A Geek With Guns

Chronicling the depravities of the State.

Archive for the ‘Crypto-Anarchism’ tag

Saving the Internet

I guess today is the annual Save the Internet celebration. What I mean by that is that a bunch of websites have gotten together in a bid to once again circlejerk about saving net neutrality. I call it a circlejerk because, like the last several years, this year the websites participating in this “action” are urging people to contact various government officials and beg them to enforce net neutrality. Of course, since this “action” has taken place so many times I have my doubts about the effectiveness of pleading with government officials.

Instead of urging you to waste your time by contacting people who don’t give a shit about you I’m going to offer an alternate idea. Unfortunately, I already know that this proposal will be unpopular because it requires people to take actual action. TANSTAAFL. If you want a neutral Internet you’re going to have to work for it.

Longtime readers probably already know what I’m going to propose because I’ve proposed it before. The only way to enjoy a neutral Internet is to own the infrastructure and enjoy the ability to run it however you goddamn please. So my proposal is to build out small interconnected mesh networks. Why mesh networks? First, they’re relatively cheap to build. You don’t have to bury a bunch of fiber optic cable or build expensive cellular towers. All you need is off-the-shelf hardware loaded with freely available firmware. Second, mesh nodes are controlled by the individuals who own them, not a single entity. This makes it difficult to enforce undesirable rules on the mesh network because there isn’t a single entity to buy off or coerce. Third, large scale mesh networks are a proven technology. Catalonia has one called Guifi.net, which has been operating and expanding since 2009.

Obviously this proposal will initially rely on the currently established Internet to interconnect geographically separated mesh networks. If this proposal took off, though, this condition would be temporary because eventually the meshes would grow numerous enough and large enough that they could be directly interconnected. Once that happens the need for the currently centralized Internet would cease along with the centralized control that is the root of the net neutrality problem.

If you really want to “save the Internet” don’t waste your time by pleading with government officials. Take some direct action and start learning about building your own infrastructure.

Written by Christopher Burg

July 12th, 2017 at 11:00 am

The Future is Bright

A writer at The Guardian, which seems to be primarily known for propagating left-wing statist propaganda, has shown a slight glimmer of understanding. While neoconservatives and neoliberals fight for power over other people, crypto-anarchists have been busy working in the shadows to develop technology that allows individuals to defend themselves from the State:

The rise of crypto-anarchism might be good news for individual users – and there are plenty working on ways of using this technology for decent social purposes – but it’s also bad news for governments. It’s not a direct path, but digital technology tends to empower the individual at the expense of the state. Police forces complain they can’t keep up with new forms of online crime, partly because of the spread of freely available encryption tools. Information of all types – secrets, copyright, creative content, illegal images – is becoming increasingly difficult to contain and control. The rash of ransomware is certainly going to get worse, exposing the fragility of our always connected systems. (It’s easily available to buy on the dark net, a network of hidden websites that are difficult to censor and accessed with an anonymous web browser.) Who knows where this might end. A representative from something called “Bitnation” explained to Parallel Polis how an entire nation could one day be provided online via an uncontrollable, uncensorable digital network, where groups of citizens could club together to privately commission public services. Bitnation’s founder, Susanne Tarkowski Tempelhof, hopes Bitnation could one day replace the nation state and rid us of bureaucrats, creating “a world of a million competing digital nations”, as she later told me.

The biggest threat to statism is individual empowerment. While technology is a two-edged sword, serving both the State and individuals without concern for either’s morality, it is difficult to argue that it hasn’t greatly helped empower individuals.

A combination of Tor hidden services and cryptocurrencies has done a great deal to weaken the State’s drug war by establishing black markets where both buyers and sellers remain anonymous. Weakening the drug war is a significant blow to the State because it deprives it of slave labor (prisoners) and wealth (since the State can’t use civil forfeiture on property it can’t identify).

Tor, Virtual Private Networks (VPN), Hypertext Transfer Protocol Secure (HTTPS), Signal, and many other practical implementations of encryption have marvelously disrupted the State’s surveillance apparatus. This also cuts into the State’s revenue since it cannot issue fines, taxes, or other charges on activities it is unaware of.

3D printers, although still in their infancy, are poised to weaken the State’s ability to restrict objects. For example, the State can’t prohibit the possession of firearms if people are able to print them without the State’s knowledge.

But if the State disables the Internet all of these technologies fall apart, right? That would be the case if the Internet was a centralized thing that the State could disable. But the Internet is simply the largest network of interconnected networks. Even if the State shut down every Internet Service Provider (ISP) in the world and cut all of the undersea cables, the separated networks would merely have to be reconnected. That is where a technology like mesh networking could come into play. Guifi.net, for example, is a massive mesh network that spans Catalonia. According to the website, there are currently 33,191 operating nodes in the Guifi.net mesh. Shutting down that many nodes isn’t feasible, especially when they can be quickly replaced since individual nodes are usually cheap off-the-shelf Wi-Fi access points. Without the centralized Internet a span of interconnected mesh networks could reestablish global communications and there isn’t much the State could do about it.

