Re: [liberationtech] Privacy, data protection questions

2013-03-27 Thread Rich Kulawiec
On Tue, Mar 26, 2013 at 04:24:33PM -0700, Brian Conley wrote:
 I generally read most of your comments on this list as I find
 them insightful, however in this case, I was struck by your
 entirely hostile attitude.

You're misreading exasperation and frustration as anger, and you're
still focused on style rather than substance.  If you think I'm wrong
(and of course I might be) then make the case.  Show me how someone
can keep (let's say) a 1000-phone population in the field secure when
there's an adversary actively trying to make them otherwise.

---rsk
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] Privacy, data protection questions

2013-03-27 Thread Andrew Haeg
Hi Brian, Rich: Thanks for engaging me (and one another) here. I take no
umbrage at Rich's line of argumentation. In fact, having been a lurker and
occasional poster here for several months now, I am well aware there are
(as Rich put it) paranoid clueful paranoid diligent (did I mention
paranoid?) geeks in our midst and expected a passionate response of some
kind. If I were easily put off by criticism, I wouldn't be doing this.

But I will say that while I'm not deeply technical, I'm acutely aware of
what I don't know. Which is why, for now, we're avoiding many of the
pitfalls you point out. Right now, we're building solely for SMS and voice
delivery of simple surveys, and aggregating that data to build profiles of
respondents. Nothing need be installed on the phone.

I will bookmark this thread as we start to think about smartphone apps, but
for all the reasons you raise, it may be a non-starter in places with
nosey, repressive regimes.

The privacy questions I have right now have to do with partitioning the DB
in such a way that a malevolent hacker, or personal info digger, couldn't
crack into our system and in one fell swoop make off with a trove of mobile
#'s + the personal info of the person connected to that number.

Whoever I bring on as CTO/technical co-founder I will expect to shape these
decisions.

I appreciate the feedback.

- Andrew
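One way to do the partitioning Andrew asks about, as an added example that is not part of the thread and not Groundsource's code: the SMS gateway, which has to dial numbers anyway, keeps the only phone-to-pseudonym table together with a secret key, and the survey/profile store only ever sees a keyed pseudonym. A dump of the profile store alone yields no phone numbers; a dump of the gateway's table alone yields no profile data. The class and function names, the key handling and the sample phone numbers are constructed for the example, and the unkeyed variant is shown beside it to make the point that a bare hash of a phone number is not a pseudonym.

```python
"""Added example (not code from the thread or from Groundsource): splitting
respondent data so the survey/profile store never holds a phone number and
the phone store never holds profile data. Only the SMS gateway, which must
dial numbers, keeps the phone <-> pseudonym mapping and the pseudonym key.
All names, keys and phone numbers below are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


class SmsGateway:
    """Owns the pseudonym key and the only pseudonym -> phone table.
    Assumption: deployed as a separate service with its own credentials, so a
    breach of the profile store's credentials does not reach this table."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._phones: Dict[str, str] = {}  # pseudonym -> phone, for outbound SMS

    def pseudonym(self, phone: str) -> str:
        # Keyed HMAC: without the key, an attacker holding only the profile
        # dump cannot enumerate candidate numbers and match them to pseudonyms.
        return hmac.new(self._key, phone.encode(), hashlib.sha256).hexdigest()

    def inbound(self, phone: str, text: str) -> Tuple[str, str]:
        """An SMS reply arrives; pass only (pseudonym, text) onward."""
        pid = self.pseudonym(phone)
        self._phones[pid] = phone
        return pid, text

    def outbound(self, pid: str, text: str) -> str:
        """The profile side addresses a pseudonym; the number is resolved only here."""
        return f"SMS to {self._phones[pid]}: {text}"


class ProfileStore:
    """Aggregates answers per pseudonym and never receives a phone number."""

    def __init__(self) -> None:
        self._profiles: Dict[str, List[str]] = {}

    def record(self, pid: str, answer: str) -> None:
        self._profiles.setdefault(pid, []).append(answer)

    def dump(self) -> Dict[str, List[str]]:
        """What an attacker gets from this store alone."""
        return {pid: list(a) for pid, a in self._profiles.items()}


def unkeyed_pseudonym(phone: str) -> str:
    """The weak variant: a bare hash of the number, no key."""
    return hashlib.sha256(phone.encode()).hexdigest()


def recover_by_enumeration(target: str, prefix: str, digits: int) -> Optional[str]:
    """Why the bare hash is not a pseudonym: phone numbers come from a small,
    structured space, so a profile dump can be matched against every candidate.
    The range here (10**digits numbers) is constructed to run instantly."""
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if unkeyed_pseudonym(candidate) == target:
            return candidate
    return None


def partition_demo() -> dict:
    """Runs the split flow on constructed replies and reports what each side holds."""
    gateway = SmsGateway(key=secrets.token_bytes(32))
    store = ProfileStore()
    replies = [("+15555550101", "yes"), ("+15555550102", "no"), ("+15555550101", "3")]
    for phone, text in replies:
        pid, answer = gateway.inbound(phone, text)
        store.record(pid, answer)
    dump = store.dump()
    pid_a = gateway.pseudonym("+15555550101")
    return {
        "respondents": len(dump),
        "answers_for_a": dump[pid_a],
        # the profile dump contains hex pseudonyms only, no "+1555..." strings
        "phone_in_profile_dump": "+1555" in repr(dump),
        "outbound": gateway.outbound(pid_a, "Q2: how many?"),
    }


if __name__ == "__main__":
    print(partition_demo())
    weak = unkeyed_pseudonym("+15555550102")
    print("unkeyed hash recovered:", recover_by_enumeration(weak, "+155555501", 2))
    keyed = SmsGateway(secrets.token_bytes(32)).pseudonym("+15555550102")
    print("keyed pseudonym recovered:", recover_by_enumeration(keyed, "+155555501", 2))
```

The partition only holds if the two stores really do live behind separate credentials and the key never sits in either database; an attacker who obtains both the gateway table and the profile dump links them trivially, so the design reduces the "one fell swoop" problem to needing two independent compromises rather than one. It also fits the SMS-only delivery model described above, since nothing on the phone participates.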




Re: [liberationtech] Privacy, data protection questions

2013-03-26 Thread Rich Kulawiec
On Mon, Mar 25, 2013 at 10:57:10AM -0700, Brian Conley wrote:
 Mostly I'm taking issue with your nonconstructive demeanor.

Clearly you have no idea how I write when I'm being nonconstructive. ;-)

Think equal proportions Kingsfield[1], Vader, Snape.  Season to taste with
HST and Mencken, serve at full boil.

 I've not seen you take the Guardian Project to task for trying to
 solve some of the same problems. I've not seen you take Tor project or
 Whisper Systems to task.

(a) There aren't enough hours in the day to provide extensive (security
or other) critiques of everything that comes across here.   And there
are other people whose expertise in certain areas dwarfs mine, so
until/unless I close the gap, I'll defer to them.  Also I think I should
occasionally STFU and listen.

So I respond on-list when I feel that I have something useful to say,
*usually* (but not always) when I think that has applicability beyond the
particular topic-of-the-moment.  Hence my comments in re Silent Circle,
which are far more about the inherent insecurity of closed source
software than about the specifics of Silent Circle itself -- most of
which I didn't pay any attention to because I think they're irrelevant.
And speaking of applicability beyond the topic-of-the-moment:

(b) If you read my message carefully you'll notice that I did in fact
explicitly point out that while I was using this particular project as
an example, it's by no means the only one facing the exact same issue.
Building a secure smartphone app is presently equivalent to trying
to put the roof on a house whose foundation is sinking into quicksand
and whose main floor is on fire.

So what constructive thing could I possibly say?  The entire smartphone
ecosystem is rotten to the core: the OS vendors care far more about
advertising than privacy and security [2].  Well, and they care a lot
about paying attorneys so that they can all sue each other. [3]  The app
markets are loaded with malware, spyware, adware, and crap.  And more
crap.  Also: still more crap.  Users will download and run any shiny thing
they see, doubly so if it purports to enhance their social experience --
much to the delight of the scammers and spammers running those operations.
Telcos are happy to turn user tracking/surveillance/etc. into profit
centers.  Governments want every scrap of data they can get from carriers
and there's now an entire subindustry for software that extracts data
from locked phones.

D'ya think if I asked them very nicely and politely they'd all stop?

*crickets*

There is NOTHING constructive to be done here.  It's not a fixable
situation at the moment or for the foreseeable future.  The *only* thing
to do, as far as I can tell, is to stop pretending it's otherwise and
stop laboring under the delusion that smartphone apps have a chance in
hell of being secure in mass deployment scenarios.

(c) So to re-emphasize the more general point: no smartphone apps,
UNLESS you can produce a viable, workable, scalable, defensible plan
to keep the phones secure in the field.  Otherwise your app, whatever
it does, and however nifty it is, is probably going to be undercut from
the moment it's installed...or very soon thereafter, as soon as one or
two governments your users are annoying decide to deploy countermeasures.
(I think it's fair to say that, to a first approximation, the tempo
and scale of their response will be proportional to the adoption
rate and annoyance level.  Thus: the better your app and the more people
that use it, the sooner you should expect the backlash.)

And they don't *have* to crack your app if they 0wn the phones it runs on.

(I sure wouldn't.  Too much work.  Very tedious.  Better to just hijack the
phone, install a keystroke logger et al., and compromise *all* the apps.)

(d) I don't think you [generic you] can come up with that plan (above)
and execute it.  I think you have no shot whatsoever.  But if you want
to take a crack at proving me wrong: be my guest.  I will be very surprised
but happy if you succeed.  I may even buy you beers.  Good beers.

(e) I *know* this is real unhappy news.  Sorry.  I didn't write the
cruddy smartphone software.  I didn't write the malware.  I didn't create
the situation.  I'm just pointing it out.  And yes, I know it would be
much nicer to just go on creating app after app and rolling them out
and pretending this problem doesn't exist, but ermmm...I think far more
unpleasant things than mere words on a screen will happen if lots of
people start betting their freedom and/or their lives on the security of
their smartphones/apps.

(f) And on that point (pretending), let me share with you one of the most
valuable pieces of guidance that I've ever read.  I have it printed out
and taped above where I'm working right now.  I think for many of the
projects and initiatives discussed here, it's terrific advice.  So even
if you think my analysis here isn't worth a load of fetid dingo's kidneys,
well, at least there's this:


Re: [liberationtech] Privacy, data protection questions

2013-03-26 Thread Brian Conley
Rich, the point is simple, let me put it into a formula:

(civility + relevant advice) / length = degree to which people consider
your advice

My point is that you clearly have a lot of the second piece of this
formula, however your lack of the prior piece, and the lack of many people
on this list (myself included at times!) leads to us wasting our breath and
carpal tunnels, because the degree to which people are likely to consider
our advice is inversely proportional to our lack of civility.

Your second email is generally much increased in civility, but, frankly, I
didn't read all of it.

I understand smartphones are a disaster, but I also understand that
government surveillance has many of its own critical flaws. The capability
to do something technically is not the same as the ability to execute it
bureaucratically, socially, or practically.

Finally, I do look forward to your advice. I generally read most of your
comments on this list as I find them insightful, however in this case, I
was struck by your entirely hostile attitude.

It's clear you have a chip on your shoulder about this stuff, maybe because
you are angry people are getting funding for things you see as stupid or
fundamentally flawed, maybe for another reason, quite frankly all I care
about is how your attitude impacts my day.

Brian


Re: [liberationtech] Privacy, data protection questions

2013-03-25 Thread Rich Kulawiec
On Fri, Mar 22, 2013 at 04:29:38PM -0700, Brian Conley wrote:
 Nose to the grindstone Andrew. Use Rich's email to remind you this is hard,
 but it's still worth doing.

I've read this multiple times and I still have no idea how your remarks
relate to what I wrote in re the (in)security of smartphones, the
resulting pervasive malware epidemic and the subsequent serious
architectural problems for application developers, including but not
limited to this one.  (serious architectural problems == you're
building on enemy territory, this probably won't end well)

Neither coffee nor scotch (both applied liberally) have yielded any
enlightenment, so I must now ask: Whiskey Tango Foxtrot, Over?

---rsk


Re: [liberationtech] Privacy, data protection questions

2013-03-25 Thread Brian Conley
Rich,

Mostly I'm taking issue with your nonconstructive demeanor. I've not seen
you take the Guardian Project to task for trying to solve some of the same
problems. I've not seen you take Tor project or Whisper Systems to task.
You have essentially shat on someone's head who is taking a risk by being
open and asking for feedback.

As this is a LIST that numerous people have mentioned is beneficial to them
as a place for discussion one might expect common courtesy to prevail. I
know that is not the general tendency on the internet, where trolls abound.

Perhaps we could all try to be a bit less trollish, and perhaps more
gnomish.  I would present Steve Weis' critical, yet cordial response to
Crypho on another thread as a good example:

Hi Yiorgis. The ways of asserting the authenticity of served
[JavaScript] always reduce to trusted code executing on the client. You
need to trust whatever is authenticating the served application. You can't
get around it.

This approach always ends up with either trusting the service or running
client-side code. The former is a perfectly fine business model and the
standard for almost all web apps, but you can't make the claim that the
government and our staff cannot access your data. It's simply not true,
and not just because there might be incidental bugs you're working on
fixing. It's fundamentally untrue.

I appreciate the challenge you are trying to tackle and understand that
delivering client-side code across all browsers and platforms is a
non-starter for an early startup. If it were an easy problem, we wouldn't
be having this discussion. I wish you luck in solving it.

Regards,

Brian

-- 
Brian Conley
Director, Small World News
http://smallworldnews.tv
m: 646.285.2046
Skype: brianjoelconley

[liberationtech] Privacy, data protection questions

2013-03-22 Thread Andrew Haeg
We're in the late prototype phase for Groundsource (http://groundsourcing.com),
a mobile data collection and engagement platform -- designed for
journalists, researchers, NGOs and others to use to gather first-hand
knowledge. We've used the prototype to validate the need for the
platform, and now privacy & data protection have moved front and center as
we ramp up for a beta phase later this spring/summer.

We've had some early discussions with the Tor Project about protecting
journalists using the platform in countries with repressive regimes (down
the road). We're also looking into using Wickr for encrypting
communications. In the short term, we need advisors who can help guide our
decisions around privacy and personal data collection & protection.

Let me know if you're interested in helping us navigate these issues. I'd
be happy to demo the platform for anyone who's interested -- and I am also
beginning the search for a CTO/technical co-founder to lead on these and
other tech/strategic decisions.

We're looking for people who share our mission to put human experience and
unmet needs at the heart of storytelling and decision-making, while giving
sources control over the data that they share and their level of
engagement.

Comment here, or email me personally if you want to follow up.

Best,

Andrew Haeg
http://www.linkedin.com/in/andrewhaeg
@andrewhaeg
@groundsourcing
612.501.0690

Re: [liberationtech] Privacy, data protection questions

2013-03-22 Thread Rich Kulawiec
On Fri, Mar 22, 2013 at 09:58:17AM -0500, Andrew Haeg wrote:
 We're in the late prototype phase for Groundsource (http://groundsourcing.com),
 a mobile data collection and engagement platform -- designed for
 journalists, researchers, NGOs and others to use to gather first-hand
 knowledge. We've used the prototype to validate the need for the
 platform, and now privacy & data protection have moved front and center as
 we ramp up for a beta phase later this spring/summer.
 
 We've had some early discussions with the Tor Project about protecting
 journalists using the platform in countries with repressive regimes (down
 the road). We're also looking into using Wickr for encrypting
 communications. In the short term, we need advisors who can help guide our
 decisions around privacy and personal data collection & protection.

Ok.  Here's some advice.  You're not going to like it. ;-)  Sorry.
But better now than later, when lives are on the line.

I'd like to ask you to open a web browser and use your favorite
search engine to search for:

mobile malware epidemic
smartphone malware
android malware
windows phone malware

and similar.

Then I'd like you to explain how you propose to keep all those mobile
phones secure in the face of routine malware, let alone targeted and
custom malware crafted by hostile governments who would very much like
all those journalists and researchers and NGOs you mentioned to STFU
because they're saying and reporting and doing things those
governments find...disturbing.

Forget all the other security and privacy issues for a moment (some of
which I touched on in a previous list message [1]): how, EXACTLY, do you
propose to keep those phones from being infested just like a gazillion
other phones already are or will be real soon now?

Because once those endpoints are compromised, all the crafty routing and
anonymization and encryption layers you could possibly put in place aren't
going to matter very much.  And those endpoints WILL be compromised
(probably much sooner than you think) because they're going to be in the
hands of journalists and researchers and NGOs, *not* in the hands of
paranoid clueful paranoid diligent (did I mention paranoid?) geeks.

Oh, sure, someone sufficiently knowledgeable, cautious, etc.
can probably keep *one* phone secure.  Just like someone with those
qualities might be able to keep a single Windows system secure.  There are
people on this list who are capable of both of those things.  But dozens?
Hundreds?  Thousands?  Being carried around all over the place by
their owners?

There's not a chance in hell.  None.  This is not a solved problem in
computing.  Nor is there even a hint of a twitch of a notion of a
suggestion of a whisper that it will be solved anytime soon.

It's not even solved for people who've stacked the deck in their favor
(e.g., those who have the luxury of centralized control) let alone for
those who are allowing end users to connect their own.  And most of them
aren't painting big targets on their chests, they're just caught up in
the general crossfire...unlike *your* users, who are self-nominating to be
on the business end of some very serious attention from some very determined,
clueful and nasty people -- people who probably *already* have been
working on building or buying custom malware for phones because of course
that's what any prudent adversary with sufficient resources would be
doing just about now.

Yeah, okay, so I'm making the point at your expense, and I don't really
mean to do that, so I'll make it in the more general case: look, people,
unless you can produce a plan -- and more than that, a plan that's been
proven in the field to work -- for keeping, let's say, a population of, oh,
a thousand independent scattered phones free of malware, then you CAN'T
deploy your whizbang singing dancing smartphone app because it's going to
be promptly undermined.  Any government worthy of the term oppressive
is going to 0wn each and every phone of interest and is going to install
trackers, spyware, keystroke loggers, and whatever else occurs to them,
and you're not going to stop them.  At best, you might figure out that
this is happening after-the-fact and remediate some of them...until they
go back out in the field and get infested again.  Lather, rinse, repeat.

Not to put too fine a point on it (but I suppose I will anyway):

If someone else can run arbitrary code on your computer,
it's not YOUR computer any more. [2]

The phone may be in a journalist's hand or it may be in a researcher's
pocket, but it's not theirs.  *Not any more*.

Which means that your liberation app, the one that you designed and
developed and sweated over, the one that your user is trusting to
send and receive sensitive information, the one that's connecting
to a backend through umpteen layers of encryption and obfuscation
and misdirection and whatever...is now running on the 

Re: [liberationtech] Privacy, data protection questions

2013-03-22 Thread Brian Conley
Nose to the grindstone Andrew. Use Rich's email to remind you this is hard,
but it's still worth doing.

Also remember you aren't going to solve these problems, but you may make it
easier for people who want to act.

Lastly, if Rich is really getting you down, click this link:

http://2.bp.blogspot.com/-w7WBItj9rgA/UCv2vNYVuhI/AW0/U1yNrdmndV8/s1600/haters_gonna_hate3.jpg

That said, do speak to Nathan Freitas, Harlo Holmes, Hans-Christoph Steiner
and others at the Guardian Project, and Bryan Nunez et al. at Witness about
InformaCam, IOCipher, and other steps they're taking to solve some of these
problems.

Don't just innovate, collaborate.

I'd also like to talk to you about our work on StoryMaker, an app to allow
individuals to produce compelling stories and publish them via Tor, among
other features.

cheers

Brian
