Jacob Appelbaum, who I take on here, here, here, and here for his attacks on the proprietary circumvention software Ultrasurf, his distorted notion of Internet freedom, and his unaccountability in tendentious argumentation about Iraq, has answered me on the closed list of liberationtech -- closed because while "anyone" can sign up for it, they do not publish their messages and it can be heavily moderated.
And my response to him has been censored by the moderator, who won't let it through on the grounds that it is a "flamewar" or contains "personal attacks". So I publish it below.
One of the many ways that Appelbaum obfuscates himself is by putting on his message header posting to liberationtech, and on his Twitter account, a website that in fact is always "down" -- appelbaum.net. I'm not sure how you can email from a "down" web server on to an email listserver, but obviously Jake is able to do that! [PS -- and despite the heckling from Collin Anderson, I'm not afraid to appear ignorant about how someone whose website is down is also able to send mail from that same server -- I ask questions about it because it really is odd that the website is never working.]
First, I'm putting my reply, which is in coherent paragraphs. Then, you can see his original reply below, with the usual annoying geeky snippets and carets. When are we going to come out of the dark ages of the Internet from the WELL or old Usenet and such and leave that silly, cumbersome, and infuriating design in dialogue? There's got to be a better way. Of course one way is, um, thinking and synthesizing organically, and answering manually in whole paragraphs instead of clicking return and sifting through a big cut and paste.
My response -- removed by the moderator Yosem Companys:
From: Jacob Appelbaum <[email protected]>
To: "[email protected]"
<[email protected]>
Subject: Re: [liberationtech] Jacob Appelbaum's Ultrasurf Report
Jacob,
Honesty in advertising? Ultrasurf obviously makes claims that you and others don't feel they can support. The question is how one goes about "fixing" that or even if it is really the problem you claim. Most people don't read TOS or read advertising claims -- they use software and if it is easy and helps them achieve their goals, they go on using it, if it doesn't, they stop. Consumers are more savvy than you are prepared to admit. You and other critics of Ultrasurf are not conceding that most users need not anonymity, which they already lost in a place like China with state-controlled ISPs, but breachability of regime-blocked sites.
If you want to harp on honesty in advertising, you should start first at home and acknowledge that the military pictures and claims implied by military affiliation on your website don't add up. We see no evidence that the military continues to use Tor or support Tor or you in any fashion; indeed, you are under investigation by a grand jury precisely for your relationship to WikiLeaks, which is in turn investigated for incitement of the hacking and stealing of classified documents from the US government. Shouldn't users get a disclaimer involving *that* on your can of goods?
I don't need to be in a "depth" about DC lobbying and Internet funding programs to state the obvious which needs to be said here: there's a great deal of hustling going on, there is jockeying for power, and you're thick in the midst of it. Whatever supporters you have in the USG -- and you're coy about them -- surely have to be wondering what they have gotten themselves into, and as this involves *taxpayers' funds* we all get to examine this despite all your claims of our ignorance and lack of "depth".
As for giving this report around, what was the *real* timetable, and can we get a second opinion, not from you? And why was it necessary to publicize it at all in the first place and not continue to work with Ultrasurf if your concerns were truly genuine and your motives truly collegial? The necessity of a deadline or a publication in the first place isn't at all demonstrated and is only your own politicized imperative. The forced "outing" of these concerns in a tendentious package doesn't seem to have achieved your goals. Chinese users continue to use it in droves.
If you didn't give this immediately to the Chinese or Iranian or Syrian governments or their agents and think you should get credit for that (!), then...why do you think publicizing the report on your open web site *now* somehow exonerates you?! That's just plain wild -- and evidence of the alternative universe which you appear to inhabit. [PS: and his later claim that the Chinese have it "anyway" is ridiculous -- there is never a reason to make an authoritarian government's work easier for it.]
Naturally you "like" a USG Internet freedom program that evidently has funded your project. But you're part of a band of critics and re-tweeters that have savaged it, and clearly you think either you can throw it your way or do without it.
I don't "conflate" free and open source software with "peer review," I just don't share your views of it. There is absolutely nothing gained by fetishizing the "million eyes" of OSS. It's a cultic affectation that I simply don't buy -- not when the million eyes contain the authoritarian governments, and not when the million eyes can just as lief contain a stampede of brainwashed ideologues and not when million eyes very often devolves to the "tyranny of who shows up". Peer review by peers in a collegial if proprietary setting can work as well or even better.
Indeed, the belief in open source software as superior, and the set of cultural imperatives and notions that go with it, are religious in nature showing all the signs of cultic belief -- refusal to debate, demonization of dissenters, belief that everyone is wrong but the believer but is awaiting education or epiphany, imperative to convert others or the efficacy and surety of one's own faith cannot survive.
