Slashdot Mirror


Jacob Appelbaum on How OSS Improves Cryptography

destinyland writes "Jacob Appelbaum, the Tor Project's main advocate, argues that Open Source software is necessary 'to both verify and improve' available cryptography. (Adding 'We also need that to ensure that everyone has a reasonable baseline — which is part of the cypherpunk ethos.') In this new interview, he's critical of a general public silence over government encroachments on privacy, but points to the current impact of the Tor network now as something that 'runs, is open and is supported by a large community spread across all walks of life.' And he ultimately identifies Tor as 'part of an ecosystem of software that helps people regain and reclaim their autonomy,' saying the distributed anonymous network 'helps to enable people to have agency of all kinds; it helps others to help each other and it helps you to help yourself.'"


  1. Till... by Synerg1y · · Score: 4, Insightful

    They make running or using a proxy illegal. They have the power to do that, you know. Doing that technologically, though, is a whole different beast.

    1. Re:Till... by postbigbang · · Score: 4, Insightful

      Tor might be an alternative, but the best way to deal with the issue is to attack the privacy problem, head on. The post claims that there is no general public outcry, and that claim is wrong. There's lots of outcry. There's no one bribing politicians-- and that's why everything you do is tracked, and that tracking is for sale.

      --
      ---- Teach Peace. It's Cheaper Than War.
    2. Re:Till... by elucido · · Score: 4, Insightful

      Tor might be an alternative, but the best way to deal with the issue is to attack the privacy problem, head on. The post claims that there is no general public outcry, and that claim is wrong. There's lots of outcry. There's no one bribing politicians-- and that's why everything you do is tracked, and that tracking is for sale.

      Privacy is dead forever. Technological trends will render privacy dead no matter what laws you pass. Technology determines privacy not the law.

    3. Re:Till... by postbigbang · · Score: 3, Funny

      Uh, no.

      Privacy is part of dignity, and despite technology, I'll have my dignity. Now take your marbles and go home, Eric.

      --
      ---- Teach Peace. It's Cheaper Than War.
    4. Re:Till... by fustakrakich · · Score: 4, Interesting

      The technology doesn't matter. A prohibition is designed to give the authorities 'probable cause' to spy on you and enter your house as they please without having to worry about that silly old constitution.

      --
      “He’s not deformed, he’s just drunk!”
    5. Re:Till... by Anonymous Coward · · Score: 3, Insightful

      Privacy is only dead if you give it up right now. It's not dead yet. There are still people holding on to whatever bits of privacy are left (and there are some). You don't have to bring devices home with microphones in them or cameras. You can still get by without a cell phone. If you can't, chances are you can simply turn it off when you're not using it. It isn't a perfect solution although I work with someone who does exactly this. One of my employees isn't reachable while on the road. He does have a cell phone. It is always off unless he needs to make a call. His wife calls him at work when she needs to reach him. You can use Tor to get privacy online in areas that you may not wish to be known for looking or things you may not want others to know you partake in or otherwise believe/speak.

      In the real world privacy is largely dead. It is sad that the law doesn't prohibit hidden recording devices in public places. Where cameras might be absolutely necessary (high security installations) there should be notices posted everywhere that one might be within the range of the camera.

  2. This is obvious to anyone who has studied crypto by elucido · · Score: 4, Informative

    If the source and implementation are closed it could be backdoored from the kernel to the compiler to the random number generator to the crypto algorithm implementation.

    Here is a problem though, since Windows is closed source what good is Tor or crypto in that environment? If you have to use crypto for any reason other than to protect your passwords then it's probably at risk whether you use open source or not. Just one bug or backdoor allowing a RAT to interface with your computer and gain root/superuser or anything like that and all your keys are compromised. Key generation would have to be done in hardware. Entropy is also an issue you probably won't easily solve. There is a very long way to go before any crypto implementation will be secure and mainstream. Linux has not changed that game because you install one wrong piece of software and you've got a backdoor and it could be disguised as a legit piece of software. Since not every piece of software run on Linux is open source you don't know for a fact.

  3. They won't make it illegal by elucido · · Score: 4, Interesting

    They'll just put anyone who uses it under the most intense surveillance, hack their computers, creep into their house when they aren't around, etc. This is effectively better than making it illegal because it gives users a false sense of security. While they use Tor, they are being monitored by the secret services.

    Tor does not prevent monitoring or surveillance. Surveillance that can see everything you do at your computer, everything you type, etc. What good is Tor under surveillance? It's useless if you're using it to go against the government.

  4. Re:This is obvious to anyone who has studied crypt by sqlrob · · Score: 3, Informative
  5. encroachments on privacy by Skapare · · Score: 4, Insightful

    In this new interview, he's critical of a general public silence over government encroachments on privacy

    That is an important issue. But what I see is an even greater silence over corporate encroachment on privacy. Left alone, I think corporations could cause even greater damage (in part because of its huge influence on government). So this is where I focus my efforts. Things like big banks sharing out financial details ... just for profit.

    --
    now we need to go OSS in diesel cars
  6. Re:OSS helps to verify and improve cryptography by gatkinso · · Score: 2

    And, incidentally, close that side channel.

    The crypto algorithms are fairly straightforward (if you have an undergraduate degree in math). There is nothing secret there, however various intelligence agencies around the world no doubt DO have secret processes not (yet) publicly known. Most crypto is broken by either technology catching up to make a head on attack feasible, or through side channels like bugs, or compiler idiosyncrasies.

    Peer reviewed source code (along with any dependency version control and build system) hinders attackers far more than having the source code helps them.

    --
    I am very small, utmostly microscopic.
  7. Re:This is obvious to anyone who has studied crypt by DMUTPeregrine · · Score: 3, Informative

    No one is saying that being open source makes your software invulnerable, just that it makes exploitation harder. Being open source is necessary but not sufficient for a software package to be considered secure. In this context open source can simply mean that the source is available to the customers and their auditors only, not the whole world.

    --
    Not a sentence!