Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Jacob Appelbaum's Ultrasurf Report

Jacob Appelbaum jacob at appelbaum.net
Fri Apr 20 12:40:09 PDT 2012


Hi Catherine,

On 04/19/2012 03:16 PM, Catherine Fitzpatrick wrote:
> Jacob Appelbaum's agenda doesn't seem to be entirely altruistic here
> with this Ultrasurf report.
> 

Where did I claim altruism? I am auditing tools that claim to be
perfectly anonymous because it benefits everyone to have honesty and
truth in advertisement for our community of tools.

I did however invest, as Ultrasurf acknowledged, a great deal of time in
disclosure to Ultrasurf. I also invested a great deal of time in making
positive suggestions, which were largely accepted by UltraReach. I hope
you'll note that the language on their website is drastically different
today if you compare it to the text on their website from a year ago.

Honesty in advertisement is important information that helps users to
make an informed decision and to ensure that Government funded projects
at least attempting to be honest in how they sell themselves to their users.

> There's a lot going on -- first, there's the desire of him (and his
> supporters) to attack the US government and "DC Lobbyists" merely for
> what they are, which is a hated government with a disliked Internet
> Freedom program, which has put him under investigation for his
> involvement in WikiLeaks (his buddies at the State Department
> notwithstanding). 


This is nonsense. Not only do you have it all wrong, you're actually
just out of your depth. It shows.

I am not attacking the US government. To be quite honest, I gave this
report to those around DC that asked - this includes people at State,
BBG and of course, Ultrasurf - well before the report was released to
the public. I did this to ensure that we could broker a discussion with
Ultrasurf to ensure that Ultrasurf felt we were coordinating and being
responsible.

I did not give this to the Chinese or Iranian or Syrian governments nor
any of their agents or anyone that I felt would do Ultrasurf harm or
attempt to attack their users.

I actually rather like the Internet Freedom program, it's not perfect
but it's pretty good! So again - you think you know what I think but
you're mistaken.

> Second, there's the desire to attack any competitor
> of Tor, especially a competitor that adheres to the idea of
> proprietary versus open source software. These are religious
> matters.

Surely you don't suggest that for proprietary or open tools it is
reasonable to never have a third party security audit?

There is no competitor to the Tor Project in the field of online
anonymity. There are charlitants who claim to be perfectly anonymous and
untraceable - as we see with Ultrasurf - they do not live up to their
advertised claims.  You conflate Free and Open source software with peer
review, which is understandable but a very serious mistake to make.

If you suggest that peer review is a religous matter, I think you're
making an even bigger mistake. Do you realize that there has been *no*
peer review - even by funders of the tool? None. Zero. This is changing
now and that is because of my peer review of their claims. I have even
offered to help them and have given them a large amount of time in the
last six months because I want them to improve.

The fact that they are closed source presents them with a serious
problem and I'd love to hear your suggestions for a solution with it. It
appears that some governments, such as Syria and likely China release
backdoored versions of software. I have some samples of a common tool
which appear to have such a backdoor. AV software sometimes
automatically classifies Ultrasurf as malware. This is usually a
mistake. However - what happens when it actually includes malware *and*
it actually has something wrong with it? Say because it has been
tampered with in transit or an attacker, such as the Chinese, compromise
the download servers?

One solution is to offer source code and for trusted users in a
community to review them, and to ensure that any changes make sense or
fit with the established norms of the system. It's also possible to look
at copies of the program in every linux distribution, every released
copy on software mirrors and other places to compare with the expected
result.

Another solution is to offer digital signatures - this is something that
is now happening because of my report. The downside is that China and
the Stuxnet authors both clearly have the ability to falsify the
selected digital signature method selected by Ultrasurf.

So - again, we see no peer review and no safe method of verification.
I'd love to see you solve those problems and while Open and Free
software doesn't solve it all, I think it gets us a lot closer.

So do please offer suggestions and try not to punt.

> 
> In other words, when a person who runs a competing open-source
> software solution, who has his reputation largely wrapped in it, goes
> and publicly attacks a proprietary software solution as inferior and
> even harmful, and attacks a software used by a government that has
> him under investigation, it's ok to question where he is going with
> this.
> 

The facts stand for themselves. You're unable to evaluate those facts
and as a result, you simply, as usual, attack me. I mean, you're
welcome, I think the solution to "bad" speech is more speech.

> There is the added dimension of the pornography issue -- Appelbaum's
> slam on Ultrasurf for blocking porn distracts from the fact that Tor
> is notoriously used for viewing pornography, including illegal child
> pornography.


Do you have proof that Ultrasurf blocks Child Porn Catherine? I suspect
the answer is no - which well, I think that's because the answer is no.

The fact of the matter is that they block access to legal US
enterprises. I think that government funded services have a duty of care
not to restrict access to legal US businesses - this is why I am against
Amtrak censoring the internet - don't censor with public money.

In any case - just to settle this issue - members of police forces
around the world use Tor, as does the Internet Watch Foundation, to hunt
for Child Porn - they need anonymity, so that they can find the bad guys.


Do you have another suggestion for an anonymity solution that is good
enough for the Internet Watch Foundation to catch sexual predators? I
bet they'd love to hear it and most of all, I'm certain this list would
be interested in such a solution.

