Software to Support Human Rights
An anonymous reader writes "Some software rollouts have lives hanging in the balance. Human rights workers in massacre zones from El Salvador to Kosovo face prying eyes peering into their address books and logs, who follow up with bullets and poison gas. One project, Martus, takes these hostile environments into account: a leak can get whole families killed. They use encryption, distributed backup, and other techniques designed to survive the ultimate corrosive environment: vindictive armies in countrysides in the throes of war. The source code is open, to allow meaningful contributions from anyone willing to help. These people bet their lives on open source and private data. The sponsor organization, Benetech in Silicon Valley, funds projects that arm global rights workers, and people under siege, with communications tools that counterbalance the overwhelming force used to exterminate everything "Free"."
The source code is open, to allow meaningful contributions from anyone,
including people who do not mean well
watch out!
It might not be long until we need this or something like it to protect us from our own homeland security KGB.
Famous Last Words: "hmm...wikipedia says it's edible"
If the encryption software is open source, doesn't that mean that hostiles who want to break the encryption can use the source to make something to counter the encryption?
I have a vague idea on why that's not so, but nothing definite. I heard it being compared to trying to put a sausage into a meat grinder backwards to make a pig.
Yup...
Also vim helps human rights... "Uganda licence" is a good idea to make OS Software even more useful...
And soon enough even the possession of these kinds of tools will be enough to put people in jail. After all, they were probably using them to swap MP3s or kiddie-pr0n or even plan terrorist acts.
Strong crypto is only a part of the answer (whatever that answer may be).
Xix.
"Everything is adjustable, provided you have the right tools"
The evil army will just beat your key out of you. They aren't just going to try a few codes and walk off; they are going to break out the hoses and the electric generators. They may not be able to break the encryption, but they sure as hell can break you.
Boycott Redhat, never ever use or install Redhat personally or in your work.
Redhat supported tyrannic mainland China against democratic Taiwan and gladly removed Taiwan's status as independent in their latest distributions. The only reason is to make more dollars from China.
It should be noted that companies like HP and Microsoft have refused to remove Taiwan's status as independent despite pressure and fines from the dictatorship in China.
There are plenty of really good distributions, there is simply no need to support tyranny.
I mean, the Government says "give me your decryption key or we will put you in jail until you do". Here the choice will be giving up your key vs. giving up your life. Unless someone is VERY dedicated and brave, they are going to give up the key when they have a gun to their head (or worse).
Freedom Is Universal
Linux-Universe
If the setting is so dangerous and THEY use truncheon keys, ain't this Java-based thing pointless?
from the website--
"Martus bulletins are created and saved locally on your personal computer. Whenever an Internet connection is available, saved bulletins are automatically sent to a Martus server."
Next thing you know, Al Qaeda will be using it.
eTrade SUCKS
I posted in the wrong discussion. Damnit. That's what I get for waking up and trying to be funny...
Blog Prophyts - Right On, Man
You replied to the wrong article. Yours is the one before :)
Hence my other comment somewhere in here.
If it's a high profile, or an International organisation that can tell the authorities where to stick it, crypto can be very valuable. For example, to keep intercepted communications secret. OTOH, no amount of crypto is going to do you any good if they can haul you away and beat it out of you.
It's a very useful tool, but only in the right circumstances.
Xix.
"Everything is adjustable, provided you have the right tools"
it is just as useful to criminals as to human rights workers. This is not, of course, a problem per se, but
using this as a pretext, governments will simply ban possession and usage of this software. If they need any pretext, that is - in the kind of country this software is designed to be used, "human rights worker" is just another word for criminal.
This kind of software is useful to preserve personal privacy in a civilized nation. In a thugocracy, however, the police will just confiscate your computer, or you will be extradited/tortured/shot for being in possession of this software.
People interested in this might also be interested in the rubberhose project.
From the homepage:
"Rubberhose transparently and deniably encrypts disk data, minimising the effectiveness of warrants, coercive interrogations and other compulsive mechanisms, such as U.K RIP legislation. Rubberhose differs from conventional disk encryption systems in that it has an advanced modular architecture, self-test suite, is more secure, portable, utilises information hiding (steganography / deniable cryptography), works with any file system and has source freely available. Currently supported ciphers are DES, 3DES, IDEA, RC5, RC6, Blowfish, Twofish and CAST."
Ubi dubium ibi libertas: Where there is doubt, there is freedom.
If Microsoft remains as unethical as it is, it could sell palladium technology to rogue countries to help with human rights violations. If you were caught trying to crack it (which would be obvious), you would get shot!
More reasons to stop palladium, as it could be abused like this.
I see this software and I find myself very afraid. It neatly packages up a military grade cryptographic communications solution and makes it freely available to the public. While the people who it is intended for will benefit greatly from it, those who intend to do harm will also have easy access to it.
