Slashdot Mirror

← Back to Stories (view on slashdot.org)

Software to Support Human Rights

Posted by michael on from the pretty-good-publicity dept.

An anonymous reader writes "Some software rollouts have lives hanging in the balance. Human rights workers in massacre zones from El Salvador to Kosovo face prying eyes peering into their address books and logs, who follow up with bullets and poison gas. One project, Martus, takes these hostile environments into account: a leak can get whole families killed. They use encryption, distributed backup, and other techniques designed to survive the ultimate corrosive environment: vindictive armies in countrysides in the throes of war. The source code is open, to allow meaningful contributions from anyone willing to help. These people bet their lives on open source and private data. The sponsor organization, Benetech in Silicon Valley, funds projects that arm global rights workers, and people under siege, with communications tools that counterbalance the overwhelming force used to exterminate everything "Free"."

25 of 194 comments (clear)

  1. open source dangerous! by SegaVegas · · Score: 5, Insightful

    The source code is open, to allow meaningful contributions from anyone,
    [b]including people who do not mean well[b]
    watch out!

    1. Re:open source dangerous! by cperciva · · Score: 5, Insightful

      While I suspect the parent post was intended as humour, it raises a good point: How carefully do people look over contributed code before including it?

      Especially in the case of projects like this, I can see a significant danger of someone deliberately introducing a "mistake" which could completely compromise the system's security. With off-by-one errors routinely being found many years after they were initially introduced, I suspect that such an attempt could easily be successful.

      --
      Tarsnap: Online backups for the truly paranoid
    2. Re:open source dangerous! by Krapangor · · Score: 4, Funny
      How carefully do people look over contributed code before including it?

      Not often enough:
      einstien@mensa> grep -e "31337|h4x0r|0wned|phear|ph34r|r00tk17|sex|pr0n|po rn" -l -r /usr/src/Linux/* | wc -l

      237

      --
      Owner of a Mensa membership card.
    3. Re:open source dangerous! by exhilaration · · Score: 4, Informative
      How carefully do people look over contributed code before including it?

      They look over it very carefully - Patches can create security problems as well as stability issues. Maintainers aren't stupid enough to include untested patches from unknown persons. Their reputations are at stake, as is the reputation of the entire project.

      The poor example from above is pulling words from the comments - and those contain the foulest language imaginable. There was a Slashdot article a while back about this.

    4. Re:open source dangerous! by mrogers · · Score: 3, Funny
      The poor example from above is pulling words from the comments - and those contain the foulest language imaginable.

      Hey, Finnish isn't that bad.

    5. Re:open source dangerous! by Tom · · Score: 3, Informative

      Your count is slightly misleading. For example:

      Documentation/filesystems/proc.txt: echo ':DEXE:M::\x0eDEX::/usr/bin/dosexec:' > register
      drivers/sound/dev_table.h: int (*send_sysex)(int dev, unsigned char *bytes, int len);
      arch/i386/kernel/setup.c: * misexecution of code under Linux. Owners of such processors should

      and lots of @bytesex.org e-mail addresses. ;)

      --
      Assorted stuff I do sometimes: Lemuria.org
  2. With all the new US laws by miyako · · Score: 5, Insightful

    it might not be long untill we need this or something like it to protect us from our own homland security KGB.

    --
    Famous Last Words: "hmm...wikipedia says it's edible"
  3. Just wondering sonething... by Altima(BoB) · · Score: 3, Funny

    If the encryption software is open source, doesn't that mean that hostiles who want to break the encryption can use the source to make sonething to counter the encryption?

    I have a vague idea on why that's not so, but nothing definate. I heard it being compared to trying to put a sausage into a meat grinder backwards to make a pig.

    --
    Yup...
    1. Re:Just wondering sonething... by Ed+Avis · · Score: 4, Insightful

      The encryption system has two parts: an algorithm, which is publicly known, and a key, which is private. You need both to decrypt some data. The system is designed so that the key is required for decryption, it is not enough just to know the algorithm.

      OK - it might be a little bit harder if you didn't know the algorithm either, but would you trust an encryption system where the author said 'we can't disclose how it works, we're worried that if people knew that they might be able to break it'?

      --
      -- Ed Avis ed@membled.com
    2. Re:Just wondering sonething... by Ed+Avis · · Score: 3, Interesting

      Yes they can get the key out of you ('rubber hose cryptanalysis') but there are some systems where you can have several keys and each key reveals different data - so you could disclose a key which gives a dummy, fairly uninformative address book. Then there is no way to show that extra data is hidden unless you have the extra keys. This means that when you say 'I have told you everything I know' there is no way to verify that claim. This has both good and bad points.

      Disguising the data in something else like a minidisk recorder is a good idea but obviously not everyone can do that - each person must choose a different kind of disguise, so it gets tricky.

      --
      -- Ed Avis ed@membled.com
  4. Vim by Yag · · Score: 4, Interesting

    Also vim helps human rights... "Uganda licence" is a good idea to make OS Software even more useful...

