IT experts prove themselves as useful idiots as a civil war escalates over the proper security activists and journalists should use to evade repressive governments.<\/h3>\n
Right now there is a battle raging on the Internet between IT security experts about how activists and journalist can safely communicate sensitive information without some oppressive totalitarian government killing them for it.<\/p>\n
The battle is centered around the recent fanfare given to the ability CryptoCat to safely allow people to communicate easily via an online based instant messenger chat system.<\/p>\n
As these IT experts continue throwing insults at one another, disproving each others claims and promoting their technology of their own choice, they are ALL accomplishing little more them proving themselves to be useful idiots<\/a>.<\/p>\n For the TLDR crowd \u2013 and I will fully qualify this statement \u2013 There is no such thing as a safe and secure online communication system PERIOD. I don\u2019t give a shit which one of these \u2018experts\u2019 tells you otherwise and if you want to be dumb enough to risk your life trusting one don\u2019t say I didn\u2019t warn you when you are being hung.<\/p>\n As these \u2018experts\u2019 continue touting the one technology verse another the bottom line is they are all extremely incompetent, ignorant or both and are all wrong \u2013 there is simply nothing that will evade government actors period and these \u2018experts\u2019 are nothing more that useful idiots for those repressive governments for telling you anything otherwise.<\/p>\n In case you haven\u2019t been following the drama the insults getting thrown back and forth the gist of the attacks goes something like this:<\/p>\n Very loosely paraphrased<\/em><\/p>\n This so-called security expert on site X is a fucking idiot and is clearly setting you up to get stung by [Insert choice of totalitarian government (US, China, Iran) here] by claiming [insert security\/encryption technology here] is safe and secure.<\/p>\n [insert security\/encryption technology here] is not safe and secure and here\u2019s how you\u2019ll get fucked if think using it will protect you from [Insert choice of totalitarian government (US, China, Iran) here]<\/p>\n Now instead of using that dumb fuckwit\u2019s technology you should used [insert attacking idiots security\/encryption technology of choice here] because it because it addresses the obvious flaws that the original fucknut failed to warn you about hence making it safe and secure.<\/p>\n<\/blockquote>\n While the tone of the conversation is alarming if there is anything good coming out of the conversations it is these experts are finally revealed to the long deceived public security systems they once believed to be safe (such as SSL systems) really are anything but safe and a susceptible to wide range of attacks from \u2018bad state actors\u2019.<\/p>\n But was is alarming about this is that as each expert debunks on security framework they push another system of technologies which of course gets exposed as being vulnerable by another expert.<\/p>\n The danger in all of this is that an activist or journalist who didn\u2019t read the debunking of some touted technology is susceptible to unknowingly use that technology believing it will stop the Egyptian government from imposing a life sentence, or the Iranians from handing out a death sentence, or the Americans from \u2018disappearing\u2019 them to some secret CIA torture prison for the remainder of their days on earth without a trial or jury.<\/p>\n As I will explain below all of these technologies are vulnerable\u2026 period.<\/p>\n But first a quick overview of the shit throwing that is going on.<\/p>\n Instead of taking you back to the start, this wired article picks up a few attacks and counterattacks later:<\/p>\n Note \u2013 These are select excerpts from a long 5 page article:<\/em><\/p>\n Two Fridays ago, Wired published a 2,000 word feature story by Quinn Norton about Cryptocat, an online chat system that\u2019s working to make encrypted chat as simple as loading a web page. Norton profiled its creator Nadim Kobeissi<\/a>, the intimidation from U.S. officials he\u2019s claimed to have faced, and the difficult technical challenges that such a program entails.<\/p>\n The piece delves into Kobeissi\u2019s motivations, the initial pushback from the security community and his dedication to making a security tool that\u2019s actually usable by someone outside the rarefied world of crypto geeks.<\/p>\n I was quite pleased the story gathered a lot of attention, including making it onto the front page of Reddit<\/a>.