It's that last bit -- the proselytizing imperative -- that gives it away in particular.
I'm afraid we'll simply disagree that proprietary companies "have" to have coerced outside "peer review" to be successful or safe. There's no support for this religious principle but -- faith. I don't believe it. The "serious" problems are dealt with by users and competent professionals. If some perverse-engineer is banging on the outside with hostile motives, it hardly makes for effective change, even at the psychological level, and the technological level isn't at all demonstrated. The forced outing of the "reverse-engineering" expedition undermines its authenticity.
All software solutions are vulnerable to man-in-the-middle attacks. You've re-discovered the wheel here. We all get it. AV software very often classifies such software as malware. So what? Users work around this with far more alacrity than you're prepared to admit. Digital signatures are one option which Ultrasurf has, and it's not certain that this is "because" of your report or that in fact it really offers any more "protection" against exposure and arrest and harm than any other thing on the Internet. Did I mention that the Chinese, Iranian, Russian, secret police are professionals, and you are amateurs? Have some humility.
I'm not required to provide a solution. My job here is to question *your personal accountability* once again in presenting a *tendentiously-framed finding* and doing it publicly. There is absolutely no benefit to be gained from the coercive *public* nature of what you're doing except to throw Internet freedom programs *your way*. You may have overplayed your hand here.
Peer review need not be open source or under your guidance or on your terms to be effective.
Why do we have to prove that Ultrasurf blocks child pornography?! That would be an impossible claim because you'd have to know the secret sites or even the major ones. Just because you can't do *everything* doesn't mean you can't do *something* -- and it's that basic credo of normal real life that those inhabiting the technological bubble with its binary thinking can never admit. Ultrasurf apparently opted to lessen headaches for itself and minimize (not eliminate) problems by blocking the obvious porn sites. So what? They are providing a service for people to get around *ideological* control for people wishing for political diversity, not helping people with their entertainment needs -- and that's ok. There are other options for that, so it's a red herring for you to raise it.
Ultrasurf isn't a human rights worker and doesn't have to make pledges to human rights workers -- it's a technological tool that may serve some purposes and not others. Their claim to provide anonymity may be less than it states, but *your* claim that they are eroded is in fact based on hypotheticals and edge-cases and your own suppositions from reverse-engineering. They were stalling you? But...why the imposed deadline for outing people you claim to be working with? (And with whom you apparently compete for funds?)
You've identified yourself as a "bully" -- I haven't used that term. But I do insist that you explain why on earth you can claim altruism and collegiality with these people at Ultrasurf if all along your plan was to "out" them. The deadline, the very act of discussing this openly all serve *no purpose* except to advance you politically. Users are not warned by an English-language blog on your site, and even if you hired a blimp would not necessarily follow your arcane logic.
As for evidence that what you're doing is helping authoritarian governments, I'll go back to *your own claims* in which you said you refrained from publicizing this so as not to give comfort to Syrian, etc. governments. Huh? So what changed?!
Open source bullying, coercion and ideological haranguing are not open society or an open market. The right to be wrong about software isn't coterminous -- as you've mischievously suggested -- with demanding publication and forcibly outing people you believe to be wrong even if they are wrong. Opt-in, not opt-out.
As for your pointing to an old report, one of many bashing Ultrasurf by Chinese government officials or sympathizers, so what? It's not material to the discussion.
No society based on Bolshevik-style *coercion* with the notion that "the end justifies the means" can possibly be considered open and free.
Date: Fri, 20 Apr 2012 15:40:09 -0400
From: Jacob Appelbaum <[email protected]>
To: "[email protected]"
<[email protected]>
Subject: Re: [liberationtech] Jacob Appelbaum's Ultrasurf Report
Hi Catherine,
On 04/19/2012 03:16 PM, Catherine Fitzpatrick wrote:
> Jacob Appelbaum's agenda doesn't seem to be entirely altruistic here
> with this Ultrasurf report.
>
Where did I claim altruism? I am auditing tools that claim to be
perfectly anonymous because it benefits everyone to have honesty and
truth in advertisement for our community of tools.
I did however invest, as Ultrasurf acknowledged, a great deal of time in
disclosure to Ultrasurf. I also invested a great deal of time in making
positive suggestions, which were largely accepted by UltraReach. I hope
you'll note that the language on their website is drastically different
today if you compare it to the text on their website from a year ago.
Honesty in advertisement is important information that helps users to
make an informed decision and to ensure that Government funded projects
are at least attempting to be honest in how they sell themselves to their users.
