The Crypto Project Revives Cypherpunk Ethic 77
Trailrunner7 writes "When a small group of activists announced the debut of The Crypto Project earlier this year, for many, ahem, mature, security and privacy advocates it brought to mind memories of the original cypherpunk movement that began in the 1990s and that group's seminal efforts to encourage the use of strong cryptography and anonymity online, as well as its successes and failures. The two groups are not allied by anything other than ideology, but The Crypto Project's leaders are aiming to follow in the footsteps of the cypherpunks, build on their accomplishments and make security and privacy tools freely available to the masses. The group is working on a number of projects right now, including setting up an anonymous remailer, putting up a Convergence notary and setting up a Tahoe-LAFS grid. Threatpost has an interview with Sir Valiance, one of the leaders of the project, who talks about the need for better privacy and anonymity online and why the cypherpunks are still important today."
Privacy and anonymity online... (Score:1, Interesting)
That will never be possible when you're on their wire. never never never... The entire concept is absurd.
Re:Privacy and anonymity online... (Score:5, Interesting)
The whole point of encryption is making it so that sending your stuff over somebody else's wire doesn't let them know what it is.
As for anonymity, there are ways for that as well, like what Tor does.
True, the owner of the wire has quite a lot of control, but to truly make encryption and Tor impossible would mean changing the way the net works so radically that it would become a lot less useful. And then people will come up with some way around that, like adhoc wifi networks or something of that sort.
Re:Privacy and anonymity online... (Score:4, Interesting)
I'm not so sure about that. There is no end to the layers of obfuscation and detection which leads to an arms-race where (for short periods) anonymity and privacy are theoretically (and for those committed enough, practically) possible.
However as far as arms-races go, I believe this one is asymmetric. It eventually has only one solution (for the state): outlaw encryption.
But that's unnecessary (Score:5, Interesting)
to truly make encryption and Tor impossible would mean changing the way the net works so radically that it would become a lot less useful.
Ah, but to defeat Tor or encryption, it doesn't have to be made impossible - it just has to be made so as to be not trustworthy. So let's say a friendly agency captured a few (or more) Tor nodes, and co-opted a few root certificates (ahem, Iran). These tools don't have to be defeated 100% of the time, they just have to be defeated in principle for them to crumble.
It's sort of like privacy terrorism - the targets are largely symbolic rather than practical, and the goal is to instill fear rather than defeat in a straightforward manner.
And then people will come up with some way around that, like adhoc wifi networks or something of that sort.
Which, I fear, would allow even easier avenue of attack for certain organizations who like to do that. Anything ad-hoc has to be able to find a way to trust something it's never met before (by definition). That's prone to attack too. There are advantages and weaknesses to both centralization and decentralization.
Re:Privacy and anonymity online... (Score:4, Interesting)
True, the owner of the wire has quite a lot of control, but to truly make encryption and Tor impossible would mean changing the way the net works so radically that it would become a lot less useful.
Whishful thinking. How many people do you know personally that run a Tor exit node? How many of them would you consider 100% trustworthy? Compromised exit nodes offer a lot of possibilities: browser ID'ing, code injection, traffic analysis. How about the programs you run over Tor. Are you 100% sure they don't leak private information? Have you checked their source code and internet protocols? What about the endpoints? Are they secure? Do they use SSL? Which SSL encryption do they use, super-secure RC4 like Google search? Can you be identified from your browsing behavior?
Agencies like the NSA have the expertise, the money, and the infrastructure to own the majority of exit nodes. Not only that, if they wanted to and got the funding, they could easily own the majority of all Tor nodes. I'm not saying that they do or that you should assume they do (they might not have an incentive, as they are probably already drowning more valuable data), but that you shouldn't rely on Tor's anonymity too much.
Moreover, bear in mind what others have already pointed out. There are many dirty tricks to undermine the trustworthiness of projects, especially since it's highly likely that many private crypto implementors are on the secret payroll of some government. Take e.g. a look at Wikileaks for the results of such campaigns.
However, if a government wants to get rid of Tor officially there is a much easier way. They just prohibit it and that's it. Use of Tor is easy to identify. The same for encryption in general. Or you just make it illegal not to give away the password to authorities when they want it like in the fascist UK.
Re:Privacy and anonymity online... (Score:4, Interesting)
You're not supposed to trust a Tor exit node. Every Tor instruction I've seen mentions that you should use an anonymizing proxy to erase the things that allow browser IDing.
For leaking private information, there exist programs that monitor traffic and tell you when for instance DNS requests are made without going through Tor.
Yes, getting all this right is certainly tricky. But it's not a new idea, and countermeasures for untrustworthy exit nodes are already in place.
But that's where what I said about making the internet less useful comes in. Yes, the government can forbid encryption. But what about the countless VPNs used by foreign companies, internet banking and shopping, the myriad of old or embedded systems that automatically do encrypted transfers, the encryption built into operating systems?
In some backward third world country that might be possible, but anywhere else such a thing would carry a very high cost attached.
Then if it still happens, people will figure out how to transfer data in a hidden way.