<\/p>\n A few days later, Christopher Sogohian, a well-known and widely respected voice in the security community<\/a>, penned a response entitled \u201cTech journalists: Stop hyping unproven security tools<\/a>,\u201d lambasting Wired\u2019s story, laying it side-by-side with other sites\u2019 coverage of security vaporware. He called it \u201cbad journalism.\u201d<\/p>\n As the editor of the piece, I\u2019m going to disagree.<\/p>\n Clearly, Cryptocat<\/a> is not always the ideal tool. So far nothing is. But that doesn\u2019t mean it\u2019s a bad tool or that writing about it is bad journalism.<\/p>\n Even the well-tested tools like Tor<\/a>, Off-The-Record IM<\/a> encryption (OTR) and PGP<\/a> (e-mail and disk encryption) are vulnerable to a simple keylogger being installed on a machine, among other attacks.<\/p>\n Cryptocat is a very interesting addition to the suite of security tools available to the world, and is a refreshing breakthrough \u2014 thanks to its focus on user experience, something that is abysmally lacking in security tools like Tor and OTR.<\/p>\n [\u2026]<\/p>\n While this post is a response to Soghoian\u2019s critique, it\u2019s not really directed at him \u2014 it\u2019s meant for the portion of the security community his blast was emblematic of.<\/p>\n First, you\u2019d have no indication from Soghoian\u2019s critique that Quinn Norton is anything other than an overworked, technically illiterate blogger filling a quota by writing up press releases hyping the next big thing.<\/p>\n He writes: \u201cWhen a PR person retained by a new hot security startup pitches you, consider approaching an independent security researcher or two for their thoughts. Even if it sounds great, please refrain from showering the tool with unqualified praise.<\/p>\n By all means, feel free to continue hyping the latest social-photo-geo-camera-dating app, but before you tell your readers that a new security tool will lead to the next Arab Spring or prevent the NSA from reading peoples\u2019 emails, step back, take a deep breath, and pull the power cord from your computer.\u201d<\/p>\n Norton has never written a story for Wired or any other publication based off a press release. That\u2019s not the kind of thing she covers. She covers Occupy and Anonymous \u2013 penning thoughtful, informed, well-sourced pieces<\/a> that often climb past 3000 words. Moreover, she\u2019s been part of security\/geek\/electronic freedom communities for years, and for more than a decade has been an educator teaching people how to use their computers..<\/p>\n She uses more crypto and practices more vigilant opsec than any other reporter I\u2019ve ever met (and for good reason). But you\u2019ll not find any indication of that in Soghoian\u2019s post. Instead, she gets dismissed because she\u2019s made comments on Twitter criticizing the security community for its first-world white male privilege.<\/p>\n Moreover, Soghoian suggesting that if Quinn Norton ever wanted to write about about encryption tools in the future, she ought to \u201cstep back, take a deep breath, and pull the power cord from your computer\u201d isn\u2019t just rude and obnoxious, it\u2019s border-line sexist and an outright abuse of Soghoian\u2019s place in the computer security world.<\/p>\n [\u2026]<\/p>\n<\/blockquote>\n Norton asked Meredith Patterson, a talented and well-known security figure, who was initially critical of Cryptocat and who has reviewed the codebase, for comment:<\/p>\n \u201cBrowsers are huge, complex, multilayered beasts with lots of moving parts, and every last one of them implements at best some dialect of each of the many standards that a modern browser has to support,\u201d said Meredith Patterson, a senior research scientist at Red Lambda. Patterson deals with security and cryptography on an architectural level in her research, and has reviewed and commented on Cryptocat.<\/p>\n Problems like bad browser sandboxing meant that something in one tab could affect a session in a Cryptocat window. No libraries or standards existed to handle normal encryption functions in Javascript. The biggest problem is that delivery of Javascript code from server to browser could be intercepted and modified by breaking the SSL connection without a user ever knowing they were running malicious code.<\/p>\n Kobeissi faced criticism from the security community for even trying, but he persevered. Now more than a year later, \u201cCryptocat has significantly advanced the field of browser crypto,\u201d he said with obvious pride. \u201cWe implemented elliptic curve cryptography, (and) a cryptographically secure random number generator in the browser,\u201d along with creating a Cryptocat Chrome app to address the code delivery problem.<\/p>\n \u201cI don\u2019t think Nadim really knew what he was in for when he started this project, but although it got off to a bumpy start, he\u2019s risen to the occasion admirably,\u201d said Patterson.