Slashdot Mirror

← Back to Stories (view on slashdot.org)

Jacob Appelbaum on How OSS Improves Cryptography

Posted by timothy on from the dangerous-most-dangerous dept.

destinyland writes "Jacob Appelbaum, the Tor Project's main advocate, argues that Open Source software is necessary 'to both verify and improve' available cryptography. (Adding 'We also need that to ensure that everyone has a reasonable baseline — which is part of the cypherpunk ethos.') In this new interview, he's critical of a general public silence over government encroachments on privacy, but points to the current impact of the Tor network now as something that 'runs, is open and is supported by a large community spread across all walks of life.' And he ultimately identifies Tor as 'part of an ecosystem of software that helps people regain and reclaim their autonomy,' saying the distributed anonymous network 'helps to enable people to have agency of all kinds; it helps others to help each other and it helps you to help yourself.'"

35 comments

  1. Till... by Synerg1y · · Score: 4, Insightful

    They make running or using a proxy illegal. They have the power to do that you know. Doing that technologically though, is a whole different beast.

    1. Re:Till... by postbigbang · · Score: 4, Insightful

      Tor might be an alternative, but the best way to deal with the issue is to attack the privacy problem, head on. The post claims that there is no general public outcry, and that claim is wrong. There's lots of outcry. There's no one bribing politicians-- and that's why every thing you do is tracked, and that tracking is for sale.

      --
      ---- Teach Peace. It's Cheaper Than War.
    2. Re:Till... by elucido · · Score: 4, Insightful

      Tor might be an alternative, but the best way to deal with the issue is to attack the privacy problem, head on. The post claims that there is no general public outcry, and that claim is wrong. There's lots of outcry. There's no one bribing politicians-- and that's why every thing you do is tracked, and that tracking is for sale.

      Privacy is dead forever. Technological trends will render privacy dead no matter what laws you pass. Technology determines privacy not the law.

    3. Re:Till... by postbigbang · · Score: 3, Funny

      Uh, no.

      Privacy is part of dignity, and despite technology, I'll have my dignity. Now take your marbles and go hom, Eric.

      --
      ---- Teach Peace. It's Cheaper Than War.
    4. Re:Till... by fustakrakich · · Score: 4, Interesting

      The technology doesn't matter. A prohibition is designed to give the authorities 'probable cause' to spy on you and enter your house as they please without having to worry about that silly old constitution.

      --
      “He’s not deformed, he’s just drunk!”
    5. Re:Till... by Anonymous Coward · · Score: 3, Insightful

      Privacy is only dead if you give it up right now. It's not dead yet. There are still people holding on to whatever bits of privacy are left (and there are some). You don't have to bring devices home with microphones in them or cameras. You can still get by without a cell phone. If you can't chances are you can simply turn it off when your not using it. It isn't a perfect solution although I work with someone who does exactly this. One of my employees isn't reachable while on the road. He does have a cell phone. It is always off unless he needs to make a call. His wife calls him at work when she needs to reach him. You can use Tor to get privacy online in areas that you may not wish to be known for looking or things you may not want others to know you partake in or otherwise believe/speak.

      In the real world privacy is largely dead. It is sad that the law doesn't prohibit hidden recording devices in public places. Where cameras might be absolutely necessary (high security instillations) there should be notices posted everywhere that one might be within the range of the camera.

    6. Re:Till... by daem0n1x · · Score: 1

      There will come a time when everything is illegal, and it will be left to the police or the government to decide who to prosecute.

      This way we can have the illusion of living in a democracy but in fact we'll be under the paw of an arbitrary power. Of course the normal guy who doesn't stand out will never notice it, but those who bother the rich and powerful will be quickly and effectively silenced, in a completely legal way. It's already happening, for example with patents and copyright.

      Wasn't this how Egypt was ruled for decades?

      Isn't this a reality with illegal immigrants in Europe and the US? Everybody knows they exist, everybody pretends they don't, they don't have any rights or any political weight.

      Has anybody watched Lars Von Trier's "Dogville"?

    7. Re:Till... by elucido · · Score: 1

      Privacy is only dead if you give it up right now. It's not dead yet. There are still people holding on to whatever bits of privacy are left (and there are some). You don't have to bring devices home with microphones in them or cameras. You can still get by without a cell phone. If you can't chances are you can simply turn it off when your not using it. It isn't a perfect solution although I work with someone who does exactly this. One of my employees isn't reachable while on the road. He does have a cell phone. It is always off unless he needs to make a call. His wife calls him at work when she needs to reach him. You can use Tor to get privacy online in areas that you may not wish to be known for looking or things you may not want others to know you partake in or otherwise believe/speak.

      In the real world privacy is largely dead. It is sad that the law doesn't prohibit hidden recording devices in public places. Where cameras might be absolutely necessary (high security instillations) there should be notices posted everywhere that one might be within the range of the camera.

      A tin foil hat wont protect you from a high tech privacy invasion. There is no privacy and no way to defend yourself against the snooping potential of the electromagnetic spectrum.

  2. This is obvious to anyone who has studied crypto by elucido · · Score: 4, Informative

    If the source and implementation is closed it could be backdoored from the kernel to the compiler to the random number generator to the crypto algorithm implementation.

