News: "U.S. May Help Chinese Evade Net Censorship"

Greg Broiles gbroiles at well.com
Fri Aug 31 12:31:31 PDT 2001


At 02:43 PM 8/31/2001 -0400, Fausting wrote:
>Tim wrote:
> >But, as with Kerckhoffs's point, the attacker is going to get the design
> >eventually.
>If getting the design "eventually" were good enough, why the keen interest
>in putting in a large order for the beta? There's a reason.

What's the reason?

If the goal was disassembly and analysis, it wouldn't be necessary to buy 
more than one copy - and even buying one copy is mostly a formality, though 
it's probably a lot cheaper and faster than any of the other ways people 
might get it. Still, it wouldn't exactly be a big problem for them to buy a 
single copy (or a few copies) with more-or-less untraceable addresses and 
credit cards. If they disclosed their identity, they already had what they 
needed, or were sure they could get it one way or another.

The beta was available - I've forgotten the exact timing, by now - to 
anybody with a credit card and an Internet connection, and CD-ROM copies of 
the beta were handed out at web/internet-oriented conferences.

ZKS was not (nor is anyone else with distribution on any interesting scale) 
faced with the choice "Shall I let the various three-letter-agencies have a 
copy of my software?". ZKS was faced with the choice "Would we like to get 
a lot, a little, or no money from the NSA?", and it's hard to blame them 
for taking the cash. Further, they've been open (since late 1999/early 
2000, at least) about wanting to encourage and facilitate law enforcement 
and intelligence community use of their system, so that those groups come 
to see ZKS/Freedom as a system which has good and bad aspects, instead of 
just bad ones .. in hopes that a more nuanced (or conflicted) view of 
Freedom's utility would slow down or stop regulatory activity aimed at ZKS.

>Maybe in the long run, it's right to view any objections as being little
>more than irrelevant, moralistic hand-waving. But I don't find the "they're
>going to compromise it anyway so why not make a buck when we can" line of
>reasoning particularly satisfying.

Well, no, it's not especially elegant or poetic, but it's simple economics, 
which are at the heart of both successful business and successful 
cryptography. If ZKS refused to sell to NSA, what would have changed, 
except for their ability to crow "We told NSA to fuck off!" ..?

>All place-in-the-pecking-order issues aside, roughly how long do you think
>it's going to take before "dissident-grade untraceability" becomes a
>reality?  If anyone deigns to show me why the prospects are better
>than "bleak", I'd love to be proven wrong.

"Dissident-grade untraceability" (DGU) is an elusive goal - if you look at 
what's theoretically possible, we've got it now (and have had it for ~ 20 
years, albeit with an unfriendly UI). If you look at what's deployed, we'll 
probably never get there, because it's a multi-layered problem, where holes 
appear in layers far beyond the control of any individual or organization.

Maybe ZKS can give me really great privacy within the 7-layer stack, but 
they can't do anything about someone torturing me until I confess to crimes 
I did (or didn't) commit, or undercover agents who pretend to be fellow 
dissidents but are actually secret policemen, or snoopy busybodies who 
notice that every time I use the computer at the local cybercafe, a few 
hours later a new issue of The Squealing Rodent hits Usenet full of 
irresponsible rumors about the Administration .. or that during the months 
I was on "vacation" in solitary confinement, no new issues were published.

DGU is just like other kinds of security - it's not a product or service 
you can buy from someone, even if you're really careful to pick the right 
vendor. Maybe you can pick a vendor who does a good job within their area 
of responsibility - and maybe you can pick a vendor who'll tell you really 
clearly which problems they solve and which problems they don't - but it's 
silly to expect anyone (be it ZKS or SafeWeb or anonymous remailers or 
anyone else) to provide perfect untraceability on a silver platter, such 
that users don't need to pay any attention themselves. You'll never get 
real-world perfect untraceability if you've got human beings at the ends of 
the "anonymous" communication pipes.


--
Greg Broiles
gbroiles at well.com
"We have found and closed the thing you watch us with." -- New Delhi street kids