<\/p>\n But Kobeissi also knows that it\u2019s equally important that Cryptocat be usable and pretty. Kobeissi wants Cryptocat to be something you want to use, not just need to. Encrypted chat tools have existed for years \u2014 but have largely stayed in the hands of geeks, who usually aren\u2019t the ones most likely to need strong crypto. \u201cSecurity is not just good crypto. It\u2019s very important to have good crypto, and audit it. Security is not possible without (that), but security is equally impossible without making it accessible.\u201d<\/p>\n Patterson agrees with Kobeissi\u2019s approach. \u201cAs much as it drives all of us nerds batshit, J. Random internet user spends most if not all of her time in the browser, and generally doesn\u2019t care to install even a separate email client \u2014 much less a separate chat client,\u201d she said. \u201cIf you don\u2019t go where the users live, you don\u2019t get users. End of story.\u201d<\/p>\n<\/blockquote>\n [\u2026]Soghoian\u2019s main objection is that as a browser-based tool that relies on JavaScript, Cryptocat is vulnerable to man-in-the-middle attacks. Therefore, no one should rely on it at all and instead should install complicated crypto tools such as the OTR add-in that require both parties to a communication to have configured the software correctly (including knowing to turn off logging in their chat client.)<\/p>\n That, he says, was not made clear in Wired\u2019s story until late, implying we wanted to hide it from users.<\/p>\n [\u2026]<\/p>\n For the record, the headline on the story, This Cute Chat Site Could Save Your Life and Help Overthrow Your Government, and the placement of the section on the tool\u2019s experimental nature, were my choices as the editor. I won\u2019t apologize for the headline which, though bold, was also accurate. Moreover, Quinn\u2019s first draft had the section that Soghoian thought came too late \u2014 about the tool being in its early stages and being vulnerable to certain attacks \u2014 starting in the ninth paragraph of a very long piece.<\/p>\n I made the decision to move it down, since the piece read much better in a different order. Leading with Kobeissi\u2019s background put the software in a different context \u2013 the software came across as an expression of a worldview informed by Kobeissi\u2019s life in Lebanon and the interrogations he says he\u2019s endured at the U.S. border.<\/p>\n We weren\u2019t hiding anything from readers \u2014 we write long stories and our readers read them.<\/p>\n Soghoian says we failed our readers and put their lives at risk because Cryptocat is made for the \u201ctl;dr crowd\u201d. For those who don\u2019t know, tl\u2019dr means \u201cToo Long; Didn\u2019t Read\u201d and is used online to dismissively signal that a story is too long, but often it just demonstrates a person\u2019s intellectual laziness.<\/p>\n It\u2019s a very telling assumption about Wired readers and Cryptocat\u2019s users. In Soghoian\u2019s view, a simple encryption tool that focuses on user experience is meant for those who are lazy and stupid and who can\u2019t be bothered to read a longish story. It\u2019s a convenient way to elide longstanding criticism of\u00a0security\u00a0tools for being too difficult for even decently tech-savvy users to configure and install.<\/p>\n [\u2026]<\/p>\n Speaking for a very vocal part of the crypto-community, he goes on to argue that it is dangerous to encourage people to use a tool that is safer than Twitter, Facebook, AIM or Google Chat, but not as safe as OTR.<\/p>\n It is by now well documented that humans engage in risk compensation. When we wear seatbelts, we drive faster. When we wear bike helmets, we drive closer. These safety technologies at least work.<\/p>\n We also engage in risk compensation with security software. When we think our communications are secure, we are probably more likely to say things that we wouldn\u2019t if our calls were going over a telephone like or via Facebook. However, if the security software people are using is in fact insecure, then the users of the software are put in danger.<\/p>\n<\/blockquote>\n [\u2026]For instance, Soghoian is one of the net\u2019s biggest proponents of increased use of SSL (encountered on the web as https:\/\/) as a way to increase user safety.<\/p>\n But SSL is widely known to be vulnerable to the exact same man-in-the-middle attack<\/a> as Cryptocat. Soghoian knows about this problem and has written extensively about the flaws in SSL<\/a>, as have the security experts that he prefers to Patterson. In short, it\u2019s not very hard for a business, an ISP or a country to muddle with SSL certificates so that it can spy on a user who thinks she is connecting securely to a site.