    Here is a problem though, since Windows is closed source what good is Tor or crypto in that environment? If you have to use crypto for any reason other than to protect your passwords then its probably at risk whether you use open source or not. Just one bug or backdoor allowing a RAT to interface with your computer and gain root/superuser or anything like that and all your keys are compromised. Key generation would have to be done in hardware. Entropy is also an issue you probably wont easily solve. There is a very long way to go before any crypto implementation will be secure and mainstream. Linux has not changed that game because you install one wrong piece of software and you've got a backdoor and it could be disguised as a legit piece of software. Since not every piece of software run on Linux is open source you don't know for a fact.

  3. OSS helps to verify and improve cryptography by Anonymous Coward · · Score: 0

    It also lets me easily see exactly what's being done, so I can more easily find a workaround or an exploit.

    1. Re:OSS helps to verify and improve cryptography by Anonymous Coward · · Score: 1

      Because security through obscurity Just Works!

    2. Re:OSS helps to verify and improve cryptography by gatkinso · · Score: 2

      And, incidentally, close that side channel.

      The crypto algorithms are fairly straight forward (of you have an undergraduate degree in math). There is nothing secret there, however various intelligence agencies around the world no doubt DO have secret processes not (yet) publicly known. Most crypto is broken by either technology catching up to make a head on attack feasible, or through side channels like bugs, or compiler idiosyncrasies.

      Peer reviewed source code (along with any dependency version control and build system) hinders attackers far more than having the source code helps them.

      --
      I am very small, utmostly microscopic.
    3. Re:OSS helps to verify and improve cryptography by Anonymous Coward · · Score: 0

      Hey man, have a heart with these little fur-less creatures of Burston-Marsteller. They work so hard to help those poor folks living in the Slums of Redmond ! Don't be so cold-hearted and destroy their little lies without a bit of compassion. OK ?

  4. They wont make it illegal by elucido · · Score: 4, Interesting

    They'll just put anyone who uses it under the most intense surveillance, hack their computers, creep into their house when they aren't around, etc. This is effectively better than making it illegal because it gives users a false sense of security. While they use Tor, they are being monitored by the secret services.

    Tor does not prevent monitoring or surveillance. Surveillance that can see everything you do at your computer, everything you type, etc. What good is Tor under surveillance? It's useless if you're using it to go against the government.

    1. Re:They wont make it illegal by Anonymous Coward · · Score: 1

      That kind of effort would generally require a significant amount of resources if applied to more than a few hundred people. The only practical widespread surveillance they could pull off is somehow infecting everyone's computers with malware.

      It would be far, far easier for them to just make it illegal and call it a day.

    2. Re:They wont make it illegal by Anonymous Coward · · Score: 1

      No- but you can use a hardened environment with Tor and it becomes much more difficult to legally conduct surveillance until there is at least suspicion (and Tor doesn't equal suspicion). At that point it highly depends on what the person is doing. If they are posting copyright infringing material? Probably not going to draw the attention of the authorities where the authorities are going to be able to identify a person of reasonable intelligence. Bomb threats? (there are lots of these and identifying a person could be difficult from a large crowd if its been passed through tor; example schools have lots of kids who would be potential candidates for such activity; few kids really like school). Child porn? Again- unless there posting pictures/video/etc that could be a tough one. I'm pretty confident that there are lots of people out there. Just given the significant number of reports every day and the utter hopelessness of police catching every perp....

    3. Re:They wont make it illegal by Anonymous Coward · · Score: 1

      The only practical widespread surveillance they could pull off is somehow infecting everyone's computers with malware.

      http://windows.microsoft.com/windows

      Your point is?

    4. Re:They wont make it illegal by Synerg1y · · Score: 1

      Take a look at the majority of internet people: pedos, crackers, scammers caught online and you'll see a similarity of them leaking their personal info somewhere online (forum account, IRC, etc...), the only one I can think of that actually got reverse engineered and traced were the guys running a giant botnet serving malware to the tune of 6 million in supposed revenue. So unless you're doing something on that scope, the feds probably won't care. Oh, and they take missing kids & child abuse (porn would fall under this) pretty seriously too.

    5. Re:They wont make it illegal by flyingfsck · · Score: 1

      Are you suggesting that there still are (common garden variety) computers that are not infected with malware?

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    6. Re:They wont make it illegal by elucido · · Score: 1

      Apparently you don't know the technology very well or the capabilities. Putting thousands of people under surveillance at a time is easy and is being done. I'm talking tens of thousands. It's expensive to scale up into the millions but millions of people wont be expert enough to use Tor and use it properly, and they probably know who all the most expert types are and are building files on them.

    7. Re:They wont make it illegal by elucido · · Score: 1

      No- but you can use a hardened environment with Tor and it becomes much more difficult to legally conduct surveillance until there is at least suspicion (and Tor doesn't equal suspicion). At that point it highly depends on what the person is doing. If they are posting copyright infringing material? Probably not going to draw the attention of the authorities where the authorities are going to be able to identify a person of reasonable intelligence. Bomb threats? (there are lots of these and identifying a person could be difficult from a large crowd if its been passed through tor; example schools have lots of kids who would be potential candidates for such activity; few kids really like school). Child porn? Again- unless there posting pictures/video/etc that could be a tough one. I'm pretty confident that there are lots of people out there. Just given the significant number of reports every day and the utter hopelessness of police catching every perp....

