Technology for a better world • 23 March 2012 • The SnowBlog
Technology for a better world
Have you noticed how much the topics of privacy, secrecy, surveillance, leaks, spying, censorship and the role played by social media in uprisings have been in the news lately? Tunisia, Egypt, Libya, Syria and Yemen have pitted their ability to censor criticism and suppress online dissent against the ability of disgruntled citizens to share what they know and what they plan to do about it.
And yet if you were to attend a conference of bleeding-edge security experts like, say, the Chaos Communication Congress (CCC) in Berlin, you might be horrified to find just how insecure all modern communication is. (Note: CCC is the kind of conference that's full of brilliant girls and guys with piercings and tattoos who know what they're talking about, not the kind with guys in suits offering to sell you a new firewall-in-a-box.)
Even if you're not that technically-minded you might like to scare yourself a little by watching one of CCC's presentations on, say, how easy it is for someone to clone your mobile phone's ID as you walk down the street, and then to intercept your calls or pretend to be you (link). Police forces routinely track citizens via their mobiles - and in some places they set up their own temporary cell phone towers to give them greater access - which extends not just to the supposed bad guy's communications, but everyone whose phone is captured by that tower. At home that's troubling, in some parts of the world you'd have no way of knowing whether your calls home or to your office were now a matter of record at the local Ministry of Truth. Elsewhere in the CCC archives you could find out about the newly discovered vulnerability of HP printers. Everyone has a big old LaserJet in their office but until recently no one really thought about the fact that each one was in a effect a little computer on their network, with no anti-virus software and no firewall, no password required or monitoring in place, doing pretty much whatever it was told by anyone on the LAN. That's vaguely worrying, but it becomes seriously troubling when you look at how easy it is to secretly change the firmware that runs on those printers. For eminently practical reasons from a simpler time, HP lets you just send a special print job to the printer in order to upgrade the software it's running - and it doesn't mind much where that print job comes from. So imagine someone sends in a job application to a big firm and includes a copy of their CV attached to which is a malicious firmware upgrade hidden in the same file. The HR department prints out the CV and now their printer is running hacked software. That printer can now call out through their firewall (much easier than getting in from the outside) and act as a relay for whatever an attacker wants to get up to on the company's network. Farfetched, you might say, but you can watch a demo of it in action right here.
In repressive regimes we see the other side of the coin. There are a number of Western firms who use their knowledge of network vulnerabilities to make surveillance equipment which then ends up in the hands of dictatorships where it's used to spy on restless citizens. Sometimes the manufacturer's excuse is that they sold the equipment to third-parties who then sold it on; at other times no excuse is offered. But you can imagine how dispiriting it is for, say, Syrian activists to read President Obama's words that "
...what the Syrian regime is doing is unacceptable." (source) and then to discover the equipment that's used to spy on and capture them is made in California (source).
And it's not just those who live under dictatorships who have to worry; so do those who simply want to report on them. Western journalists can get to almost any trouble-spot on the planet these days and they can file stories with their editors back home over satellite phones that will work almost anywhere. But it turns out - you won't be surprised to hear - that many of those satellite phones are totally insecure. Some even broadcast the user's exact GPS location in an unencrypted transmission that can be intercepted by someone with the right equipment. Which is probably how awesome veteran journalist Marie Colvin and her colleague Rémi Ochlik of the Sunday Times came to be killed a few weeks ago in Syria: the Syrian Army knew exactly where they were phoning in their revealing reports from.
We live in a world where some innocent-seeming decision that some programmer took about where to store a piece of data resulted - indirectly - in two journalists being blown to bits. When you trust your life to technology the tiniest technical details matter - and most of us know nothing about that.
The list of countries who still don't choose their leaders in free elections is a long one - and it's likely that most of them put a lot of effort into spying on those citizens who are most likely to push for democracy. Helping those who are prepared to risk their lives so that their community can live free is clearly something we want to support. And I personally think there are better ways to do that than by invading the country in question.
One such way is to support the TOR Project. They make The Onion Router (=TOR) which is nothing to do with the satirical magazine The Onion and everything to do with letting oppressed citizens use the web without every word they type ending up in an intelligence dossier somewhere. By disguising web traffic and bouncing page requests between multiple 'relay nodes', TOR makes it difficult for repressive authorities to identify those they would most like to 'disappear'. If you want a really fascinating and rather moving account of the cat-and-mouse game played between the TOR architects and the dictatorships keen to break through TOR's protection so that they can get their hands on the activists it hides, then go here.
You can donate to TOR, you can run a TOR node to help others use the web in safety, or you can download a copy for yourself. Even if you don't think the government are spying on you, a simple thing like placing an Amazon order while you're using the WiFi in some random coffee shop could leave your credit card details in the wrong hands. TOR can keep you safe (though there are some gotchas you must avoid - details here).
TOR always has the problem that the channels they are trying to protect run over the public internet. It's a constant battle to hide vulnerable users when a repressive authority owns the physical infrastructure. That's part of why another project, the Briar initiative, has come into being. They're developing tools to help democracy activists in un-democratic places use secure local connections to talk to each other while keeping Big Brother out of the loop. By making local links between laptops and smartphones, which make use of chains of trust among activists, those in danger of a visit from the secret police can keep many of their most sensitive communications off the internet altogether.
It's not difficult for me to imagine a single project like TOR or Briar changing the world for the better beyond anything an invasion, diplomacy or embargoes can achieve. After all, dictators always enjoy minority support - otherwise they wouldn't need to be dictators. They stay in power by stopping their opponents from organising (or from drawing breath in many cases). Technology like TOR's, and soon Briar's, can help to give the majority their power back.
Briar are currently looking for funding from the Knight News Challenge, and I really hope their project is chosen.
Without getting on my high horse about it, the recent U.S. invasions have cost $3 trillion (source) and left two countries in ruins. A few hundred thousand dollars to support the right projects could bring about much better outcomes by helping countries in similar situations rescue themselves. That's value for money.