8 March 2013
Where We Are Right Now on Comsec
From: Tom Ritter <tom[at]ritter.vg>
Date: Fri, 8 Mar 2013 13:05:30 -0500
Subject: Re: Summary of where we are right now
To: <cypherpunks[at]al-qaeda.net>, <cypherpunks[at]lne.com>
> So they figured it was easier to just get suckers to use some form of
> encryption (including and specifically TOR) to send the red flag that
> someone wanted to hide something, so "look over here!".
I don't agree that the NRL [Naval Research Laboratory] funded Tor for this
purpose, but I do agree that our tools today (Tor, mixmaster/mixminion, PGP
mail, RedPhone, TextSecure, OTR, etc) are easily distinguishable in traffic
streams, and that this is a problem. Just as Riseup collects a bunch of people
who care a lot about privacy onto one mailserver - people using these tools
are likely to be interesting.
Skype, Facebook, Gmail - for all their problems, they are ubiquitous, and
don't draw attention.
> 3. But we are going to win. Yeah, we're gonna win. Why? Because we want
> It's not enough to encrypt: The type and context of encryption had to
> hidden as well. Kind of the network version of Rubberhose. But these
> kids who grew up not watching TV because it didn't interact with them,
> they who will create a stego virus to propagate fake stego everywhere
> Facebook or whatever. It's them who are going to create TOR services
> operate ubiquitously behind the scenes, so that most users dob't even
> they are using it. Hiding the form of encryption will itself be the
> frontier as crypto becomes ubiquitous.
A friend I talked with recently told me he thought it was easy to set up
an anonymity system that worked great for you and your friends, and near
impossible to build one that worked well for everyone else. Once it got popular
or you became a target of investigation, people would put the effort into
detecting it. Otherwise, it would continue along, looking like another
TLS/SSH/Skype/whatever that just a little bit odd... Tor faces this problem
I don't see us as having won, I see us as now knowing how to fight.
We know the devices they will use to easily detect our traffic, and in most
cases we can get access to them. We must make our protocols indistinguishable
on the wire. We know the ubiquitous services and protocols that we must work
within or disguise ourselves as.
We know (some of? most of?) the statistical attacks adversaries of the future
can conduct - we must make them as difficult and expensive as possible for
them to achieve.
We know how woefully inadequate the user interfaces and requirements of the
first generation of tools were, and we know where we must go: to browsers,
smartphones, tablets, and consumer operating systems.
We have a much better idea of how normal people will react to our tools,
and thus how much effort we must make to make them usable, and push for ubiquity.
We know what requirements are unreasonable of us to make upon people, and
that we must design systems where those requirements are worked around, dulled,
or the single 'sharp edge' of the system.
[Beginning of thread:]
From: Tyler Durden <camera_lumina[at]hotmail.com>
Subject: Summary of where we are right now
Date: Thu, 7 Mar 2013 21:28:32 -0500
Since I haven't seen anything come off of the list for a while and since
I've imbibed some nice single-malt, I will for the fuck of it summarize where
things are. Any Cypherpunk with some kinda balls will tell me I'm completely
and absolutely full of shit, but at least I tried, so do better.
1. We won. With Bitcoin and Silk Road along with encrypted peer-to-peer sharing
networks (oh yeah and TOR), it's pretty clear we won. There's a lotta popular
literature out there now discovering Cypherpunks anew. Some form of Crypto
is out there, for those that want to use it, that can can make it real pain
in the ass for TLAs to discover that your "Afghan" is really just a form
of 80s retro-pot.
2. No, we didn't win yet: TOR is a honeypot. That's right, motherfucker:
You do know who really gave TOR its initial impetus, right? And you know
why they did that? They did it precisely because it was too obvious and too
expensive to pull EVERYTHING back to Virginia or wherever. So they figured
it was easier to just get suckers to use some form of encryption (including
and specifically TOR) to send the red flag that someone wanted to hide something,
so "look over here!". Anything TOR'd is certainly backhauled to the greater
DC area and, if there are any additional meta-meta-data risk flags, they'll
red light it to begin cracking. If they can't crack within reasonable time/cost
budgets (given the risk), and if they for some reason feel a little nervous
about you, well they'll just find out where you are and attack your shitty
machine. Oh, you use Linux? Well that's totally different. It's not like
they hired any brilliant math or crypto geek coming out of college or grad
3. But we are going to win. Yeah, we're gonna win. Why? Because we want to.
It's not enough to encrypt: The type and context of encryption had to be
hidden as well. Kind of the network version of Rubberhose. But these young
kids who grew up not watching TV because it didn't interact with them, it's
they who will create a stego virus to propagate fake stego everywhere on
Facebook or whatever. It's them who are going to create TOR services that
operate ubiquitously behind the scenes, so that most users dob't even know
they are using it. Hiding the form of encryption will itself be the final
frontier as crypto becomes ubiquitous.
4. Bitcoin, motherfucker. Crazy old cackling May was right. Or at least,
he was right enough. Right enough for me to buy pot or 'cid or shrooms over
the internet and have them sent to my Unabomber shack. Even
less...tasteful...forms of porn will be tolerated precisely because THEY
can't reveal what they can do, at least not unless their own salaries are
in jeopardy. Adrian Lamo? No doubt THEY looked for someone who had contact
Manning so that they could hide what they had intercepted and what they could
do. But they will keep hiding what they can do while a real economy takes
over and sorts out its own.
Yeah, that's it. It's downhill from here. Cypherpunks are dead because they
are no longer needed, so long live the King of the Anarchy.