Submitted by Jon on Wed, 12/23/2015 - 10:50
This is partially a footnotes section from last week's Crypto Saves Lives post, but every week brings new stories, and this week was a doozy. So, let's recap the whole "backdoored crypto / secret golden keys can work" argument:
(1) We can protect private information
*Cough* OPM *Cough*
Update: "Security bloggers and researchers claim to have uncovered a publicly available database exposing the personal information of 191 million voters on the Internet. The information contains voters’ names, home addresses, voter IDs, phone numbers and date of birth, as well as political affiliations and a detailed voting history since 2000."
(2) Well, we are really good at protecting super-important crypto keys that only give good guys access,
So, those luggage locks with a "golden key", now required world-wide, that only trained TSA agents can pop open? Yeah, about that... TSA's master key set was allowed to be photographed, and while that photo was quickly taken off the internet, the damage was done. Anyone can now 3D print completely functional TSA keys.
(3) Besides, adding a backdoor won't cause problems!
Submitted by Jon on Wed, 12/16/2015 - 10:16
There are many great arguments to protect truly private communications from a human rights perspective, and specifically through a Constitutional lens -- restoring the privacy of having a conversation in your living room and having your personal records stay personal are core first and fourth amendment rights which have suffered greatly in the digital age.
My work takes me around the world to support journalists, human rights activists, and a wide variety of amazing people working to improve the world. They are all facing incredible threats posed by powerful actors. These adversaries use malware, hacking, and all forms of digital attacks to compromise the networks of activists.
Open source, trusted, strong cryptographic tools -- and increasingly, trusted commercial systems such as Google's -- are their only available defense, in situations where failure can include targeted harassment, indefinite imprisonment, torture, and even death.
Encryption saves lives.
Submitted by Jon on Wed, 11/18/2015 - 16:54
I have a piece up on Medium about our SAFETAG project. It's a project that myself and another colleague have spent countless hours building out to really focus on working with small non-profits on assessing their risks and providing a framework for them to think critically about what really matters to their work, and how to most reasonably address them based on potential impact, real risk of it happening, and their capacity to change digital security practices.
It continues to be very rewarding work, and our tiny team has gotten to see a lot of amazing changes take place by the organizations which have been audited through this process. Anyhow. Check out our piece on Medium: https://medium.com/local-voices-global-change/meet-safetag-helping-non-p... , but also take a look at the framework itself at SAFETAG.org. It's an open source framework, and we'd love to see questions and commits over on our github repository!
Submitted by Jon on Tue, 09/15/2015 - 18:48
So, via @runasand, I learn that Buzzfeed's writers have PGP keys:
I cannot express in mere words how much this makes me happy in the world of normalizing real people having the ability to send actually secure email (especially to journalists!). PGP's various implementations get a lot of heat for their lack of usability, and the process itself, even with a theoretically super-easy interface, is still a complex set of ideas to understand and use in your normal communications. So every organization I see that is willing to tackle this head-on, and (hopefully!) have internal champions, mentors, support, training, and drinking games (I presume) to really encourage adoption is a huge win, be that a 3 person organization or a 100-person organization.
Still, I can't help myself:
"All of Buzzfeed's PGP Keys -- you won't believe the last one!" (Sorry, I cannot help myself) https://pgp.mit.edu/pks/lookup?search=%40buzzfeed.com&op=index
"Buzzfeed journalists can send encrypted emails -- but why they send them will blow your mind!"
"Top 10 passwords buzzfeed journalists use for PGP -- #8 will drive you crazy!"
"3 pieces of metadata not protected by encrypted emails you'd never guess!"
"5 attachments you never thought you'd be able to send encrypted to buzzfeed!"
Submitted by Jon on Sat, 01/17/2015 - 21:00
You know what hasn't gotten an update in a while? This blog! What else? The cute kittens of digital security over at I can haz digital security?.
The world is busy and imperfect. But hey, kittens!
Also - an SSL update. I've added Cloudflare's Universal SSL to my site, and it communicates with my backend over the old kinda-broken-ish (but not really!) CA SSL cert. I'll be moving to EFF's Let's Encrypt as soon as it's open for business. This should clear up most SSL errors for you, and if you really, really care about a direct SSL connection to this site, I trust your ability to securely contact me about getting that working for you.
Submitted by Jon on Fri, 09/26/2014 - 14:39
I am far from the first to compare digital security practices to safer sex practices. Heck, you can even see a rap career blooming as Jillian York and Jacob Appelbaum suggest that it's time that we "talk about P-G-P" at re:publica.
Talking about software and trust gets both very boring and very depressing quickly. Let's instead move on to the juicy sex-ed part!
A quick disclaimer: First, apologies for the at-times male and/or heteronormative point of view; I'd welcome more inclusive language, especially around the HTTPS section. Second, I am unabashedly pro-Tor, a user of the Tor network, and am even lucky enough to get to collaborate with them on occasion. The garlic condom photo comes from The Stinking Rose.
Super-duper Unsafe Surfing
Using the Internet without any protection is a very bad idea. The SANS Institute's Internet Storm Center tracks "survival time" - the time a completely unprotected computer facing the raw Internet can survive before becoming compromised by a virus - in minutes. Not days, not even hours. This is so off the charts, that with a safer sex metaphor, using no protection is more akin to just injecting yourself with an STD than engaging in a risky behavior.
Barely less unsafe surfing
Adding a constantly-updated anti-virus tool and a firewall, and making sure that your operating system is up to date, is akin to being healthy. You have a basically operational immune system - congrats! You'll be fine if the person you're sleeping with has the common cold, but anything more serious than that and you're in trouble.
Using HTTPS - visiting websites which show up with a green lock icon - is also a good practice. You can even install some browser plugins like HTTPS Everywhere and CertPatrol that help you out.
HTTPS is kind of like birth control. You may successfully prevent *ahem* the unauthorized spread of your information, but you're still relying on a significant amount of trust in your partner (to have taken the pill, to withdraw), and there are things outside your knowledge that can go wrong - the pharmacist provided fake pills, or you have a withdrawal failure (please note this is digital security advice, and not at all good safer sex advice - a quick visit to Wikipedia is a good start for effective -- and non-effective -- birth control methods!). With SSL certificates, you are still trusting that the website has good practices to protect your information (insert the constant litany of password reset links you've had to deal with this year here), and there have been cases of stolen SSL certificates, which are tools to help an attacker try to intercept your encrypted traffic.
Slightly Safer Surfing
With digital security, a lot like with safer sex, some methods can be combined for a greater effect, but layering other methods can be a horrible idea. Adding anti-virus tools, firewalls, system updates, and HTTPS on top of any other method here is a universally Good Thing.
Using a VPN is like using a condom, provided by your partner for this encounter, and given to them by a source neither of you have any real trust in. Asking the manufacturer for information about exactly how it's made, or what its expiration date is will often result in grand claims (but no hard evidence). Requests to see the factory floor and verify these claims are presumed to be jokes. The VPN-brand condom generally works, and is definitely fast and easy, but you're placing a lot of trust in a random company you found while searching the Internet, and probably also the cheapest one you found. On top of that, you're also still trusting your partner to not have poked any holes in the condom.
Overall, it's still much better to be using the VPN than not, and if you trust your partner (i.e. the website or service you're going to), and you trust the VPN provider for whatever reason - perhaps a widely trusted company has given the VPN an independent audit, or you or your workplace has set it up yourself - then for most situations you're pretty safe. Layering a VPN on top of the above tools is good, but layering VPNs on VPNs or on other networks is actually not dissimilar to layering condoms - it actually makes failure in very weird (and, let's face it, awkward) ways /more/ likely.
Still, though, wouldn't it be better if you could rely even less on trust, and have that trust backed up with evidence that you yourself can look at?
Using Tor is like using a condom which you not only know has gone through extensive testing, you can even visit the factory floor, look at the business' finances, and talk with the engineers and factory staff. It's /still/ not 100% safe, but it is a heck of a lot safer, and you can verify each and every claim made about what it does and does not do.
And to be clear here, if you're logging in to a website over Tor, that website now knows who you are (you're no longer anonymous to them, and possibly others watching you do this along the wire), and that website is storing your password and may fail to protect it at some point. That website can still turn out to be malicious and attack you, and very powerful adversaries can even specifically try and intercept traffic coming from a website and going into the super-secret Tor network, change it, and include an attack they know works well against out of date versions of the browser you're using. An out of date Tor browser is like an expired condom - it's best not to bet your life on it.
To really (over-)extend the analogy, the Tor-branded condom business happens to be heavily funded by a religious organization that is strongly against birth control (and indeed has an entire project that tries to undermine birth control methods, to the point of installing secret hole-punchers in condom factories). This same organization (it's large!) does have a different and vocal component that strongly supports safer sex, and not only funds giving away condoms, but also the production of them. It's not, seemingly, the most logical set up, but hey, we're talking religion, politics and sex - logic doesn't always come in to play here.
Like sex, there is no truly "safe" way to play on the Internet, and it's unrealistic to expect that abstinence from the Internet is realistic. So, be careful out there, adopt safer practices, and keep your wits about you. Good luck!
Submitted by Jon on Fri, 09/19/2014 - 09:05
There's a budding conversation on "trust" over in the twitterverse. I began a draft post a while back that compared Tor (the amazing privacy and anti-censorship network) and all privacy-protecting software to condoms. More on that soon, but let's actually talk about how you might have trust in a software project, using Tor as an example. Tor has been in the news recently, and I've had a ton of people ask me about how safe it is to use, so I figured one click-bait headline is as good as another in having an open and honest discussion about Tor.
First, let's be transparent. Tor - not unlike the Internet itself - did in fact start out as a project by the US Naval Research Laboratory, and does continue to receive funding by the US Government to support freedom of expression around the world, with targeted efforts to enable free speech and access to uncensored information in countries where Internet connections are heavily filtered.
So, can you trust Tor? How do you know that the NSA hasn't forced Tor into building a "back door" into the Tor software, like they did with RSA Security and many other pieces of software you use daily, or like what has historically happened to privacy-protecting services like Hushmail?
The answer is actually that you should not need to trust the organization behind Tor in order to be confident that the software is built to be safe. This is enabled by the fact that Tor is open source - meaning you can read every line of the code they use to build the software you install. Of course, even with open source software, you're trusting whoever is compiling it to do so on a secure system and without any extra malicious intent. The Tor Project answers this problem by using "deterministic builds", which let you check, independently, that the code posted publicly is the code you're running.
If you use Windows or Mac, both "closed source" operating systems, you are absolutely, 100% trusting that no one in the company, nor any government with significant sway over these companies, has snuck in code to allow remote spying. You have no way to inspect the code running your operating system, and every tool you use on top of it is vulnerable to being undermined by something as simple as a hack to the tiny piece of software that tells your computer how to talk with the keyboard, which could just as easily also store every password you have ever typed in. You're also trusting your ISP, every web site you log in to, and thousands of other intermediaries and companies, from the ones who provide SSL certificates (enabling the "green lock" of a secure website) to the manufacturer of your wifi router and cable modem, not to betray your trust by accident, under duress, or with malicious intent.
Of course, even back in the green pastures of open source, there is no "absolute" level of trust, no matter how much we'd like there to be. Rare is the user who actually checks the "signature" of the download file against the posted "signature" online to make sure the tool they're about to install is the intended one. And even rarer is the user who checks in on the deterministic build process (and it's still fragile, so hard to guarantee even so). Even at this level, you are trusting the developers and others in the open source and security community to write solid code and check on it for bugs. The Tor Project does an exceptional job at this, but as heartbleed reminds us, huge, horrible bugs can go unseen, even in the open, for a long time. You're also trusting all the systems that the developers work on to not be compromised, and to be running code that is also in more or less good condition, and to be using compilers that aren't doing funny things.
For what it's worth, this is hardly a new problem. In my unhumble opinion, I'd still rather have this more open model of shared trust in the open source world than rely on any single company, whose prime motive is to ship software features on time.
So - can you trust Tor? I do. But saying that I "trust" Tor doesn't mean I have 100% faith that their software is bulletproof. All software has bugs, and particularly security software requires a lot of work on the part of the user to actually make it all work out as expected. It's time to talk about trust less as a binary and more as a pragmatic approach to decision making based on best practices, source availability, and organizational transparency.
Submitted by Jon on Mon, 02/24/2014 - 09:56
Senator Cruz's office's response to my personal note about surveillance I sent as part of TheDayWeFightBack:
Thank you for sharing your thoughts regarding the National Security Agency's surveillance program. Input from fellow Texans significantly informs my decision-making and empowers me to better represent the state.
During my time in the Senate, I have consistently reiterated my support of programs that can detect impending threats to our homeland or diplomatic and military facilities abroad. It is imperative, however, that we strike an appropriate balance between remaining vigilant against terrorism and protecting the civil liberties guaranteed to the American people by the Constitution.
Unfortunately, the government has eroded the American people's trust by the secrecy surrounding these surveillance programs. I will continue working with my Judiciary Committee colleagues and the entire Senate to review existing law and the actions of the Administration to ensure that we protect our Constitutional liberties. In doing so, I hope to guarantee true accountability in these programs so that we protect Americans from the threats of both terrorism and unwarranted government intrusion.
Thank you for sharing your views with me. Please feel free to contact me in the future about any issue important to your family. It is an honor to serve you and the people of Texas.
Senator Ted Cruz
Submitted by Jon on Sat, 01/25/2014 - 04:51
I spent this past week in Kiev. You may have heard something about the protests, and possibly even about some of the policy changes and new laws that sparked them. I was working with colleagues, journalists and human rights activists, supporting and training them as quickly as possible on digital security basics, and making sure they had contacts to reach out to for timely support.
It was a trip that was scheduled many months ago, when Ukraine was on the cusp of joining the EU. Things, to put it mildly, changed. Obviously, the violent protests have been featured widely in the news, but those capture only the most visible challenges the country is facing. Legislation pushed through with no regard for legal proceedings last Thursday promises to have a chilling effect on free speech, imposes tight limits on media, even citizen journalists, and will devastate civil society organizations, labeling them as "foreign agents" and taxing them as for-profit corporations if they take any international aid funding.
In the few days I was there, we experienced a "test" of new censorship capabilities as twitter and facebook -- critical messaging and coordination channels for activists -- went dark in Kiev for almost half an hour. People near the protest areas received ominous SMS messages on their phones telling them that they had been registered as present at the (illegal, under the new law) protest.
One note of import - there are two main areas of the protest. EuroMaidan is the months-long, Occupy-on-steroids encampment in Maidan Square. Though well barricaded off, it is a peaceful protest, with daily concerts and speeches on a well-equipped stage, a huge jumbotron, laser-light projections and more. Businesses - from a Nike storefront to a local brewpub to a carousel - are going on with business as normal within the barricaded-off area. The scenes of burning tires, tear gas and molotov cocktails are from the nearby Grushevsky St, where protesters gathered to confront Parliament after their "passage" of this Black Thursday law.
It is inspiring to see the passion and focus of people working to protect and expand their rights, and it is humbling to be able to lend support in any form. However, the challenges aren't getting any easier. The digital tools which provide the most security are also difficult to use, and more difficult to use correctly. They still "stick out" as unusual, and face an uphill battle against popular systems with little if any security.
This has to change. Privacy is not some abstract concept in these situations, it is the economic well-being, and too often, the pure survival of activists, journalists, and their contacts. When we allow policies and practices that undermine security and privacy, we're not just revealing embarrassing factoids about our call history, or even the three felonies a day you're probably committing as a US citizen - we are undermining our global dream of a world of nations with democratic rule, where their citizens can enjoy basic human rights without fear.
The world is ready for this, but when the current Ukrainian government points at American domestic policies as models of their newly crafted censorship and surveillance laws, it's a sign that we as Americans are not drinking our own koolaid (with a hat-tip to the many dedicated civil servants who are working hard to further human rights).
Submitted by Jon on Mon, 10/21/2013 - 17:50
Google has been making headlines with their shiny Project Shield which wraps PageSpeed with other tools to defend sites against denial of service attacks. The history of the denial of service, however, runs deep, and underlines that no centralized response to it will ever be able to cost-effectively scale against a distributed attack.
Let's rewind back to the 90s. Denial of service was a very, very different thing then - it was a tool for free expression, not one used to mute dissenting opinions as it is today.
In the dot-com boomtimes of the late 90s, I was absolutely fascinated by the digital protests that sprung up in reaction to Mexico's treatment of the Zapatista Movement. Floodnet was an activist art project by the Electronic Disturbance Theater. Floodnet was simply a website you could visit, and it would direct your browser to constantly reload pages on the website of the Mexican government. In addition to overloading the website with thousands of requests from you and your fellow programmers, you could add a political message to each page load, forcing the government's server to fill its log files with messages like "human rights not found."
"The FloodNet application of error log spamming is conceptual Internet art. This is your chance to voice your political concerns on a targeted server. [...] The server may respond to your intentional mistake with a message like: "human_rights not found on this server." So by creatively selecting phases, you can make the server voice your concerns. It may not use the kind of resources that the constant reloading uses (FloodNet automatically does that too), but it is sassy conceptualism and it invites you to play with clever statements while the background applet is running." (via http://www.thing.net/~rdom/ecd/ZapTact.html)
This original "denial of service" attack was seen as the digital mirror of a classic "sit-in" protest. It was a way for a David to strike back at a Goliath through technology. However, this, ahem, "sassy" political activism began an arms race that today is dominated by Goliaths alone. Instead of a tool of protest, denial of service attacks are today tools of retribution and ways to mute dissenting voices. They are massively automated and distributed, and are run not by rowdy bands of dissidents, but by well-organized for-hire groups (https://krebsonsecurity.com/2013/05/ragebooter-legit-ddos-service-or-fed...) and even from government infrastructures.
The only defense, so far, has been equally massive, and centralized, commercial services. This is a growing industry with its own round of disruptive innovators all to itself. This current business innovation is helping to move from the monolithic services protecting online infrastructures at high costs to a more scalable model, with services that smaller websites can benefit from. Still, back-end models are the same - providing shelter from DDoS attacks by having sufficient servers and bandwidth to absorb whatever their proprietary tools and filters cannot outright block.
Open source models to fight back have been conspicuous in their absence - until now.
The Deflect Project, created by the eQualit.ie technology collective based out of Montreal and Dublin, is responding to that gap. They focus on providing protection for activists and journalists around the world, who are subject to DDoS attacks from those who disagree with their views all the way to their own governments. Thanks to grant funding, Deflect is able to offer their services for free to independent media sites, NGOs and non-profits -- but the technology model under the hood is the real game-changer.
Submitted by Jon on Fri, 10/11/2013 - 16:52
(Or, how to remind anyone snooping your email of your fourth amendment rights)
So clearly we have a situation here where we failed to learn from the past. Fourteen years ago (Exactly in a few days - Oct 21!), we were protesting ECHELON, which was (is) a "worldwide computer spy network [that] reportedly scans all email, packet traffic, telephone conversations, and more in an effort to ferret out potential terrorist or enemy communications. Once a communication is plucked from the electronic cloud, certain keywords allegedly trigger a recording of the conversation or email in question."
In response (along with a short burst of activity around people trying to figure out how to use PGP), hackers added amusing bonus keywords in the parts of emails that humans rarely see (where junk like the path the email took, listserv details, and so on goes). Many, including myself, added the 4th Amendment to the US Constitution, as well as participating in "Jam Echelon Day," when everyone added what we presumed at the time were these mythical "trigger words:"
ATF DOD WACO RUBY RIDGE OKC OKLAHOMA CITY MILITIA GUN HANDGUN MILGOV ASSAULT RIFLE TERRORISM BOMB DRUG KORESH PROMIS MOSSAD NASA MI5 ONI CID AK47 M16 C4 MALCOLM X REVOLUTION CHEROKEE HILLARY BILL CLINTON GORE GEORGE BUSH WACKENHUT TERRORIST.
As an aside: maannnnnn, do you remember the 90s? Was that an unpleasant walk down memory lane or what?
Anyhow, this amusing idea that this would work for more than a few minutes just doesn't seem to die, and someone's trying it with a new "security" tool called ScareMail that "takes keywords from an extensive US Department of Homeland Security list used to troll social media websites and utilizes them “to disrupt the NSA’s surveillance efforts by making NSA search results useless.” "
While that's ... well, whatever. It's a nice thought, right? Probably not very useful overall. Anyhow, it gives me a small boost of civic pride to tweak my email settings and put the Fourth Amendment text back into almost every email I send out. This requires an actual email client (Thunderbird works nicely) and some configuration hacking:
- Go to Edit → Preferences → Advanced → General → Config editor
- Right click, new, "string"
- For 'Enter the preference name' use "mail.identity.id1.header.header1"
- For the string, add "X-Fourth-Amendment: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
- If you have multiple mail accounts, you'll have to do this for each one, using id2, id3, etc. and header2, header3, etc.
- Restart thunderbird, make sure you didn't break anything. For more details, peek at http://kb.mozillazine.org/Custom_headers
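The steps above configure the header from inside Thunderbird's GUI. As an added example (not code from the original post), here is what the resulting message looks like on the wire and how to check it survived intact: the Fourth Amendment text is far longer than the 78-character line limit for a header, so a mail client has to fold it across continuation lines, and a receiving parser has to unfold it again. Python's standard email library does both; the function names, the addresses and the message body are constructed placeholders.

```python
# Added example, not from the original post: build a message carrying the same
# custom X-Fourth-Amendment header that the Thunderbird steps configure, and
# confirm the long value is folded on the wire and unfolded correctly on parse.
from typing import Optional
from email.message import EmailMessage
from email.parser import BytesParser
from email import policy

FOURTH_AMENDMENT = (
    "The right of the people to be secure in their persons, houses, papers, and "
    "effects, against unreasonable searches and seizures, shall not be violated, "
    "and no Warrants shall issue, but upon probable cause, supported by Oath or "
    "affirmation, and particularly describing the place to be searched, and the "
    "persons or things to be seized."
)


def build_message(sender: str, recipient: str, body: str) -> bytes:
    """Return the RFC 5322 wire form of a message carrying X-Fourth-Amendment."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "test"
    # A custom X- header is an ordinary header field. The default policy folds
    # the long value onto continuation lines (each starting with whitespace) so
    # that no physical header line exceeds 78 characters.
    msg["X-Fourth-Amendment"] = FOURTH_AMENDMENT
    msg.set_content(body)
    return msg.as_bytes()


def read_custom_header(raw: bytes, name: str = "X-Fourth-Amendment") -> Optional[str]:
    """Parse wire bytes and return the unfolded value of the named header."""
    parsed = BytesParser(policy=policy.default).parsebytes(raw)
    value = parsed[name]
    return None if value is None else str(value)


def max_line_length(raw: bytes) -> int:
    """Longest physical line in the serialized message, to check the folding."""
    return max(len(line) for line in raw.splitlines())


if __name__ == "__main__":
    # Constructed sample addresses; only the header handling matters here.
    wire = build_message("alice@example.org", "bob@example.org", "hello")
    print(wire.decode())
    print("round-trip ok:", read_custom_header(wire) == FOURTH_AMENDMENT)
    print("longest line:", max_line_length(wire))
```

Printing the wire form shows the header split over several lines, each continuation line indented by a space; the parser joins them back into the single sentence. Any client or mail transfer agent that mishandles folding would either truncate the header or break the unfolded text, which is what the round-trip comparison catches.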
Submitted by Jon on Fri, 04/12/2013 - 09:29
I've been reflecting on some of the challenges I've faced across multiple organizations trying to leverage the power of technology to create positive social change. This reaches way back to my work as a Peace Corp volunteer, up through grad school, my time as a contributing editor at OLPCNews, and through multiple NGOs balancing tech, impact, and budgets.
Obviously, there's no definitive one-size-fits-all approach to implementing technology in any sector, much less the world of the international NGO, which stretches from hip online platforms to how to best use dusty Nokia feature-phones.
Here are the principles I've come up with to date. I took these to Twitter in a lively discussion, and want to expound upon them a bit more:
- Build for sustainability. Minimize what you have to build yourself, and leverage existing platforms
This means giving strong preference to open source platforms, or at least existing services that meet a set of criteria (their service meets your needs, you own your data, shared values, track record...). For any service, someone, somewhere has already built a powerful framework that will be constantly updated and improved, and bakes in thousands of features (security, translation, powerful content management, mobile interfaces, etc.) which will be effortless to turn on when you discover you need them. Focus your precious software development budget on the much smaller number of things that are custom to your work and don't exist. This greatly reduces the initial dev costs as well as ongoing maintenance costs.
- Seriously, don't build it yourself.
Submitted by Jon on Wed, 09/05/2012 - 15:21
Quick quiz. Which of these should not be protected as free speech?
[ ] A gun (you know, the kind you can hold and shoot)
[ ] Plans for a nuclear weapon
[ ] Political statements (lots and lots of them)
[ ] Detailed instructions on how to communicate privately
[ ] Detailed instructions on how to make an archival, digital copy of a DVD
The answer is either none or all of the above - we are in a world where free speech (in the form of computer code) can create real world objects and actions that are themselves regulated or outright illegal. But if the action is illegal, is the code that causes it also illegal? If so, the line gets very blurry very quickly. If not, we still have some fascinating problems to deal with, like printable guns. Regardless, we need to educate policy makers to understand this digital frontier and be prepared to defend free speech when this gets unpleasant. Spoiler: It's already unpleasant. Our world is defined by code, where programmed actions have very real, tangible effects.
Code of Protest
Civil disobedience can take some weird forms. While today the masked digital vigilantes of Anonymous act as a curious type of Internet immune system, reacting against gross infringements of cyber liberty, their methods are not as new as you might think. In the late 90s, the Electronic Disturbance Theater (http://en.wikipedia.org/wiki/Electronic_Disturbance_Theater) was supporting the Zapatistas by flooding Mexican government sites with a rudimentary DDoS (Distributed Denial of Service) attack, which brings a webserver down by overloading it. This concept is at the heart of LOIC, Anonymous's "Low Orbit Ion Cannon" (http://en.wikipedia.org/wiki/Low_Orbit_Ion_Cannon). EDT's version, "Floodnet," had the nice touch of requesting webpages with names like "human rights" from the government sites, resulting in errors clogging up the server reading something like "404 - human rights not found." Asking for a webpage is pretty clearly something akin to shouting at a rally, or a "cyber sit-in" (http://angelingo.usc.edu/index.php/politics/cyber-sit-ins-grassroots-to-gigabytes/) - get enough people to do it, and it causes some level of annoyance - but it's still an act of speech.
Free speech and a dead-end for copy controls
Fortunately, CSS (the DVD Content Scramble System) was not particularly well crafted, and was quickly and thoroughly broken with a chunk of code nicknamed DeCSS by a Norwegian teenager nicknamed "DVD Jon". This caused a slight bit of controversy. DVD Jon was accused of theft in Norway, and users in the States were threatened with fines and jail time for re-distributing it under the DMCA.
In a predictable story arc, the next chapter of this story is of course the Internet digerati of the day getting royally teed off and causing a ruckus. The source code of DeCSS was immediately turned into graphic art, secretly embedded in photos, turned into poems, and even a song (http://www.youtube.com/watch?v=GekuuNqAiQg) - a gallery of creative works using or containing the DeCSS code remains online: http://www.cs.cmu.edu/~dst/DeCSS/Gallery/ . DVD Jon won his case (http://news.bbc.co.uk/2/hi/technology/3341211.stm) and we all celebrated the somewhat obvious win for free speech and consumer power.
Private speech and munitions export controls
We can rewind even further back to the early 90s, when Philip Zimmermann published the entire source code of his powerful encryption tool, PGP, in a book (of the paper, box-shaped physical object type). Now, encryption this powerful was classified (until 1996) as a "munition" and subject to export controls, with the types of penalties you might expect for selling military equipment on the black market. Had PGP been released as a program, it would obviously have fallen into this categorization. As text in a book, however, it appeared to be protected as free speech. The stupidity of the distinction of course also spurred many to make t-shirts and code snippets of this "illegal" code. Eventually, a series of court cases (Bernstein v. United States, Junger v. Daley) established that source code does, indeed, count as free speech.
Free speech and real munitions
Code is speech, code is reality.
In linguistics, you have the concept of "Illocutionary Acts" - acts which are embodied in language. There aren't many - no matter how I say that I'm going to go for an after-work run, the act of running can only be done by my whole body. Oaths are the best example of these acts - speaking the oath is making the oath, and that combination of idea and action is a powerful sentiment.
And every line of code can be just as powerful.
Submitted by Jon on Fri, 06/08/2012 - 20:27
"The telescreen received and transmitted simultaneously. Any sound [...] would be picked up by it, moreover, so long as he remained within the field of vision which the metal plaque commanded, he could be seen as well as heard. [...] [T]hey could plug in your wire whenever they wanted to. You had to live--did live, from habit that became instinct--in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinized."
"[The] promising technology in a set-top box that “can distinguish who is watching, potentially allowing Intel to target advertising”. The technology could potentially identify if the viewer is an adult or a child, male or female, and so on, through interactive features and face recognition technology."
Speculative fiction nailed reality, but missed the target on who was doing the spying.
The title here is, of course, from a later passage:
Submitted by Jon on Wed, 11/09/2011 - 09:32
The trend I'm most interested in right now is actually as much offline as it is on. It really hit me a few weeks ago as I was reading through the minutes of an Occupy General Assembly. Here was a huge meeting with multiple viewpoints that was being successfully self-facilitated, prioritizing issues and moving quickly. This was a committee that was being collaborative, open, transparent, and still ... effective.
It really got me thinking on how we are becoming accustomed to new social constructs in movements, government, and business. These concepts are familiar to anyone who's delved into the nuts and bolts of open source software -- like collaboration, shared or no ownership, team-building, and radical transparency -- but they're popping up everywhere offline.
So, I want to tackle the convergence of these concepts offline with the democratization of tools online.
By democratization, I really mean simplicity and openness to all. An important pre-condition to this is basic access, but we are increasingly living in an access-rich world, thanks to mobile. This year, Africa surpassed both Europe and the Americas and is now the second largest market for mobiles - behind only the Asia/Pacific region.
But beyond access, there is a new "digital divide" if you will -- the ability to create and engage in a participatory experience. Things like Twitter and blogging have long offered a low barrier to entry for getting your voice heard online. The exciting development in this arena is that it is mindbogglingly easy to create complex sites and apps with Drupal and WordPress, at least compared to the work this would have taken 10 years ago.
This combination of a simple toolbox and open social constructs is powerful.
The past few years have been accelerating this convergence. Blogs and Wikipedia have permanently altered publishing, Twitter, Facebook and foursquare have opened up your social life, and Yelp and Tripadvisor have changed your customer service interactions with travel and dining destinations.
But more importantly, crowdfunding models like Kiva and Kickstarter are toe-in-water steps towards creating collaborative business models by seeking out customers and supporters in a very early stage and rallying their support around potential projects and products. Co-working spaces provide entry-level incubation for young startups with great perks of cross-startup networking and talent sharing. These fast prototyping models reduce overall risk and create engaged, evangelical customers and partners.
The social change sphere has jumped in to this intersection and is spawning hundreds of really exciting co-creation models. We've seen this in crisis mapping (Snowpocalypse, Haiti, Thailand), protest movements (Moldova, ArabSpring, OWS), open data mashups combining entrepreneurs and civic data (Apps4Democracy, UN Global Pulse), and even countries crowdsourcing their own constitutions (Iceland and now Morocco).
The availability of these easy to use platforms, and the expectations of openness and co-creation that come with them, are forcing new levels of engagement in all sectors. People are no longer OK with occasional, reactive, or superficial engagement.
My first human interaction with a brand shouldn't be after I post a negative tweet - nor should it be an annual 10 page user survey that never changes anything. I want to help build their business and be engaged at a strategic level, even though I'm "just" a consumer.
If that sounds a bit insane and totally unscalable, just replace business with government and consumer with citizen and it suddenly sounds less crazy.
Business, non-profits, social enterprises, and governments will all need to open up not only their data or their superficial interactions, but begin to fully collaborate with their communities on their policies and business plans.
This means that 2012 holds a huge potential for global co-creation and new organizational frameworks, and anyone who doesn't begin to engage customers, supporters and citizens in this way is going to be shut out by organizations that aren't merely building their business with their users in mind, but building their business with their users.
With these concepts of shared ownership, highly functional teams, collaboration and transparency, combined with online structures that parallel these same values, we have a world where decentralized, democratized power structures are forming across the digital/analog borders. This changes governance, economics, social change and business.
Holy shit, this is going to be a wild, fun ride.
Submitted by Jon on Fri, 10/21/2011 - 08:57
Let me be clear - I have a difficult relationship with the Occupy movement.
On the one hand - it's about damned time. Finally we have a large, sustained protest movement nation-wide and even globally that's rightfully upset about some core problems. It's not politically aligned, it's well-spoken, and it has been resilient enough to overcome being ignored by the media and has crafted its own story. That it has been inspired in part by the Arab Spring, and Tahrir Square in particular, which were themselves inspired in part by MLK's non-violent protests, gives a heart-warming feeling of global solidarity and social justice.
Further, it's very exciting that Occupy comes at a turning point in history where our social constructs and technologies make it possible to really manage a movement through collaboration instead of by a hierarchy, and a world where people have a powerful online voice and the ability to shake things up if they get out of hand (not without challenges in the realm of privacy and government censorship).
Don't just Occupy
Submitted by Jon on Fri, 09/23/2011 - 05:26
A colleague and I have the first of two articles posted on FastCompany - discussing the role of automation in job creation -- and destruction:
Look deeply into the beady little electronic eye of your vacuum-cleaning robot, and you’ll see a machine bent on world domination. For now, it focuses on finding and eradicating dirt, but every time it gets into a particularly protracted fight with a wall, your feet, or a house pet--you know it has larger ambitions. More concerning than the Roomba’s aggressive policy stance against furniture legs is what it as a product means for labor, job creation, and automation.
We’re used to a well-worn path in manufacturing, and business in general. An extra bright cave-dweller figures out how to use a round object to help move large things, early adopters begin to share the practice, and then pretty soon everyone is using wheels. Eventually, artisan wheel-makers find themselves out of a job when factories start pumping out robot-manufactured wheels, and we move on as a society--wheels are now a given commodity.
The thing is, those robots have taken over the factory floor, and are moving upstairs.
Submitted by Jon on Wed, 08/10/2011 - 15:46
The events in London over the past few days have been deeply interesting in the wake of last month's conversation on mobile and online activism during and after #ArabSpring. In this case, the actors are different, but the response patterns are similar - the embattled government pushing on technology providers to share private data or turn off mobile messaging services. In this case, it's RIM/Blackberry in the middle, with calls from MPs to "curfew" Blackberry messaging, and RIM itself offering to help police by sharing message contents. This promptly led to the Blackberry site being hacked, with the hacker posting:
"We have access to your database which includes your employees information; e.g - Addresses, Names, Phone Numbers etc. - now if u assist the police, we _WILL_ make this information public and pass it onto rioters ... do you really want a bunch of angry youths on your employees doorsteps?"
Obviously, that's not a very nice thing to do, particularly considering it's unlikely any of these employees had much to do with this decision in the first place.
The lines are not quite as clear as one would like, though. All protests are messy, and it's rarely clear who is in the right. Many countries claim to be representative democracies of one flavor or another. If youth were protesting a regime in yet another Middle East/North African country, we would be globally shaming RIM/Blackberry for cavorting with the government. Of course, in the case of London, it seems to be more a gang of thugs and looters than a political statement.
The challenge, of course, is that the technology vulnerabilities might be useful to authorities during a riot, but are also useful to authoritarian governments in squelching a revolution. Not unlike WikiLeaks, you don't get to pick and choose who benefits from the technology, or who is made vulnerable by it.
Ashoka Changemakers is hosting a competition supported by Google to source innovative ideas in the Citizen Media space solving some of this tension around privacy, speech, and trust. There's some amazing thoughtwork in the space getting recorded at the Ashoka News and Knowledge blog.
All of that is a long introduction to the better-late-than-never summary of the July ICT4D Meetup. You know that it's a good technology discussion when it turns into a people discussion, and so went our conversation around "Online Activism after #ArabSpring: What's Next?".
Our panelists discussed the strange role of being an Egyptian following along from abroad via social media, the roles of traditional and new media in civic engagement, and examples of online activism around the world, from Azerbaijan to Spain.
The core topic we kept coming back to was that, while the excitement around new technologies was justified, social media is a tool, not a movement. So while a cat-and-mouse game around technology will likely continue, the core of any social change is the people involved, not whatever tools they are using. Check out the Twitter stream here.
Submitted by Jon on Thu, 07/14/2011 - 08:00
If May 3rd gets to be World Press Freedom Day, then after today's events, July 14 (in addition to already being Bastille Day) should be Citizen Media Day.
The "celebrations" really started yesterday, with Ashoka Changemakers (with the support of Google) launching a global competition (fully supported in nine languages, no less) to source innovative ideas in citizen media. I've got to say, I love how the timeline goes "backwards" in Right-to-Left languages like Arabic. Many thanks to our work with Ashoka Israel in launching Kikar (loosely, "Market square") in Hebrew.
Later in the day, at 5:30pm, I will be moderating a panel on "Online Activism after #ArabSpring: What's Next?" - there are a few seats still available, more information and RSVP at http://www.meetup.com/intlrel-76/events/23103221/. Follow along on Twitter with the hashtag #AAS, and there's a remote possibility we may be able to livestream the event.
Finally, we get to wind down at Circa Bistro with a happy hour co-hosted with ICTWorks - information and RSVP here: http://ict4drinks-july14.eventbrite.com/.
Submitted by Jon on Tue, 05/03/2011 - 08:47
May 3 is World Press Freedom Day. To celebrate my ability to post things I find inspiring to the Internet (where as many as 10 people other than my mother might read it (Hi Mom - happy mother's day in advance!)), here is a collection of tangentially related links on freedom, privacy, and the role of ICT in press freedom and citizen voice.
Does Facebook have int'l development impact?
http://www.ictworks.org/news/2011/05/04/does-facebook-have-any-internati... (What about SMS? http://researchspace.csir.co.za/dspace/bitstream/10204/3419/1/Butgereit3... )
Freedom of the press in India: http://www.nytimes.com/2011/04/28/technology/28internet.html
Finally, someone is building an SMS listserv: http://www.mobileactive.org/smsall-growth-sms-mailing-list-pakistan-1
How governments censor: http://www.cpj.org/reports/2011/05/the-10-tools-of-online-oppressors.php
Getting around government censorship: http://www.freedomhouse.org/template.cfm?page=383&report=97
Nearly half of NYT reports have sourced WikiLeaks so far in 2011: http://www.theatlanticwire.com/global/2011/04/over-half-2011s-new-york-t...
The US government doesn't think it needs a warrant to search electronic communications: http://www.aclu.org/blog/free-speech-technology-and-liberty/does-governm...
Live from Uganda -- political unrest, strikes, and an attempt to block Facebook and Twitter traffic: http://globalvoicesonline.org/2011/04/19/uganda-government-attempts-to-b... , One ISP stands its ground: https://twitter.com/#!/MTNUGANDACARE/status/58844526369976320
Submitted by Jon on Tue, 04/19/2011 - 10:16
This is brilliant, and a bit funny. Until some innocent person taking a stroll is killed for insurgency.
A long quote from this blog by way of Warren Ellis and BoingBoing, emphases mine:
In summary, several Chinese language, but overseas based, websites have been blogging on the creation of a ‘Jasmine Revolution’ in China. This has been motivated, of course, by events in MENA, and the timing has been significant because it has coincided with two important political conferences in Beijing, but it appears to have no real-world substance whatsoever, to have begun as a hoax at best, and to exist only in cyberspace, and cyberspace outside China at that. But the interesting bit is the real world effect it is having inside China, and the momentum it is generating.
Submitted by Jon on Thu, 01/06/2011 - 11:21
Ashoka's Changemakers is running a global competition with the Omidyar Network to source the most innovative approaches for providing property rights to those who lack them around the world.
If you're reading my blog, you probably understand the importance of being able to define and claim your ownership of property - it affects the stability of your living situation, your ability to qualify for (micro)finance, and your ability to even get a job by having a "real" address. Not to mention the obvious personal dignity value of having a place you can call your home, and the hands-down value of women's land ownership in stabilizing communities.
As part of our competition process we let the world decide who among our finalists have the best ideas, giving everyone the ability to crown the winners. So go and read the ideas of the semi-finalists, create an account and vote for your favorites at http://www.changemakers.com/property-rights/semifinalists#tab-section
Submitted by Jon on Wed, 12/08/2010 - 21:02
We are also supporting the development of new tools that enable citizens to exercise their rights of free expression by circumventing politically motivated censorship. We are providing funds to groups around the world to make sure that those tools get to the people who need them in local languages, and with the training they need to access the internet safely. [ ... ] We want to put these tools in the hands of people who will use them to advance democracy and human rights, to fight climate change and epidemics, [...]
Great ideals, sure, but what about WikiLeaks? Who in this day and age would vocally and publicly support tools that would "[circumvent] politically motivated censorship" when these crazies could be terrorists being censored by a friendly government, or when their "free speech rights" could be potentially tied to copyrighted material?
WikiLeaks has changed political discourse, and quite possibly the path of the Internet's evolution. I can't claim to have completely digested my own views on this, but here's a start, and some links to a lot of great thoughtwork on the situation.
1) Maybe this is the world we want. Long discussions about the value of a hegemonic global political system and its values on stability (at the cost of human rights, generally speaking) aside, the USA's political power is in flux right now, and possibly fading out. Do we want another superpower to emerge and dominate the world? The USA, for all our foibles, has some strong ideals around democratic rule and human rights. We don't always practice those, but they're at least core to our political discourse. A truly multipolar world needs global-level democracy, and it's tools like WikiLeaks that begin to create that. Well, that, and a roving band of crypto-anarchists who get pissed off at this ham-handedness and decide to take the websites of Mastercard and Visa down. And Wikipedia. And torrent-sharing sites. Any tool that's good at promoting human rights in repressive regimes is also good at enabling dissidents, whistleblowers, pedophiles, and people swapping mp3 files. You don't get to pick and choose who uses these things, and trying to do so destroys their value immediately. These tools also lend themselves towards mob rule, so we need to choose our next steps carefully. As a side note, if you really disapprove of harsh, externally-enforced transparency of what you consider private details, then I really hope you're not reading this from a link on Facebook.
2) It's OK to be a Voltaire here. While not technically his own words, he certainly held and espoused the concept: "I disapprove of what you say, but I will defend to the death your right to say it." WikiLeaks is being, well, over the top and careless in what it's releasing. The Collateral Murder video seems pretty clearly whistleblowing. The cable leaks are un-aimed. Clay Shirky summed this up solidly:
I am conflicted about the right balance between the visibility required for counter-democracy and the need for private speech among international actors. Here’s what I’m not conflicted about: When authorities can’t get what they want by working within the law, the right answer is not to work outside the law. The right answer is that they can’t get what they want. [...]
Over the long haul, we will need new checks and balances for newly increased transparency — Wikileaks shouldn’t be able to operate as a law unto itself anymore than the US should be able to. In the short haul, though, Wikileaks is our Amsterdam. Whatever restrictions we eventually end up enacting, we need to keep Wikileaks alive today, while we work through the process democracies always go through to react to change. If it’s OK for a democracy to just decide to run someone off the internet for doing something they wouldn’t prosecute a newspaper for doing, the idea of an internet that further democratizes the public sphere will have taken a mortal blow.
It's OK, if not strongly encouraged, to not be a big fan of WikiLeaks, but still supportive of their right to exist and disseminate "leaked" information. Would the US be upset if this was a leak of internal Chinese diplomatic ramblings, or North Korea, or Iran -- or would we be chalking another success up for "the little guy" in the global struggle for democracy and freedom of speech? We're all sovereign States here; at some level, there should be at least an illusion of equal rights among States.
3) Don't be Grand Moff Tarkin. Yeah, a Star Wars reference for good measure. The actual reference is to some parting advice from Leia on his tough stance around the use of force to put down rebels: "The more you tighten your grip, Tarkin, the more star systems will slip through your fingers." As an anonymous commenter on the BoingBoing story above said:
I think you misunderstood what she said. The attacks are the tool. Just look at the effect it's had on WikiLeaks. It's gone from being hosted on a single server with rather unsafe DNS etc. to being mirrored over 1000 times across the world!
Truly this government is driving the development of anti-censorship tools and increasing the power of free speech online.
This is the first of many problems of this sort, and here we are showing off all the tricks in our playbook. Over at Crooked Timber, Henry puts it more succinctly:
The US response to Wikileaks has been an interesting illustration of both the limits and extent of state power in an age of transnational information flows. The problem for the US has been quite straightforward. The Internet makes it more difficult for states (even powerful ones such as the US) to control information flows across their own borders and others. [The jurisdictional problems of the Internet] makes it much harder for the US and other actors to use the traditional tools of statecraft[...]
However, there is a set of tools that states can use to greater effect. The Internet and other networks provide some private actors with a great deal of effective transnational power. Banks that operate across multiple jurisdictions can shape financial flows between these jurisdictions.
The Internet has this amazing and annoying problem that's baked pretty deeply in to its architecture - it is designed to move information as efficiently as possible. This makes censorship attempts backfire every time. Somehow, no one has learned this.
4) Shooting the messenger is a fast way to being uninformed. Disabling, hobbling, and otherwise subjecting tools to political will is a very dangerous path. Amazon has a great business around providing "elastic" computing and hosting services to companies, and I'm going to bet that anyone using Amazon's services is re-examining their hosting choices right about now. Breaking the DNS system to take the main WikiLeaks site off the web -- I'm sure that sounded like a brilliant idea, and it's going to reignite a debate around the US's control of huge swaths of the DNS system, and probably make that power very difficult to exercise both politically and technically. Again, the trust in what was considered a trusty tool has been eroded, and anyone working on hot-button issues is going to take extra care to have secondary systems that provide future resiliency against a similar attack. Beyond the points made in (3), we're hurting normal businesses that trust these services to be reliable. Ethan Zuckerman has a good Q&A about this at the Columbia Journalism Review.
5) Don't forget the real story. Did Julian Assange actually commit a crime in the US? He's not a citizen, he didn't do any of this in the US, and he's not the one who stole the classified documents. And he hasn't been charged with a crime (in the US, yet). Are we really pursuing someone for re-broadcasting already leaked, classified documents? That worked so well with the Pentagon Papers.
Hey, at least we live in interesting times.
Submitted by Jon on Tue, 06/16/2009 - 07:46
A critical network upgrade must be performed to ensure continued operation of Twitter. In coordination with Twitter, our network host had planned this upgrade for tonight. However, our network partners at NTT America recognize the role Twitter is currently playing as an important communication tool in Iran. Tonight's planned maintenance has been rescheduled to tomorrow between 2-3p PST (1:30a in Iran).
As much as I fear what happens after the honeymoon with SMS and social media under repressive governments, currently they provide an amazing tool for immediate news, citizen voice, and discussion, even during a crisis.
Update: The State Department is now involved (http://ac360.blogs.cnn.com/2009/06/16/state-department-to-twitter-keep-i...):
By necessity, the US is staying hands off of the election drama playing out in Iran, and officials say they are not providing messages to Iranians or “quarterbacking” the disputed election process.
But they do want to make sure the technology is able to play its sorely-needed role in the crisis, which is why the State Department is advising social networking sites to make sure their networks stay up and running for Iranians to use them and helping them stay ahead of anyone who would try to shut them down.
Submitted by Jon on Mon, 06/15/2009 - 14:54
iRevolution has a good, academic-style breakdown of the challenges and communication technologies involved in communicating securely within repressive regimes:
It covers a lot of ground, balancing ease of use against level of security, and is looking for input!
Submitted by Jon on Sun, 06/14/2009 - 10:01
The Daily Dish reposts a call to action from Twitter: "ALL internet & mobile networks are cut. We ask everyone in Tehran to go onto their rooftops and shout ALAHO AKBAR in protest #IranElection", and comments:
That a new information technology could be improvised for this purpose so swiftly is a sign of the times. It reveals in Iran what the Obama campaign revealed in the United States. You cannot stop people any longer. You cannot control them any longer. They can bypass your established media; they can broadcast to one another; they can organize as never before.
Submitted by Jon on Tue, 05/19/2009 - 11:34
As always, Ethan Zuckerman brings together all the threads surrounding the Guatemala protests, including information about the arrested Twitter user and some "trending topics" muckraking:
I ran a little tool I developed a few weeks back to check the frequency with which phrases and hashtags appear on Twitter. #escandalogt isn’t hugely frequent, registering at 0.052% - compared to #swineflu, for instance, which was running at over 2% at the height of hype/hysteria. What’s interesting is that #escandalogt is about as frequent as several of the tags listed on Twitter’s “Trending Topics”, getting more use than #fixreplies, #GoogleFail and #theoffice, all currently featured on the right sidebar. It’ll be interesting to see whether #escandalogt emerges there… or whether this is a sign that those topics aren’t entirely algorithmically generated and some human curation is involved.
Submitted by Jon on Wed, 05/13/2009 - 09:35
You might have heard about the posthumously released video by a Guatemalan lawyer accusing his president, in the event of his death, of having him assassinated for not participating in a money-laundering scheme. If not, read about the video on BoingBoing.
It's ignited a full-blown protest against corruption in a country known for not being kind to activism. There are live protests ongoing and rumored additional strikes and protests against the government and its narco-trafficking connections, and a very active online media component (local TV stations are avoiding the events like the plague, but online outlet Libertopolis is broadcasting the protests, and there is a Twitter hashtag, #escandaloGT). Read more on different citizen media and follow updates at BoingBoing's coverage of the scandal, and CNN's slanted coverage, "Guatemala rejects allegations of role in lawyer's death," which follows Guatemala's own media's tactic of not speaking about the mass protests:
Submitted by Jon on Wed, 03/25/2009 - 12:47
I recently saw Ken Banks present at a local speaker series run by IREX. He gave an updated version of this presentation from POPTech, on the power of mobile phones in citizen empowerment, NGO communication, and a host of other amazing stories of using the available, appropriate technology in remote and rural locations which are often off-grid and without Internet access. By attaching a computer (Linux, Mac, or Windows) to a cell phone with a data cable and installing his (free, open source) software, FrontlineSMS, you turn that computer into a messaging hub, sending and receiving text messages via the cell phone to hundreds of contacts.
That's pretty amazing. Three reasonably available pieces of hardware and you have a tool to send alert messages out, receive election monitoring information through, or communicate with field medical workers to coordinate and track supplies and treatment information. Or track corruption. Or report human rights violations. Or share news and tips in places where the media is not independent, as one of the FrontlineSMS success stories shows: