“We’ve got to adjust some of our threat models”

I spent this past Tuesday in the conference room of a hotel in the San Francisco area, talking for ten hours about internet security, literally until my voice gave out. My audience was a dozen or so political activists from a nation with a tough track record on human rights and free speech issues. They’re a wonderful group of people – technology experts and business people proud of their nation and culture, working hard to ensure that friends and colleagues in their homeland can communicate, organize and report despite the efforts of a government willing to use a heavy hand to prevent the voicing of dissent.

My co-presenter was Roger Dingledine, cryptographer, security researcher, developer of Tor, and all-around great guy. Roger took a day off from coding, teaching and hanging out with military spooks to spend time with dissidents because he’s fascinated about the ways his tools are being used. “I developed Tor for myself,” he tells us, “because I wanted to prevent myself from leaving traces in thousands of marketers databases. We knew that Tor would attract a lot of different groups who want anonymity – individuals, companies, governments – and that’s been part of the design from the beginning, but I’m still surprised at how many people around the world are using it to get around censorship.”

Indeed, Tor is a hugely useful tool for people in China trying to evade the Great Firewall, or for people trying to publish online with a persistent, untraceable psuedonym. Roger was interested in meeting a group of dissidents to understand what their needs are and how future versions of Tor could be more useful in enabling access to information and free speech in repressive nations.

The session was a real education for both of us. I’ve given three of these workshops in the past year, but this was the first with attendees all focused on the same nation, facing the same constellation of problems. We outlined many of the topics covered in the Secure NGO in a Box CD-ROM (which we may need to translate into the native language of this country), covering disk wiping (Eraser), encrypted storage (BestCrypt), password management (Password Safe), as well as topics I covered in a training with Nart Villeneuve earlier this year: web filtering, filter circumvention using open and anonymized proxies, and secure publishing. Roger gave a great overview of the state of the art in cryptography, a detailed introduction to Tor and future directions for development, and an introduction to secure messaging through Off the Record Messaging.

But neither he nor I were expecting some of the questions we got and the scenarios we were presented with. After a discussion of Skype (which I recommended because of concerns with keystroke logging, and which Roger outlined some of the relevant security concerns about), one of our attendees told us a story about Skype:

“We’ve had two dissidents arrested because of Skype. In one case, the police broke into his house, took his laptop and looked at his contacts list and list of calls made. Because it included the names of known activists, they arrested and detained him. In another case, I was talking with a dissident – the police were sitting two houses away, listening with a parabolic microphone. They couldn’t hear me, but they heard his side of the conversation and arrested him.”

As Roger put it to me after the workshop, “We’ve got to adjust some of our threat models.” In other words: internet cryptographers aren’t generally worried about parabolic microphones. They’re trying to enable secure transmissions in an insecure medium – the Internet – and generally assume that the people using their tools have control over their computers and the environments they’re using them in. In other words, while security researchers talk a lot about “Alice” and “Bob”, those crazy kids trying to send messages to each other without eavesdropper “Eve” listening in, we rarely consider secret policeman “Sam” arresting Alice and breaking her fingers until she caves and
gives up her contact list. And if you want these tools to work in the real world, those are the sorts of concerns you have to take very seriously.

In the nation our friends work in, a common police tactic is to seize a dissident’s laptop and copy all the files from the hard drive. Our friends believe that they then install a software keylogger and return the laptop to where it was taken from. They wait a few days for the dissident to enter the appropriate passwords, reclaim the computer, download the data and decrypt the files. Then they confront the dissident with sheafs of printouts demonstrating her anti-government treachery.

The sort of tools we’re experienced with aren’t especially helpful in these scenarios. I started recommending boot passwords set in the BIOS – Roger helpfully pointed out that this just locks the motherboard and encourages the thugs to remove the hard drive. Encrypted storage and using PGP to protect email both fail if the passwords are compromised. (Yes, one solution is to use PGP and carry your private keys with you wherever you go. I don’t do that, and I suspect very few people are that smart and paranoid.) We found ourselves confronting questions about “browser hygiene” that I hadn’t thought through before – when I tell Firefox to “Clear Private Data”, does it just delete the cache and history files, or does it wipe them, as we’re advocating our friends do…?

An excerpt from an email Roger sent to some of our friends gives a sense for some of the problems and solutions he and I are now trying to wrestle with.