Statism has waxed and waned throughout human history. I believe we’re at a tipping point where statism is beginning to wane and I believe advances in individual empowering technologies are what’s diminishing it. Voting won’t hinder the State. The Libertarian Party won’t hinder the State. Crypto-anarchists, on the other hand, have a proven track record of hindering the State and all signs point to them continuing to do so.

Keybase Client

Keybase.io started off as a service people could use to prove their identity using Pretty Good Privacy (PGP). I use it to prove that I own various public accounts online as well as this domain. Back in February the Keybase team announced a chat client. I hadn’t gotten around to playing with it until very recently but I’ve been impressed enough by it that I feel the need to post about it.

Keybase’s chat service has a lot of similarities to Signal. Both services provide end-to-end encrypted communications, although in slightly different ways (Keybase, for example, doesn’t utilize forward secrecy except on “self-destructing” messages). However, one issue with Signal is that it relies on your phone number. If you want to chat on Signal with somebody you have to give them your phone number and they have to give you theirs. This reliance on phone numbers makes Signal undesirable in many cases (such as communicating with people you know online but not offline).

Keybase relies on your proven online identities. If you want to securely talk to me using Keybase you can search for me by using the URL for this website since I’ve proven my ownership of it on Keybase. Likewise, if you want to securely talk to somebody on Reddit or Github you can search for their user names on those sites in Keybase.

Another nice feature Keybase offers is a way to securely share files. Each user of the Keybase client gets 10GB of storage for free. Any data added to your private folder is encrypted in such a way that only you can access the files. If you want to share files amongst a few friends the files can be encrypted in a way that only you and those designated friends can access them.

On the other hand, if you’re into voice and video calls, you’re out of luck. Keybase, unlike Signal, currently supports neither and I have no idea if there are plans to implement them in the future. I feel that it’s also important to note that Keybase, due to how new it is, hasn’t undergone the same level of rigorous testing as Signal has so you probably don’t want to put the same level of trust in it yet.

Written by Christopher Burg

June 8th, 2017 at 11:00 am

You are Responsible for Your Own Anonymity

Reality Leigh Winner (who, despite her name, was not a winner in reality) is currently sitting in a cage for the crime of leaking classified National Security Agency (NSA) documents. Unlike Edward Snowden, Reality didn’t purposely go public. But she made a series of major mistakes that allowed the NSA to identify her after she leaked the documents. Her first mistake was using a work computer to communicate with The Intercept:

Investigators then determined that Ms Winner was one of only six people to have printed the document. Examination of her email on her desk computer further revealed that she had exchanged emails with the news outlet, the indictment said.

By using a work computer to communicate with The Intercept, she made hard evidence against her easily available to her employer.

Her second mistake was physically printing the documents:

When reporters at The Intercept approached the National Security Agency on June 1 to confirm a document that had been anonymously leaked to the publication in May, they handed over a copy of the document to the NSA to verify its authenticity. When they did so, the Intercept team inadvertently exposed its source because the copy showed fold marks that indicated it had been printed—and it included encoded watermarking that revealed exactly when it had been printed and on what printer.

Most major printer manufacturers watermark any pages printed by their printers. The watermarks identify which printer printed the document. In addition to the physical printer, the watermark on the document posted by The Intercept also included a timestamp of when the document was printed.

Reality’s third mistake was trusting a third party to guard her anonymity. Because of The Intercept’s history of working with leakers it’s easy to assume that the organization takes precautions to guard the identities of its sources. However, a single mistake, posting the printed document without editing out the watermark, gave the NSA enough evidence to narrow down who the leaker could be.

The lesson to be learned from this is that you alone are responsible for maintaining your anonymity. If you’re leaking classified materials you need to do so in a way that even the individual or organization you’re leaking them to is unable to identify you.

Written by Christopher Burg

June 7th, 2017 at 11:00 am

What Could Kill Bitcoin

I greatly appreciate Bitcoin. By enabling pseudonymous transactions it has made many forms of commerce, specifically those deemed illegal by various governments, easier. It also offers an opportunity for individuals to conceal at least some of their wealth from the State. However, Bitcoin exists in a market environment, which means a superior competing product could come along at any moment and topple it.

When Bitcoin first came on the scene its community promised low transaction fees. They often compared the transaction fees of, say, Western Union to the miner fees of Bitcoin for sending money across the globe. At the time sending money via Bitcoin was significantly cheaper.

