I spent this past Tuesday in the conference room of a hotel in the San Francisco area, talking for ten hours about internet security, literally until my voice gave out. My audience was a dozen or so political activists from a nation with a tough track record on human rights and free speech issues. They're a wonderful group of people - technology experts and business people proud of their nation and culture, working hard to ensure that friends and colleagues in their homeland can communicate, organize and report despite the efforts of a government willing to use a heavy hand to prevent the voicing of dissent.
My co-presenter was Roger Dingledine, cryptographer, security researcher, developer of Tor, and all-around great guy. Roger took a day off from coding, teaching and hanging out with military spooks to spend time with dissidents because he's fascinated by the ways his tools are being used.
"I developed Tor for myself," he tells us, "because I wanted to prevent myself from leaving traces in thousands of marketers' databases. We knew that Tor would attract a lot of different groups who want anonymity - individuals, companies, governments - and that's been part of the design from the beginning, but I'm still surprised at how many people around the world are using it to get around censorship."
Indeed, Tor is a hugely useful tool for people in China trying to evade the Great Firewall, or for people trying to publish online under a persistent, untraceable pseudonym. Roger was interested in meeting a group of dissidents to understand what their needs are and how future versions of Tor could be more useful in enabling access to information and free speech in repressive nations.
The session was a real education for both of us. I've given three of these workshops in the past year, but this was the first with attendees all focused on the same nation, facing the same constellation of problems. We outlined many of the topics covered in the Secure NGO in a Box CD-ROM (which we may need to translate into the native language of this country - more on NGO in a Box here), covering disk wiping (Eraser), encrypted storage (BestCrypt), password management (Password Safe), as well as topics I covered in a training with Nart Villeneuve earlier this year: web filtering, filter circumvention using open and anonymized proxies, and secure publishing. Roger gave a great overview of the state of the art in cryptography, a detailed introduction to Tor and future directions for development, and an introduction to secure messaging through Off the Record Messaging.
But neither he nor I was expecting some of the questions we got or the scenarios we were presented with. After a discussion of Skype (which I recommended because of concerns about keystroke logging, and about which Roger outlined some of the relevant security concerns), one of our attendees told us a story about Skype:
"We've had two dissidents arrested because of Skype. In one case, the police broke into his house, took his laptop and looked at his contacts list and list of calls made. Because it included the names of known activists, they arrested and detained him. In another case, I was talking with a dissident - the police were sitting two houses away, listening with a parabolic microphone. They couldn't hear me, but they heard his side of the conversation and arrested him."
As Roger put it to me after the workshop, "We've got to adjust some of our threat models." In other words: internet cryptographers aren't generally worried about parabolic microphones. They're trying to enable secure transmissions in an insecure medium - the Internet - and generally assume that the people using their tools have control over their computers and the environments they're using them in. Put differently, while security researchers talk a lot about "Alice" and "Bob", those crazy kids trying to send messages to each other without eavesdropper "Eve" listening in, we rarely consider secret policeman "Sam" arresting Alice and breaking her fingers until she caves and gives up her contact list. And if you want these tools to work in the real world, those are the sorts of concerns you have to take very seriously.
In the nation our friends work in, a common police tactic is to seize a dissident's laptop and copy all the files from the hard drive. Our friends believe that the police then install a software keylogger and return the laptop to where it was taken from. They wait a few days for the dissident to enter the appropriate passwords, reclaim the computer, download the data and decrypt the files. Then they confront the dissident with sheaves of printouts demonstrating her anti-government treachery.
The sort of tools we're experienced with aren't especially helpful in these scenarios. I started recommending boot passwords set in the BIOS - Roger helpfully pointed out that this just locks the motherboard and encourages the thugs to remove the hard drive. Encrypted storage and using PGP to protect email both fail if the passwords are compromised. (Yes, one solution is to use PGP and carry your private keys with you wherever you go. I don't do that, and I suspect very few people are that smart and paranoid.) We found ourselves confronting questions about "browser hygiene" that I hadn't thought through before - when I tell Firefox to "Clear Private Data", does it just delete the cache and history files, or does it wipe them, as we're advocating our friends do…?
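The delete-versus-wipe question is the one point here that can be shown concretely in code. The script below is an added example, not from this post and not the code of any tool it mentions (Eraser, Firefox): it writes a constructed contact list to a temporary file, shows that a plain delete only removes the name (the bytes remain readable through a handle that was open across the unlink, which is POSIX behaviour), and then wipes a second copy by overwriting it in place, verifying the overwrite before unlinking. The file names, sample data and pass count are assumptions made for the example.

```python
import os
import secrets
import shutil
import tempfile

# Added example, not from the post: what "delete" leaves behind versus what
# "wipe" does. Assumes a filesystem that rewrites blocks in place (see the
# caveat in wipe_file's docstring).


def _overwrite(fh, size: int, pattern_fn, chunk: int) -> None:
    """Write one full pass over the open file using bytes from pattern_fn(n)."""
    fh.seek(0)
    remaining = size
    while remaining > 0:
        n = min(chunk, remaining)
        fh.write(pattern_fn(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())  # push the pass to the device, not just the page cache


def wipe_file(path: str, random_passes: int = 2, chunk: int = 64 * 1024) -> dict:
    """Overwrite every byte of the file (random passes, then zeros), read the
    final pass back to verify it, and only then unlink the file.

    Caveat (assumption, not from the post): this reliably destroys the old
    bytes only on filesystems that rewrite blocks in place. Journaling and
    copy-on-write filesystems and SSD wear-levelling can keep old blocks
    elsewhere, so full-disk encryption is the robust mitigation; this only
    closes the gap a plain delete leaves.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(random_passes):
            _overwrite(fh, size, secrets.token_bytes, chunk)
        # Final pass is zeros so the freed blocks do not stand out as a blob of entropy.
        _overwrite(fh, size, lambda n: b"\x00" * n, chunk)
        fh.seek(0)
        if fh.read() != b"\x00" * size:
            raise RuntimeError("overwrite verification failed")
        fh.truncate(0)
    os.remove(path)
    return {"bytes_overwritten": size, "passes": random_passes + 1}


def plain_delete_keeps_bytes(path: str) -> bool:
    """Unlink only removes the directory entry. A handle held open across the
    unlink (standing in for the still-allocated data blocks) can read every
    byte afterwards. POSIX behaviour; on Windows the unlink of an open file
    raises PermissionError instead, which is reported as False here."""
    with open(path, "rb") as fh:
        try:
            os.remove(path)
        except PermissionError:
            return False
        return len(fh.read()) > 0


def demo() -> dict:
    """Constructed scenario: a contact list saved to disk, then removed both ways."""
    contacts = b"alice, bob, carol\n" * 50  # constructed sample data, 900 bytes
    tmpdir = tempfile.mkdtemp()
    plain_path = os.path.join(tmpdir, "contacts-deleted.txt")
    wiped_path = os.path.join(tmpdir, "contacts-wiped.txt")
    for p in (plain_path, wiped_path):
        with open(p, "wb") as fh:
            fh.write(contacts)
    result = {
        "posix": os.name == "posix",
        "plain_delete_readable_after_unlink": plain_delete_keeps_bytes(plain_path),
        "wipe": wipe_file(wiped_path),
        "wiped_file_gone": not os.path.exists(wiped_path),
    }
    shutil.rmtree(tmpdir, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(demo())
```

The read-back after the zero pass is the part worth copying into any wiping routine: a wipe that is not verified is just a delete with extra steps. The docstring caveat is the practical limit of the whole approach; on modern copy-on-write filesystems and SSDs, encrypting the disk and discarding the key is the reliable way to make files unrecoverable.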
An excerpt from an email Roger sent to some of our friends gives a sense of some of the problems and solutions he and I are now trying to wrestle with.
2) Using Skype - with voice, not text - is probably your best option right now. You'll still be vulnerable to real-world attacks (like somebody in the room listening to you), but the software itself should be pretty safe. (It's also possible that they replaced your Skype binary with one that the authorities can tap. This seems hard to me…)
3) Wait a few weeks for Ethan to check out Off-The-Record Messaging, and hopefully he'll write up a short how-to with recommendations. I haven't used it much myself, so I don't have a good sense of how usable it is for ordinary people. I just know that it provides smarter security properties than PGP for your situation.
4) Tor will be helpful right now in getting around filtering. If you encourage ordinary people to use it just for bypassing the filtering, then it won't be so bad to be found with the Tor client installed. Also, remember my discussion of the diversity of current Tor users - if you get your local businesses using it for better security on the Internet, that could make it even more socially acceptable. Please let me know if you have any further questions about Tor - it might also be smart to translate the Tor GUI (called Vidalia) and/or some basic instructions.
5) Even though I'm not entirely happy with Torpark, it's probably your best option for now as a Tor client in an Internet cafe, since you don't need to install Tor on the computer…
6) The crypto is not your weakest link. The security of your local computer is much more critical, and much more at risk. Probably the most important part of my "crypto" slides were the quotes about how easy it is to think that crypto is going to completely solve your problem. But the other side of the coin is that one of your top priorities has to be to figure out how to maintain the physical security of your computers, so you can trust what they're running. Which leads to:
7) If you buy new laptops, consider buying Apples - not only because they are better at not getting spyware installed as you browse the Internet, but also because your attackers may not be as familiar with them. (The same goes for Linux laptops, but only if your users are prepared to figure out how to use them - Linux is easy if there are other Linux users around, but hard if you're the only person in the city using it.)
I suspect Roger and I will both get smarter about several topics - keystroke logging, secure messaging, the difficulty of modifying the Skype binary, filesystems encrypted with graphical passwords - as we work with our friends over the next few months. But it's worth noting that we wouldn't be thinking about these problems if we hadn't had the chance to talk with folks working on the front lines. Tools like Martus - which allows human rights organizations to encrypt and store offsite reports about rights violations - only get developed when smart geeks start working closely with human rights workers. Occasionally, we get lucky and a tool for anonymous browsing turns out to be a boon for circumventing censorship… but that's the exception, not the rule.
To a certain extent, this is the problem I was trying to solve with Geekcorps - I wanted to get software developers interested in problems in the developing world and see what solutions they could come up with in conjunction with African and Asian geeks. I don't know that I can put cryptographers on airplanes to repressive nations and ask them to get smart about real-world security problems and strategies, but it's a strategy worth thinking about.
Unfortunately, most of the time, the people who are really smart about computer security are remarkably stupid about users. PGP's key-signing mechanisms and distributed network of trust are a solution that only a geek could love. Try explaining "transitive trust" to human rights activists who work from cybercafes, don't own their own computers, and are listening to you in their third language - you'll figure out pretty quickly why activists who know they're being watched use Yahoo! Mail rather than the PGP system you've spent a day training them on. Solutions like Hushmail are steps in the right direction, but tools need to be as easy as comparable tools… which is why I spent a lot of time pushing people towards the https interface to Gmail as a great first step in increasing their security.
We need a lot more contact between the activists and the geeks to design the tools we really need. We need more folks like Roger to take days from their schedule, get on airplanes and explain what they can and can't do. We need more activists to give us feedback on what their problems really are. We need folks like "Sleepless in Sudan" to help document how they stayed invisible, and friends like Alaa to explain why they've elected to be visible despite real and present danger.
And finally, we need to understand that every tool we build has multiple uses. The fine folks at Blazing Tools may feel like they're doing the world a service when they introduce the "Perfect Keylogger" to catch cheating spouses or protect their children from Republican congressmen - would they feel as good if they learned their tools were imprisoning dissidents? I fear that for every Tor - a tool that's proved useful in far more ways than might have been imagined - there are other tools that turn out to have dark uses we haven't yet considered.
An interesting commentary, Ethan.
The point about encouraging the wider acceptance of useful tools is worth remarking on.
This can have a downside as well, since your audience is considering tools that the criminal element also find of use. This further blurs the line between the true criminal and the merely dissident, which is surely a goal of any repressive authority?
Clumsily put, my point is that removing the need for secrecy (which is, I presume, what your audience would like to achieve) would also bring into relief the other activities that thrive on it. Conversely, an authority which represses, and which therefore triggers the sort of secret irrepressibility your audience is involved in, is also encouraging an environment where crime can flourish.
The problem of getting caught with incriminating info on your computer can perhaps be countered by not storing it there: put it on the network somewhere - I'm thinking of Amazon's S3 or EC2 services (though they cost), or even .Mac's iDisk. Authorities want your username/password? Set up a second account with only innocent info on it and give them THAT password when they ask. Or perhaps some version of Freenet could be used to turn the network into the storage medium.
Wow, thanks for the information and a very informative article.
I am thinking of installing Tor on my computer. I have absolutely nothing to hide but I might just do it for personal privacy and protection. If I did install it and the Government (UK) found out, what would happen to me?
Hundreds of thousands of people use Tor every day. Most are using it to prevent their surfing from being recorded in commercial databases because they don't want to receive targeted advertising or have their movements tracked. Very few people are using it in the way I'm describing here... though it's very important that the tool be available for both purposes. What will happen to you if you use it in the UK? Nothing at all - there are tens of thousands of other users in the UK and there's certainly nothing that would legally prevent you from routing your net surfing through other computers that allow you to access them in that way.
Thanks very much Ethan :)