Eric S Johnson
crates at oneotaslopes.org
Fri Oct 26 20:07:15 PDT 2012
Whew. Stirred up a hornet's nest.

We all have good experiences to share. I worry, though, that if we spend a
huge amount of time fighting each other, we'll not be spending that time
helping the people who really need it. None of us actually disagree with
each other on whether an activist in a cyberdangerous country should be
using a government-managed VPN. We all know about MITMing, and FinFisher,
and OpenVPN, etc. etc. etc.

The most important point I think worth making is that it's really important
to a) understand the threat, and b) prioritise the response.

There are so many threats that if we try to solve all problems (both known
and theoretical), most end users simply won't accomplish much (not to
mention that our resources are limited). I can't count the number of times I
find an activist in Ethiopia, Uzbekistan, or Vietnam who's still accessing
her @yahoo.com e-mail account unencryptedly, even after having been to a
cybersecurity seminar one of us taught. Or whose OS hasn't been patched
since it was installed two years ago. Or whose entirely-unencrypted hard
drive has been taken.

So we (and those who depend on our help) are hugely benefitted by tallying
up how much/often we know a particular threat has been used to persecute
someone, and then focusing our efforts on solving that threat first ... then
solving the next-most-dangerous threat ... etc.

My main point about VPNs was that (in my experience) I know of no
situation in which we've learned that it was a government-owned VPN which
caused an activist's compromise, but I do know of lots of situations in
which the compromise resulted from lack of endpoint security or the physical
loss of unencrypted media, and some in which data were intercepted in-line.
So these latter are deserving of more attention on the part of cybersecurity

As to "99.9% of VPN users are principally looking for
cybercircumvention"--nope, no statistical proof. Just lots of real-life
experience (which is in no way minimizing the experience of everyone else on
More information about the liberationtech