Photo by [!!!] Sweet Peas Photography [!!!]
There goes Evgeny Morozov on Twitter cheering Jacob Appelbaum (@ioerror) for his take-down of a circumvention software which "DC lobbyists" and the US government promote called Ultrasurf.
(Certain geeks hate Ultrasurf for the mere fact that it is proprietary and not open-source software; open-source software is a cult with strict religious beliefs, and that's where the problem begins; it's a turf war, because Ultrasurf was invented by Chinese dissidents in what is also regarded as a sect if not a cult, Falun Gong.)
MOROZOV'S WAR
It's important to remember that Morozov has made a career of trying to thwart the US government in its Internet freedom programs as I've noted before. His motivation for this remains opaque to me. I'm all for shedding hacker hype and cyber-utopian woo-woo, but that's no reason not to have an Internet freedom program.
Evidently Morozov just avidly distrusts the US government, and finds what they do so much "bullshit" or something. He angrily fought the ill-fated Haystack program (and yeah, I get the problem with that, but as I discovered, the US never supported it and the "kiss of death" never happened); he and the Arab bloggers seemed busy at one point trying to keep US support out of what later became the Arab Spring.
I don't see the need for this whatsoever.
So Morozov's objection is largely political and largely social -- i.e. as a social media influencer on the side of the cyber-skeptics, and for open-source geeks and against the US broadcasting officials, he's all for trashing anything that gives people any sort of false sense of security against authoritarian governments, because he wants you to know -- in case you're having a hard time remembering! -- that authoritarian governments are going to beat you, and you can't win!
Now, Jacob Appelbaum purports to be performing a Public Service by "blowing the whistle" publicly on what he sees as the flaws of Ultrasurf, a mean imperialist-backed running-dog circumvention tool (unlike that wholesome and organic open-source Tor circumvention software that @ioerror runs, see!).
The first thing to do in addressing this discussion is to completely discard the notion that you can't have an opinion on this and can't call bullshit when you sense it because you are "not technical" or "not a coder" or don't have a degree in computer programming from Stanford University or haven't learned to code "on the Internet" from your buddies in the IRC.
WHY IT'S OK TO CHALLENGE GEEKS
You do that because intelligent people have opinions and seek to engage on all manner of things from medicine to nuclear weapons even if they "aren't experts". It's more than fine to do. Indeed, it's imperative, given how ethics-free so many hackers are.
And what I've discovered by asking curious questions of several experts on circumvention is basically two things:
o they disagree among themselves; that's what geeks do, they disagree. We seldom hear about these disagreements because they are like a religious sect that doesn't want you to see their group as weak by seeing the internal criticism, but they do disagree;
o some have an informed criticism of what Appelbaum is saying, but don't go public with it, basically out of a sense of the "honour of uniform," i.e. guild loyalty or simply prudence.
Now, what's the most obvious thing the non-specialist but thoughtful critic of software can say about what Appelbaum is doing here? Instead of quietly telling the makers of Ultrasurf that their software has flaws, he has only "given them a deadline" of a few months and then "told all" because he thinks they "only understand force". (He's right about that much, I suppose: geeks do only understand force, in my experience.)
So...If his "altruistic" purpose is to sound the alarm to users that they are in danger of being outed by the Chinese or Russian or other authoritarian governments, then he "has" to blog about this because the "word has to get out".
Sooooooo....how many Chinese or Russian or Iranian bloggers or tekkies or just plain surfing people can read Jacob's English-language blog on the Tor site? Mkay. Not that many. Certainly some of the Ultrasurf honchos in Silicon Valley can, but not most Chinese.
But let's say that through that awesome-sauce rhizomatic process whereby geeks of the world find each other and even know enough English to understand each other on technical things, they *do* get the word about this horrid flawed full-of-holes commercial software that *gasp* the evil American State Department favours and Freedom House rated fourth on the list of such tools?
Are they going to care...that much?
No.
PSYCHOLOGY OF RECIPROCITY -- "I KNOW THAT THEY KNOW THAT I KNOW"
Because here are the other points that have to be said about all this -- and to follow it, you don't have to be so much technically-minded, as just to think about the psychology of reciprocity and game theory a little bit.
So, number one, the Chinese or Russian ISP, which is required to access the Internet, already knows who you are. Perhaps you managed to sign up with a fake name, but not likely, if it is attached to the country's phone system. Sure, you can use a proxy and use the circumvention tools. But your ISP can see you doing that very thing.