      No it doesn't. They will find out you're using Tor and that is all they'd have to know to suspect you're a terrorist.We aren't talking about the USA.

  5. Re:This is obvious to anyone who has studied crypt by sqlrob · · Score: 3, Informative

    Even OSS can be vulnerable

  6. Eat a Renault 4, Wear salami in your ears... by Dogtanian · · Score: 0

    there neighbour started doing this 4 only about and as of now took care of the mortgage on there condo and got a top of the range Renault 4. go to,

    "There" neighbour bought a "top of the range Renault 4"? Seriously?!

    It makes a change from lying to us that he bought a Ferrari, or some other bullshit... perhaps you're trying to appeal to people who like 1960s and 70s French economy cars... :-)

    --
    "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  7. encroachments on privacy by Skapare · · Score: 4, Insightful

    In this new interview, he's critical of a general public silence over government encroachments on privacy

    That is an important issue. But what I see is an even greater silence over corporate encroachment on privacy. Left alone, I think corporations could cause even greater damage (in part because of it's huge influence on government). So this is where I focus my efforts. Things like big banks sharing out financial details ... just for profit.

    --
    now we need to go OSS in diesel cars
  8. Re:This is obvious to anyone who has studied crypt by DMUTPeregrine · · Score: 3, Informative

    No one is saying that being open source makes your software invulnerable, just that it makes exploitation harder. Being open source is necessary but not sufficient for a software package to be considered secure. In this context open source can simply mean that the source is available to the customers and their auditors only, not the whole world.

    --
    Not a sentence!
  9. I'm a history buff by Anonymous Coward · · Score: 0

    So OSS means something a little different when I see it.

  10. Re:This is obvious to anyone who has studied crypt by Anonymous Coward · · Score: 0

    Why stop at Linux?

    What good does it do to run software on Linux when you run on an Intel CPU with proprietary microcode?

    You have obviously not *studied* security, although you raise real concerns. A security analysis requires defining a threat model.

    The more obscure the threat model (such as Intel injecting a Tor backdoor into the microcode of its CPUs), the less weight it is given.

  11. Office of Strategic Services? by Anonymous Coward · · Score: 0

    I thought the OSS was supposed to break cryptography?

  12. Re:This is obvious to anyone who has studied crypt by david_thornley · · Score: 1

    Yeah, and Ken Thompson's proposal is very brittle. If I've got two C compilers that aren't rigged in exactly the same way, I can defeat his mechanism almost trivially, and detect it almost as easily. If you get all your software from one source (*cough*Microsoft*cough*), you can't trust it any more than you can trust its source. If it's closed-source (*cough*Visual Studio*cough*), you either try to reverse-engineer it from the binary or trust (or not trust) it as is.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  13. Well by Anonymous Coward · · Score: 0

    Afaik the core work done on the current Intel microprocessors comes from their Israeli subsidiary. Think what they could have done to 80% of the world's PCs.

    This might be conjecture, but the Zionists have the habit to break the rules all the time. We just don't hear it because they play a pivotal role in the west and most of the journalists are corrupt whores who will cave in as soon as "anti-semitism" is mentioned.
    Terror by the Jews is politically correct and only when somebody else does it, there are bad vibes.

    We better get ourselves some GNUprocessors with the VHDL inspectable for everybody.

    A start might be http://en.wikipedia.org/wiki/OpenSPARC

  14. Easy to defeat Mr Tompson by Anonymous Coward · · Score: 0

    You use as many compilers you can get your hands on and compile the compiler in question on each platform/compiler. Slow and exotic compilers are welcome, too, as you need them only once. Then each of the resulting binaries will compile the compiler again. You perform an md5 fingerprint on all of the secondary executables. They must all be the same, if there is nothing fishy.

    If they are not identical, you do a binary diff and nail down the malware. Dead easy and mechanical.

    This scenario is about as dangerous as "virus custom-designed to kill the pres-or-dent".

  15. Re:This is obvious to anyone who has studied crypt by elucido · · Score: 1

    Why stop at Linux?

    What good does it do to run software on Linux when you run on an Intel CPU with proprietary microcode?

    You have obviously not *studied* security, although you raise real concerns. A security analysis requires defining a threat model.

    The more obscure the threat model (such as Intel injecting a Tor backdoor into the microcode of its CPUs), the less weight it is given.

    I'm not using an Intel based CPU. That being said I'm aware of that and other potential backdoors which is why I said what I said.

  16. Re: microcode comes from Israeli subsidiary by Anonymous Coward · · Score: 0

    Afaik the core work done on the current Intel microprocessors comes from their Israeli subsidiary. Think what they could have done to 80% of the world's PCs.

    This might be conjecture, but the Zionists have the habit to break the rules all the time.

    Second that.

    If I had mod points I'd donate 'em all to you, gladly.