Re: [liberationtech] Jacob Appelbaum's Ultrasurf Report
Hi Catherine,

On 04/19/2012 03:16 PM, Catherine Fitzpatrick wrote:
> Jacob Appelbaum's agenda doesn't seem to be entirely altruistic here with this Ultrasurf report.
Where did I claim altruism? I am auditing tools that claim to be perfectly anonymous because it benefits everyone to have honesty and truth in advertisement for our community of tools. I did however invest, as Ultrasurf acknowledged, a great deal of time in disclosure to Ultrasurf. I also invested a great deal of time in making positive suggestions, which were largely accepted by UltraReach. I hope you'll note that the language on their website is drastically different today if you compare it to the text on their website from a year ago. Honesty in advertisement is important information that helps users to make an informed decision and to ensure that Government funded projects are at least attempting to be honest in how they sell themselves to their users.
> There's a lot going on -- first, there's the desire of him (and his supporters) to attack the US government and "DC Lobbyists" merely for what they are, which is a hated government with a disliked Internet Freedom program, which has put him under investigation for his involvement in WikiLeaks (his buddies at the State Department notwithstanding).
This is nonsense. Not only do you have it all wrong, you're actually just out of your depth. It shows. I am not attacking the US government. To be quite honest, I gave this report to those around DC that asked - this includes people at State, BBG and of course, Ultrasurf - well before the report was released to the public. I did this to ensure that we could broker a discussion with Ultrasurf to ensure that Ultrasurf felt we were coordinating and being responsible. I did not give this to the Chinese or Iranian or Syrian governments nor any of their agents or anyone that I felt would do Ultrasurf harm or attempt to attack their users. I actually rather like the Internet Freedom program, it's not perfect but it's pretty good! So again - you think you know what I think but you're mistaken.
> Second, there's the desire to attack any competitor of Tor, especially a competitor that adheres to the idea of proprietary versus open source software. These are religious matters.
Surely you don't suggest that for proprietary or open tools it is reasonable to never have a third party security audit? There is no competitor to the Tor Project in the field of online anonymity. There are charlatans who claim to be perfectly anonymous and untraceable - as we see with Ultrasurf - they do not live up to their advertised claims. You conflate Free and Open source software with peer review, which is understandable but a very serious mistake to make. If you suggest that peer review is a religious matter, I think you're making an even bigger mistake. Do you realize that there has been *no* peer review - even by funders of the tool? None. Zero. This is changing now and that is because of my peer review of their claims. I have even offered to help them and have given them a large amount of time in the last six months because I want them to improve. The fact that they are closed source presents them with a serious problem and I'd love to hear your suggestions for a solution with it. It appears that some governments, such as Syria and likely China, release backdoored versions of software. I have some samples of a common tool which appear to have such a backdoor. AV software sometimes automatically classifies Ultrasurf as malware. This is usually a mistake. However - what happens when it actually includes malware *and* it actually has something wrong with it? Say because it has been tampered with in transit or an attacker, such as the Chinese, compromises the download servers? One solution is to offer source code and for trusted users in a community to review them, and to ensure that any changes make sense or fit with the established norms of the system. It's also possible to look at copies of the program in every Linux distribution, every released copy on software mirrors and other places to compare with the expected result. Another solution is to offer digital signatures - this is something that is now happening because of my report.

The downside is that China and the Stuxnet authors both clearly have the ability to falsify the digital signature method selected by Ultrasurf. So - again, we see no peer review and no safe method of verification. I'd love to see you solve those problems and while Open and Free software doesn't solve it all, I think it gets us a lot closer. So do please offer suggestions and try not to punt.
> In other words, when a person who runs a competing open-source software solution, who has his reputation largely wrapped in it, goes and publicly attacks a proprietary software solution as inferior and even harmful, and attacks a software used by a government that has him under investigation, it's ok to question where he is going with this.
The facts stand for themselves. You're unable to evaluate those facts and as a result, you simply, as usual, attack me. I mean, you're welcome, I think the solution to "bad" speech is more speech.
> There is the added dimension of the pornography issue -- Appelbaum's slam on Ultrasurf for blocking porn distracts from the fact that Tor is notoriously used for viewing pornography, including illegal child pornography.
Do you have proof that Ultrasurf blocks Child Porn Catherine? I suspect the answer is no - which well, I think that's because the answer is no. The fact of the matter is that they block access to legal US enterprises. I think that government funded services have a duty of care not to restrict access to legal US businesses - this is why I am against Amtrak censoring the internet - don't censor with public money. In any case - just to settle this issue - members of police forces around the world use Tor, as does the Internet Watch Foundation, to hunt for Child Porn - they need anonymity, so that they can find the bad guys. Do you have another suggestion for an anonymity solution that is good enough for the Internet Watch Foundation to catch sexual predators? I bet they'd love to hear it and most of all, I'm certain this list would be interested in such a solution. Frankly, I think that the good outweighs the bad in this case and I'd encourage you to admit that you don't actually know the whole story.
> And there's the fact that Appelbaum has published his critique just as yet another criminal case involving the use of Tor for illegal drug sales is being publicized:
I had no knowledge of this press release from the Justice department nor would anyone else, I imagine. It's pretty ridiculous to suggest that I timed the release of my report in response to that DoJ press release. When I met them in December, we agreed upon a ninety day time frame for release of the report. The report was originally scheduled for release a month ago but Ultrasurf asked for more time. I planned the release for Monday the 16th of April as a firm deadline and they were well aware of it before publication.
> There is no reason to take his concerns public, as the notion that "users need to be warned" isn't sufficient, as most users couldn't read a blog in English anyway, and most users don't care about anonymity, which they lost to their ISP anyway. They care about trying to access blocked sites, and perfection in this effort isn't required.
I disagree with you very strongly, and many others in the computer security field, as well as other fields, believe that sunlight is a good way to solve problems. This report, as I understand it, has been or will be translated into other languages for the benefit of non-English speaking users. I think you may be right about "most users don't care about anonymity" but I'd like you to tell us all - if you claim as a human rights worker that you won't disclose a report but you actually do disclose it against their wishes - have you done something wrong? Is honesty in advertisement important? I think it is very important and as long as they claim to be anonymous and an anonymity service, I'd ask you to consider what you're claiming to be irrelevant. The issue is that they _claim_ to be an anonymity service - it has nothing to do with your projections of a user, which are speculative at best.
> So this report seems a hostile, politically-motivated attack on his part.
Only if you disregard the fact that I have worked closely with them until I felt they were stalling me and not fixing issues that needed to be fixed. They sure are working hard to fix those issues now - after nearly four months of dragging their feet - I think that's a good thing.
> What's important in the fight for Internet freedom are the following principles of non-coercion:
>
> o no one should be forced or brow-beaten into using open-source software; proprietary software is ok to use. If your opensource software is demonstrably better, it will sell itself without you having to artificially level the playing field with constant ideological attacks
We disagree about Free Software in this field and that is OK. In the area of anonymity and security, I think that we must have tools that regardless of their license, are open for review and verification. That is why Free and Open source software is on the table. It makes it easier and frankly, possible, to review claims. I'm not forcing or brow-beating anyone. I presented a paper with some serious concerns, I worked with Ultrasurf to correct a number of the most serious, and I have encouraged further third party review to improve their system. If that's brow-beating - what is your email where you directly attack me? It seems a bit duplicitous at the very least and it reeks of political attacks against me for my associations that you despise.
> o no one who produces proprietary software solutions should be bullied into having to discuss their flaws openly or be forcibly outed as to their flaws;
You keep saying that I'm a bully but you fail to acknowledge that I worked with Ultrasurf, flying to another state to meet with them, disclosing the report to them privately and so on. There was no bullying.
> it merely helps give ideas to authoritarian governments and doesn't really help users.
Do you have evidence for your assertion here? I'm guessing "no" but I'd like to know. Yes? No?
> o if you don't like proprietary software, you don't have to wage a jihad against it, you can make your own opensource software that is supposedly better
It's not hard to do that and many people have done so.
> o pluralism is the best defense against authoritarianism, not everyone being forced to go to "the best" circumvention tool or "the ISP that secures your privacy". It's precisely when the market is open with a variety of options that authoritarianism is undermined
It's nice that we actually, for once, agree. Pluralism in design choices is absolutely required. It is an example of how a free market may work in a practical sense and I support that concept entirely. Security researchers who test claims are serving as a correction to overvalued ideas or solutions in the market.
> o software does not have to be perfect to largely achieve its goal -- 1/99 binary thinking is a killer of freedom
There is no perfect software but there are those who claim perfection without acknowledging their imperfections. That is a real problem.
> o people have the right to be wrong about software -- an open society requires that right to be wrong and to float contrary hypotheses even if they are incorrect, politically or otherwise
I agree. I also have the right to show the world that there is something wrong with that very software.
> o you don't have to be technically capable to criticize software that profoundly influences all of us as we increasingly move our lives on line.
You're right - you don't have to be literate in a field of specific interest to criticize it. However, it sure would help if you acknowledged that Ultrasurf's designated enemy is however quite literate on the subject matter. Today someone pointed me at this report authored by an academic in China: https://www.scribd.com/doc/90338145/UltraSurf-analysis-by-Zhang-Lei-in-Chine...
> My thoughts:
>
> http://3dblogger.typepad.com/wired_state/2012/04/jacob-appelbaums-obfuscatio...
Thanks for your thoughts - I hope you'll address each of my points and try to be constructive.

It's been a pleasure,
Jacob
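The message above argues that, for a closed-source tool, one of the few checks a user community can still perform is to compare copies of the same release gathered from many distribution points against each other and against an expected value, and that a digital signature alone is not a safe verification method when the signing key can be stolen. The following is an added illustration of that cross-source comparison; it is not code from the post, from the Tor Project or from UltraReach. The "mirror" contents and the published hash are constructed in the script, so nothing is downloaded and no real Ultrasurf release is involved.

```python
"""
Cross-source consistency check for a downloaded release.

Given the bytes of the same file as obtained from several sources,
hash every copy, look for a strict majority, and report the sources
whose copy differs. Optionally compare the majority digest against a
hash published out of band (e.g. on a project page reached over TLS).

All sample data below is constructed for the example.
"""
import hashlib
from collections import Counter
from typing import Dict, Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def check_copies(copies: Dict[str, bytes],
                 published_sha256: Optional[str] = None) -> dict:
    """
    copies: source name -> raw bytes of the release from that source.
    Returns a report with:
      digests          : source -> hex digest
      consensus        : digest shared by a strict majority of sources,
                         or None when no such majority exists
      outliers         : sources whose digest is not the consensus
      matches_published: True/False when a published hash was supplied,
                         None otherwise
    """
    digests = {src: sha256_hex(data) for src, data in copies.items()}
    counts = Counter(digests.values())
    top_digest, top_count = counts.most_common(1)[0]
    # Require a strict majority; with a tie we refuse to pick a winner,
    # because "two sources disagree" is itself the finding.
    consensus = top_digest if top_count * 2 > len(digests) else None
    outliers = sorted(src for src, d in digests.items() if d != consensus)
    matches_published = None
    if published_sha256 is not None:
        matches_published = (consensus is not None
                             and consensus == published_sha256.strip().lower())
    return {
        "digests": digests,
        "consensus": consensus,
        "outliers": outliers,
        "matches_published": matches_published,
    }


# --- constructed sample data (hypothetical release and sources) ---------
GOOD_RELEASE = b"MZ\x90\x00hypothetical-circumvention-tool-build-1.0"
# Stands in for a hash the vendor published out of band.
PUBLISHED_SHA256 = sha256_hex(GOOD_RELEASE)

SAMPLE_COPIES = {
    "vendor-site": GOOD_RELEASE,
    "mirror-a": GOOD_RELEASE,
    "mirror-b": GOOD_RELEASE,
    # One source serves a copy with an extra trailing byte: a tampered
    # or corrupted download that a hash comparison must flag.
    "mirror-c": GOOD_RELEASE + b"\x00",
}


if __name__ == "__main__":
    report = check_copies(SAMPLE_COPIES, PUBLISHED_SHA256)
    for src, digest in report["digests"].items():
        print(f"{src:12s} {digest}")
    print("consensus matches published hash:", report["matches_published"])
    print("sources that disagree:", report["outliers"])
```

The check only establishes that most sources serve the same bytes and that those bytes match a value the vendor published; it says nothing about whether that build is itself trustworthy, which is the gap the post assigns to source review. It also complements rather than replaces a signature: a valid signature proves the file was signed with a given key, so if that key is stolen the signature passes while the file is still malicious, whereas a single tampered mirror is caught here regardless of how the file was signed.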