So if you are worried about not letting the secret police know what you're up to, you've already failed, so to speak, by putting out a red flag to them that you can be seen encrypting or proxying. Oh, sure, some systems avoid even that appearance by appearing to bounce you around to innocuous sites. But that may make a pattern that the secret police watch, too. More to the point, if you are a hard-core dissident who needs to get out reports on, say, torture in prison or plans for a march in the public square, you're already somebody the police watches like a hawk and you're going to have to try to use Internet cafes or cutaways at other people's houses or who knows what.
BELARUS -- OPPOSITION SKYPE CONVOS IN THE GOVERNMENT NEWSPAPERS
All the circumvention in the world (and I know for a fact that they used it avidly) couldn't save a lot of the Belarusian democracy activists and alternative candidates when they were arrested for demonstrating on the square. The police burst in and took their computers. Either they opened them up with a handy Firefox browser that "helpfully" saves all your passwords for you to all your social media and such, because otherwise it's a nuisance, or, if you were more careful, they either find what you've left open accidentally, or even beat your password out of you, or crack it themselves.
It was a trivial matter for the still appropriately-named KGB of Belarus to get the Skype conversations of all the major opposition figures and spill them into the still-appropriately named newspaper Sovietskaya Belarus. Few people want to trade keeping their Skype log-on details to themselves in exchange for their relatives being arrested or harmed in some way -- and who knows, maybe the KGB found a backdoor in Skype that I've heard some tekkies say does exist. Skype is supposed to be pretty secure, but there it is. I suspect what's most likely is that it was left open on the task bar.
My point is that when the secret police go after you, they are usually going after you not because Ultrasurf had a flaw that leaked your identity or they hacked your Facebook page. That is, sure, that happens and sure, we should try to close off those holes, but perfection is impossible and usually the dynamics of arrest are different than this: Google engineer Wael Ghonim used a pseudonym on Facebook (in violation of their rules); he was caught anyway.
MOST PEOPLE DON'T USE ULTRASURF FOR ANONYMITY
OK, but let's press on to what the "flaws" are in Ultrasurf. I'm told that most people in fact don't want circumvention to hide their own identity -- they don't bother, don't care, or find it too hard, given the situation above I just described. They just want circumvention to get to sites that are blocked. There are so many people doing this that the Chinese or Russian or Iranian governments may not get to them all, or they may just watch some of them to see what they do.
That is, if the point of Appelbaum's overheated moral panic about the flaws of Ultrasurf is that it...doesn't hide the user very well, it turns out that most people say: so what? They don't care. Their purpose -- unlike the script kiddies and hackers and WikiLeakers who make up the secret society around Appelbaum! -- is not to hide their identity.
It's hard for some, especially in the human rights or politics business, to accept this obvious fact. But it is the case. Most people just want to get to the sites. Remember -- sure, there are those who want to comment pseudonymously on Chinese social networks -- but there's a power law there to which Chinese society isn't immune. Usually 10 percent of the people provide 90 percent of the content anywhere when it comes to user-generated content, and that includes forums. And on forums, it's more like 2 percent of the people regularly posting original posts, and the others just reacting, sometimes only with a "like" -- the vast majority of people don't go public, don't interact, not even on their own Facebook pages, which are underpopulated with content in many cases. Again, power users of the sort who bother to think about these things in the first place vigorously dispute this, but then, they aren't being honest. They should look at all the FB pages of their friends; the friends of friends; then they may "get it".
Another point of Appelbaum's critique is that the download can be spoofed. That is, the KGB can intervene and put its own download of the software in the way of the "real" download, and therefore put in "phone home" features that track you. But then, go back to the first points. Most people are already tracked by their ISPs and already know they are and already have reached a point of mainly not caring, they just want to view the forbidden sites.
Some may dispute this; I don't. I guess because I see how people really behave in these oppressive countries. There's a range of carelessness to lack of concern, but the reality is, people just don't use all the "tradecraft" we might urge on them as do-gooders, or as human rights activists very keenly focused on personal security.
OPEN SOURCE CULTISTS' SELECTIVE CONCERN ABOUT ENCRYPTION
Here's the thing: people are continuing to use Ultrasurf despite this panic-mongering that Appelbaum is doing; they will go on using it. The Ultrasurf people may be shrugging at him by now; they may or may not fix things; some of them may never be fixable. Those geeks should recall what they always tell us about DRM (digital rights management for copyright protection) -- it "can't" be done because the "Internet isn't meant to work that way" and it can always be hacked and spoofed. "If you can see it, you can copy it."
So the same works for supposedly secure log-ons and encryption of any kind, really, on the same principle. Oh, I get it that there may be different regimens involved. But the principle of the thing philosophically is the same: there really is no such thing as solid Internet security that will lock up you and your personal information and your online expressions and gestures like a drum, forever, and ever amen. It's good to try to do that anyway, and "good enough" is reasonable to go for -- it isn't contaminated if it is 1 out of 99 (unlike the usual geek yes/no binary thinking and approach to every problem). But I simply won't let geeks engage in the flagrant moral hypocrisy and intellectual dishonesty of saying we "can't" secure IP on the Internet but we "can" encrypt their anonymity and "security" (and I'm not alone in this).
