I spent this past Tuesday in the conference room of a hotel in the San Francisco area, talking for ten hours about internet security, literally until my voice gave out. My audience was a dozen or so political activists from a nation with a tough track record on human rights and free speech issues. They’re a wonderful group of people – technology experts and business people proud of their nation and culture, working hard to ensure that friends and colleagues in their homeland can communicate, organize and report despite the efforts of a government willing to use a heavy hand to prevent the voicing of dissent.
My co-presenter was Roger Dingledine, cryptographer, security researcher, developer of Tor, and all-around great guy. Roger took a day off from coding, teaching and hanging out with military spooks to spend time with dissidents because he’s fascinated by the ways his tools are being used. “I developed Tor for myself,” he tells us, “because I wanted to prevent myself from leaving traces in thousands of marketers’ databases. We knew that Tor would attract a lot of different groups who want anonymity – individuals, companies, governments – and that’s been part of the design from the beginning, but I’m still surprised at how many people around the world are using it to get around censorship.”
Indeed, Tor is a hugely useful tool for people in China trying to evade the Great Firewall, or for people trying to publish online with a persistent, untraceable pseudonym. Roger was interested in meeting a group of dissidents to understand what their needs are and how future versions of Tor could be more useful in enabling access to information and free speech in repressive nations.
The session was a real education for both of us. I’ve given three of these workshops in the past year, but this was the first with attendees all focused on the same nation, facing the same constellation of problems. We outlined many of the topics covered in the Secure NGO in a Box CD-ROM (which we may need to translate into the native language of this country), covering disk wiping (Eraser), encrypted storage (BestCrypt), password management (Password Safe), as well as topics I covered in a training with Nart Villeneuve earlier this year: web filtering, filter circumvention using open and anonymized proxies, and secure publishing. Roger gave a great overview of the state of the art in cryptography, a detailed introduction to Tor and future directions for development, and an introduction to secure messaging through Off the Record Messaging.
But neither he nor I was expecting some of the questions we got and the scenarios we were presented with. After a discussion of Skype (which I had recommended over text chat because of concerns about keystroke logging, and whose own security concerns Roger had outlined), one of our attendees told us a story about Skype:
“We’ve had two dissidents arrested because of Skype. In one case, the police broke into his house, took his laptop and looked at his contacts list and list of calls made. Because it included the names of known activists, they arrested and detained him. In another case, I was talking with a dissident – the police were sitting two houses away, listening with a parabolic microphone. They couldn’t hear me, but they heard his side of the conversation and arrested him.”
As Roger put it to me after the workshop, “We’ve got to adjust some of our threat models.” In other words: internet cryptographers aren’t generally worried about parabolic microphones. They’re trying to enable secure transmissions in an insecure medium – the Internet – and generally assume that the people using their tools have control over their computers and the environments they’re using them in. Put differently, while security researchers talk a lot about “Alice” and “Bob”, those crazy kids trying to send messages to each other without eavesdropper “Eve” listening in, we rarely consider secret policeman “Sam” arresting Alice and breaking her fingers until she caves and gives up her contact list. And if you want these tools to work in the real world, those are the sorts of concerns you have to take very seriously.
In the nation our friends work in, a common police tactic is to seize a dissident’s laptop and copy all the files from the hard drive. Our friends believe that the police then install a software keylogger and return the laptop to where it was taken from. They wait a few days for the dissident to enter the appropriate passwords, reclaim the computer, download the captured data and decrypt the files. Then they confront the dissident with sheaves of printouts demonstrating her anti-government treachery.
The sort of tools we’re experienced with aren’t especially helpful in these scenarios. I started recommending boot passwords set in the BIOS – Roger helpfully pointed out that this just locks the motherboard and encourages the thugs to remove the hard drive. Encrypted storage and using PGP to protect email both fail if the passwords are compromised. (Yes, one solution is to use PGP and carry your private keys with you wherever you go. I don’t do that, and I suspect very few people are that smart and paranoid.) We found ourselves confronting questions about “browser hygiene” that I hadn’t thought through before – when I tell Firefox to “Clear Private Data”, does it just delete the cache and history files, or does it actually wipe them, as we’re advocating our friends do…?
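The “delete or wipe” question above comes down to what happens to the bytes on disk after a file is removed. The following is an added example, not code from this post, from Firefox or from Eraser: a toy model of a disk with fixed-size blocks and a directory (hypothetical names `ToyDisk`, `unlink`, `wipe`, `carve`), which shows why an ordinary delete leaves a history entry recoverable by scanning the raw blocks, while an overwrite-then-delete does not. The “history entry” is a constructed sample value.

```python
import secrets

# Constructed toy model of a disk: a flat bytearray divided into fixed-size
# blocks, plus a directory mapping file names to the blocks they occupy.
# Hypothetical names; this is not how any real filesystem is implemented,
# but the unlink-versus-overwrite distinction is the same one that matters.
BLOCK_SIZE = 16


class ToyDisk:
    def __init__(self, blocks: int) -> None:
        self.data = bytearray(BLOCK_SIZE * blocks)
        self.directory: dict[str, list[int]] = {}
        self.free = list(range(blocks))

    def write(self, name: str, payload: bytes) -> None:
        """Allocate enough blocks for payload and copy it in."""
        needed = -(-len(payload) // BLOCK_SIZE)  # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = payload[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.data[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.directory[name] = blocks

    def unlink(self, name: str) -> None:
        """Ordinary delete: drop the directory entry and mark the blocks free.
        The bytes themselves are left untouched until something reuses them."""
        self.free.extend(self.directory.pop(name))

    def wipe(self, name: str, passes: int = 3) -> None:
        """Secure delete: overwrite every block (random passes, then zeros)
        before releasing it, so nothing readable is left behind."""
        for b in self.directory[name]:
            start, end = b * BLOCK_SIZE, (b + 1) * BLOCK_SIZE
            for _ in range(passes):
                self.data[start:end] = secrets.token_bytes(BLOCK_SIZE)
            self.data[start:end] = bytes(BLOCK_SIZE)
        self.unlink(name)

    def carve(self, needle: bytes) -> bool:
        """What a forensic examiner does: scan the raw blocks directly,
        ignoring whether the directory still points at them."""
        return needle in self.data


def demo() -> dict:
    """Same history entry, deleted two ways; report whether carving finds it."""
    history_entry = b"http://example.org/activist-forum"  # constructed sample

    plain = ToyDisk(8)
    plain.write("history.dat", history_entry)
    plain.unlink("history.dat")  # what a naive "clear history" amounts to

    wiped = ToyDisk(8)
    wiped.write("history.dat", history_entry)
    wiped.wipe("history.dat")  # what a wiping tool does instead

    return {
        "recoverable_after_delete": plain.carve(history_entry),  # True
        "recoverable_after_wipe": wiped.carve(history_entry),    # False
    }


if __name__ == "__main__":
    print(demo())
```

On a real machine the picture is messier than the toy: journaling filesystems and flash wear-levelling can keep stale copies the application cannot overwrite in place, and the same data often sits in swap, caches and temporary files as well. That is why the check to make of any “clear private data” feature is whether it overwrites or merely unlinks, and why it complements rather than replaces whole-disk wiping and encrypted storage.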
An excerpt from an email Roger sent to some of our friends gives a sense for some of the problems and solutions he and I are now trying to wrestle with.
2) Using Skype — with voice, not text — is probably your best option right now. You’ll still be vulnerable to real-world attacks (like somebody in the room listening to you), but the software itself should be pretty safe. (It’s also possible that they replaced your Skype binary with one that the authorities can tap. This seems hard to me…)
3) Wait a few weeks for Ethan to check out Off-The-Record Messaging, and hopefully he’ll write up a short how-to with recommendations. I haven’t used it much myself, so I don’t have a good sense of how usable it is for ordinary people. I just know that it provides smarter security properties than PGP for your situation.
4) Tor will be helpful right now in getting around filtering. If you encourage ordinary people to use it just for bypassing the filtering, then it won’t be so bad to be found with the Tor client installed. Also, remember my discussion of the diversity of current Tor users — if you get your local businesses using it for better security on the Internet, that could make it even more socially acceptable. Please let me know if you have any further questions about Tor — it might also be smart to translate the Tor GUI (called Vidalia) and/or some basic instructions.
5) Even though I’m not entirely happy with Torpark, it’s probably your best option for now as a Tor client in an Internet cafe, since you don’t need to install Tor on the computer…
6) The crypto is not your weakest link. The security of your local computer is much more critical, and much more at risk. Probably the most important part of my ‘crypto’ slides were the quotes about how easy it is to think that crypto is going to completely solve your problem.
But the other side of the coin is that one of your top priorities has to be to figure out how to maintain the physical security of your computers, so you can trust what they’re running. Which leads to:
7) If you buy new laptops, consider buying Apples — not only because they are better at not getting spyware installed as you browse the Internet, but also because your attackers may not be as familiar with them. (The same goes for Linux laptops, but only if your users are prepared to figure out how to use them — Linux is easy if there are other Linux users around, but hard if you’re the only person in the city using it.)
I suspect Roger and I will both get smarter about several topics – keystroke logging, secure messaging, the difficulty of modifying the Skype binary, filesystems encrypted with graphical passwords – as we work with our friends over the next few months. But it’s worth noting that we wouldn’t be thinking about these problems if we hadn’t had the chance to talk with folks working on the front lines. Tools like Martus – which allows human rights organizations to encrypt and store offsite reports about rights violations – only get developed when smart geeks start working closely with human rights workers. Occasionally, we get lucky and a tool for anonymous browsing turns out to be a boon for circumventing censorship… but that’s the exception, not the rule.
To a certain extent, this is the problem I was trying to solve with Geekcorps – I wanted to get software developers interested in problems in the developing world and see what solutions they could come up with in conjunction with African and Asian geeks. I don’t know that I can put cryptographers on airplanes to repressive nations and ask them to get smart about real-world security problems and strategies, but it’s a strategy worth thinking about.
Unfortunately, most of the time, the people who are really smart about computer security are remarkably stupid about users. PGP’s key-signing mechanism and distributed network of trust are a solution that only a geek could love. Try explaining “transitive trust” to human rights activists who work from cybercafes, don’t own their own computers, and are listening to you in their third language – you’ll figure out pretty quickly why activists who know they’re being watched use Yahoo! Mail rather than the PGP system you’ve spent a day training them on. Solutions like Hushmail are steps in the right direction, but secure tools need to be as easy to use as the ordinary tools they replace… which is why I spent a lot of time pushing people towards the https interface to Gmail as a great first step in increasing their security.
We need a lot more contact between the activists and the geeks to design the tools we really need. We need more folks like Roger to take days from their schedule, get on airplanes and explain what they can and can’t do. We need more activists to give us feedback on what their problems really are. We need folks like “Sleepless in Sudan” to help document how they stayed invisible, and friends like Alaa to explain why they’ve elected to be visible despite real and present danger.
And finally, we need to understand that every tool we build has multiple uses. The fine folks at Blazing Tools may feel like they’re doing the world a service when they introduce the “Perfect Keylogger” to catch cheating spouses or protect their children from Republican congressmen – would they feel as good if they learned their tools were imprisoning dissidents? I fear that for every Tor – a tool that’s proved useful in far more ways than might have been imagined – there are other tools that turn out to have dark uses we haven’t yet considered.
I’ll be posting some slides from the talks once I’ve removed reference to the specific group we were working with this week. In the meantime, my slides from a similar talk in Manila (along with 6.5 hours of audio!) are available online…