<\/p>\n Clearly, a user who sees a lock icon in their browser might well say something more damning or explicit than they would if that icon weren\u2019t there assuring them they are safe.<\/p>\n Despite that, Soghoian has been a leader in pushing the net\u2019s biggest tech companies to adopt SSL by default, accusing them of putting users at risk by not doing so<\/a>. In 2009, he published an open letter to then-Google CEO Eric Schmidt<\/a> to implement HTTPS as the default for Gmail, Google Docs and Google Calendar. He later pushed Mozilla to turn Firefox\u2019s search box\u2019s default to encrypted Google search<\/a>.<\/p>\n He and the security community are right \u2013 despite the known flaws in SSL, and Wired has covered their campaigns extensively.<\/p>\n However, nowhere in these efforts does Soghoian mention or address that a user who see HTTPS might engage in riskier behavior. For example an employee might send an e-mail critical of their boss from a private webmail account accessed on a work computer \u2014 assuming that the communication is safe from prying eyes \u2014 when in fact the certificates installed in their browser have been modified by their employer so that employees can be spied on. Or a Iranian activist could login to Facebook over HTTPS<\/a>, only to find later she\u2019d been spied on.<\/p>\n But when it comes to another tool with known vulnerabilities \u2014 one created by an outsider to the clubby crypto community and one that\u2019s written up by a woman and reviewed by a female security expert, Soghoian turns to the \u201crisk compensation\u201d argument.<\/p>\n That\u2019s a shame because in the real world, most people don\u2019t chose to be activists or to be in a position where encryption is necessary. It\u2019s rarely a lifestyle and occupation choice, as it is for many in the U.S. They become activists or whistleblowers because something happens to them \u2013 or because there\u2019s some larger, inescapable event that intrudes on their lives.<\/p>\n What people do is turn to the tools that are familiar and easy \u2013 Skype, Facebook, Twitter \u2014 not to installing PGP, TOR, Pidgin and OTR. Ideally, citizens-turned-activists will eventually learn to use those more complicated tools, but there\u2019s a continuum.<\/p>\n [\u2026]His vocal critics crowed over his capitulation. Soghoian asked me for a retraction. Then they complained that version 2 was still unsafe since Google could decide to deliver an infected plug-in.<\/p>\n [\u2026]Source: Wired<\/a><\/p>\n<\/blockquote>\n The latest in the escalation of the civil war among these \u2018security experts\u2019 comes from Patrick Ball, via wired as well, which attacks the wired article above,<\/p>\n In doing so, he continues the same cycle I paraphrased above, pointing out why Cryptocat is vulnerable because the host can be compromised and goes own to tout the security system used by his own company again in either incompetence or in ignorance believing the technology and those who use are safe from repressive governments.<\/p>\n Note: these are excerpts from a two page wired article<\/em><\/p>\n As one of\u00a0people who built<\/a>Martus<\/a>, an encrypted database used by thousands of human rights activists around the world, I routinely confront the needs of users who are not in wealthy countries, as well as the difficult problem that creating real, easy-to-use security poses. My thoughts here are focused on the democracy activists, citizen journalists, and human rights workers in the world\u2019s toughest political environments. These are our Martus users, and my colleagues and friends. These are people who need security more than just about anyone: it can be literally a question of life and death.<\/p>\n One thing that makes that already difficult situation worse, though, is when otherwise well-informed people give bad advice about what is and is not secure. Unfortunately, an opinion piece\u00a0at Wired<\/a>\u00a0recently espoused a view I find inaccurate, misleading, and potentially dangerous about using certain tools for human rights work. I\u2019ll explain the problem here, and I\u2019ll offer some questions you might ask about security applications in the future.<\/p>\n My concerns stem from a\u00a0sharp debate\u00a0over software called\u00a0CryptoCat<\/a>\u00a0\u2013 a debate spurred largely by an\u00a0admiring profile<\/a>\u00a0at Wired. CryptoCat is a web-based chat application which uses encryption to scramble the contents of a conversation, in theory resisting electronic snooping. The interesting twist is that CryptoCat does the crypto without using the easily-thwarted security built into browsers (called SSL), and without requiring the user to download and install additional software (like\u00a0Pidgin<\/a>\u00a0and\u00a0OffTheRecord<\/a>).