According to a new poll a majority of people think the “dark net” should be shut down. Given the non-stop negative press it receives and the constant whining from governments about the “dark net” this is no surprise. What people in Western countries don’t appreciate is just how important the “dark net” is to those living under repressive regimes. It is also an important place for journalists and whistle blowers. I’ll go even further and say that anonymous speech is a human right we all should be able to enjoy regardless of where we live. It seems to be a natural human instinct to fear and attack what we cannot control and do not understand. I suspect most people do not understand the so called dark net or Tor hidden services. They fear it because of the negative publicity and sensational news reporting on the subject. They fear it because it is not under some kind of “control.” In my opinion, this is exactly why we should value it - because it is not controlled. Because government oppression and public opinion cannot shut it down. The spirit of the age seems to be working against freedom right now - calls to ban end to end encryption, ban so called “burner” phones, ban hate speech, ban tor, and ban anonymous speech. If we don’t fight back hard now we will lose our free speech rights and once lost those freedoms may never be recovered. I recently read 1984 for the first time and it was terrifying. But the most terrifying thing is that I can see such a state actually existing and many people would be just fine with it. Freedom doesn’t belong to the left wing or the right wing, it belongs to every human being. Don’t give it up for a little perceived safety. You won’t be safer in a police state, but you will be well on your way to living in hell.
One thing I’ve found recently is that it can be hard to explain to people who don’t understand the nature of encryption on the Internet exactly why we can’t have a system of encryption that keeps the bad guys out but can let the good guys in. It sounds so simple in the abstract, our government should not be denied the ability to get to important data just because it is encrypted. What is wrong with key escrow or back doors? No matter what I say about encryption keys being stolen, governments being corrupt, etc. I just can’t seem to make my point the way I want to.
Fortunately Bruce Schneier has posted a blog piece that makes the case for us. It is called “Encryption is Harder Than It Looks.” This piece does a great job of explaining just why good encryption cannot and should not be undermined. He points out two truths in cryptography:
- Cryptography is harder than it looks.
- Complexity is the worst enemy of security.
And gets right to the point:
“Cryptography is harder than it looks, primarily because it looks like math. Both algorithms and protocols can be precisely defined and analyzed. This isn’t easy, and there’s a lot of insecure crypto out there, but we cryptographers have gotten pretty good at getting this part right. However, math has no agency; it can’t actually secure anything. For cryptography to work, it needs to be written in software, embedded in a larger software system, managed by an operating system, run on hardware, connected to a network, and configured and operated by users. Each of these steps brings with it difficulties and vulnerabilities.”
“Although cryptography gives an inherent mathematical advantage to the defender, computer and network security are much more balanced. Again and again, we find vulnerabilities not in the underlying mathematics, but in all this other stuff. It’s far easier for an attacker to bypass cryptography by exploiting a vulnerability in the system than it is to break the mathematics. This has been true for decades, and it’s one of the lessons that Edward Snowden reiterated.”
“The second truism is that complexity is still the worst enemy of security. The more complex a system is, the more lines of code, interactions with other systems, configuration options, and vulnerabilities there are. Implementing cryptography involves getting everything right, and the more complexity there is, the more there is to get wrong.”
“Vulnerabilities come from options within a system, interactions between systems, interfaces between users and systems- everywhere.”
A security researcher told him:
“If anyone tells you that [the vendor] can just ‘tweak’ the system a little bit to add key escrow or to man-in-the-middle specific users, they need to spend a few days watching the authentication dance between [the client device/software] and the umpteen servers it talks to just to log into the network. I’m frankly amazed that any of it works at all, and you couldn’t pay me enough to tamper with any of it.“
Says Schneier - “The designers of this system aren’t novices. They’re an experienced team with some of the best security engineers in the field. If these guys can’t get the security right, just imagine how much worse it is for smaller companies without this team’s level of expertise and resources. Now imagine how much worse it would be if you added a government-mandated back door.”
Please take a moment to read his post. I think every business leader, politician, and anyone else with an opinion on the encryption debate should read his post and the references he provides. If we don’t stand strong on encryption now, we will never gain back the ground that is lost.
The Electronic Frontier Foundation announced that they are launching the Electronic Frontier Alliance to bring together diverse groups of activists and organizations. The idea is for the Alliance to be a central “hub” of information and activity in the fight for digital rights and civil liberties. It is encouraging to see that they are reaching out to a broad range of ideologically diverse groups - from BLM to the Tea Party. Any organization that champions free speech and digital rights must do so for all groups regardless of political affiliation.
“The Alliance will bring together groups pursuing a range of strategies and tactics—from hacker spaces crowdsourcing the open source development of software tools, to student groups hosting teach-ins and documentary screenings.”