2) Using Skype — with voice, not text — is probably your best option right now. You’ll still be vulnerable to real-world attacks (like somebody in the room listening to you), but the software itself should be pretty safe. (It’s also possible that they replaced your Skype binary with one that the authorities can tap. This seems hard to me…)

3) Wait a few weeks for Ethan to check out Off-The-Record Messaging, and hopefully he’ll write up a short how-to with recommendations. I haven’t used it much myself, so I don’t have a good sense of how usable it is for ordinary people. I just know that it provides smarter security properties than PGP for your situation.

4) Tor will be helpful right now in getting around filtering. If you encourage ordinary people to use it just for bypassing the filtering, then it won’t be so bad to be found with the Tor client installed. Also, remember my discussion of the diversity of current Tor users — if you get your local businesses using it for better security on the Internet,
that could make it even more socially acceptable. Please let me know if you have any further questions about Tor — it might also be smart to translate the Tor GUI (called Vidalia) and/or some basic instructions.

5) Even though I’m not entirely happy with Torpark, it’s probably your best option for now as a Tor client in an Internet cafe, since you don’t need to install Tor on the computer…

6) The crypto is not your weakest link. The security of your local computer is much more critical, and much more at risk. Probably the most important part of my ‘crypto’ slides were the quotes about how easy it is to think that crypto is going to completely solve your problem.
But the other side of the coin is that one of your top priorities has to be to figure out how to maintain the physical security of your computers, so you can trust what they’re running. Which leads to:

7) If you buy new laptops, consider buying Apples — not only because they are better at not getting spyware installed as you browse the Internet, but also because your attackers may not be as familiar with them. (The same goes for Linux laptops, but only if your users are prepared to figure out how to use them — Linux is easy if there are other Linux
users around, but hard if you’re the only person in the city using it.)

I suspect Roger and I will both get smarter about several topics – keystroke logging, secure messaging, the difficulty of modifying the Skype binary, filesystems encrypted with graphical passwords – as we work with our friends over the next few months. But it’s worth noting that we wouldn’t be thinking about these problems if we hadn’t had the chance to talk with folks working on the front lines. Tools like Martus – which allows human rights organizations to encrypt and store offsite reports about rights violations – only get developed when smart geeks start working closely with human rights workers. Occasionally, we get lucky and a tool for anonymous browsing turns out to be a boon for circumventing censorship… but that’s the exception, not the rule.

To a certain extent, this is the problem I was trying to solve with Geekcorps – I wanted to get software developers interested in problems in the developing world and see what solutions they could come up with in conjunction with African and Asian geeks. I don’t know that I can put cryptographers on airplanes to repressive nations and ask them to get smart about realworld security problems and strategies, but it’s a strategy worth thinking about.

Unfortunately, most of the time, the people who are really smart about computer security are remarkably stupid about users. PGP’s key signing mechanisms and distributed network of trust is a solution that only a geek could love. Try explaining “transitive trust” to human rights activists who work from cybercafes, don’t own their own computers, and are listening to you in their third language – you’ll figure out pretty quickly why activists who know they’re being watched use Yahoo! Mail rather than the PGP system you’ve spent a day training them on. Solutions like Hushmail are steps in the right direction, but tools need to be as easy as comparable tools… which is why I spent a lot of time pushing people towards the https interface to Gmail as a great first step in increasing their security.

We need a lot more contact between the activists and the geeks to design the tools we really need. We need more folks like Roger to take days from their schedule, get on airplanes and explain what they can and can’t do. We need more activists to give us feedback on what their problems really are. We need folks like “Sleepless in Sudan” to help document how they stayed invisible, and friends like Alaa to explain why they’ve elected to be visible despite real and present danger.

And finally, we need to understand that every tool we build has multiple uses. The fine folks at Blazing Tools may feel like they’re doing the world a service when they introduce the “Perfect Keylogger” to catch cheating spouses or protect their children from Republican congressmen – would they feel as good if they learned their tools were imprisoning dissidents? I fear that for every Tor – a tool that’s proved useful in far more ways than might have been imagined – there are other tools that turn out to have dark uses we haven’t yet considered.

I’ll be posting some slides from the talks once I’ve removed reference to the specific group we were working with this week. In the meantime, my slides from a similar talk in Manila (along with 6.5 hours of audio!) are available online…

This entry was posted in Geekery, Human Rights. Bookmark the permalink.

