Software to Support Human Rights

An anonymous reader writes "Some software rollouts have lives hanging in the balance. Human rights workers in massacre zones from El Salvador to Kosovo face prying eyes peering into their address books and logs, who follow up with bullets and poison gas. One project, Martus, takes these hostile environments into account: a leak can get whole families killed. They use encryption, distributed backup, and other techniques designed to survive the ultimate corrosive environment: vindictive armies in countrysides in the throes of war. The source code is open, to allow meaningful contributions from anyone willing to help. These people bet their lives on open source and private data. The sponsor organization, Benetech in Silicon Valley, funds projects that arm global rights workers, and people under siege, with communications tools that counterbalance the overwhelming force used to exterminate everything "Free"."

open source dangerous!

[SegaVegas]

The source code is open, to allow meaningful contributions from anyone,
[b]including people who do not mean well[b]
watch out!

Re:open source dangerous!

[cperciva]

While I suspect the parent post was intended as humour, it raises a good point: How carefully do people look over contributed code before including it?

Especially in the case of projects like this, I can see a significant danger of someone deliberately introducing a "mistake" which could completely compromise the system's security. With off-by-one errors routinely being found many years after they were initially introduced, I suspect that such an attempt could easily be successful.

With all the new US laws

[miyako]

it might not be long untill we need this or something like it to protect us from our own homland security KGB.

Re:With all the new US laws

[paganizer]

Hate to tell you this....
brace yourself...

We are about a year+ past needing something like this ourselves.
Unfortunately, this won't work for us, because NO PLACE would be safe for the central database server.
Our only options are freenet & things of a like nature, which are decentralized.

On the other hand, you've got nothing to hide, aren't a terrorist, so you've nothing to fear, right?

right?

RIGHT, Citizen?

in times like these it's a good thing the founding fathers realized that future governments wouldn't play by the rules.

Still Not Good

The evil army will just beat your key out of you. They aren't just going to try a few codes and walk off; they are going to break out the hoses and the electric generators. They may not be able to break the encryption, but they sure as hell can break you.

Re:Still Not Good

[ginnocent]

Excellent point. It's clear that such software requires a feature that allows a user to do the following with minimal keystrokes :-

'I'm about to be captured. Please assume anybody logging in as me is an evil cracker. Anything that can be decrypted with my key should be re-encrypted with the key of a 'safe' user who is registered with a 'safe' country'

Determining 'safe' countries and 'users' would require some care. Perhaps a voting system of some kind? or Central control by the project maintainer (via their private key)?
Both systems could be abused. The first system would be prone to the agents of the 'evil' army registering as users and overwheliming by force of numbers.

The second system would put require all other users to trust the maintainer, and could be compromised by their capture and interrogation.
(Being the maintainer of such a project would make one a target of many hostile intelligence agencies).

I think the most trustworthy system would be a variant of the first, whereby all new users had to be declared 'trusted' by unanimous vote of current 'trusted' users. Of course this wouldn't scale to well, adding new user becoming slower and more difficult as each new user is added.
Establishing trusted countries could be handled as follows :-

1) If any trusted user claims a country cannot be trusted, then the system assumes the country cannot be trusted until 'reinstated' by unanimous vote.

2) If any user who is registered to that country invokes the 'i've been captured' feature above, the country is no longer to be trusted until restored by unanimous vote.

By unanimous vote I mean a unanimous vote of trusted users in trusted countries.

Does this make sense?

Can This Work?

[DASHSL0T]

I mean, the Government says "give me your decryption key or we will put you in jail until you do". Here the choice will be giving up your key vs. giving up your life. Unless someone is VERY dedicated and brave, they are going to give up the key when they have a gun to their head (or worse).

Re:Can This Work?

[the+eric+conspiracy]

"give me your decryption key or we will put you in jail until you do"

Having the key won't do you any good once the data is sent to a server in another country.

Irony

[Jesus+IS+the+Devil]

Next thing you know, Al Queda will be using it.

Re:Irony

Well, yes. They are, in all likelyhood, also using cars, phones, GPS devices, Google, and numerous other technologies.

In fact I'd propose that we all start living in caves again, but there are two problems:

1. That's what they *want* us to do.

2. They have plenty of caves where they come from; not even 'cave technology' is safe.

In some situations

[xixax]

Hence my other comment somewhere in here.

If it's a high profile, or an International organisation that can tell the authorities where to stick it, crypto can be very valuable. For example, to keep intercepted communications secret. OTOH, no amount of crypto is going to do you any good if they can haul you away and beat it out of you.

It's a very useful tool, but only in the right circumstances.

Xix.

Don't expext the thugs to play fair

[de+la+mettrie]

I'm sure this is, technically, good cryptography software. However, keep in mind that this software is explicitly designed to hide information from governmental law enforcement authorities. Therefore

it is just as useful to criminals as to human rights workers. This is not, of course, a problem per se, but

using this as a pretext, governments will simply ban possession and usage of this software. If they need any pretext, that is - in the kind of country this software is designed to be used, "human rights worker" is just another word for criminal.

This kind of software is useful to preserve personal privacy in a civilized nation. In a thugocracy, however, the police will just confiscate your computer, or you will be extradited/tortured/shot for being in possession of this software.

Re:Don't expext the thugs to play fair

[the+eric+conspiracy]

However, keep in mind that this software is explicitly designed to hide information from governmental law enforcement authorities.

This software is also designed to widely disseminate the information. Once the cat is out of the bag on a global basis it is out of the reach of any single governmental organization.

the police will just confiscate your computer, or you will be extradited/tortured/shot for being in possession of this software.