<\/p>\n Seems great, right?<\/p>\n Well, not so great. CryptoCat is one of a whole class of applications that rely on what\u2019s called \u201chost-based security\u201d. The most famous tool in this group is Hushmail, an encrypted e-mail service that takes the same approach. Unfortunately, these tools are subject to a well-known attack. I\u2019ll detail it below, but the short version is if you use one of these applications, your security depends entirely the security of the host. This means that in practice, CryptoCat is no more secure than Yahoo chat, and Hushmail is no more secure than Gmail. More generally, your security in a host-based encryption system is no better than having no crypto at all.<\/p>\n [\u2026]<\/p>\n CryptoCat\u2019s security is based on how it convinces your browser to do the encryption on your computer. To simplify, there are two parts to an encryption system: the encryption engine, and the key. The encryption engine is the software that does the actual work \u2014 everyone who uses the tool uses the same encryption engine. The second component is your key, which is unique to every user. The key holds, well, the key to your security. It must be kept secret, so only you have it. Again simplifying, the key consists of a tiny computer file and your passphrase. (If you want to know more about keys, see\u00a0my earlier blog post on this topic<\/a>).<\/p>\n n host-based systems, the host keeps the tiny computer file, but not your passphrase. The idea is that only you know your passphrase. In theory, the host cannot access your data because although they have part of your key, they don\u2019t have your passphrase. When you login, the hosts sends the encryption engine to you in a computer program (called an applet) that runs inside your browser; the tiny computer file with part of your key is attached alongside the applet. All the encryption and decryption happens in your browser, on your computer. That means that the host only ever sees the encrypted data. Since only you have your passphrase, your data should be secure, even if the host wants to attack it.<\/p>\n But there\u2019s a problem. If an attacker can get access to your key and your passphrase, all your encrypted data is now accessible to him. Remember that the host already has your key. All they need is your passphrase. So if the host wants to attack you, all they need to do is send you a special encryption engine that captures your passphrase the next time you use the service. As usual, it does all the encryption and decryption for you, right on your computer. But it also remembers your passphrase, and sends it secretly back to the host. This is the heart of the attack: if the server sends you a special applet that spies on you, all your encrypted data is now wide open.<\/p>\n Source: Wired<\/p>\n<\/blockquote>\n Patrick Ball is entirely right for pointing out the vulnerabilities of \u2018host based\u2019 systems, he and every other security expert attacking Cryptocat as being insecure for this reason are really proving to be useful idiots when they advocate other security systems as being safe when they to are also downloaded of the internet.<\/p>\n For starters, just because they are downloaded only single time and installed\u00a0 the user computer and executed from the user\u2019s computer in each instance afterward still does not discount the fact a repressive government can compromise that original download.<\/p>\n Yet, a version of Cryptocat allows users to install a plugin in their browser \u2013 from Google\u2019s server \u2013 after which the Cryptocat code is executed from that single download meanwhile these idiots push that as being insecure while saying their systems \u2013 which too are downloaded \u2013 are safe.<\/p>\n Then there is the fact that there are a wide vector of attacks to compromise even that code that is already installed on a local computer \u2013 I mean just look at the riddled security flaws in the windows operating system.<\/p>\n One could argue \u2018but you can download the original open source code and compile it yourself\u2019 but let\u2019s get real. Nothing says that source code isn\u2019t going to be intercepted and modified or that source code is even free from attacks.<\/p>\n Even then that source code needs to be compiled and what stops an oppressive government from using nasty little things like National Security Letters to secretly put code into the compiler to inject vulnerabilities into the open source.<\/p>\n Or an ISP can be ordered to forward your internet traffic through a government controlled router who can then in turn do all kinds of nasty things \u2013 like give you malicious code updates for your operating system and other software.