Jacob Appelbaum on How OSS Improves Cryptography 35
destinyland writes "Jacob Appelbaum, the Tor Project's main advocate, argues that Open Source software is necessary 'to both verify and improve' available cryptography. (Adding 'We also need that to ensure that everyone has a reasonable baseline — which is part of the cypherpunk ethos.') In this new interview, he's critical of a general public silence over government encroachments on privacy, but points to the current impact of the Tor network now as something that 'runs, is open and is supported by a large community spread across all walks of life.' And he ultimately identifies Tor as 'part of an ecosystem of software that helps people regain and reclaim their autonomy,' saying the distributed anonymous network 'helps to enable people to have agency of all kinds; it helps others to help each other and it helps you to help yourself.'"
Till... (Score:5, Insightful)
They make running or using a proxy illegal. They have the power to do that you know. Doing that technologically though, is a whole different beast.
Re:Till... (Score:5, Insightful)
Tor might be an alternative, but the best way to deal with the issue is to attack the privacy problem, head on. The post claims that there is no general public outcry, and that claim is wrong. There's lots of outcry. There's no one bribing politicians-- and that's why every thing you do is tracked, and that tracking is for sale.
Re:Till... (Score:5, Insightful)
Tor might be an alternative, but the best way to deal with the issue is to attack the privacy problem, head on. The post claims that there is no general public outcry, and that claim is wrong. There's lots of outcry. There's no one bribing politicians-- and that's why every thing you do is tracked, and that tracking is for sale.
Privacy is dead forever. Technological trends will render privacy dead no matter what laws you pass. Technology determines privacy not the law.
Re:Till... (Score:4, Funny)
Uh, no.
Privacy is part of dignity, and despite technology, I'll have my dignity. Now take your marbles and go hom, Eric.
Re: (Score:3, Insightful)
Privacy is only dead if you give it up right now. It's not dead yet. There are still people holding on to whatever bits of privacy are left (and there are some). You don't have to bring devices home with microphones in them or cameras. You can still get by without a cell phone. If you can't chances are you can simply turn it off when your not using it. It isn't a perfect solution although I work with someone who does exactly this. One of my employees isn't reachable while on the road. He does have a cell ph
Re: (Score:2)
Privacy is only dead if you give it up right now. It's not dead yet. There are still people holding on to whatever bits of privacy are left (and there are some). You don't have to bring devices home with microphones in them or cameras. You can still get by without a cell phone. If you can't chances are you can simply turn it off when your not using it. It isn't a perfect solution although I work with someone who does exactly this. One of my employees isn't reachable while on the road. He does have a cell phone. It is always off unless he needs to make a call. His wife calls him at work when she needs to reach him. You can use Tor to get privacy online in areas that you may not wish to be known for looking or things you may not want others to know you partake in or otherwise believe/speak.
In the real world privacy is largely dead. It is sad that the law doesn't prohibit hidden recording devices in public places. Where cameras might be absolutely necessary (high security instillations) there should be notices posted everywhere that one might be within the range of the camera.
A tin foil hat wont protect you from a high tech privacy invasion. There is no privacy and no way to defend yourself against the snooping potential of the electromagnetic spectrum.
They wont make it illegal (Score:5, Interesting)
They'll just put anyone who uses it under the most intense surveillance, hack their computers, creep into their house when they aren't around, etc. This is effectively better than making it illegal because it gives users a false sense of security. While they use Tor, they are being monitored by the secret services.
Tor does not prevent monitoring or surveillance. Surveillance that can see everything you do at your computer, everything you type, etc. What good is Tor under surveillance? It's useless if you're using it to go against the government.
Re: (Score:1)
That kind of effort would generally require a significant amount of resources if applied to more than a few hundred people. The only practical widespread surveillance they could pull off is somehow infecting everyone's computers with malware.
It would be far, far easier for them to just make it illegal and call it a day.
Re: (Score:1)
The only practical widespread surveillance they could pull off is somehow infecting everyone's computers with malware.
http://windows.microsoft.com/windows [microsoft.com]
Your point is?
Re: (Score:2)
Re: (Score:2)
Apparently you don't know the technology very well or the capabilities. Putting thousands of people under surveillance at a time is easy and is being done. I'm talking tens of thousands. It's expensive to scale up into the millions but millions of people wont be expert enough to use Tor and use it properly, and they probably know who all the most expert types are and are building files on them.