Fast forward to today. The price of sending Bitcoin has skyrocketed. If you want a Bitcoin transaction to clear in a reasonable amount of time you’re looking at a transaction fee of over $2.00 (as of this writing). Why is this? It’s because the Bitcoin network is running into a block size ceiling problem. This problem has created an environment where more transactions are being made than can be processed so convincing miners to process your transaction requires offering a significant reward. No problem, right? It’s just the market at work after all.

It’s true, Bitcoin’s current state is an example of supply and demand. Demand has exceeded the supply of miners so the price to get transactions cleared has increased. But markets are finicky things. If enough people decide that they’re unwilling to spend $2.00 on a transaction fee for a $5.00 coffee they’re going to look for a better solution. Bitcoin isn’t the only cryptocurrency in town so failing to address the block size ceiling problem will likely encourage consumers to find an alternate cryptocurrency.

Considering this you would think that the Bitcoin community is working diligently to solve the problem, right? As it turns out, not so much. Now a lot of the Bitcoin community is changing its tune. Instead of addressing the issue they are denying the fact that low transaction fees were a selling feature of Bitcoin not too long ago. In addition to denying the past they’re trying to explain how high transaction fees are acceptable. I highly doubt most consumers see the “wisdom” in paying a $2.00 transaction fee to buy a $5.00 espresso at Starbucks. And that’s the thing, for a cryptocurrency to succeed it needs to be useful.

I can hear some Bitcoin advocate saying, “But, Chris, Bitcoin will simply become the new gold while another cryptocurrency will become its silver!” Gold and silver run into a divisibility problem. You can only divide gold so far until it becomes difficult to use. Nobody is going to pay for a coffee using gold dust because it’s a pain in the ass. Instead they use a less valuable metal, silver, for smaller payments. Cryptocurrencies don’t have this problem. You can divide a cryptocurrency down to as many decimal places as you want and it’ll be equally easy to use. Whether a cup of coffee costs me 1 Bitcoin or 0.000001 Bitcoin doesn’t make a usability difference to me. This means that any cryptocurrency that takes over Bitcoin’s current task of handling small transactions will likely rise to dominance overall.

Governments have been unable to destroy Bitcoin but the unwillingness of its community to address technical problems very well could lead to its destruction.

Written by Christopher Burg

June 1st, 2017 at 10:00 am

CryptoPartyMN Meeting Tonight

For those of you who don’t know, CryptoPartyMN is a group that focuses on teaching individuals how to utilize secure communication tools. We meet every other week and host a few hands-on workshops each year. With the sudden concern about privacy as it relates to Internet Service Providers (ISP), tonight’s meeting will discuss Virtual Private Networks (VPN).

If you’re interested in learning about defending your privacy against your ISP please feel free to join us.

Written by Christopher Burg

April 4th, 2017 at 11:00 am

Posted in Events

Private Solutions to Government Created Problems

Earlier this week the United States Congress decided to repeal privacy protection laws that it had previously put into place on Internet Service Providers (ISP). While a lot of people have been wasting their time begging their representatives masters with phone calls, e-mails, and petitions, private companies have begun announcing methods to actually protect their users’ privacy. In the latest example of this, Pornhub announced that it will turn on HTTPS across its entire site:

On April 4, both Pornhub and its sister site, YouPorn, will turn on HTTPS by default across the entirety of both sites. By doing so, they’ll make not just adult online entertainment more secure, but a sizable chunk of the internet itself.

The Pornhub announcement comes at an auspicious time. Congress this week affirmed the power of cable providers to sell user data, while as of a few weeks ago more than half the web had officially embraced HTTPS. Encryption doesn’t solve your ISP woes altogether—they’ll still know that you were on Pornhub—but it does make it much harder to know what exactly you’re looking at on there.

As the article points out, your ISP will still be able to tell that you accessed Pornhub, since Domain Name System (DNS) lookups are generally not secured, but it won’t be able to see what content you’re accessing. As for DNS lookups, solutions are already being worked on to improve their security. Projects like DNSCrypt, which provides encrypted DNS lookups, are already available.

If you want to protect your privacy you can’t rely on the State’s regulations. First, the State is the worst offender when it comes to surveillance and the consequences of its surveillance are far worse. Sure, your ISP might sell some of your data but the State will send men with guns to your home to kidnap you and probably shoot your dog. Second, as this situation perfectly illustrates, government regulations are temporary. The government implemented the privacy regulations and then took them away. It may restore them again in the future but there’s no guarantee it won’t repeal them again. Any government solution is temporary at best.

Cryptography offers a permanent solution that can protect Internet users from both their snoopy ISP and government. HTTPS and DNSCrypt will continue to work regardless of the state of privacy regulations.

