Crypto fallacies

This post is a follow-up on what I tweeted yesterday – hours before the constitutional council gave its approval to the new French Intelligence bill. First tweet is here.

Where I come from

Before writing this article, I think it’s important to give some context about what I’ve done the last few years.

So, before joining the Telecomix Crypto Munitions Bureau and #telekompaketet, I wasn’t that much into security and crypto. I learned that late, and with some specific goals in mind – I’ll come back to that later. I was a mercenary sysadmin, working for anyone willing to pay me to maintain their systems.

I didn’t understand the difference between free software and open source back then, nor was I aware of a lot of issues in the world. I was looking at it through my small internet periscope visor. Most of the news I was reading back then was tied to computers, video games and – to some extent – foreign diplomacy.

Not the mainstream media, but not much better. I worked for the government and the police – I maintained the fingerprint database used by cops and sold by the former Sagem – now known as Morpho XL. I worked for one of the traditionalist newspapers. For startups trying to build customer profiles, and for senders of millions of mails.

But I was reading those few news. I was joining Twitter (2009 … damn, that’s already 6 years?) and already having fights with people jumping on the Facebook boat.

Because what was clear for me was that my privacy should be kept under my own personal control, not under the control of anyone or anything else. I have always been shy about sharing data over public and free networks that will track you in the end.

I got this habit of watching for my privacy since high school. I accessed the internet for the first time at that time. And at home we even had high-speed internet (512 Mbps in 1997; I was part of the 31337, not chasing those AOL 50h-of-free-internet CD-ROMs).

I got this habit not because of the teaching of someone, but because of my father. See, my father wasn’t an abusive one. He was kinda distant, avoiding me, but he was not an abusive one. At the time we had internet, and when I discovered some of the endless possibilities of computers being connected to each other, I also learned that my father was a paedophile. He has been convicted for that. Twice. At least the second time it was related to possession of pictures from the internet.

Yep, that’s about how I learned how important it was to understand how things work and why it was paramount to protect your privacy. Because cops would break into your house and seize your hardware for the sole reason of you living in the same house as a sexual offender.

So, everything started there for me. Since then I have always had a fully encrypted drive, I’ve used the privacy mode in my browser as much as I could, I learned to delete cookies and the Internet cache on a lot of browsers (from Netscape Navigator and Mosaic to Chrome to Internet Explorer 6).

This is when I started caring about the law on computers and communication. And censorship. I did not really get a grasp of what politics were, but still, I was keeping an eye on it.

Got a degree in computer science and got working, trying to earn my independence and to get out of my parents’ house – almost 20 years later I still can’t speak to my father and yes, it’s part of the reason I’m severely depressed – and so on.

We’re now in 2009, end of the year, and I’m bored at work. There is a lot of signal coming from Tunisia that things are getting ugly there. That’s when I started to act for someone other than myself.

I was self-hosted, so I had space. And root access to my servers. Slim Amamou was interviewed in some media I was reading (can’t remember if it was Read Write Web fr or the blog of Jean-Marc Manach, not really important I guess). And some people were doing mirrors of censored blogs in Tunisia.

I was bored, I did know bash, so I scripted some things to help. When someone figured out that the ATI was dropping the SSL around Facebook to catch logins and passwords, I wrote a one-liner that could generate gigabytes of fake passwords for a specific account.

And someone told me to join IRC, and I hadn’t fired up an IRC client since the 2000s, so it felt a bit odd, but then a lot of things changed for me, starting with the immolation of Mohamed Bouazizi, the Egyptian revolution and the Syrian civil massacre.

During those last five years I developed my security and crypto skills, and tried to train activists who needed it to communicate. I’ve quit my job and worked for an NGO for nearly a year and a half, burning myself out again and again to the point of severe anxiety disorder and depression, which, mixed with my attention disorder, doesn’t go well.

So this is where I come from. I hope that it will help you to understand what I’m going to say next, and why.

Crypto fallacies

The crypto fallacy is to think that your freedom relies on the tool you use. That, if you use the correct tools, in the way they’re intended to be used, then you have nothing to fear from an oppressive regime.

It’s false, first because IT security on general computing is a disaster – and I’m not sure it can be fixed anytime soon – but most of all it’s false because you’re opposing an oppressive regime.

If you’re not actively opposing an oppressive regime, you’re silently accepting it and then you’re an accomplice. So, you’re opposing an oppressive regime. An oppressive regime has one specific characteristic: it uses arbitrary detention and arrest to spread terror and keep things under control. And no amount of crypto can fight that.

I’ve seen kill lists in Syria, written with a carbon pen on a piece of paper. Based on denunciation by neighbors, assumptions by people, or just because people did not live at the correct address. I’ve seen people getting shot for no other reason than their skin color, or the way they were dressed.

But most of all, I’ve seen people getting arrested, tortured and shot at because they were protesting in the street. And that’s the thing cryptonerds need to understand. In the end, the purpose of an activist is to get in the street, to oppose – violently – the state, and end up in jail (in the best case scenario). The crypto, or the tech gizmo you can provide them with, won’t prevent that.

Also, if your freedom relies on a specific piece of tech, or a specific piece of knowledge, it means that each and every person who has no access to it can’t be free. Which raises an issue that I have not seen addressed by the most vocal voices among the OpSec-for-activists people. Sure, you can do IT training in Mali, but when you have power outages several hours a day and when the temperature frequently rises above 40°C, most of our tech is made unusable – believe me, we tried that.

I’ve also seen crypto nerds going extremist and refusing to even consider talking to an activist over an unencrypted channel. That’s an interesting stance, since then the activist would never learn how to do that.

That’s also a good way to forbid communication, which is mandatory for coordinating actions, getting information out, and caring about people. If we were to follow those extremists, we would end up in an autistic mode, not communicating because it would expose you to a risk. A risk that still needs to be determined.

And, in the end, if you want to undermine and destroy an oppressive regime, you need to accept the risks. You need to accept that you’ll end up in jail. You need to accept that you’ll be beaten up. You need to accept the fact that if you do not take the streets, then it’s your opponent who has them. And you need to take that back.

And you cannot do it from a computer.

Sure, sysadmins and service operators providing good opportunistic cryptography, with a fluid interface and where the security doesn’t get in the way of the user, while protecting their users from the government, are needed – and it’s the path I’ve chosen – but you have to accept that it’s illegal in most states. Even in NATO countries, or in the EU.

But those sysadmins won’t be protected by crypto. Their freedom is at risk as soon as they decide to fight and to help. And no crypto tool you can use can tighten your organisation to a point where no exterior influence can destroy it. We’ve seen it before – with Sabu for instance – and we’ll see it again, because that’s how things work.

The only thing crypto will buy you is time. This time should be used to coordinate, to share, to care, but it won’t get you out of jail (even the TPB founders did serve time). But that’s about it: once you’re in the street, you’ll end up in jail whatever the crypto you’re using.

And that is called OpSec (Operations Security). The purpose of OpSec is to be able to run an operation. If the crypto you’re using makes you unable to run it, then you’ve failed your OpSec. And running no operation is also an operational failure.

So, yes, crypto is useful, because it gives you time and space to breathe. It allows you to get some room to de-stress and coordinate. But your freedom does not rely on a piece of tech. It relies only on you to take it.

Go into the street.