Re: (Score:1)
No- but you can use a hardened environment with Tor and it becomes much more difficult to legally conduct surveillance until there is at least suspicion (and Tor doesn't equal suspicion). At that point it highly depends on what the person is doing. If they are posting copyright infringing material? Probably not going to draw the attention of the authorities where the authorities are going to be able to identify a person of reasonable intelligence. Bomb threats? (there are lots of these and identifying a per
Re: (Score:2)
Take a look at the majority of internet people: pedos, crackers, scammers caught online and you'll see a similarity of them leaking their personal info somewhere online (forum account, IRC, etc...), the only one I can think of that actually got reverse engineered and traced were the guys running a giant botnet serving malware to the tune of 6 million in supposed revenue. So unless you're doing something on that scope, the feds probably won't care. Oh, and they take missing kids & child abuse (porn wou
Re: (Score:2)
No- but you can use a hardened environment with Tor and it becomes much more difficult to legally conduct surveillance until there is at least suspicion (and Tor doesn't equal suspicion). At that point it highly depends on what the person is doing. If they are posting copyright infringing material? Probably not going to draw the attention of the authorities where the authorities are going to be able to identify a person of reasonable intelligence. Bomb threats? (there are lots of these and identifying a person could be difficult from a large crowd if its been passed through tor; example schools have lots of kids who would be potential candidates for such activity; few kids really like school). Child porn? Again- unless there posting pictures/video/etc that could be a tough one. I'm pretty confident that there are lots of people out there. Just given the significant number of reports every day and the utter hopelessness of police catching every perp....
No it doesn't. They will find out you're using Tor and that is all they'd have to know to suspect you're a terrorist.We aren't talking about the USA.
Re:Till... (Score:4, Interesting)
The technology doesn't matter. A prohibition is designed to give the authorities 'probable cause' to spy on you and enter your house as they please without having to worry about that silly old constitution.
Eat a Renault 4, Wear salami in your ears... (Score:1)
there neighbour started doing this 4 only about and as of now took care of the mortgage on there condo and got a top of the range Renault 4. go to,
"There" neighbour bought a "top of the range Renault 4"? [wikipedia.org] Seriously?!
:-)
It makes a change from lying to us that he bought a Ferrari, or some other bullshit... perhaps you're trying to appeal to people who like 1960s and 70s French economy cars...
Re: (Score:2)
There will come a time when everything is illegal, and it will be left to the police or the government to decide who to prosecute.
This way we can have the illusion of living in a democracy but in fact we'll be under the paw of an arbitrary power. Of course the normal guy who doesn't stand out will never notice it, but those who bother the rich and powerful will be quickly and effectively silenced, in a completely legal way. It's already happening, for example with patents and copyright.
Wasn't this how
This is obvious to anyone who has studied crypto (Score:5, Informative)
If the source and implementation is closed it could be backdoored from the kernel to the compiler to the random number generator to the crypto algorithm implementation.
Here is a problem though, since Windows is closed source what good is Tor or crypto in that environment? If you have to use crypto for any reason other than to protect your passwords then its probably at risk whether you use open source or not. Just one bug or backdoor allowing a RAT to interface with your computer and gain root/superuser or anything like that and all your keys are compromised. Key generation would have to be done in hardware. Entropy is also an issue you probably wont easily solve. There is a very long way to go before any crypto implementation will be secure and mainstream. Linux has not changed that game because you install one wrong piece of software and you've got a backdoor and it could be disguised as a legit piece of software. Since not every piece of software run on Linux is open source you don't know for a fact.
Re:This is obvious to anyone who has studied crypt (Score:4, Informative)
Even OSS can be vulnerable [bell-labs.com]
Re:This is obvious to anyone who has studied crypt (Score:4, Informative)
Re: (Score:2)
Yeah, and Ken Thompson's proposal is very brittle. If I've got two C compilers that aren't rigged in exactly the same way, I can defeat his mechanism almost trivially, and detect it almost as easily. If you get all your software from one source (*cough*Microsoft*cough*), you can't trust it any more than you can trust its source. If it's closed-source (*cough*Visual Studio*cough*), you either try to reverse-engineer it from the binary or trust (or not trust) it as is.
Re: (Score:2)
Why stop at Linux?
What good does it do to run software on Linux when you run on an Intel CPU with proprietary microcode?
You have obviously not *studied* security, although you raise real concerns. A security analysis requires defining a threat model.
The more obscure the threat model (such as Intel injecting a Tor backdoor into the microcode of its CPUs), the less weight it is given.
I'm not using an Intel based CPU. That being said I'm aware of that and other potential backdoors which is why I said what I said.
Re: (Score:1)
Because security through obscurity Just Works!
Re: (Score:3)
And, incidentally, close that side channel.
The crypto algorithms are fairly straight forward (of you have an undergraduate degree in math). There is nothing secret there, however various intelligence agencies around the world no doubt DO have secret processes not (yet) publicly known. Most crypto is broken by either technology catching up to make a head on attack feasible, or through side channels like bugs, or compiler idiosyncrasies.
Peer reviewed source code (along with any dependency version control an
encroachments on privacy (Score:5, Insightful)
In this new interview, he's critical of a general public silence over government encroachments on privacy
That is an important issue. But what I see is an even greater silence over corporate encroachment on privacy. Left alone, I think corporations could cause even greater damage (in part because of it's huge influence on government). So this is where I focus my efforts. Things like big banks sharing out financial details ... just for profit.