Written by Christopher Burg

March 31st, 2017 at 10:00 am

Vault 7 isn’t the End of Privacy

There have been a lot of bad stories and comments about Vault 7, the trove of Central Intelligence Agency (CIA) documents WikiLeaks recently posted. Claims that the CIA has broken Signal, can use any Samsung smart television to spy on people, and a whole bunch of other unsubstantiated or outright false claims have been circulating. Basically, idiots who speak before they think have been claiming that Vault 7 is proof that privacy is dead. But that’s not the case. The tools described in the Vault 7 leak appear to be aimed at targeted surveillance:

Perhaps a future cache of documents from this CIA division will change things on this front, but an admittedly cursory examination of these documents indicates that the CIA’s methods for weakening the privacy of these tools all seem to require attackers to first succeed in deeply subverting the security of the mobile device — either through a remote-access vulnerability in the underlying operating system or via physical access to the target’s phone.

As Bloomberg’s tech op-ed writer Leonid Bershidsky notes, the documentation released here shows that these attacks are “not about mass surveillance — something that should bother the vast majority of internet users — but about monitoring specific targets.”

The threats of mass surveillance and targeted government surveillance are very different. Let’s consider Signal. If the CIA had broken Signal it would be able to covertly collect Signal packets as they traveled from source to destination, decrypt the packets, and read the messages. This would enable mass surveillance like the National Security Agency (NSA) has been doing. But the CIA didn’t break Signal, it found a way to attack Android (most likely a specific version of Android). This type of attack doesn’t lend itself well to mass surveillance because it requires targeting specific devices. However, if the CIA wants to surveil a specific target then this attack works well.

Avoiding mass surveillance is much easier than defending yourself against an organization with effectively limitless funds and a massive military to back it up that specifically wants your head on a platter. But unlike mass surveillance, very few people have to actually deal with the latter. And so far the data released as part of Vault 7 indicates the surveillance tools the CIA has developed are aimed at targeted surveillance so you most likely won’t have to deal with them.

Privacy isn’t dead, at least so long as you’re not being specifically targeted by a three letter agency.

Vault 7

WikiLeaks dropped a large archive of Central Intelligence Agency (CIA) leaks. Amongst the archive are internal communications and documents related to various exploits the CIA had or has on hand for compromising devices ranging from smartphones to smart televisions.

I haven’t had a chance to dig through the entire archive yet but there’s one thing that everybody should keep in mind.

The government that claims to protect you, that many people mistakenly believe protects them, has been hoarding vulnerabilities and that has put you directly in harm’s way. Instead of reporting discovered vulnerabilities so they could be patched, the CIA, like the NSA, kept them secret so it could exploit them. Since discovery of a vulnerability doesn’t grant a monopoly on its use, the vulnerabilities discovered by the CIA may very well have been discovered by other malicious hackers. Those malicious hackers could, for example, be exploiting those vulnerabilities to spread a botnet that can be used to perform distributed denial of service attacks against websites to extort money from their operators.

Remember this the next time some clueless fuckstick tells you that the government is there to keep you safe.

While I haven’t had a chance to read through the archive, I have had a chance to read various comments and reports regarding the information in the archive. By doing this I’ve learned two things. First, the security advice posted by most random Internet denizens is reminiscent of the legal advice posted by most sovereign citizens. Second, the media remains almost entirely clueless about information security.

Case in point, a lot of comments and stories have said that the archive contains proof that the CIA has broken Signal and WhatsApp. But that’s not true:

It’s that second sentence that’s vital here: It’s not that the encryption on Signal, WhatsApp (which uses the same encryption protocol as Signal), or Telegram has been broken, it’s that the CIA may have a way to break into Android devices that are using Signal and other encrypted messaging apps, and thus be able to see what users are typing and reading before it becomes encrypted.

There is a significant difference between breaking the encryption protocol used by a secure messaging app and breaking into the underlying operating system. The first would allow the CIA to sit in the middle of Signal or WhatsApp connections, collect packets being sent to and from Signal and WhatsApp clients, decrypt the packets, and read the contents. This would allow the CIA to potentially surveil every WhatsApp and Signal user. The second would allow the CIA to target individual devices, compromise the operating system, and surveil everything the user is doing on that device. Not only would this compromise the security of Signal and WhatsApp, it would also compromise the security of virtual private networks, Tor, PGP, and every other application running on the device. But the attack would only allow the CIA to surveil specific targeted users, not every single user of an app.

The devil is in the details and a lot of random Internet denizens and journalists are getting the details wrong. It’s going to take time for people with actual technical know-how to dig through the archive and report on the information they find. Until then, don’t panic.

Written by Christopher Burg

March 8th, 2017 at 11:00 am

CryptoPartyMN Meeting Tonight

I don’t have a lot of material for you today since I was busy prepping for tonight’s CryptoPartyMN meeting.

Tonight we’ll be discussing how cryptography can be used to defend against phishing scams. Everybody is welcome. We’re meeting at Rudolphs Bar-B-Que at 6:30 pm.

Written by Christopher Burg

February 7th, 2017 at 10:00 am

Posted in Events
