Archive for August 2nd, 2012
Chimps With Guns and The Bloggers Who Give Them Ammo: The Mysteries of Crypto and Privacy Elude Many
Out of the Mouth of the Ill Informed and Lacking Perspective….
Once again Quinn Norton takes on a subject not so much as a reporter, but as a pom-pom cheerleader for notions she has little claim to comprehending, only to espouse them on wired.com as fact. Of course, when questioned on the validity of the ideals she spews onto the internet and the reporting she has done, she once again looks hurt and demands a retraction of sorts from the author. Well, now it’s my turn to put my two cents in and jerk another jewel-like tear from her eye. The story this time concerns “Cryptocat”, an ostensibly download-free service for chatting online with people in an encrypted session.
Now, this would all be grand and wonderful if the chat program/session/technology were in fact bulletproof. However, as Quinn fails to understand, there are problems with the implementation that have been raised by others, and there are valid arguments that the system is indeed subvertible with the right attacks against it. Another failure on Quinn’s part is not understanding that the end point (i.e. the end user’s machine) may already be pre-pwn’ed, and thus your idea of having a “sekret chat” is, well, null and void.. But I digress. Quinn just doesn’t have the technical background, nor, it seems, the ability to think a bit laterally, while making dangerous statements about “overthrowing governments” with tools such as Cryptocat.
“This Cute Chat Site Could Save Your Life and Help Overthrow Your Government”
Really? You want to make this statement and get people to actually use a system that is as yet untested against attacks to overthrow governments or save lives? Wow, you really have no idea what you are talking about. The hubris of the quote/title alone is enough to send me into apoplectic fits of Tourette’s Syndrome. Then, today I see you in a tweetup about how you want the author of the paranoia article to apologize, or something along those lines, for calling you out in his piece? I really look forward to your reply to this, because I am going to tear this ideal down just like your slanted reporting on Anonymous and OWS. It seems you have a paradigm issue with reality, and you need to sit back a bit and listen to the community at large, who may know a bit more than you do.
It might save some lives in the end….
Crypto: A Munition Not Long Ago…
Crypto has been around since the dawn of time. As such, over time it has been used in many ways and in many implementations. Many of these uses, though, have revolved around war or espionage. Up until rather recently, the type of cryptographic schemes we are talking about with Cryptocat were in fact considered “munitions”, depending on their strength, here in the US and in other places. At the time of this writing it is no longer considered a munition per se; however, it is illegal to export some high-end types of crypto to nation states on the naughty list. This does not mean they don’t get their hands on the tech, but there is an attempt by governments everywhere to keep the crypto genie in the bottle to protect their own data.
In the case of Cryptocat, though, this is not a munition-strength solution and, due to its flaws, should never be considered a viable means to real privacy or security. In fact, if you really want to keep something secret, the only good way is a one-time pad, but even that can be subverted if the pad is stolen or replicated (as the Russians found out during the Cold War). So, suggesting that Cryptocat be used in any kind of serious situation other than maybe wanting a little privacy (i.e. nothing illegal, or perceived by anyone as being so) is just plain stupid as well as dangerous.
Crypto and its use by the masses is a convenience to secure their data from being stolen. Military-strength crypto is a different matter, and neither system usually comes in an easily accessible, no-install-required fashion. We have seen lately all of the attacks on the online forms of crypto, including CHAP this last week at Defcon 20. These systems will always be under attack, and at some point they may all be subverted. Hell, look at quantum crypto being broken! NOTHING IS A SURE THING, and we all need to understand the perils of what we do with such systems. So, once again I say that it takes a bit more forethought than just logging onto a site, or even downloading a plug-in for a browser, and believing the stories about its safety from pundits on Wired.
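As an added illustration (not from the original post) of why a “replicated” pad is fatal: this Python sketch shows a one-time pad working correctly with a fresh random pad, then shows that reusing the same pad lets an eavesdropper cancel the pad out entirely and, knowing or guessing one message, read the other. The two messages are constructed samples.

```python
import os

def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """XOR each plaintext byte with the matching pad byte. A real pad must be
    truly random, at least as long as the message, and used exactly once."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message")
    return bytes(p ^ k for p, k in zip(plaintext, pad))

otp_decrypt = otp_encrypt  # XOR is its own inverse

def reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """What an eavesdropper can compute when one pad protected two messages:
    ct1 XOR ct2 == pt1 XOR pt2, because the pad bytes cancel out."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))

def recover_other_message(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    """With the pad cancelled, knowing message 1 yields message 2 outright."""
    return bytes(x ^ k for x, k in zip(reuse_leak(ct1, ct2), known_pt1))

def demo() -> dict:
    # Constructed sample messages (second one is no longer than the first).
    msg1 = b"meet at the old bridge at midnight"
    msg2 = b"bring the documents, come alone"
    pad = os.urandom(len(msg1))

    # Proper use: one fresh pad, decryption round-trips and nothing leaks.
    ct1 = otp_encrypt(msg1, pad)
    roundtrip_ok = otp_decrypt(ct1, pad) == msg1

    # "Replicated" pad: the same pad is used for a second message.
    ct2 = otp_encrypt(msg2, pad)
    leaked = reuse_leak(ct1, ct2)                 # equals msg2 XOR msg1, pad-free
    recovered = recover_other_message(ct1, ct2, msg1)
    return {
        "roundtrip_ok": roundtrip_ok,
        "leak_is_pad_free": leaked == otp_encrypt(msg2, msg1),
        "recovered": recovered,
    }

if __name__ == "__main__":
    print(demo())
```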
Frankly, you’d be better served by just using TOR and going to the DARKNET and chatting on an IRC or chatroom.. It’d be safer.. Until you give up too much info about yourself….
Once Upon A Time, Spies Used Crypto and Tradecraft…
All of this technology, though, has always needed a means of being carried to the intended recipient. In the spy business this was handled by “tradecraft”. Tradecraft means the tricks for hiding things as well as the techniques for meeting in secret to pass information. In today’s internet world, the idea of a server or site that offers a “secret meeting space” is a bad one, because you are advertising it, thus making it a target, and you as well by proxy of using it. Instead I would put it to you that if you really care about privacy and you have something to convey to someone else secretly, you do so in a way that no one will ever know it happened in the first place.
Dead drops, chalk marks on fence posts, or even the ubiquitous X in tape on a window with a light shining on it (X-Files) are better than advertising that you are going to a place like Cryptocat to have a conversation with anyone. In fact, you have to tell the other person about the meeting to start with, and that provides intel to anyone looking to snoop on you anyway, because those unaware of tradecraft do it in the open. Even the “Illegals” who were caught here in the US a couple of years back were using tradecraft as well as crypto programs on laptops etc. to pass data and have conversations. In the end these were foiled as well (bad implementations of encrypted chat and bad habits with passwords), which only helped bring the Russian program down. These people were meeting at underpasses as well as doing drive-bys with vans hosting an ad hoc network via wifi.
So, when I look at this drivel on Wired about being safe and secure, lacking any real understanding of how security works, never mind cryptographic systems, I get a little peeved. You wanna play in the grown-up world? You need to learn how to play.
Geopolitics of The Internets and Civil War…
Today we are seeing great changes attempting to happen in the Middle East as well as all over the globe. We are also seeing the governments of the world attempt to keep their control over things by using technology as well. For every piece of technology someone like Moxie comes up with, someone else is going to come out with another piece that will subvert it. This is the nature of things today and, unfortunately, there are some governments out there who lack any kind of empathy for their citizens. In many cases, as we have seen in the Arab Spring and all that has come since its blooming, people have been killed or disappeared for speaking their minds. Syria is the latest, and we are seeing it live today. While the government tried to keep the people down and the nets dark, others tried to keep them open.
Anonymous and the movements against overzealous prosecution, as well as those advocating civil and privacy rights, are being watched and infiltrated as we speak. Technology is a means to an end; unfortunately, that technology can be subverted and used against those using it to protect themselves. One must know the technology and its problems before using it cognizantly. This, unfortunately, is not the case in what Quinn Norton is advocating and advertising on Wired with regard to Cryptocat, and I say this specifically about where she makes declamations about overthrowing governments with things like untested crypto schemes.
Doing so does a disservice to anyone looking to make a change.
Know Your Technology and Your Methods Before You Plan A Revolution…
In the end, I just wanted to point all of this out. The people who are in the know (cypherpunks) should be listened to. In Quinn’s case, she seems to have a distorted view that they are elitist and bad. Maybe they are elitist, maybe they are eggheads who can’t park a bicycle right; either way, they should be listened to and their counsel taken into account. Without comprehension of the technology you will fail in the end. As Quinn liked to point out in her piece on Wired, it was a “no install” program, and she seems bent on getting the “common man” to use it, which only really works if the masses need not comprehend how to install something on a computer. This too is a real disservice to everyone and a dangerous precedent.
I mean.. To drive a car you have to have a license.. So you want to load crypto and plan a revolution with unlicensed drivers?
If you are going to use Cryptocat just be aware of the limitations. If you want to just have a private chat with a friend go right ahead.. If you think you are the next Sabu or Che Guevara.. I’d think twice.