14 Responses to “We’ve got to adjust some of our threat models”

  1. Alaa says:

    glad you and others are rethinking threat models. but yeah someone should tell the story of how Egyptian activists learned to just forget about privacy.

    but it’s not for anyone, alot of it is also about being already known to the government, I can see how a new group not known at all to the government can benefit from encryption and stuff, but there are other physical world problems you have to deal with, secrets leak in sooooo many ways.

    but the main reason why we stopped worrying about secrecy and privacy in Egypt has nothing to do with technology or the techniques used by the state, it was the price you pay for the paranoia, your weakest link isn’t your bloody computer it’s your fellow activist, a increasing concern for privacy among groups of activists means everyone will be accused of being a spy which is enough to cripple any initiative, not to mention the situation where you spend more time protecting the secret fact that you are an activist than doing actual activism (for some reason this seems to be enough to satisfy whatever it was the drove you to activism in the first place hence it’s danger, secrecy is a drug). and finally the simple fact that the more secret you are the more isolated you are.

    also with the Egyptian government it’s not about information, it’s about execuses to act (your class can be an excuse though). more often than not the private stuff they collect they spread inside activist networks to wreck havoc (photos of two prominant activists having an extra marital afair being forwarded via email by all your comerades, which means the only thing I need t encrypt is p0rn yaaay).

    but that doesn’t mean there is never need for secrecy and privacy, we do benefit from having an occasional friendly face or source inside the system and these need to be kept secret, baheyya is not a known activist by being anonymous she does protect herself (though I guess more from her peers than from her government).

    my approach is to remember that these techs are designed to make it more expensive to crack the tech than to crack the hands of those who use them, if they already know about you ask yourself how cheap is it to torture me, if it’s too cheap then embrace the fact and stop worrying about anonymity, if it’s not that cheap then it’s worth spending a few weeks learning the tools (good luck finding someone on the other side who knows how to use them though).

    oh well I’m rambling as usual.

  2. Ethan says:

    Thanks for weighing in, Alaa. The comments you made at Rhodes about the importance of being visible and not neccesarily being concerned about anonymity stuck with me… which was why I ended the post with a nod to you and the approach you’re taking to these issues. I’d love to see you write about the decisions you guys made about being visible – it’s an important story and one that I’m trying to tell to anyone who’ll listen.

    But not everyone is as brave as you guys are. I find people around the world who want to speak up and act up, but are worried about the consequences for themselves and their families. My goal is to help more people feel like they can become active and get involved with movements designed to create change.

    But your reminder that it isn’t the tech – it’s the people – is a really important one. Or, as my friend Akwe told me before I visited to Zimbabwe, “All these boats leak.” That’s not an issue I have much advice on – perhaps that’s another place where you guys can share some wisdom and thinking.

  3. Luis Villa says:

    I dunno about the skepticism about Linux, Ethan. This sounds like a perfect job for a tailor-made linux distro where all of this is set up and configured by default. Especially for the kinds of tasks you’re talking about here (web browsing, IM, VOIP, encrypted data storage) Linux is fairly straightforward and reliable at this point. Hell, I bet you could work up a proposal for Mark Shuttleworth to fund it all if you promised to base it on Ubuntu :)

    Perhaps tangentially, have the Tor guys pondered setting up secure remote storage accessible via Tor? i.e., something like freenet? Seems like pairing the two is a no-brainer.

  4. Ethan says:

    The skepticism is the standard usability skepticism, Luis. The folks using these machines are often not very technically sophisticated. One of the questions we are asking is whether folks outside the country in question can get access to these machines via remote desktop and other utilities to be able to search for keyloggers, etc. But it’s an idea worth taking a closer look at – I’ll talk to our colleages and, perhaps, to Shuttleworth about the issue.

    As far as remote storage – that’s more or less what Martus does, but it would be interesting to try to do it in a distributed, open source fashion via Tor. I’ll raise it with Roger… There’s an indexing issue as well – you can’t just store it, you need to be able to search through it and disseminate it as well. But should be a solveable problem.

  5. Alaa says:

    ethan that distributed storage thingie you’re talking about sounds more and more like freenet, whatever happened to that initiative

  6. One of the things I always stress is that people need to identify their own threat model and then work out a solution (not always technical). I don’t think there will be a one size fits all technical solution to these problems for a variety of reasons.

    Additional levels of security require the user to take extra steps which can be an inconvience (installing software, passwords/keys etc…) and sometimes the soluition that are reccomended are overly complex (like the https/gmail vs. pgp/gpg example you give).