To join the group an organization must affirm 5 fundamental principles:
free expression: people should be able to speak their minds to whomever will listen.
security: technology should be trustworthy and answer to its users.
privacy: technology should allow private and anonymous speech, and allow users to set their own parameters about what to share with whom.
creativity: technology should promote progress by allowing people to build on the ideas, creations, and inventions of others.
access to knowledge: curiosity should be rewarded, not stifled
These principles are the bedrock of a free and open internet and society. Give the EFF whatever support you can. They deserve it.
Congress is once again getting worked up about the need to pass legislation that will effectively make strong encryption the enemy. The The International Business Times is reporting that Congress is “discussing various pieces of legislation that would address the use of encryption and could potentially require that tech companies build backdoors into their products for law enforcement officials.” The attacks on encryption are all too predictable after terrorist attacks occur. Unfortunately, the general public does not understand encryption technology or the need for it. It is an abstract concept in most people’s minds that quickly gets pushed aside when they become frightened. Indeed, most members of Congress do not understand how encryption makes the internet a safer place than it would otherwise be. They also don’t understand why you can’t just “break it a little bit” and still have good security. Encryption helps secure people’s privacy in a concrete and meaningful way. It is precisely at times like this that there needs to be a strong push to protect privacy and resist knee jerk reactions. Members of Congress must be made aware of how requiring tech companies to backdoor their products would devastate their international sales and ruin their credibility. They should also know how those backdoors would open the doors to hackers and criminals. Look for more attacks on anonymity and anonymizing tools like no contract cell phones. This is only the beginning. Big government wants unlimited control of everything - the Internet and you as well.
It was reassuring to hear Apple engineers threaten to quit their jobs rather than hack the iPhone. Now comes another encouraging post from the engineers who work at the Tor Project. In a statement issued on Mike Perry’s Tor Blog it is reported that Tor Engineers would rather resign than compromise the integrity of the Tor network. Fortunately, Tor is open source and its code can be reviewed and verified by outside experts. This makes malicious code hard to hide. Tor is used by people all over the world to communicate sensitive information in a secure way. Without it, those fighting for freedom in very dangerous countries would have one less tool with which to accomplish their work of bringing the truth to light. We should all salute the integrity and determination of those working on and sustaining the Tor network.
Well, its official now. President Obama is all for a key escrow concept that undermines privacy and security. He may not have used that term but that is exactly what he wants. At the same time, the FBI is also proving to the world that it is not content with just that one Apple iPhone in the San Bernardino case. A leaker has revealed that it is now going after WhatsApp. WhatsApp offers an instant messaging application with end to end encryption. This gives WhatsApp the ability to ensure customer privacy and inadvertently evade court ordered wiretaps. There are very few details of the WhatsApp situation because the whole case is under seal. The only thing they will say is that it isn’t a terrorism case. Which goes to show, this isn’t just about terrorism, its about the government’s insatiable appetite to get whatever the hell it wants.
Specifically, President Obama said:
“You cannot take an absolutist view on this,” Obama said at the South by Southwest festival in Austin, Texas. “If your argument is strong encryption no matter what, and we can and should create black boxes, that I think does not strike the kind of balance we have lived with for 200, 300 years, and it’s fetishizing our phones above every other value.”
“The question we now have to ask is, if technologically it is possible to make an impenetrable device or system, where the encryption is so strong there’s no key, there’s no door at all, then how do we apprehend the child pornographer? How do we solve or disrupt a terrorist plot?” Obama said. “If in fact you can’t crack that at all, government can’t get in, then everybody’s walking around with a Swiss bank account in their pocket.”
The Obama Administration’s schizophrenic position on encryption stems from its desire to be all things to all people: strong on encryption on the one hand while wanting some kind of key escrow program on the other. I don’t see how anything other than a key escrow program will satisfy the government a this point. The FBI position in the WhatsApp case illustrates the same points. Only a key escrow program will give the government what they want while pretending to promote strong encryption and safe communications and data storage. In fact, a requirement that companies be able to provide all customer data to the government could end up outlawing Tor and all encryption with perfect forward secrecy. Make no mistake, key escrow undermines strong encryption and violates people’s fundamental right to privacy. Some things are so private and personal that they should be beyond the government’s reach – one of those things is our computer hard drives. In this day and age computer storage is an extension of the person – people pour their lives and souls in their computers. Whether that is a smart thing to do or not is irrelevant – it is a reality we must live with. If, in the future, there is technology that can hack your brain, do you want a court order to be the only thing standing between you and a machine that can rape your brain and lay all your private thoughts and emotions bare for all the world to see? I don’t, but that is where this is headed. I hate to say it, but maybe it’s time for big US Tech companies to consider moving their operations offshore (and taking their jobs with them) to locations that are more privacy friendly. In the future I plan to add some pages to this site detailing easy steps anyone can take to safeguard their privacy – Tor, VPNs, encryption applications, disk cleaners, etc.
Here are the relevant links: