Some follow-up to the inquiry I started with this post on the odd goings-on with Snowden's PGP keys, such as they are.
The discussion continued on this page of search results in a key-mining exercise.
Twitter Inanities
Last night there was a flurry of posts and Twit-fighting on this subject sparked by @streetwiseprof (Craig Pirrong), a controversial finance professor now in the midst of a scandal that seems manufactured by the New York Times for its own agenda, and @libertylynx, a pseudonymous gadfly whom I've long blocked (along with @streetwiseprof now) for "invalid interlocutor" behaviour. In a series of tweets, LL wanted to make sure I knew about the suspicions surrounding a Dutch cybersecurity expert. Why does the company supposedly "continually go after RSA" but not Kaspersky, do you think? Those were her words.
Yes, I get all this. Sure, they both write useful things on the Snowden case, and I used to happily consult with them openly on this story, as there is something to be said for "crowd-sourcing" of a defined sort, two heads are better than one, etc. The problem in dealing with these two libertarians is that they tend to take extreme views and heckle and vilify anyone who steps out of their ideological zone. Then when you try to call them out on these nasty tactics, they accuse you of projection, bullying, and so it goes in the usual boring Internet forums way -- it's not worth belabouring.
A very typical example of what I mean unrelated to me is the blast by @streetwiseprof of someone as an "idiot" because they took the completely mainstream view that a minimum wage is a requirement for a liberal society. I'm aware that there are different viewpoints about the minimum wage, social democrats in Germany thinking that increasing it helps business and capitalism, libertarians like Pirrong thinking it harms capitalism and the state should completely get out of the way of relations between workers and employers. It doesn't matter now for this conversation, but my point is that both @streetwiseprof and @libertylynx take vehement and often hostile views and can be hard to deal with -- you don't need me to prove this, it isn't only in regards to me, just look at their timelines.
A number of people see this and simply quietly withdraw, but these two don't seem to concede how they are viewed in the community of Russia-watchers and blocked by others, too; instead, their response to call-outs of their belligerence is to say "no, you" and accuse me of bullying and -- the classic teenage Internet put-down -- to "get help" etc. Tiresome -- so let me focus on the issue at hand.
Is All Work with Russia Tainted by the FSB?
@Libertylynx essentially had two points to make: a) because I've blocked her I've missed the all-important news (so they thought) that the person under study -- Ron Prins -- works with Russia and seems uncritical of Kaspersky and that opens up suspicion of him re: the Snowden affair (especially if he shows up in the keys) and b) there is a mistake in my post yesterday (which she mischaracterized as being "full of errors"). But I already knew about the Russian/Kaspersky issues, they are not somehow a secret, and the challenge is somehow to explicate them meaningfully.
Corrected Mistake
The mistake on my post (the only one I'm aware of) is obvious and easy to fix which is that Ron wrote "[email protected]" not "[email protected]" -- but it amounts to the same thing. The addresses sound fake and appear to be fake, unrelated to the real National Security Agency. That is, nsa.org is for sale, the nsa.org website offers this gag mailing address for a mere $159 a year, what a bargain! -- and doesn't seem to be a real address so it is a real address, just not the National Security Agency. It hardly seems likely that the real NSA would have a funny handle like "Crypto Ron" also the same name as a well-known cybersecurity researcher who has been in business since 1999 -- but it may be related to an NSA site for kids or something like that.
Der, I get it that if [email protected] doesn't return a bounced email, that may not mean anything because 1) bounced mails can take a while or 2) the NSA may have a policy of not returning bounced emails but instead hanging on to them to see what's what. It seems like the kind of place that would do that : ) It doesn't matter. The point is simple: these addresses sound fake and likely are. A simple thing to do in cases like this is to leave a comment on my blog with the correction but naturally anonymous people, even those using proxies, fear leaving URL trails and fear accountability for comments they can't delete.
None of these Addresses for Ed Are Likely Valid
More to the point -- and I thought this was so obvious that it didn't bear mentioning -- one address for Ed is ridiculous -- [email protected] -- because lavabit email service was long ago shut down -- the owner himself shut it down when the FBI came calling months ago looking for Ed's email. This was a whole drama of its own that has been well-covered so I thought it went without saying. There'd be no way that Ed could still be using that address, which, even if somehow lavabit.com's email was put working again with the feds now watching it, would be glowing and radioactive.
The page shows the revocation of keys related to Booz, Allen -- again, obviously, Ed isn't using that email anymore and it was discontinued. That leaves the hushmail address, and maybe he is using that, but given that it has been publicized, likely he isn't. But maybe it's "good enough" if you use PGP with it.
PGP Key Publication System Can Be Manipulated
Again, I'm not an expert on PGP and cybersecurity -- I just ask a lot of questions when I detect bullshit and agendas, and try to understand.
Given what we know about PGP --- a) that it can be deliberately invaded by people who "infect" it to sow distrust or to grief and that b) people mining the keys are outing what some view as privacy and that may cause a further drive toward obfuscation by some -- we can't ever assume that these types of revelations appearing on Cryptome are authentic. Maybe they are, maybe they aren't. As this post explains:
Finally, there seems to be some amazing misconceptions about keyservers, keys and the web of trust. In particular this http://cryptome.org/2013/07/mining-pgp-keyservers.htm circulated recently and it pained me to see because it suggested various reckless conclusions that were dangerously off the mark[0] (and used pgp.mit.edu, hah). While it is true that we've jokingly called the OpenPGP web of trust "the original social network" because of the exposed social relational graphing that can be done by querying keyservers, and it is for this reason that many activists I know do not want to have signatures uploaded to keyservers (and instead use the bulky local-only signature work-around)...
... but for some reason people seem to think that if it is on a keyserver, is true, or it means something that it doesn't. People don't realize critical things, such as the fact that I can create a key with the UID Nadim Kobeissi and upload it to the keyservers[1]. That doesn't mean that is the real Nadim's key (this is what exchanging key fingerprints and doing certifications is for, so you can know, with a certain degree of certainty, that this person is the person who controls that secret key material).
Except that...geeks don't follow their own discovered best practices and keys continued to be posted in the open and continued to be mined with benefit, including on Snowden, Greenwald, Poitras and Appelbaum.
If you don't have a previous relationship with someone and can't meet them in real life to exchange keys, and you don't want to risk "bare-backing on the Internet and riding with the NSA" as Appelbaum puts it, using regular email, then you have no choice but to post to public key-servers evidently. So maybe this page is Ron Prins' way of simply trying to check in and see what he can find or get out of trying to communicate with Snowden.
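To make the quoted point about user IDs concrete, here is an added example (not part of the original post or of the quoted message) that computes OpenPGP version 4 fingerprints for two keys carrying the same user ID and accepts only the one whose fingerprint matches a value exchanged out of band. The user ID, the key material and all function names are constructed for illustration; the "moduli" are deterministic stand-ins, not usable RSA keys.

```python
import hashlib
import hmac
import struct

def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Version 4 public-key packet body: version, creation time, algorithm 1 (RSA), n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, 2-byte body length, packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def constructed_modulus(seed: bytes) -> int:
    """Deterministic 2048-bit stand-in for an RSA modulus (constructed, not a usable key)."""
    return int.from_bytes(hashlib.sha256(seed).digest() * 8, "big") | (1 << 2047) | 1

def matching_keys(results: list, trusted_fingerprint: str) -> list:
    """Keep only keys whose fingerprint equals the one exchanged out of band.

    The user ID is never consulted: it is free text chosen by whoever made the key.
    """
    wanted = "".join(trusted_fingerprint.split()).upper()
    return [k for k in results if hmac.compare_digest(v4_fingerprint(k["body"]), wanted)]

# Constructed keyserver results: two keys carrying the same user ID.
UID = "Alice Example <alice@example.org>"
GENUINE = {"uid": UID, "body": rsa_public_key_body(1372636800, constructed_modulus(b"alice"), 65537)}
LOOKALIKE = {"uid": UID, "body": rsa_public_key_body(1372723200, constructed_modulus(b"someone else"), 65537)}
SEARCH_RESULTS = [LOOKALIKE, GENUINE]

def spaced(fpr: str) -> str:
    """Format a fingerprint in groups of four, as it is usually read out or printed."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))

# Stands in for the fingerprint Alice handed over in person (assumption of this example).
TRUSTED = spaced(v4_fingerprint(GENUINE["body"]))

if __name__ == "__main__":
    for key in SEARCH_RESULTS:
        print(key["uid"], spaced(v4_fingerprint(key["body"])))
    print("accepted:", len(matching_keys(SEARCH_RESULTS, TRUSTED)), "of", len(SEARCH_RESULTS))
```

A search by name or e-mail address returns both keys; only the comparison against the independently obtained fingerprint separates them.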
Jacob's Many-Coloured Enemies
This interesting article mounting a theory of how Jacob Appelbaum's enemies aren't only the US government but a whole host of other players gives us a glimpse into the murky world of cybersecurity and cyberwar. I don't follow cybersecurity regarding malware and exploits etc much because a lot of that either seems to be Russian government cyberwarfare against the West, or the spite of Russian geeks simply screwing with the world, or for financial gain. The political activities are more interesting to me than the chaos or commercial activities, but obviously, they all intertwine. I've had the impression especially since Snowden that some of the cybersecurity gurus -- Bruce Schneier is an obvious one, Mikko another -- are devoted more to the cybersecurity of their guild of people and their select clients than they are to notions like "governments" or "corporations" that they don't feel any particularly ideological loyalty to.
In any event, what stands out with the "Enemy of the Cyberstate" piece is that lots of people want what is in Appelbaum's apartment or on his USB sticks or in his back pocket. Terrorists, among them. (Imagine, the spectacle of CIA agents following Appelbaum protectively because they are worried that something worse than them will get him.) But also just commercial cybersecurity firms that would love to be able to sell the service of protecting against Snowden or finding out more about Snowden for any interested customers of any type. Do we have any doubt that there are legions of consultants now selling "Snow Shovels" and "Anti-Freeze" packages to prevent future Snowies?
But...You Have to Show Your Work
The thesis of @LibertyLynx, who follows Russia, cybercrime, international finance etc. is that Prins' firm Fox-IT is somehow cooperative with Kaspersky uncritically -- which is tantamount to cooperation with the Kremlin -- and that somehow it is "soft" on Kaspersky criticism and only goes after RSA (and who doesn't, these days -- oh, well, 98% of the attendees of their conference at least didn't think they had to boycott it, but...)
Well, here's the thing. When you make insinuations like this, as a friend has put it very well, you have to "show your work." You have to show the connections and links of how you got to this premise and justify it with more than a hunch.
I think this is particularly important given that quite a few people in the Russian field (who are critical of the Kremlin) have a hunch that Snowden works with the Kremlin, but Greenwald and the rest of Team Snowden refuse to accept well-informed hunches from area studies experts. Our hunches aren't mere Cold War whims -- they are related to real chapters and verses of how you come and go from this country and the strange ease with which the WikiLeaks gang does this. And surely at the end of the day, our well-informed hunches about the Kremlin and Snowden are at least as valid if not more than his built-in conviction that the US government always and everywhere does evil. No matter. It's still good to try to show your work.
Kaspersky's Ties to Russian Intelligence
My diagnosis of Prins yesterday is that he works with Russia on cybercrime because, well, that's where the cybercrime is and he's in that business. He is a typical Dutch lefty who is droll about Americans and is happy to take a poke at those he thinks are gullible, and he's happy to golf-clap if the NSA's servers are DDoS'd. But it's quite a leap from that to saying that he colludes with the Kremlin.
First, as to Kaspersky himself. Noah Shachtman then at Wired produced an article very widely-read in the community in 2012 that probably caused a fair number of people to discontinue their Kaspersky subscriptions. I know I did -- not the least because they had coercively automatically re-subscribed and debited a credit card as an opt-out choice rather than opt-in, something I hate, and something they didn't use to do. I used to have Kaspersky years ago when I thought that the best company to fight Russian malware was a Russian company, back in the 1990s. They had a very satisfying bug-squishing animation, too. But then I changed to AVG after Putin, reasoning that a Czech firm would be both good at getting Russian malware but not as vulnerable to the Kremlin. Then I got back to Kaspersky again merely because it came on a new computer or something.
The article naturally provoked great indignation from Kaspersky himself and the tech press which tilts toward anti-government sentiment dutifully recorded this as did Citizens' Lab in Toronto; Kaspersky said he was "like Indiana Jones." Oh, I don't know. I don't believe that. But Kaspersky himself has had his own troubles with the government -- unless, of course, he put out those stories to gain street cred. No one in cybersecurity in Russia could avoid dealing with the FSB just like many in cybersecurity in the US could avoid dealing with the NSA. They are not morally equivalent.
Dutch Stand up to Russians
But let's try to parse what all this means for the sake of the Snowden keys' context. Fox-IT does business with the Dutch government; the Dutch, in case you haven't followed them, are no Kremlin patsies. They stood up to the Russians over their Arctic 30 members and the Arctic 30 ship itself was sailing under the Dutch flag. The Dutch persisted despite having their ambassador roughed up. I've found the Netherlands over the years much better than some of the other West Europeans in standing up to Moscow on human rights concerns. Naturally, there are also quite a few apologists for the Kremlin as in any European country. But it's not a default. My point is that this company couldn't do all the business with the Dutch government it does and be craven with Moscow -- it wouldn't be prudent.
Cybersecurity is a Business
Next, if Kaspersky was really such a colleague, they might not make much of finding an exploit in Fox-IT's own product. Yet they blocked the exploit in their colleague's product and consumers even bitched about it. Krebs reported the exploit in a PDF reader found by an Italian researcher; Fox-IT reported on the KINS malware, which was anti-Kaspersky. I mean, even if it supposedly cooperates with the Kremlin, and then others cooperate with it for the sake of collegial industry ties, it doesn't mean they don't catch the right people. Fox-IT fixed their vulnerability. Here, Kaspersky uncovered malware against South Korea. Life goes on in this business.
Cybersecurity is at the end of the day a profitable business. If you only played to one side, you might not earn credibility to get customers.
To be sure, I totally get it that if Kaspersky is the one that discovered Stuxnet, which ran smack against American interests as they are the ones to have planted it in the Iranian atomic industry, and that surely aligns with Russian government interests, that makes them appear a tool of the Kremlin. But plenty of people don't like Stuxnet without being Kremlin tools. I can't justify cyberwarfare in this fashion myself if I advocate against sabotage as a method in general. The problem is that in a less-than-ideal world, if you would rather not have actual "kinetic" war, as the wonks term it, then you'll have to accept cyberwarfare as a less bloody alternative, and that means Stuxnet. The problem is that Stuxnet then caused reputational damage when inevitably discovered, and then spread and complicated other systems not targeted. It's surely a debatable topic.
Ideological Tests
The moral of the story is -- show your work, as our math teachers used to say. Putin and the Kremlin regulars are certifiably bad people. Kaspersky deals with them and the FSB and is therefore rightfully questioned, but then, so does every big Russian business. Western companies deal with this bad government and possibly tainted businesses and that makes them suspect. But maybe they are just doing business, maybe it is credible, and maybe you need more proof before making allegations.
A proof that @LibertyLynx very often demands of the targets of her anti-Kremlin ire is that they line up with us and affirm the Magnitsky Act, denounce the jailing and killing of journalists and human rights activists, and condemn the "foreign agents" act and Russian anti-Internet freedom legislation.
But the problem with demanding this loyalty test is that it sounds just like something the KGB would do. Jacob Appelbaum does not acquire legitimacy for me if he suddenly learns how to mouth at a conference that oh, isn't it terrible that Pussy Riot was jailed; Jillian York doesn't acquire legitimacy by admitting that yes, the Russians passed some restrictive Internet legislation; that is, demanding ideological assent like this is coercive in just the way the Bolsheviks themselves are, and accepting it as proof of now "correctness" is not persuasive. I just don't expect people who don't share my views and my interest in Russia to get up and espouse the same human rights doctrines as I do, and trying to get them to utter them is not proof of their balance, anyway. What's more important is whether they collude with the Kremlin in doing something like denouncing Pussy Riot.