Category Archives: Technology

Posted on
by

Today, Groklaw, a site responsible for, among other things, victory in the SCO patent troll attack on the Linux kernel, followed Lavabit and shut it’s doors. It did so because there is now no way to communicate securely on the internet; traffic is routinely intercepted, servers can be stolen and operators forced to reveal confidential sources.

This is the world we live in, and have been living in for a while now, but thanks to a whistleblower we are all forced to confront this reality.

So, as technologists, what can we do to protect ourselves and our loved ones?

Truth is there is no silver bullet, but that doesn’t mean we just give up and go home. While the technology is only a small part of the issue here, it is something that we as technologists and makers are in a position to do things about.

While we work to solve the political problems that have caused this current situation, I think that we need to work towards making cryptography ubiquitous. Analysis of some of the leaked material already suggests that if the level of cryptographic content was raised, it would raise the cost of analysis by government agencies to an impractical level, and at the very least we’d remove “use of encryption” as grounds for suspicion.

When we build systems we need to decentralise, so there’s no one server and operator to intimidate. We need to protect content and metadata, because who talked to whom, and where, is still sensitive information. We need to work on the UX of the systems that are available, so that cryptography isn’t something someone who just wants to use the computer needs to think about. Think of these sorts of things as safety equipment, like seat belts or airbags. They should just work, without the operator having a degree.

Don’t be this guy.

We needed to think about this stuff before the first sharpie hit the paper.

Coulda, shoulda, woulda….

In the mean-time, we need to use the tools that we have. Make security and cryptography ubiquitous. As technologists, we have the knowledge to protect ourselves (and if you’re not already, you’ve got no excuse), but we also have a duty to help our friends, neighbours and family as well.

So, encourage your friends to use encrypted email and OTR messaging on IM, explain why it’s important while helping them install and use the plugin. Install HTTPS Everywhere on your mum’s computer. Talk to your neighbours about the dangers of the guilt by association fallacy in relation to communication metadata while installing the TOR browser bundle on their laptop.

You get the idea, friends don’t let friends use cleartext!

Posted on
by

Edward Snowden’s exposure of the illegal mass surveillance of basically everybody conducted by the NSA and GCHQ, has and is still causing international political fallout. Hijacking diplomatic flights and using anti-terror legislation to intimidate journalists, aren’t doing much to help matters.

Glyn Moody suggests that, given the widespread abuse of communication technology by the security services, campaigning to get everyone online may not be such a good idea.

Here’s my response:

People shouldn’t necessarily throw away an entire technology just because a few (thousand) bad apples abuse it. As technologists, what this means is that we need to build in safeguards (encryption, obfuscation, anonymous routing etc etc) which make such abuses impossible in the future.

This is already starting to happen (almost every other post on Hacker news these days is some new product that solves one part of the puzzle).

Everyone can do something:

Joe User can do some simple things – install the EFF’s HTTPS Everywhere plugin, and use email encryption (if we can make encryption ubiquitous then we make the PRISM/Tempora kind of abuse much much harder).

Network admins can do things like move their DNS over to OpenNIC (a drop in replacement domain name system run by volunteers outside of government control, often without any logging of queries) and use DNSCrypt to encrypt lookups.

Coders can look at throwing their weight behind an open source project – perhaps add encryption support to their favourite mail client (or make the UX easier), or take a look around at some of the decentralisation projects going on (particularly worth looking at the #indiewebcamp community).

Basically, we need more engagement, not less. Decisions are made by those who show up, and as Tesco put it, “Every little helps” :)

What are your thoughts?

Posted on
by

The fallout from the Snowden affair seems to keep coming, with the shuttering of not one but two secure email services.

For those who have been living under a rock for the past month or so, Edward Snowden is the whistleblower and political dissident who leaked evidence of vast illegal US and UK internet surveillance projects, and who has currently been granted asylum in Russia. Given the American government’s shockingly poor record on the treatment of its political prisoners, as well as their clear desire to make an example of him, I for one am relieved Russia stepped up to its obligations under international law. Granting Mr Snowden some respite from persecution, however temporary that may be, was both legally and morally the right thing to do, even if the cognitive dissonance that I feel from the reversal of the traditional narrative is giving me a migraine.

Known in crypto-analysis circles as “The Rubber Hose technique”.

Lavabit, a Texas based provider of encrypted email apparently used by Snowden, shut down to avoid becoming “complicit in crimes against the American people”. Later Silent Circle, based in Maryland, did the same, taking the view that it was better to close down and destroy its servers than to deal with the inevitable bullying.

The message seems to be simple. You can’t rely on the security of services where the data is out of your control, especially if the machines or companies involved have ties to the USA, but to say you’re safe from this sort of thing because you use a non-us provider (as many seem to be saying) is frankly delusional.

For those who are looking for alternatives to giving all your data to a third party, I do suggest you check out the #indieweb community, especially if you’re a builder. #indiewebcamp-uk is happening in September in Brighton, RSVP here.

It seems it is fast becoming a dangerous time to be a software creator, and no matter how secure your platform, you always run the risk of the rubber hose technique. As an industry, we are living in “interesting times“, it will be interesting where we go from here.

Update: Graham Klyne points out that Silent circle haven’t shuttered their end-to-end encryption offerings.

Image “Security” by XKCD.