  5. Possession by xixax · · Score: 5, Interesting

    And soon enough even the possession of these kinds of tools will be enough to put people in jail. After all, they were probably using them to swap MP3s or kiddie-pr0n or even plan terrorist acts.

    Strong crypto is only a part of the answer (whatever that answer may be).

    Xix.

    --
    "Everything is adjustable, provided you have the right tools"
    1. Re:Possession by enigmiac · · Score: 4, Interesting

      what makes you think there is an answer? this is an issue that I am torn on. how is it possible to stop terrorism and child pr0n, with out eliminating human rights? I believe very strongly in personal freedom, but at the same time, I believe that my rights end where yours begin. as long as what I'm doing doesn't affect anyone else, I don't see how it can be wrong. at the same time, how can we tell when some form of communication is about to affect others negativly without inspecting it all (which I find deplorable)? if anyone has an answer, I'd love to hear it

    2. Re:Possession by arvindn · · Score: 5, Informative
      Freenet is an internet infrastructure for completely anonymous communication (its been mentioned on /. before). I imagine it would be an excellent tool for human rights workers. Note that freenet is not tailored for specific content or applications, and so anyone can benefit from it.

      If most people (or atleast a majority of people) started using freenet, it would change the internet in a fundamental way: it would be no longer possible to outlaw freenet. I don't see this happening anytime soon, because most people still enjoy freedom of speech. But if there were to arise a global dictator, technology has given us a way to fight back.

  6. Still Not Good by Anonymous Coward · · Score: 5, Insightful

    The evil army will just beat your key out of you. They aren't just going to try a few codes and walk off; they are going to break out the hoses and the electric generators. They may not be able to break the encryption, but they sure as hell can break you.

    1. Re:Still Not Good by ginnocent · · Score: 3, Insightful

      Excellent point. It's clear that such software requires a feature that allows a user to do the following with minimal keystrokes :-

      'I'm about to be captured. Please assume anybody logging in as me is an evil cracker. Anything that can be decrypted with my key should be re-encrypted with the key of a 'safe' user who is registered with a 'safe' country'

      Determining 'safe' countries and 'users' would require some care. Perhaps a voting system of some kind? or Central control by the project maintainer (via their private key)?
      Both systems could be abused. The first system would be prone to the agents of the 'evil' army registering as users and overwheliming by force of numbers.

      The second system would put require all other users to trust the maintainer, and could be compromised by their capture and interrogation.
      (Being the maintainer of such a project would make one a target of many hostile intelligence agencies).

      I think the most trustworthy system would be a variant of the first, whereby all new users had to be declared 'trusted' by unanimous vote of current 'trusted' users. Of course this wouldn't scale to well, adding new user becoming slower and more difficult as each new user is added.
      Establishing trusted countries could be handled as follows :-

      1) If any trusted user claims a country cannot be trusted, then the system assumes the country cannot be trusted until 'reinstated' by unanimous vote.

      2) If any user who is registered to that country invokes the 'i've been captured' feature above, the country is no longer to be trusted until restored by unanimous vote.

      By unanimous vote I mean a unanimous vote of trusted users in trusted countries.

      Does this make sense?

  7. If you really care about freedom! by Anonymous Coward · · Score: 4, Informative

    Boycott Redhat, never ever use or install Redhat personally or in your work.

    Redhat supported tyrannic mainland China against democratic Taiwan and gladly removed Taiwans status as independant in their latest distributions. The only reason is to make more dollars from China.

    It should be notet that companies like HP and Microsoft has refused to remove Taiwans status as independant despite pressure and fines from the dictatorship in China.

    There is plenty of really good distributions, there is simply no need to support tyranny.

  8. Don't expext the thugs to play fair by de+la+mettrie · · Score: 5, Insightful
    I'm sure this is, technically, good cryptography software. However, keep in mind that this software is explicitly designed to hide information from governmental law enforcement authorities. Therefore

    it is just as useful to criminals as to human rights workers. This is not, of course, a problem per se, but

    using this as a pretext, governments will simply ban possession and usage of this software. If they need any pretext, that is - in the kind of country this software is designed to be used, "human rights worker" is just another word for criminal.

    This kind of software is useful to preserve personal privacy in a civilized nation. In a thugocracy, however, the police will just confiscate your computer, or you will be extradited/tortured/shot for being in possession of this software.

    1. Re:Don't expext the thugs to play fair by the+eric+conspiracy · · Score: 4, Insightful

      However, keep in mind that this software is explicitly designed to hide information from governmental law enforcement authorities.

      This software is also designed to widely disseminate the information. Once the cat is out of the bag on a global basis it is out of the reach of any single governmental organization.

      the police will just confiscate your computer, or you will be extradited/tortured/shot for being in possession of this software.

      Some people care enough to risk their lives in this cause.