    Anonymity and censorship circumvention options are becoming more and more user friendly and effective. Users facing censorship and surveillance have a variety of options that are not too difficult to implement, but not for users who face threats of computer seizure, keylogger/trojan installation when authorities sieze their laptops etc…

    For example, if your latop is seized and then returnes you should probaby wipe and re-install. How many people will actually do that?

    Another option? Only use your computer for normal, personal use, when engaging in activism use a bootable OS (like knoppix), no need to worry about keylogers etc… but you’ll likely want to have a remote storage system for your docs email etc…

    On of the ares that seem to be missing is services. there seems to be a lot of sowftare development and training activities but not that many people/ngo’s etc… that provide services for activists/ngo’s who can’t really afford them.

    As mention above one of the common ones I hear is the need for remote storage. But also for hosts for circumvention software etc…

    Semms to me that there is a need to look into solution for providiong services as well as training and software to confront some of these issues you’ve raised.

  7. Luis Villa says:

    The skepticism is the standard usability skepticism, Luis.

    Fair. I think for this sort of minimal use case those concerns are at this point really overblown. If anything, you’re better off in the Linux case here, since you can remove unnecessary or unsafe functionalities, which is going to be difficult/impossible with a Windows install. If you want a general purpose computer, though, that happens to have secure communications software, you’re right that Windows is probably a better choice (though I’d argue much less secure.)

    One of the questions we are asking is whether folks outside the country in question can get access to these machines via remote desktop and other utilities to be able to search for keyloggers, etc.
    You’ve certainly got that with a Linux system; arguably (given shell access and the amenability of Linux systems to remote manageability) much more powerfully in the Linux case than in the Windows case.

    I’d suggest a much better way to ensure there are no keyloggers/etc. installed is to use a liveCD or other similar tool, where the base system is read-only and can’t be modified by anyone. At that point, you’re secure against anything except hardware attack, which can’t be diagnosed remotely anyway.* (I have no idea if such a thing can be done with Windows.)

    At any rate, I don’t have much time to do anything with this these days, but I know someone who might be interested in getting involved and has the necessary skills to whip up a simple proof-of-concept liveCD for you. With luck they’ll get one of the Berkman job openings they are applying for and you’ll be able to discuss it with them in person soon ;)

    *NB: for the particularly paranoid case, I think you can avoid the keylogger problem on all platforms by using accessibility tools (on-screen keyboards, available on all major platforms, for example, or dasher), which would meant that the third-party spyer would have to reconstruct mouse movements and map those to strings instead of tapping the keyboard.)

  8. Bev Clark says:

    I resonated a lot with what Alaa had to say particularly on the points of isolation and paranoia. I think the more we as information activists can be open, visible and contactable, we help re-imagine the reality that we’re living in – that is, we don’t actively contribute to the censorship and secrecy which is often the state that our oppressors wish us to live under (making us fear them and fear each other).

    One of the tactics we use is to be as open as possible when we publish information in Zimbabwe. When we need to communicate about specific and sensitive issues such as meetings, funding proposals, sources of money (etc) then we engage encryption.

    At Kubatana we have found that people have responded very positively to us as an organisation because they can come visit, telephone and have face to face contact with us.

    Sadly, as Alaa mentions, it is more often the case of being, as we call it here “shopped” (spied on) by so called allies within your own movement. There are just too many ways you can be caught out and to block them all is impossible. But encrpyt essentials.

  9. Ethan says:

    Nart, Luis – I really like the LiveCD idea. I’m going to pursue this, seeing if I can leverage the expertise of either some of the Ubuntu folks or other Linux hackers who’ve built these for specific purposes. If we could build a LiveCD in the local language for these activists, specifically using the sets of tools we’re talking about, that would be a truly lovely way to work through all but the hardware keylogger issues.

    Bev, Alaa, thanks for both weighing in on the security/paranoia/leaky boats issues. As I think more about the secrecy issues, I wonder if there’s a distinction between people who’ve decided to be active, visible and face the consequences of their activism, versus those who want to be active but can’t yet get their heads around those consequences. I think it’s important to make it possible for that second group to use anonymity to begin working on what they’d want to share as activists… but both because the tools aren’t the problem and because the boats leak, it’s a mistake to reassure that second group that encryption alone will protect them. Instead, perhaps activists have to get their heads around the issue that eventually being active is going to involve being visible and facing those consequences.