Some people care enough to risk their lives in this cause.

Re:Don't expext the thugs to play fair

[Stonehand]

Everybody has a breaking point.

Most people, for instance, would probably talk if the alternative was seeing acid injected into the eyeballs of their coworkers, or being forced to watch the slow execution of villagers they're supposed to be helping and then to eat their remains.

Re:Just wondering sonething...

[Ed+Avis]

The encryption system has two parts: an algorithm, which is publicly known, and a key, which is private. You need both to decrypt some data. The system is designed so that the key is required for decryption, it is not enough just to know the algorithm.

OK - it might be a little bit harder if you didn't know the algorithm either, but would you trust an encryption system where the author said 'we can't disclose how it works, we're worried that if people knew that they might be able to break it'?

This concerns me greatly.

[Henry+Stern]

I see this software and I find myself very afraid. It neatly packages up a military grade cryptographic communications solution and makes it freely available to the public. While the people who it is intended for will benefit greatly from it, those who intend to do harm will also have easy access to it.

Martus is a cryptographic solution: overt, secret communications. The people who this is intended for are already under surveilance by those who wish to do them and their contacts harm, so making the already-intercepted messages unreadable is the solution to this problem.

Criminal organisations would likely need more of a steganographic solution: covert, secret communications. An often-overlooked fact about secret communications is that the mere presence of secret messages can be an indicator that something is going on.

When Nazi Germany was using the Enigma, they had their communications officers send garbage messages[1] so that the Allies would not detect a sudden burst of communications activity indicating some sort of military action.

If a terrorist organisation* were to begin using a system like this, any intelligence services watching them would be tipped off and would have to figure out what's going on the old fashioned way (we all know what that means). But, the fact is that they are alerted to what's going on and can then follow up.

If you think about these points, I hope that your fears of evil people exploiting this effort may be eased. If anything, using this (or similar) software will tip their hands and expose that something is going on.

*An organisation targetting civilians with violent actions to serve political means.

[1] Simon Singh, The Code Book. (1999) Random House, New York

Re:This concerns me greatly.

[hughk]

It concerns me that you should believe that the state is to be any more trusted with information than law-abiding individuals.

Under recent laws, not just in the US, but in other countries like the UK, you may be forced to disclose keys. The state by definition is generally law abiding, but the officers of the state are individuals. Some of those, I may trust, some I definitely will not. Yes there are criminals working for the state too.

Once information is acquired, it can not be forgotten. It may then be abused by the less honest state officials.

You raise the prospect of terrorists using this system. Look, I do not need crypto to tell a terrorist to attach. In WW2, the British SOE used the BBC to send messages to the French Resistance.

Re:This concerns me greatly.

[vadim_t]

Yay, again this argument.

Oh the horror! Imagine what would happen if terrorist organizations got their hands on communication devices that allowed them to plan attacks while being even in different countries! (also known as cell phones). Or what could happen if terrorists could obtain information about how to make explosives (chemistry books come to mind).

Come on people, this argument makes no sense at all. By that logic, we should ban all technology, since even a big wheel can be used to kill somebody! Heck, I could use the cup of tea I have here and use it as a weapon by breaking it against somebody's head.

When will people understand that there's no way of turning the world into a padded cell? Even if all technology was suddenly taken away we'd be still be able to kill people with our bare hands. What then, forbid exercise?

Re:This concerns me greatly.

[frdmfghtr]

I see this software and I find myself very afraid. It neatly packages up a military grade cryptographic communications solution and makes it freely available to the public. While the people who it is intended for will benefit greatly from it, those who intend to do harm will also have easy access to it.

Such is the price of Open Source and the desire for freedom of speech. Should a terrorist organization start using strong encryption, they could do as the Germans and send those "garbage" messages so that the level of communication traffic is relatively constant. One would have thought they would have figured this out by now, but I guess not.

I would be more concerned of such cryptography were NOT available to the public. I have just as much right to secure my data and communications as anybody, and I'm not a political activist, human rights worker, or terrorist. PGP secures data on my Windows box, and I try to encourage the use of PGP in e-mail whenever possible (besides the fact that spammers don't use it and it would make spam filtering SOOO easy, but that was the topic of another post some time ago).

Re:This concerns me greatly.

[blibbleblobble]

"I see this software and I find myself very afraid. It neatly packages up a military grade cryptographic communications solution and makes it freely available to the public."

As opposed to the people who package up miltary-grade firearms and make them freely available to the public?

Or indeed, to Iran, China, Iraq, Indonesia, and others...

Why this is a useless plan

I read the website, it seems the creators of Martus (along with humanitarian workers) are under the delusion that nothing gets done about these human rights violations because nobody knows about them.

They are wrong, people do know about them (many of them).

People don't give a shit. That's the problem, nobody wants to go solve other people's problems. It's not lack of awareness. Sure there is lack of awareness, and yes very few of the human rights violations of the world are documented.

But fundamentally, people only care about their own problems even if they are much smaller in comparison. People do not want to sacrifice for others, especially people they dont know are dont have a cultural bond with. It's a combination of ignorance and apathy, with apathy being the MAJOR dominant factor.

Martus and other projects like it will be a disappointment until people figure start caring about issues of human rights and try to solve them in a meaningful and logical manner (and that excludes the "let them kill each other" excuse/way).

Re:Possession

[KjetilK]

stop terrorism and child pr0n, with out eliminating human rights?

By setting human rights first. Always.

Re:Great idea

Hey -- I've got a BETTER idea: why don't we let the U.S. rulers NUKE anybody they don't like?
No -- wait. They're on-record as intending TO DO JUST THAT.