Jacob claims Ultrasurf doesn't even connect to the blocked addresses (leave aside the issue of how much the user is protected). But that's not what I'm hearing from those using it and from those following it.
Again: the overwhelming majority of people using these tools do not care about anonymity. That's hard for hard-core operatives and cadres in circumvention communes like Tor to hear, but they need to.
Naturally, what Appelbaum's retort to this obvious point, given his paper, will be is that "But Ultrasurf advertises anonymity as a feature, and doesn't really secure it, in fact they expose their users."
And the answer is to keep telling the truth about this situation while Appelbaum is clutching his pearls: most people don't care about exposure of identity because it's already exposed to their ISP. Snake-oil? But it's easy to use, unlike Tor, not slow, like Tor, and it mainly reaches the blocked sites. That's the issue!
THE INTERNET IS UNTRUSTWORTHY!
Much of Appelbaum's paper is a reiteration of the basic truth that all even casual Second Life users know -- untrustworthy parties make untrustworthy viewers and compromise you, your identity, your information, and user-generated content. Welcome to the Internet, kids! Rogue viewers do rogue things, and the company can try to control them with specific registration policies and such (the first step against unruly geeks is to establish at least organic law over them -- that much can be done, and policies can be made in the real world -- Appelbaum disdains "privacy by policy" among such organic laws but too bad!). Of course, the operating environment for Ultrasurf or Tor isn't such that the makers can log-off or IP block or hash-mark block those attempting to log on to their servers because they don't have control over all the servers used in the hopping and proxying, to cut a long story short.
It turns out that Ultrasurf has a bright idea about solving the classic spoofing problem with some sort of novel "handshaking," like a secret handshake for a secret society, let's say, by analogy. Jacob is mad that they won't tell him about this, and as a proprietary company with proprietary code, don't let him tinker with this. Too bad!
Ultrasurf, mindful of the sinister intermediary problem, says you can email a guy to get a copy of the download, i.e. that would be a way of solving the "trust" issue. Appelbaum claims the email address ([email protected]) doesn't work and the server rejects queries. Maybe he's blocked? I sent a query just now and it went through fine. I didn't get an answer yet; but I didn't get a returned email error.
Those are the kind of little, checkable details that often unravel the Jacob Appelbaum mystique -- you know, like the fact that the soldiers shooting at gunmen and journalists in Iraq didn't know they were journalists, and didn't know that a van that raced to the scene to pick up wounded carried children in it. That sort of thing.
When somebody writes a big-ass donos like this on software, replete with obscure tables of numbers and terms and witty in-jokes like "turtles all the way down," most people back off. Not I.
I point out the problem here: the people who really know something about this subject, either within the State Department or in various countries who are in various IT communities aren't going to cross Appelbaum publicly. Part of the reason they won't do that is because they don't think airing the problems of software insecurity is in the best interests of "the cause" (understood differently by different people). They also don't want to have a public wrangle with someone they might think is "brilliant" or "one of us".
That's a problem for the general public, the voter, the taxpayer. But like everything else in life, whether it's nuclear power stations or stem-cell research, you either trust the government, or you don't. You can trust them in principle and still be critical! If you have a liberal elected government with one of the most liberal presidents in history running an Internet freedom program, and it's still not good enough for you, I can't help you. If you think we should always knee-jerk distrust every government activity as horridly tainted, I can't help you, because I don't think that is necessary. It's a war in cyberspace; you fight it as best you can.
It will never be perfect in the sterile, obsessive, hyper-vigilant way that Appelbaum wishes (and possibly that's why Tor is complicated, slow, and insular and touchy about criticism). Too bad!
It's good enough for government work, as they say -- and lots of ordinary people, too. As for the problems of *gasp* *the horror* incorporating third-party software into their product, gosh, is Appelbaum now a candidate for the pro-SOPA chorus concerned about the copyright of software?! (You find even Stallmanites can be hysterical about licensing when it's their licensing). As for the problem of retaining user data and everything else -- again, welcome to the Internet! You're soaking in it!
Finally, I want to vigorously and vehemently say that I don't care if I've said something technically incorrect here or woefully technically stupid or anything of the sort. What's important is to keep documenting the Unaccountable Jacob Appelbaum. Once again, for motives that have to do more with power and swagger than really wishing to help users under authoritarian regimes, we've been doled out a great ration of bullshit, and it needs to be called out.