    For the friends I helped last week, that’s a hard pill to swallow – those who are active basically have had their lives destroyed. Then again, I don’t have to tell either of you how serious the consequences of being an activist can be.

    Thanks for sharing these thoughts, everyone.

  10. Great post and comments, your blog really brings a balanced perspective. The notion that technology is a bit player rings true.

    I know as I develop our corporate network within China that we will respect Chinese law and require that all Internet browsing from within China pass through the ‘Chinese firewall’. Since we will inform people that this is the case I expect that they will behave accordingly.

  11. Seth Vidal says:

    Luis pointed me over here and after reading through all the comments my first thought was immediately: OLPC Tor-enabled. A grid network as the OLPC people seem to have in mind and tor-capability on the outside for allowing the students/children using OLPC machines to anonymously comment/circumvent filtering/censorship mechansms would seem to me to be putting anonymizer software in the places where it could most virtuously be used.

    You might consider contacting some of the OLPC people.


  12. Pingback: Luis Villa’s Blog » really, really secure computing isn’t quite here yet

  13. Geeky Activist says:

    Wow! I had no idea that there were people with actual know-how who were attempting to work on these issues! This is very exciting!

    In that case, let me please post some ideas I’ve had for what I would like to have to be an effective activist, with the hopes that some developers will make them a reality. Really, it would just be a linux/BSD LiveCD with the following:

    Full multimedia/web media support (except where it requires anything with closed source)

    Two strictly separated Firefox browsers – one with integrated Tor and I2P support (plus accessories like Privoxy, NoScript, AdBlock, TorButton, etc.) that CANNOT escape those networks, and one conventional Firefox for non-anonymous browsing, with VERY strong visual clues about which is being used (ie, one has a gray skin and one has a bright red skin, and consider the colorblind as well).

    Syndie (magnificent little program with a lot of potential)

    FreeNet/GNUnet (if it’s even worth using, I haven’t kept up)

    GPG + Mail client (Thunderbird w/ EnigMail or another)



    IRC client

    Various P2P file-sharing clients

    Secure FTP server that allows full-TLS transfers, listing and authentication *with a GUI* (may not even exist?)

    Full wifi support including wifi security/cracking tools and MAC address changer

    Full support for crypto smart cards and crypto USB dongles

    Open Office or other word processor

    Media creation/editing tools

    CD/DVD burning tools

    A GPG signature on the .iso!

    I would use this paired with a computer that has no operating system installed – just a number of encrypted TrueCrypt volumes that contain my data, profiles, and application attributes. I would keep the master key for these volumes encrypted with a non-exportable key on a smart card or dongle. This system, implemented properly, provides the following benefits:

    There is zero chance of any executable files being modified or installed.

    The is absolutely no data available from a “computer kidnapping” without the smart card itself – which can be kept on one’s person at all times and thoroughly destroyed quickly and easily.

    It allows secure and private communication, browsing and publishing of many varieties through many media.

    Please, please, someone with the knowledge to do so, PLEASE create this! You will be doing the world a huge favor, and will be a greater freedom fighter than you can imagine!

  14. jive says:

    Geeky Activist- I haven’t analyzed the VirtualPrivacyMachine, but but it looks at first glance to be the best publicly distributed well thought out solution in existence. I would still have allot of concerns… to name a few:

    1. Virtual machines can provide a false sense of security, understand what they can and can’t do.
    2. Does this prevent data leakage to the disk, or other media?
    3. What encryption is available?
    4. What else might I be concerned about? For example, all digital cameras leave a digital fingerprint. Publishing pictures using the same camera on two different forums can be linked together, and if one is anonymous whee the other isn’t you can be identified.


    Some interesting De-anonymization examples that should fail in any solution, even with flash, java, and other plug-ins enabled are:


    My story:

    I learned at an early age not to trust anyone. All I can even say today on this anonymous form is I have reasons you can’t begin to imagine. Try living in a world that hates you, and not hating it back. I have lived in a society that hates me for things I don’t even control. I have never done anything for anyone to hate me, and yet everyone does. I can’t say a single peer of mine in this entire country has publicly spoken out. I have good reason to believe most committed sucide early on, were murdered, or have lengthy prison sentences.

    I was probably the only non-Muslim on September 11 that was glad to see the trade centers go down. Those trade centers represented to me hope. Why should I care about an entire society that tortured me my entire life.

Comments are closed.