Martus is a cryptographic solution: overt, secret communications. The people who this is intended for are already under surveillance by those who wish to do them and their contacts harm, so making the already-intercepted messages unreadable is the solution to this problem.
Criminal organisations would likely need more of a steganographic solution: covert, secret communications. An often-overlooked fact about secret communications is that the mere presence of secret messages can be an indicator that something is going on.
When Nazi Germany was using the Enigma, they had their communications officers send garbage messages[1] so that the Allies would not detect a sudden burst of communications activity indicating some sort of military action.
If a terrorist organisation* were to begin using a system like this, any intelligence services watching them would be tipped off and would have to figure out what's going on the old fashioned way (we all know what that means). But, the fact is that they are alerted to what's going on and can then follow up.
If you think about these points, I hope that your fears of evil people exploiting this effort may be eased. If anything, using this (or similar) software will tip their hands and expose that something is going on.
*An organisation targeting civilians with violent actions to serve political means.
[1] Simon Singh, The Code Book. (1999) Random House, New York
to really cover yourself on-line, and that is quite simply do not put anything that your life will depend on on your computer. Rather like all those putative criminals who leave all their contacts on their mobile phone's SIM card. Stupidity, no other word for it.
This stuff runs on Java and includes a JRE. Even assuming that computers are widespread within human rights organizations in third world countries, would a large proportion of them be powerful enough to run Java desktop applications?
I read the website, it seems the creators of Martus (along with humanitarian workers) are under the delusion that nothing gets done about these human rights violations because nobody knows about them.
They are wrong, people do know about them (many of them).
People don't give a shit. That's the problem, nobody wants to go solve other people's problems. It's not lack of awareness. Sure there is lack of awareness, and yes very few of the human rights violations of the world are documented.
But fundamentally, people only care about their own problems even if they are much smaller in comparison. People do not want to sacrifice for others, especially people they don't know or don't have a cultural bond with. It's a combination of ignorance and apathy, with apathy being the MAJOR dominant factor.
Martus and other projects like it will be a disappointment until people start caring about issues of human rights and try to solve them in a meaningful and logical manner (and that excludes the "let them kill each other" excuse/way).
in some parts of the world.
The current climate in the US is leading in exactly that direction- I reckon that non government personnel will soon be limited as to which (if any) encryption tools they may possess/use. It is true that strong encryption could be used to ill effect by criminals/terrorist organizations etc. BUT it is critical that the 4th amendment not be further eroded (by the Patriot Act) than it already has.
Amendment IV
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
They may not be able to break the encryption, but they sure as hell can break you.
Then it would be pointless to encrypt in the first place. If you're so weak willed that you'll give up the content (vis encryption key) before you give up your life, then your willingness to be tortured for that access accomplishes nothing.
Now I'm sure some will come to your defense and cite a situation where encryption is used for non-life-or-death data, but then the logic breaks down there, too, because while you can encrypt all your email with GPG or the like, doing so without the resolve to meet any attack the encryption may face is an indicator of just how important the content is. For most, encryption is merely a "prying eyes" issue, not an "oh fuck; they've crippled me and may kill me (or jail me for contempt of court, for those dealing with more benign powers)" issue.
Rubberhose transparently and deniably encrypts disk data, minimising the effectiveness of warrants, coercive interrogations and other compulsive mechanisms, such as U.K RIP legislation. Rubberhose differs from conventional disk encryption systems in that it has an advanced modular architecture, self-test suite, is more secure, portable, utilises information hiding (steganography / deniable cryptography), works with any file system and has source freely available. Currently supported ciphers are DES, 3DES, IDEA, RC5, RC6, Blowfish, Twofish and CAST.
.tHE pRODUCT
Hey -- I've got a BETTER idea: why don't we let the U.S. rulers NUKE anybody they don't like?
No -- wait. They're on-record as intending TO DO JUST THAT.
It occurs to me that (all political discussions aside) this software would be most effective on legacy equipment and Palmtop computers. It should probably be ported to a text-based interface for DOS, Linux, and some sort of port for PalmOS.
Don't forget that their favorite present methods are surreptitious entry into your domicile to plant key logging software or hardware, etc. I'm sure they're even now using trojaned software to piggyback spyware right onto your machine without even having to jimmy your locks.
Don't you find it ironic that you're criticizing Martus' website for making a blanket statement (human rights violations exist because nobody knows about them) with your own blanket statement (most people are apathetic, so nothing can be done if you don't change most people)?
Personally, I think you're severely underestimating the people involved with the Martus project. In my experience, volunteers are almost always very aware of the apathy factor. It's usually assumed that everybody is aware of the apathy factor.
A lot of people don't give a shit, and each for their own different reasons. However, there *are* a lot of people who do care and actually dedicate their time to make a change. While their work doesn't make the problems go away, contributions like this help.