> There's a lot going on -- first, there's the desire of him (and his
> supporters) to attack the US government and "DC Lobbyists" merely for
> what they are, which is a hated government with a disliked Internet
> Freedom program, which has put him under investigation for his
> involvement in WikiLeaks (his buddies at the State Department
> notwithstanding).
This is nonsense. Not only do you have it all wrong, you're actually
just out of your depth. It shows.
I am not attacking the US government. To be quite honest, I gave this
report to those around DC that asked - this includes people at State,
BBG and of course, Ultrasurf - well before the report was released to
the public. I did this to ensure that we could broker a discussion with
Ultrasurf to ensure that Ultrasurf felt we were coordinating and being
responsible.
I did not give this to the Chinese or Iranian or Syrian governments nor
any of their agents or anyone that I felt would do Ultrasurf harm or
attempt to attack their users.
I actually rather like the Internet Freedom program, it's not perfect
but it's pretty good! So again - you think you know what I think but
you're mistaken.
> Second, there's the desire to attack any competitor
> of Tor, especially a competitor that adheres to the idea of
> proprietary versus open source software. These are religious
> matters.
Surely you don't suggest that for proprietary or open tools it is
reasonable to never have a third party security audit?
There is no competitor to the Tor Project in the field of online
anonymity. There are charlatans who claim to be perfectly anonymous and
untraceable - as we see with Ultrasurf - they do not live up to their
advertised claims. You conflate Free and Open source software with peer
review, which is understandable but a very serious mistake to make.
If you suggest that peer review is a religious matter, I think you're
making an even bigger mistake. Do you realize that there has been *no*
peer review - even by funders of the tool? None. Zero. This is changing
now and that is because of my peer review of their claims. I have even
offered to help them and have given them a large amount of time in the
last six months because I want them to improve.
The fact that they are closed source presents them with a serious
problem and I'd love to hear your suggestions for a solution with it. It
appears that some governments, such as Syria and likely China release
backdoored versions of software. I have some samples of a common tool
which appear to have such a backdoor. AV software sometimes
automatically classifies Ultrasurf as malware. This is usually a
mistake. However - what happens when it actually includes malware *and*
it actually has something wrong with it? Say because it has been
tampered with in transit or an attacker, such as the Chinese, compromises
the download servers?
One solution is to offer source code and for trusted users in a
community to review them, and to ensure that any changes make sense or
fit with the established norms of the system. It's also possible to look
at copies of the program in every Linux distribution, every released
copy on software mirrors and other places to compare with the expected
result.
Another solution is to offer digital signatures - this is something that
is now happening because of my report. The downside is that China and
the Stuxnet authors both clearly have the ability to falsify the
digital signature method selected by Ultrasurf.
So - again, we see no peer review and no safe method of verification.
I'd love to see you solve those problems and while Open and Free
software doesn't solve it all, I think it gets us a lot closer.
So do please offer suggestions and try not to punt.
>
> In other words, when a person who runs a competing open-source
> software solution, who has his reputation largely wrapped in it, goes
> and publicly attacks a proprietary software solution as inferior and
> even harmful, and attacks a software used by a government that has
> him under investigation, it's ok to question where he is going with
> this.
>
The facts stand for themselves. You're unable to evaluate those facts
and as a result, you simply, as usual, attack me. I mean, you're
welcome, I think the solution to "bad" speech is more speech.
> There is the added dimension of the pornography issue -- Appelbaum's
> slam on Ultrasurf for blocking porn distracts from the fact that Tor
> is notoriously used for viewing pornography, including illegal child
> pornography.
Do you have proof that Ultrasurf blocks Child Porn, Catherine? I suspect
the answer is no - which, well, I think that's because the answer is no.
The fact of the matter is that they block access to legal US
enterprises. I think that government funded services have a duty of care
not to restrict access to legal US businesses - this is why I am against
Amtrak censoring the internet - don't censor with public money.
In any case - just to settle this issue - members of police forces
around the world use Tor, as does the Internet Watch Foundation, to hunt
for Child Porn - they need anonymity, so that they can find the bad guys.
Do you have another suggestion for an anonymity solution that is good
enough for the Internet Watch Foundation to catch sexual predators? I
bet they'd love to hear it and most of all, I'm certain this list would
be interested in such a solution.
Frankly, I think that the good outweighs the bad in this case and I'd
encourage you to admit that you don't actually know the whole story.
> And there's the fact that Appelbaum has published his
> critique just as yet another criminal case involving the use of Tor
> for illegal drug sales is being publicized:
>
> http://www.justice.gov/usao/cac/Pressroom/2012/045.html
I had no knowledge of this press release from the Justice department nor
would anyone else, I imagine. It's pretty ridiculous to suggest that I
timed the release of my report in response to that DoJ press release.
