Sunday Post on Crypto, Trust, and Political Action on the Web — Outsourced to David P. Reed

I’m a lurker (mostly) on a listserv for MIT’s Center for Future Civic Media (C4), which pops up some fascinating discussions about news, social networking, and political life on and through the web.

Recently, there was a flurry of posts on the announcement from the Haystack that work on the system designed to encrypt and obscure the source of internet communications in Iran had halted.

That announcement was followed by the effective end of the project, which had aimed at providing political dissidents secure ways to communicate.

That sequence of events led to considerable back and forth among the C4 community, in part looking at the perennial problem of hype in the tech/software world outpacing reality.

The more significant strand to the convesation (it seemed to me) focused on something else: the underlying issue of whether or not it is possible to produce a genuinely secure set-up that could enable the kind of sunlight the Iranian dissidents sought (and needed) and their supporters outside Iran hoped to provide.

That’s something of obvious (again, to me) importance, especially in the context of the broad privacy-for-connection trade-off we are all committing ourselves to these days.

In that vein, MIT (and much elsewhere besides) computer scientist  David Reed weighed in with the crucial observation, which he kindly gave me permission to post below.

The shorter, just to get you going: computer/information security depends on two factors: the technical/technological and the human.  The strength or lack thereof of one factor does not alter the qualities of the other.  Therefore, no technological approach to information security (on which, in the Iranian case and many besides, lives depend) can provide genuine safety.

Key quote (from David’s conclusion):

Here’s the problem, then: we can’t even *talk about* the technology clearly, because we want to impute properties of perfection, goodness, morality, etc. to it.

And now to the whole thing:

Poking around a bit more on the [Haystack] controversy, let me suggest that it has roots back to (the original “Swedish” anonymous remailer).  I (not so publicly) questioned crypto-activist friends promoting at the time regarding their promotion of use of that service, given that their was no way they could *personally* assure us that was not a trap placed carefully by one or more government or quasi-government agencies.

The response I got was that it was based on public key crypto, and the guy operating it was a “good guy”.

In other words – the crypto (which was undoubtedly strong, and open source) and the “goodness” of the guy were given equal weight, and both had to be working to ensure privacy of communications.  Despite most of these friends, who were well-known political activists, never having met this guy personally!

Here’s the problem, as I mentioned in part in my invited talk at USENIX Security this year:

Humans are prone to the “fallacy of composition”.  That is, there are certain properties of systems that don’t pass from the parts to the whole.  (the parts may all have X, but the system as a whole does not, OR the system as a whole can have X, when none of the parts have X).  Yet it is common for the brain to reason: “because one or more of the parts have X, the whole has X”.

Security is a set of qualities that are not composable.  They just aren’t.

We buy into the fallacy of composition because we (Hilary Clinton, the press, …) want to believe that we can fix a problem merely by using some wonderful “part” – in this case Haystack.

So where I’m going with this is that perhaps before we start trying to find “blame” in this hype-fest, we start by asking the question:
is it possible for someone to supply “security” in the form of an Internet service OF ANY KIND (open source or not, tested or not) that meets the goals?

Because security is not composable, the answer is NO.

So why are we beating up Haystack?  It can’t do the job, and one can tell just by looking at it from the outside – recognizing that any such system entails the fallacy of composition in many, many ways.

Is Tor better?  Not really.  If it had been reported like Haystack, it probably would have been “exposed” in the same way to have weaknesses that are honestly expressed by its own developers.  Would the developers have succumbed to the temptation to provide the “money quotes” supporting the hype?

What if Tor had been used by Iranian dissidents?   Given the weaknesses, surely they were putting their lives at risk due to its weaknesses, just as if Haystack were used.

I’d suggest that there is very little light, and a lot of heat, in the blogosphere and the press about this technology-centric view of political action.

There’s something broken in a world where someone can say with a straight face the phrase “liberation technology”!   Technology cannot be measured in that dimension in general, and if we are talking about the “fallacy of composition”, it applies hugely to the dimension of “liberty” (which has become a right-wing word) or “liberation” (the left-wing word).

Here’s the problem, then: we can’t even *talk about* the technology clearly, because we want to impute properties of perfection, goodness, morality, etc. to it.

To put all this another way, there is an old spook joke about secrecy and security:

How can you tell if a secret is safe?  If only two people know it…

…And one of them is dead.

My thanks to David for his willingness to share these thoughts to an audience beyond the C4 gang.

Image:  Henri Regnault, “The Spy,” 1880.

Explore posts in the same categories: Middle East, quis custodiet ipsos custodes, Sharp thinking, Technology, tyranny, Uncategorized

Tags: , , , , , , ,

You can comment below, or link to this permanent URL from your own site.

3 Comments on “Sunday Post on Crypto, Trust, and Political Action on the Web — Outsourced to David P. Reed”

  1. Jim Says:

    May I humbly suggest that you apply the same level of rigor in your criticism of those with whom you agree as those whom you do not? Unless you have quoted Reed out of context, he does not know WTF he is talking about regarding TOR v. Haystack. His larger points about security are well taken, but there is a world of difference between the two. Haystack was classic security snake oil. TOR OTOH, is a model of how security products should be created. Reed is drawing a false equivalence between TOR and Haystack based on the absurd notion that a weakness or strength of a security product doesn’t exist until it’s hyped in the press. Haystack was a black box that had and has totally unknown security qualities. TOR strengths and weaknesses are pretty much as well known as can be made with current state of the art. It’s not at all clear that being hyped would discover any significant holes as he predicts, because the people with the expertise and incentive to do so already know about TOR. TOR is in fact much better by any measure recognized by someone with a passing familiarity with subject. For all I know Reed may otherwise be expert in the subject but just let his rhetoric get away from him in support of the point he was trying to make.

    (For support of why the “open” approach used by TOR is objectively better, you could ask any cryptology expert, but I highly recommend Bruce Scheier’s blog as he writes effectively for intelligent layman).

    Cheers, and keep up the McArdle beatings until her work improves.😉

    • Tom Says:

      Jim —

      Thanks for reading, and taking the time to write a detailed response.

      To the last point — I don’t think that McArdle’s work is going to improve; that misses her raison d’etre. I see my role as making sure that her circle of influence shrinks. But thanks for the encouragement.

      As to your larger concern. I’m really concerned with broadcasting the broad point that the internet is not truly secure for most users. (Individual computers aren’t either, but that’s a different story.)

      A couple of points: first, David’s remarks are not out of context, I hope — though he can certainly weigh in on that. In any event, the passage above is the complete text of the message he wrote at that point in what would become a long thread on the Haystack collapse.

      To David’s point — I don’t think the crux of the argument is that TOR is the same as Haystack in every detail; rather it is that no security solution, no matter how formally perfect its design, solves the human factors problem, and it is in that sense that TOR and Haystack share a point of vulnerability. Again, David may frame his argument differently, or I may have misunderstood him, but that’s the point I hope to disseminate as broadly as possible, which I think is the one with which you concur:

      There are no purely technological solutions to the question of trust.

      Again, my thanks for your response — and I’ll be interested to see the conversation advance.

  2. JakeR Says:

    Not quite, Siegfried. The source of the spooks’ aphorism is none other than our greatest scientist 225 years back, one Benjamin Franklin, who observed, “Three can keep a secret if two [sic] of them be dead.”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: