micah:
> Eugen Leitl <[email protected]> writes:
>
>> On Sun, Apr 21, 2013 at 03:07:35PM +0200, ilf wrote:
>>
>>> I can't believe this bullshit thread recommending *only*
>>> commercial services.
>>
>> Look, free is distinctly unaffordable. If you need a dedicated box
>> somebody has got to pay for the hosting and remote hands. Activists
>> donating own resources are quite nice and cool (heck, been there,
>> done that) but ultimately you can't rely on them to be there if
>> the shit hits it.
>
> Can't rely on them to be there for what exactly?

To be fair - some activist communities just aren't holding the five nines that other companies hold up as marketing material. ;-)

> Where is the liberatory technological element to recommending
> commercial services when they are more than happy when the "shit hits
> it" to bend over backwards for law enforcement without bothering even
> questioning if the request is even legal because that would cut into
> their profits? I have to say I agree with ilf, this is pretty
> depressing for this list.

I thought about the sheer number of people trying to compromise some of my most public systems. The trade-off was one where I stopped worrying as much about buggy software and traded it for legal attacks; I did so knowing that if I were to lose, I would still *win* in that I would learn something and set an undeniable example and if I were to win outright, I'd have defended my or access to such systems successfully.

Thus I actually selected Google, Twitter and other service providers to test a theory about how companies might act when pressed. Each company has law budgets that greatly exceed the amount of money I could ever hope to raise or spend on my own. After all is said and done - their brands rely on people believing that they're good and will fight for their users.

I actually told the FBI about this strategy during a Q&A in NYC - which if you haven't seen it is ... well, let's say, I wasn't the only one who thought it was funny:

https://www.youtube.com/watch?v=dTuxoLDnmJU

In short - there are companies that will go to court and even, if you're lucky, spend *millions* of dollars on defending you because it is their business model by proxy that they're defending.

Not all companies will do this though. Boy oh boy, the companies that did attempt to protect my data versus the companies that didn't or didn't/don't have the ability to tell me is _very_ low. I'd guess it is around three known actors with likely over one hundred others at the bare minimum.
That's just for active accounts, I might add. I believe there was a lot of data sitting around in logs and other places where I had not consented to the collection (AT&T) and naturally such collectors don't notify or ask for your consent in such a case...

So, let's say that the company goes to court for you. What will it matter practically? Well, I think it depends on the technical *and* social architecture of the system as it is constructed, run and maintained.

The question that comes to mind about architecture is one that most people on this list generally dismiss out of hand. It happens for VPNs vs Tor, email hosting, chatting, web browsers, etc, etc.

We should consider that if the architecture of a system, even a mostly *technically* secure system, is optimized for surveillance to the company's benefit - it *will* almost certainly be forced to hand your data over when ordered. Simply because it *is able to do so* at all, we've learned that the law in the US is interpreted to suggest that such companies must and they must do so silently.

And it seems to be the case that when the US has no legal recourse, it may use other methods for jurisdictions beyond their direct legal reach. It might happen through legal means, it might happen through general blackhattery, it might happen through kidnapping a family member - compliance is possible and there exists a case where compliance *will* happen. I have a friend who said that in the days following the seizure of my telephone by the US Government that his entire home network was compromised and that included his X-Box. That is a lot of 0day to burn and I think intelligence related folks are really in the golden era of their industry.

And when that happens, it won't matter if they had gone to court for you in a practical sense - the data is in the hands of whoever wanted it. It may or may not be used in court - that is largely irrelevant as life is often made miserable by things outside of courts.
As an example, replace legal threats with, say, threats from the Zeta Cartel rather than threats from a US Court and we see how strongly these systems will stand up. Absent an attacker, many systems are secure and so, what is the ultimate stopping block when such an attacker is present?

Not having the information, of course. Or having it in an encrypted format such that it is useless without the user consenting to decryption in some privacy preserving manner. We generally call this Privacy by Design and the idea is a loose one, sometimes poorly implemented. Generally it suggests a compartmentalized design of systems where the systems are compartmentalized with something more than a promise.

Most of the radical collectives realized this long long ago - there is little difference between an FBI agent who wants to *illegally* do something and one who wishes to challenge a group with no legal resources and will thus lose. The same exists for attacks from other groups legal, illegal or perhaps even unknown. The end result of a successful attack is a loss in all cases, almost always. Even if they "promise" not to use the data. Cryptography may be used to ensure that short of a crypto key, a service won't have the ability to betray that promise and so the attacker won't ever be able to betray it either.

So what will be lost? With a proper design - little to nothing from the past but perhaps it gives an advantage moving forward.

As those radical collectives do not profit from surveillance and rather exist because of their users entirely, they try to secure themselves against the threats that companies otherwise leave as a matter of monetization. Some of them do better than others, obviously.

One thing should be clear: The architecture of a system limits the autonomy of those who participate in running it. So, shall we design systems that limit that autonomy to be in line with the expectation set for users and the promises to users about protecting privacy? I think so.

So what good are corporate services? They're sometimes good to use as hedge against more powerful adversaries and especially if you're trying to find the edges, such that we all better understand the entire set of choices!

So - where is the liberatory technological element you ask? "Corporate Mutual-aid" - a guide for activists? Probably not! An important set of hard learned lessons? Absolutely!

> How can anyone in good conscience recommend to activists commercial
> services whose primary goal is to optimize for the bottom line? You
> realize that when "the shit hits it" you can rely on them to not
> waste any of their money fighting for you. Not that it matters,
> because they are already deputized data collection points for the
> police, building into their money-making schemes keeping as much logs
> as they possibly can to maximize profits from various advertising
> and surveillance efforts.

I generally agree. Though, I wonder. It depends entirely on the threat model, doesn't it?

For example - I would never suggest that some groups roll their own solutions if their best solution has the same weaknesses of a company and without any of the actual technical or legal support that is often needed.

Some activists don't care about Free Software, some don't care about surveillance, some don't care about wiretapping - as a result, I think it often makes people less effective because *it still impacts* everyone. It is hard to deal with a holistic framework that includes weird small seeming details like infrastructure.

> And really, Cloudflare? C'mon. After their willingness to roll over
> on the subpoena for Barrett Brown and pretend that they were the
> internet's saviors by making up that whole thing about how they saved
> the internet from the biggest DDOS ever?

Yeah - they're an SSL MITM by design - it should give you some idea about what vulnerability they introduce into the mix.
For a while there was an encrypted web chat service that MITM'ed their entire "secure" chat service with Cloudflare. Combine that with some other hilariously bad ciphertext only bugs and we have a passive break on their service in a worst case scenario. Such a setup is the opposite of defense in depth. Whoops.

> This is an amazing statement: "free is distinctly unaffordable" --
> what meaning of "free" are you using here? There are other things
> that I'd pay *more* money for if it meant the kind of free that I'm
> thinking of was in play... But this is 'liberationtech', right? Is
> the only thing you are concerned about is being liberated from your
> money when doing tech things?

Oh man, I couldn't agree with you more.

> The cognitive dissonance here is deafening.

To paraphrase and bastardize jwz: Free Services, like Free Software, are only Free if your time is worth nothing.

Free "time" like free as in not in jail or dead or worse!

All the best,
Jacob
