Monthly Archives: August 2013

Next Time, Pay Attention.

When the extra-judicial harassment of drug addicts began, in the 80s, or even back in the 60s, no one cared. “Ew, they’re drug addicts.”

We filled our prisons with young blacks and latinos destroyed by the drug trade, sent our Vietnam vets there, our crack addicts and tweekers. We got used to not caring about them. We hired police and taught them it didn’t matter what they did to those people and their communities.

When the extra-judicial harassment of Arabs began, in the 90s and then many times worse after 9/11, it was, we said, to be expected. “Well, they’re Arabs.”

On a few occasions, I stood outside in a protest of Arab registration in America where a still unknown number of men went into DHS offices, and never came home. We all watched the surveillance and intimidation of Muslim and Arab communities in America, the UK and Europe and said to those governments, it’s ok, because those communities have extremists.

Now the extra-judicial harassment of journalists has begun. And a bunch of folks are saying “How could this happen?”

You’ve been letting it happen and grow for 50 years. Congratulations on noticing. Now do something about it, because you’re next.


An Open Reply to Zooko and Jon

Dear LeastAuthority and Silent Circle (aka Zooko and Jon),

I too know and like you both! I too admire your work, have tremendous confidence in your abilities, and it’s been amazing to watch your efforts, both sophisticated and useful, grow over time. I want to be customers of you both when I am less broke. Personally, I enjoy talking and hanging and hiking and all manner of things with you! (Zooko I really must go back to the mountains with you one day) That was a very sweet and erudite discussion of the problems of verifiability and technical trust and Open Source and Descartes and Godel. Seriously, I could totally have that talk with both of you while sipping nice port out of little crystal glasses.

But no one is going to attack the customers of either Silent Circle or Tahoe-LAFS by compelling you to deliver a malicious update. If they want to do it the hard way, they’re going to use an iTunes update or a Skype update or just attach a file called interesting-shit.jpg.exe to a forged email to your customers. If they want to or can attack your customers the easy way, your customers will end up under fluorescent lighting in an airless room surrounded by buzzcuts with toothy rictus smiles. Your customers will have the distinct sense that while they’d like to see your customer’s computer/phone or else, they’re cool with or else for a while if your customers want to play that way.

The first way is of course stealthier, which is the real reason they go after hosted services, because that’s a stealthy way of monitoring communications, and gets you a historical record. (Which is also why I’m all like “No encrypted email! Encrypted email baaaad!” all the time.)

But if they’re going to own the endpoint, there’s no point in interfering with your two companies who are loud and skittish and likely to pull a “Ladar”.

They could own the end point any number of ways with off-the-shelf shit, and go home early for the weekend. If they really want to do bulk collection they’ll just send a malicious update of Angry Birds.

Seriously, attacking a target through your apps would be stupid and likely to get out. So they’re not going to. They’re going to use the vast number of easy weaponized apps built on top of the thriving 0day market to scoop not only every bit your targeted customers send you, but everyone else too. And it’s great! They won’t ever get caught for this. I don’t even have to provide links and evidence for what I’m saying because we all, everyone who works vaguely in this field, already know this.* But this is not just your customer’s problem, it’s your problem, too.

This all brings me to my point in my normally circuitous way. And Jon, you made this point in part, but for me, not nearly hard enough. These debates on crypto and code verification are actively beginning to annoy me, because malware/phishing is fucking terrible and the real fucking problem and everyone is ignoring it. I don’t mean you in particular are annoying me, but in general this tendency is. I worry watching two people as respected as you do this continues to distract people from our terrible problem. It’s like watching a couple gentlemen have a lengthy and erudite discussion on the merits of the front door’s lock while the back of the building is actually on fire.

I really do appreciate discussions of verifiability on an intellectual level. If I wasn’t also that kind of dork I would never have made it through the majority of my life hanging out with you people. I can sit around with friends trying to figure out when the halting problem comes into play in game situations. I teach writing with Shannon’s information theory in mind. I understand the dopamine rush of a *solution*. But we don’t have that luxury anymore, because everything and everyone is getting owned like crazy.

The answers to the malware problem are probably not verification. They are probably many answers, messy answers, and not always provable or even always effective. I think that’s why we don’t like them, because they aren’t elegant. And because we like to imagine malware can’t happen to us. It happens to people who don’t know better and live far away, but are also much more likely than us to do the kind of work that gets targeted by hostile actors.

I don’t mean to over-focus on you, because you guys aren’t close to the worst on this. We need to fix the industry’s incredibly broken threat model, because malware is everyone’s problem. You’re trying to protect your users’ data, period. Not just when it’s in your little mathematical garden, but before it gets there and after it leaves, because otherwise your mathematical garden is irrelevant to the real world. This problem is, for our kind, much harder than proving Godel wrong, because it’s tractable but huge and it’s messy and it will never, ever, ever feel right.

If we don’t start focusing some of our attention on malware, crypto is going to be irrelevant in yet another way.



* People who are not the people this is addressed to who would never make this mistake anyway, don’t even talk to me about AV. I mean, don’t even.

The Bit I Liked Most

As Ada took me back through the Lord of the Rings.

“I wish it need not have happened in my time,” said Frodo.
“So do I,” said Gandalf, “and so do all who live to see such times. But that is not for them to decide. All we have to decide is what to do with the time that is given us.”

Such times as these. Transition times, when new things are trying to not be crushed by old. Times like those that Paine said try men’s souls. Times when you can finally understand how people can see the round ups coming, and choose to stand. Drought times of soul and spirit.

Me, Aaron, and What I Said to MIT

MIT came out with its report on Aaron’s case and his death. I was interviewed by Hal Abelson and the lawyer assisting him May 3rd of this year. It was a difficult interview. I talked about what it was like being investigated along with Aaron. I told them how Aaron saw MIT, why he did what he did there, and what his relationship with data was. I told them things I had come to understand over years of knowing, loving, and living with him. This, for reasons both valid and not, vanished from the final report.

I, like many of the people close to him, wasn’t satisfied with the report. I didn’t appear in the final report beyond confirming factual details. However, I recorded my side of the interview. I share that with you here, and I will expand on it as I find the time.

The blank bits are where I have omitted personal information.