While apathy/involvement can be a big factor in fighting issues like these, you're also forgetting political/commercial factors. For every political/commercial interest abusing human rights, there are usually opposing political/commercial interests who would love to expose their opponent's corruption/evil to topple their regime. Documenting human rights abuses, especially if it can indict key political figures, can be extremely useful.
If Martus's system can make the process of gathering/distributing of key evidence more effective, kudos to the Martus team.
While everything I might have said may not be true, at least I have enough imagination to realize my own ignorance and shortsightedness.
"Communism is like having one [local] phone company " - Lenny Bruce
is not that it uses cryptography. It basically uses pgp, which you or any terrorist or human rights (HR) activist could download. But the software isn't about just sending encrypted messages, which is all terrorists would want.
The point is that in Martus, the crypto is integrated into a package that allows HR groups to a) send the data to a secure server, where there is b) a central database, and c) allow other, approved groups to view the data. This allows HR groups to get the info out from problematic areas to a place where the international community can see what's going on. Sure, terrorists could use the software to send messages, but what the heck do they need a database for? For HR groups, the problematic gov't could come cart off every computer and piece of paper in their office, and the data would still be secure and accessible. And as soon as they got access to another computer, they could start adding to it again.
The Economics of Website Security
For the purposes of argument, you have to assume that the world's best hardware is enslaved to the people who want to kill human rights activists; it really needs rigorous testing if the source code has been available to the bad guys for about 2 years.
Then again, maybe the activist groups have their own great coders and have secretly forked the source for continuing development, and are relying on obscurity as well as advancement to protect them against the bad guys.
Get off my launchpad!
I only saw powder on that website, and they sell it through retailers/dealers. I don't think that's a fair comparison.
Get off my launchpad!
Yes, but which human's rights do we set first?
0 1 - just my two bits
Redhat supported tyrannic mainland China
Oh please, if you all feel so strongly about tyrannic China, then why don't we see a boycott of Chinese products? Take a look around you and see how many products you use all the time that were "made in China". My Microsoft mouse, my Logitech mouse, my keyboard at work, some of the parts inside my computer, my Microcom modem etc, all made or assembled in China. Americans don't want to support China's tyranny, but they don't feel so strongly about it that they will stop buying China's cheaper products as a protest.
The article demonstrates well that open source software can be used by those who want to document human rights abuses. This is good where the open source projects are cryptography protocols and algorithms.
However, repressive regimes can also use the open source nature of networking protocols to spy on its own residents or limit what they can do over the internet. The repressive government just makes its own malware based upon the freely available source code.
Privaterra is an organization dedicated to training human rights workers to use encryption tools to ensure their safety. Less about new software, and more about training people to use the software that already exists.
There are so many quotes and asterisks implying irony up there that some of it was bound to be lost, due to one-off and sign errors, if nothing else.
Now before I get modded down, I beg to remind whoever might read this that what I am saying is FACT. - bogaboga
It works under Linux just fine as far as I can tell. The binary distribution is Windows only.
For DOS, you would need to do a C based client interface re-write, but the protocol for this is XMLRPC, so it's not out of the realm of possibility. We look forward to your version.
As far as the PalmOS, it's not as useful as you might think. Most of these countries don't have a use for hand-helds that are relatively expensive, get lost, broken. When you are out in the field collecting data, you need a good old fashioned pencil and paper.
Since bulletins are going to an offsite server and originated with a private key, Martus could add a signing/timestamping service. That could come in really handy if and when the reports are used as evidence at a war crimes trial.
They should also have something like PGP's designated revoker functionality, so that when a friend notices that you've been abducted by the Gestapo, the friend can invalidate your private key, making it impossible for the Gestapo to forge bulletins from you.
Unless they're using open source software.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
We quite appreciate being slashdotted! Some great and insightful comments. I'll start by addressing two main ones:
1. Crypto is not the end-all security answer.
We agree. Much of our documentation is designed to educate about this issue. The main security threats to this data are not someone cracking a strong crypto solution, by our attack analysis. It's the bad password, snooped keyboard strokes, torture, etc. We are also pretty upfront that today's strong crypto is the next generation's college coding project. Our crypto makes HR data 99% more secure (maybe 95%). The most important thing is that it gives these groups more control over their information and makes it a lot less likely that it will be lost.
2. The Al Qaeda concern.
The terrorist groups already use/have access to secure communications for email. Martus is designed for human rights bulletins. While it is conceivable that terrorists could use it, why would they if they have better tools for their needs? I like to use the example of guns/machetes/hoes. All of them can be used in committing genocide. Hoes just happen to be far better for farming than for killing, and it's rare for them to be used as a weapon. Design is a strong signal of intention.