Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Here Come the Encryption Apps

Rich Kulawiec rsk at gsp.org
Fri Mar 15 09:22:49 PDT 2013


On Sun, Mar 10, 2013 at 10:29:44AM +0700, Nathan of Guardian wrote:
> Glad to see such a great level of academic investigation and discourse
> coming out of this esteemed university.

I'll give him a pass on rigor, as this is an informal article and not
intended to be a journal paper.  (Besides, I write in the same style
most of the time.)  But when he asks:

	"What app should I use if I'm trying to overthrow my government?"

I think he completely misses the point.  I think a much more fundamental
question is: 

	"Should I use ANY app?"

My answer to that is no.  In fact: HELL NO.  "Using a smartphone"
strikes me as one of the most dangerous things you could possibly
do in that situation.

Yes...I know that's not a happy statement and is likely to be unpopular
here, but let me see if I can manage to back it up.

First, if you have a government that is so awful that the only alternative
left is overthrowing it, then they control the telco.  Therefore everyone
walking around with a smartphone is providing them with a 24x7 feed of
geolocation data, to the resolution available. (And that can be selectively
improved in locations of interest.)

Second, everyone using a smartphone is providing them data for traffic
analysis.  Oh, sure, it might be encrypted, but if X sends a 27313 byte
message and shortly thereafter Y and Z get a 27313 byte message...

Third, everyone using a smartphone and transmitting/receiving IP traffic
is also providing them information about their intentions, Tor and VPNs
and HTTPS notwithstanding. ("Oh, look: every night, right after the
protests die down for the evening, X sends 300-400M of traffic out.
Gosh...I wonder what that is.")

Fourth, malware on phones is epidemic.  One might have a fighting
chance of stopping it if the phones are centrally managed and strictly
controlled (no downloading of apps, no "updates", only a few web sites
accessible, etc.) but few have the knowledge, resources and discpline
to do that.  Plus "centrally managed" is not exactly the best idea
in this context.  And of course any government faced with this threat
will probably write and release more malware.  Any government that
*thinks* they might be faced with this threat in the future could
plan ahead and embed the malware in the phones somewhere in the supply
chain prior to retail sales.

(I would.  If I were the dictator of Elbonia, I'd be embedding
malware in *every* shiny gadget because of course their closed-source
nature makes it easy for me to do so.  This would constitute an
inexpensive insurance policy -- actually, now that I think about it,
I could probably just pass the costs along to purchasers and thus get
them to fund my malware.  I'd label it as "a feature" or as some sort
of network performance/diagnostic tool.  *cough* CarrierIQ *cough*)

Fifth, it's pretty easy to shut down the cellular network.  Yes, this
might have political and economic consequences.  So?  It's still not a
good idea to use a communications medium that your adversary can turn
off at will.  (Let me note that it's not even necessary to shut it
down entirely: local/temporary disruptions suffice and are easier to
explain away.  As we've seen.)

Sixth, and let me encapsulate it as a principle:

	If you need a GUI to overthrow your government...
	you're probably not going to overthrow your government.

That's harsh, condescending, snarky...but I think it's probably true.
Sorry: revolution is hard.  And if you're faced with an oppressive,
vicious, murderous government that's fighting for its existence,
I assure you that they will have people at *their* disposal who don't
need a GUI to do whatever horrible things they have in mind.

---rsk



More information about the liberationtech mailing list