Frankly, I think that the good outweighs the bad in this case and I'd
encourage you to admit that you don't actually know the whole story.

> And there's the fact that Appelbaum has published his
> critique just as yet another criminal case involving the use of Tor
> for illegal drug sales is being publicized:
> 
> http://www.justice.gov/usao/cac/Pressroom/2012/045.html

I had no knowledge of this press release from the Justice department nor
would anyone else, I imagine. It's pretty ridiculous to suggest that I
timed the release of my report in response to that DoJ press release.

When I met them in December, we agreed upon a ninety day time frame for
release of the report. The report was originally scheduled for release a
month ago but Ultrasurf asked for more time. I planned the release for
Monday the 16th of April as a firm deadline and they were well aware of
it before publication.

> 
> There is no reason to take his concerns public, as the notion that
> "users need to be warned" isn't sufficient, as most users couldn't
> read a blog in English anyway, and most users don't care about
> anonymity, which they lost to their ISP anyway. They care about
> trying to access blocked sites, and perfection in this effort isn't
> required.

I disagree with you very strongly and many others in the computer
security field, as well as other fields, believe that sunlight is a good
way to solve problems.

This report, as I understand it, has or will been translated into other
languages for the benefit of non-English speaking users.

I think you may be right about "most users don't care about anonymity"
but I'd like you to tell us all - if you claim as a human rights worker
that you won't disclose a report but you actually do disclose it against
their wishes - have you done something wrong? Is honesty in
advertisement important? I think it is very important and as long as
they claim to be anonymous and an anonymity service, I'd ask you to
consider what you're claiming to be irrelevant. The issue is that they
_claim_ to be an anonymity service - it has nothing to do with your
projections of a user, which are speculative at best.

> 
> So this report seems a hostile, politically-motivated attack on his
> part.
> 

Only if you disregard the fact that I have worked closely with them
until I felt they were stalling me and not fixing issues that needed to
be fixed. They sure are working hard to fix those issues now - after
nearly four months of dragging their feet - I think that's a good thing.

> What's important in the fight for Internet freedom are the following
> principles of non-coercion:
> 
> o no one should be forced or brow-beaten into using open-source
> software; proprietary software is ok to use. If your opensource
> software is demonstrably better, it will sell itself without you
> having to artificially level the playing field with constant
> ideological attacks

We disagree about Free Software in this field and that is OK. In the
area of anonymity and security, I think that we must have tools that
regardless of their license, are open for review and verification. That
is why Free and Open source software is on the table. It makes it easier
and frankly, possible, to review claims.

I'm not forcing or brow-beating anyone. I presented a paper with some
serious concerns, I worked with Ultrasurf to correct a number of the
most serious, and I have encouraged further third party review to
improve their system.

If that's brow-beating - what is your email where you directly attack
me? It seems a bit duplicitous at the very least and it reeks of
political attacks against me for my associations that you despise.

> 
> o no one who produces proprietary software solutions should be
> bullied into having to discuss their flaws openly or be forcibly
> outed as to their flaws;

You keep saying that I'm a bully but you fail to acknowledge that I
worked with Ultrasurf, flying to another state to meet with them,
disclosing the report to them privately and so on.

There was no bullying.

> it merely helps give ideas to authoritarian
> governments and doesn't really help users.
> 

Do you have evidence for your assertion here? I'm guessing "no" but I'd
like to know. Yes? No?


> o if you don't like proprietary software, you don't have to wage a
> jihad against it, you can make your own opensource software that is
> supposedly better
> 

It's not hard to do that and many people have done so.

> o pluralism is the best defense against authoritarianism, not
> everyone being forced to go to "the best" circumvention tool or "the
> ISP that secures your privacy". It's precisely when the market is
> open with a variety of options that authoritarian is undermined
> 

It's nice that we actually, for once, agree. Pluralism in design choices
is absolutely required. It is an example of how a free market may work
in a practical sense and I support that concept entirely.

Security researchers who test claims are serving as a correction to
overvalued ideas or solutions in the market.

> o software does not have to be perfect to largely achieve its goal --
> 1/99 binary thinking is a killer of freedom

There is no perfect software but there are those who claim perfection
without acknowledging their imperfections. That is a real problem.

> 
> o people have the right to be wrong about software -- an open society
> requires that right to be wrong and to float contrary hypotheses even
> if they are incorrect, politically or otherwise
> 

I agree. I also have the right to show the world that there is something
wrong with that very software.

> o you don't have to be technically capable to criticize software that
> profoundly influences all of us as we increasingly move our lives on
> line.
> 

You're right - you don't have to be literate in a field of specific
interest to criticize it. However, it sure would help if you
acknowledged that Ultrasurf's designated enemy is however quite literate
on the subject matter.

Today someone pointed me at this report authored by an academic in China:


https://www.scribd.com/doc/90338145/UltraSurf-analysis-by-Zhang-Lei-in-Chinese

> My thoughts:
> 
> 
> http://3dblogger.typepad.com/wired_state/2012/04/jacob-appelbaums-obfuscation-about-circumvention.html
>

Thanks for your thoughts - I hope you'll address each of my points and
try to be constructive.

It's been a pleasure,
Jacob



More information about the liberationtech mailing list