When I met them in December, we agreed upon a ninety day time frame for
release of the report. The report was originally scheduled for release a
month ago but Ultrasurf asked for more time. I planned the release for
Monday the 16th of April as a firm deadline and they were well aware of
it before publication.
>
> There is no reason to take his concerns public, as the notion that
> "users need to be warned" isn't sufficient, as most users couldn't
> read a blog in English anyway, and most users don't care about
> anonymity, which they lost to their ISP anyway. They care about
> trying to access blocked sites, and perfection in this effort isn't
> required.
I disagree with you very strongly and many others in the computer
security field, as well as other fields, believe that sunlight is a good
way to solve problems.
This report, as I understand it, has been or will be translated into other
languages for the benefit of non-English speaking users.
I think you may be right about "most users don't care about anonymity"
but I'd like you to tell us all - if you claim as a human rights worker
that you won't disclose a report but you actually do disclose it against
their wishes - have you done something wrong? Is honesty in
advertisement important? I think it is very important and as long as
they claim to be anonymous and an anonymity service, I'd ask you to
consider what you're claiming to be irrelevant. The issue is that they
_claim_ to be an anonymity service - it has nothing to do with your
projections of a user, which are speculative at best.
>
> So this report seems a hostile, politically-motivated attack on his
> part.
>
Only if you disregard the fact that I have worked closely with them
until I felt they were stalling me and not fixing issues that needed to
be fixed. They sure are working hard to fix those issues now - after
nearly four months of dragging their feet - I think that's a good thing.
> What's important in the fight for Internet freedom are the following
> principles of non-coercion:
>
> o no one should be forced or brow-beaten into using open-source
> software; proprietary software is ok to use. If your opensource
> software is demonstrably better, it will sell itself without you
> having to artificially level the playing field with constant
> ideological attacks
We disagree about Free Software in this field and that is OK. In the
area of anonymity and security, I think that we must have tools that
regardless of their license, are open for review and verification. That
is why Free and Open source software is on the table. It makes it easier
and frankly, possible, to review claims.
I'm not forcing or brow-beating anyone. I presented a paper with some
serious concerns, I worked with Ultrasurf to correct a number of the
most serious, and I have encouraged further third party review to
improve their system.
If that's brow-beating - what is your email where you directly attack
me? It seems a bit duplicitous at the very least and it reeks of
political attacks against me for my associations that you despise.
>
> o no one who produces proprietary software solutions should be
> bullied into having to discuss their flaws openly or be forcibly
> outed as to their flaws;
You keep saying that I'm a bully but you fail to acknowledge that I
worked with Ultrasurf, flying to another state to meet with them,
disclosing the report to them privately and so on.
There was no bullying.
> it merely helps give ideas to authoritarian
> governments and doesn't really help users.
>
Do you have evidence for your assertion here? I'm guessing "no" but I'd
like to know. Yes? No?
> o if you don't like proprietary software, you don't have to wage a
> jihad against it, you can make your own opensource software that is
> supposedly better
>
It's not hard to do that and many people have done so.
> o pluralism is the best defense against authoritarianism, not
> everyone being forced to go to "the best" circumvention tool or "the
> ISP that secures your privacy". It's precisely when the market is
> open with a variety of options that authoritarianism is undermined
>
It's nice that we actually, for once, agree. Pluralism in design choices
is absolutely required. It is an example of how a free market may work
in a practical sense and I support that concept entirely.
Security researchers who test claims are serving as a correction to
overvalued ideas or solutions in the market.
> o software does not have to be perfect to largely achieve its goal --
> 1/99 binary thinking is a killer of freedom
There is no perfect software but there are those who claim perfection
without acknowledging their imperfections. That is a real problem.
>
> o people have the right to be wrong about software -- an open society
> requires that right to be wrong and to float contrary hypotheses even
> if they are incorrect, politically or otherwise
>
I agree. I also have the right to show the world that there is something
wrong with that very software.
> o you don't have to be technically capable to criticize software that
> profoundly influences all of us as we increasingly move our lives on
> line.
>
You're right - you don't have to be literate in a field of specific
interest to criticize it. However, it sure would help if you
acknowledged that Ultrasurf's designated enemy is however quite literate
on the subject matter.
Today someone pointed me at this report authored by an academic in China:
https://www.scribd.com/doc/90338145/UltraSurf-analysis-by-Zhang-Lei-in-Chinese
> My thoughts:
>
>
> http://3dblogger.typepad.com/wired_state/2012/04/jacob-appelbaums-obfuscation-about-circumvention.html
>
Thanks for your thoughts - I hope you'll address each of my points and
try to be constructive.
It's been a pleasure,
Jacob