<\/p>\n While you may think this is far-fetched, you only need to look at what the US government did with the notorious Stuxnet and Flame viruses.<\/p>\n The Flame virus in fact replicates itself by attacking windows updates and a bad government actor certainly has the ability to do the same with linux\/unix package updates or whatever software you have on your system.<\/p>\n The only way to prevent this would be to never update anything on your computer at all and with things like planned obsolescence that is highly unlikely.<\/p>\n Even worse it is highly likely that government back doors are all over you computer and electronic equipment to begin with.<\/p>\n When using excuses such as national security it is not unimaginable to think that your windows NDIS driver ( which handles all network traffic), your keyboard drivers, your monitor drivers or whatever else has all kinds of \u2018zero day\u2019 vulnerabilities (read purposefully install on the order of a national security letter government backdoor).<\/p>\n We are not talking about things that are possible in theory here either \u2013 but are possible in practice and are openly available technologies.<\/p>\n These are things that are a matter of a government choosing<\/strong> to implement and when your life hangs in the balance and their excuse is national security, you just better think twice.<\/p>\n Do you really trust that the microchips in your computer or smart phone don\u2019t have hidden functionality in them to begin with?<\/p>\n Encryption does nothing if the unencrypted data can be intercepted before it is even encrypted.<\/p>\n And let\u2019s suppose that only the encrypted data exists and is accessible it is well-known that any encryption system can be cracked.<\/p>\n Seriously, it\u2019s not a matter of whether its uncrackable and encryption systems are designed to be uncrackable.<\/p>\n Instead they are designed with the consideration being if it is practical to crack them which is based on ASSUMPTIONS<\/strong> of how long it would take to crack<\/strong> given the technology commonly known to exist and<\/strong> on \u2018practical estimates of how fast that technology will advance in the foreseeable future.<\/strong><\/p>\n For example, the number of bits used in RSA encryption have historically been based on a key not being able to be cracked in less than 10,000 years given projections on how fast technology will exist.<\/p>\n Yet, the number of\u00a0 bits used has been repeatedly increased because the previous estimates not only were found to be far to lacking but were themselves cracked.<\/p>\n Bottom line is a government actor can crack TOR, or OTR, AES, or anything else that you think they can\u2019t.<\/p>\n If you think you are so smart and I am wrong then go right ahead and bet your life on it.<\/p>\n I could literally write an entire reference manual on how \u2013 given the government\u2019s power and resources \u2013 to crack all of these systems that people swear up and down are secure.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":" IT experts prove themselves as useful idiots as a civil war escalates over the proper security activists and journalists should use to evade repressive governments. Right now there is a battle raging on the Internet between IT security experts about how activists and journalist can safely communicate sensitive information without some oppressive totalitarian government killing … Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.alexanderhiggins.com\/wp-json\/wp\/v2\/posts\/309"}],"collection":[{"href":"https:\/\/blog.alexanderhiggins.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.alexanderhiggins.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.alexanderhiggins.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.alexanderhiggins.com\/wp-json\/wp\/v2\/comments?post=309"}],"version-history":[{"count":3,"href":"https:\/\/blog.alexanderhiggins.com\/wp-json\/wp\/v2\/posts\/309\/revisions"}],"predecessor-version":[{"id":1250,"href":"https:\/\/blog.alexanderhiggins.com\/wp-json\/wp\/v2\/posts\/309\/revisions\/1250"}],"wp:attachment":[{"href":"https:\/\/blog.alexanderhiggins.com\/wp-json\/wp\/v2\/media?parent=309"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.alexanderhiggins.com\/wp-json\/wp\/v2\/categories?post=309"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.alexanderhiggins.com\/wp-json\/wp\/v2\/tags?post=309"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
\n
Security Researchers: How to Critique a Tech Story Without Being Arrogant and Exclusionary<\/h2>\n
\n
\n
\n
\n
When It Comes to Human Rights, There Are No Online Security Shortcuts<\/h2>\n
Why They\u2019re All Useful Idiots<\/h3>\n