  9. A related project by ronys · · Score: 4, Informative

    People interested in this might also be interested in the rubberhose project.

    From the homepage:

    "Rubberhose transparently and deniably encrypts disk data, minimising the effectiveness of warrants, coersive interrogations and other compulsive mechanisms, such as U.K RIP legislation. Rubberhose differs from conventional disk encryption systems in that it has an advanced modular architecture, self-test suite, is more secure, portable, utilises information hiding (steganography / deniable cryptography), works with any file system and has source freely available. Currently supported ciphers are DES, 3DES, IDEA, RC5, RC6, Blowfish, Twofish and CAST."

    --
    Ubi dubium ibi libertas: Where there is doubt, there is freedom.
    1. Re:A related project by cliffiecee · · Score: 4, Interesting

      You didn't snip enough to tell folks the REAL power of Rubberhose.

      It is possible to create encrypted containers 'embedded' in other ecrypted containers (Matryoshka-doll fashion), each protected with a password. So when the 'thugs' come knocking, you can give them a password which will unlock the outer container, without compromising the inner ones (which, obviously, aren't visible- you have to KNOW they exist).

      Of course, the thugs already know about this software, so you can repeat the above process- give them three passwords and then say "that's all there is"- they can't prove otherwise.

      Let's be pragmatic, though- this is only going to work if you believe the thugs would let you go if they couldn't prove anything. Otherwise, it's simpler to use gpg and a cyanide pill.

  10. This concerns me greatly. by Henry+Stern · · Score: 4, Insightful

    I see this software and I find myself very afraid. It neatly packages up a military grade cryptographic communications solution and makes it freely available to the public. While the people who it is intended for will benefit greatly from it, those who intend to do harm will also have easy access to it.

    Martus is a cryptographic solution: overt, secret communications. The people who this is intended for are already under surveilance by those who wish to do them and their contacts harm, so making the already-intercepted messages unreadable is the solution to this problem.

    Criminal organisations would likely need more of a steganographic solution: covert, secret communications. An often-overlooked fact about secret communications is that the mere presence of secret messages can be an indicator that something is going on.

    When Nazi Germany was using the Enigma, they had their communications officers send garbage messages[1] so that the Allies would not detect a sudden burst of communications activity indicating some sort of military action.

    If a terrorist organisation* were to begin using a system like this, any intelligence services watching them would be tipped off and would have to figure out what's going on the old fashioned way (we all know what that means). But, the fact is that they are alerted to what's going on and can then follow up.

    If you think about these points, I hope that your fears of evil people exploiting this effort may be eased. If anything, using this (or similar) software will tip their hands and expose that something is going on.

    *An organisation targetting civilians with violent actions to serve political means.

    [1] Simon Singh, The Code Book. (1999) Random House, New York

  11. Why this is a useless plan by Anonymous Coward · · Score: 3, Insightful

    I read the website, it seems the creators of Martus (along with humanitarian workers) are under the delusion that nothing gets done about these human rights violations because nobody knows about them.

    They are wrong, people do know about them (many of them).

    People don't give a shit. That's the problem, nobody wants to go solve other people's problems. It's not lack of awareness. Sure there is lack of awareness, and yes very few of the human rights violations of the world are documented.

    But fundamentally, people only care about their own problems even if they are much smaller in comparison. People do not want to sacrifice for others, especially people they dont know are dont have a cultural bond with. It's a combination of ignorance and apathy, with apathy being the MAJOR dominant factor.

    Martus and other projects like it will be a disappointment until people figure start caring about issues of human rights and try to solve them in a meaningful and logical manner (and that excludes the "let them kill each other" excuse/way).

  12. The real benefit of Martus by regen · · Score: 4, Informative

    is not that it uses cryptography. It basicly uses pgp, which you or any terrorist or human rights (HR) activist could download. But the software isn't about just sending encrypted messages, which is all terrorists would want.

    The point is that in Martus, the crypto is integrated into a package that allows HR groups to a) send the data to a secure server, where there is b) a central database, and c) allow other, approved groups to view the data. This allows HR groups to get the info out from problematic areas to a place where the international community can see what's going on. Sure, terrorists could use the software to send messages, but what the heck do they need a database for? For HR groups, the problematic gov't could come cart off every computer and piece of paper in their office, and the data would still be secure and accessible. And as soon as they got access to another computer, they could start adding to it again.

    --
    The Economics of Website Security
  13. Re:Java by hughk · · Score: 3, Informative
    The main offices all have reasonable systems, Pentium 2s or better. Roaming field workers for HROs may have quite reasonable laptops. Field offices may have just 486s. PCs tend to get looted or are gratuitously destroyed by militia, so you don't really want to have your latest cool stuff there.

    Please remember that Java can be compiled. When it is, it can run ok even on older systems. We did a stock exchange client in Uzbekistan in Java on a 32MB 66MHz 486 under Win98SE because that was all they had available for the dealers at the exchange.

    --
    See my journal, I write things there