity USENET (Re: Internet blackout)

Jacob Appelbaum jacob at appelbaum.net
Sat Jun 29 09:37:57 PDT 2013


Eleanor Saitta:
> On 2013.06.29 10.27, Jonathan Wilkes wrote:
>> It's not a simplistic choice between using modern devices and being
>> a Luddite.  It's about people having a better understanding about
>> what the threats are, digesting that information (unfortunately,
>> slowly) and then using tools to mitigate those threats or a
>> (probably paid) expert installing those tools for them.
> 
> That'd be lovely.
> 
> None of those tools exist right now, not for locational privacy and
> metadata obfuscation.

I disagree about the existence. Perhaps, I think we might be able to
agree on certain values of 'unusable' rather than saying they don't exist?

As an example - for chat clients, Pidgin has a "Tor/Privacy Proxy"
setting - that when combined with using SSL/TLS or a Tor Hidden Service
or both - gives a chatting user location privacy from the chat server. I
also tend to call this geographical anonymity - which seems reasonable -
that is - the user's location is anonymous but the contact list, the
content of messages, the metadata like away status and the user's
identity are known to the server.

This is possible for web browsing as well - with very few exceptions -
when users use the Tor Browser Bundle (aka TBB). This is something that
took us far too long and now, we're finally getting the changes into TBB
that many usability studies suggested. The new TBB alpha is an example
of something that is extremely simple to use and it gives users
geographic anonymity. This most certainly obfuscates metadata to the
local network and TBB itself also attempts to remove other fingerprints
a user might accidentally send over the Tor network with a normal
browser. It is far from perfect and we're working hard to improve it.

The next version of TBB is very fast and it requires no education about
the tools - only about the services a user may wish to use - thus if a
user wishes to use a website that isn't secure, we have a problem we
have a chance of solving: getting a site to deploy HTTPS properly. That
is something that doesn't involve training users and as time progresses,
we'll be able to automatically (HTTPS-Everywhere is included in TBB)
secure connections to sites that support it. Obviously there are edges -
we're also hopefully going to start certificate pinning to further
reduce the threats to the user. This requires security on behalf of the
services users wish to use - historically, very few companies get
this right. Still - if the local network is your primary threat - local
to your town, local to your country, local to your national telecom -
there are solutions for people using services outside of those networks.
The solutions may even provide reasonable protection for other services
- it depends a lot on the context.

> 
> The advice in question was "stop carrying a phone", which is what I
> was responding to.  I don't need to wait for peer review to tell you
> that's very unlikely to happen at scale any time soon, and moreover,
> that the arc of the history of technology rarely bends towards
> renunciation.

I think that this is an interesting bit of advice and it really depends
a lot on a person's context. I think it may be an unequal burden to not
carry a phone that is always switched on. For some it is easy and for
others, it simply doesn't reflect their contextual requirements.

Are you a sysadmin? Are you on call as a doctor? Is your partner really
controlling or excessively worried? Probably it isn't possible to take
the advice of not carrying a phone. Or at least - there are times when
not carrying a phone builds up a kind of stress that isn't worth the effort.

Not everyone has those demands on their availability. There exist people
who are able to go about their day freely by schedule, rather than by
being at someone's beck and call.

Which are you? By suggesting that people don't carry a phone - I think
it allows a person to experiment and discover how free we might be to
make that choice.

I'm trying very hard to be in the second category by setting
expectations about how to reach me, how long it might take, what modes
of communication I prefer and so on.

Often, it doesn't work out - someone will try to reach me and I'll miss
it for hours at a time - only to learn later when it is irrelevant. This
is actually quite nice except in the times when it is critically important.

I've been without an actual real phone for a while - probably over a
year depending on how I count it. I've replaced my phone with a few
devices that pull or receive data over Tor or via (authenticated) Tor
Hidden Services. This is not for everyone, I admit - again, it does exist.

Essentially, I've been experimenting with data only services for
notification. People leave voice mails and text messages with my VoIP
provider, which is queued and forwarded to me. A delay of one second and
often less is unnoticeable to me. I'm using Tor for anything that
touches the wire unless I'm willing to disclose my location. I ensure
that my local network sees a randomized MAC address for each new
network. I tend to prefer chatting with Jabber over Tor Hidden Service
using Off The Record than phone calls. For the rare moments where this
doesn't work - such as when voice is required, I find that I am able to
choose if I want to reveal my current location or the location of a VPN
that I feel comfortable linking to my voice print. If I'm lucky, the
voice chat is with someone that uses ZRTP - either Cryptophone, Red
Phone, Jitsi, Silent Circle or other similar tools. I tend to think Red
Phone is the best current system that is generally available and
Cryptophone is perhaps the best system overall - as it is designed to be
run detached from Google's Play Store. I wish Cryptophone was free
software but alas, it isn't. I also wish Moxie would release redphone
and text secure without being tied to Google's tentacles but alas, he won't.

These things exist and privacy is not only possible - it is practical.
It just isn't holistically practical for a person that doesn't
specialize. That is a key issue that we clearly need to fix - a Guardian
Project phone or Guardian Project tablet for example, would go a long
way if all the privacy preserving tools were installed as the default.

It seems to be even better to ensure that there is a way to automatically
route messages properly to the correct applications.

Users shouldn't need to understand if the remote peer is using Red Phone
or Cryptophone or Text Secure or GibberBot. Users should signal their
communication intent and it should work.

A smart address book should be able to handle this and probably, if
we're lucky, a QR code could include all the expected keys or
fingerprints that we'd ever need to share. A unified interface is
clearly required for something like this and boy, that is a long way
off. Still - the building blocks for nearly everything else are working
today. They exist, they're just horrible to use - even the tools or
"full solutions" that spend a lot of time on UX.

All the best,
Jacob


