
FREEFOR_TECH_3

http://tns7i5gucaaussz4.onion/yW6KYPCH1j
http://piratepad.net/ep/pad/view/ro.rS15ljVTPa2/latest

* The "Concern Troll"
Part III, again, is not what I'd originally planned for it.  I made
mistake #386 (http://xkcd.com/386/) and got side-tracked.  Looks like
there will have to be a Part IV.  Sorry folks.

Internet forums that allow comments sooner or later have a "concern
troll" stop in.  This is the person that games others through the
power of skepticism.  By playing on your confirmation bias against new
ideas, they argue from a position of power.

A specific example (speaking to the Trolls):  How old is Tor?  If I
post a link to a hardcore child porn .onion site that has been online
for YEARS, will you still spread your FUD that the sick bastards that
post these photos are going to be swooped in on and picked up?  WHEN?
FREEFOR needs new tools and new battlespace, not the same old doubts
about infiltration.

The brave and stand up guys who think anyone that doesn't walk out
into the spotlight and give their name is shady - are they going to
reconsider their stance on anonymity any more thoroughly because of
your doubts?  They're already skeptical as shit, and have a right to
be - the tech guys have let them down OVER AND OVER.  They don't need
your help staying where they're at.

Either point to a vulnerability that we haven't seen before and
documented (eg: exit nodes WILL traffic analyse you), or sit down.
Your statements otherwise amount to baseless ego stoking, and don't
help.  The adults are trying to have a conversation.

When you see a concern troll, ask them for evidence.  If it's a gut
feeling or that "complicated things fail" - well, then it's up to you
to decide if you agree.  I'll keep eating this tomato.  


* Strange loops
Ken Thompson's "Reflections on Trusting Trust" is an insightful
paper.  In it, he details an attack that cuts to the quick my main
premise: technology is a legitimate answer to a lot of FREEFOR's
problems.

"Insightful" as in: if I have personally drawn the wrong conclusions
from it, some day it will get me shot.

The gist of the paper is this:  Chicken.  Egg.

At some point, we have to throw up our hands and jump into the arms of
trust.  This needs to be a conscious choice, and it loops back to the
original ideas of "progressive" and "conservative" - so I'm not
surprised at the amount of friction I'm getting over my premise.

Some people want things to stay the same forever - and that is a GOOD
thing for the flywheel of society.  Without that stabilizing force
there would be a lot more people wearing parachute pants.
Conservatism taken to extremes, however, tends to ignore the
self-selecting community of intrepid folk jaunting off and either
getting killed or coming back home with something delicious - like the
tomato.

The tomato was at one time viewed as sketchy - possibly because it's
related to nightshade.  I haven't been able to track down what people
thought it was going to do to them.  Since nightshade kills you pretty
much outright where by contrast I can stand in front of you and eat a
tomato, I'm not sure I get it.  Cumulative effects, maybe.  Maybe I'm
that ONE GUY that has tomato poison immunity.  You'll NEVER know until
you eat the damn thing already.  Life is like that.

At some point, even the most eleet ninja hacker on earth needs to give
up a bit of control and trust the computer to do its job and actually
do what it seems to be doing.

What the "Run!  It's technology and that failed once!" crowd leaves
out of a lot of its arguments is this: it's your choice, and it's not
all-or-nothing.  They also neglect to mention that people are flawed,
and in the main have a tough time pulling off dastardly plans that are
SIMPLE.  Those that have experienced the more keystone kops moments of
being shot at may understand what I am saying.

Stuxnet was a rare thing indeed, and very clever, and yet - it was
found out.  Rootkits can't survive without writeable media.  Not EVERY
computer can have an infected CMOS - there HAS to be a computer with a
"turbo" button in someone's garage that hasn't got NSA 3.0 on it.
It's madness to suggest otherwise.

A small amount of trust over a long period of time is about as good as
it gets, folks.  I can't sugar coat it.  What's your threshold?  Do I
need to go back to sleep for another ten years?  Given the drying up
of alternatives - will you entertain LOOSENING UP A BIT?  There may
not be time.  For shame if you pass up a bit of risk just to die
watching the last light of the West go out.

I've been running a Tor exit node for years and haven't been shot, let
alone subpoenaed.  The Silk Road is STILL up after Schumer's little
shitfit.  You can't swing a dead cat around in .onion space without
brushing against a link to real, G*d help us, hard candy child porn.
Asymmetric cryptography is FUNDAMENTAL to the Internet - try to pay your
monthly statement without it.  A Bitcoin is AGAIN worth around ten bucks
(unless it's the weekend and the newbies are freaking out, in which
case it may be less).

Enough.  Either you get it or you don't.  Let's roll.


* Knapsacks
The problem with this higher math protocol stuff is that if you've got
half a drunk on, it's WAY more complicated than it needs to be.  The
other problem is that if I ask you to take for granted this, this, and
this - then I'm going to get all sorts of flak and misunderstandings of
fundamentals from the perpetual wet blanket crowd.

For those of you who are willing to take my (and anyone else that
you care to ask that UNDERSTANDS the technology) word for it - here
are the talking points - if you do things right, public key
(asymmetric) cryptography GUARANTEES:

>> No one can read your mail.
>> No one can impersonate you.

Done.  Continue on to the next asterisk.

Everyone else - the people that like to know how things work (of which
I'm one) - hang in there.  I'm going to appropriate a metaphor from a
different branch of computer science.

Consider this a midlevel zoom map.  If you want to know the exact steps in
the protocol and to go cross-eyed at lots of sigmas and S-boxes, you'll
need to get some books by Bruce Schneier, pronto.  He's a Good Guy,
the ponytail is just subterfuge.

I have a knapsack.  If I fill it so that it is completely full, say -
of various hammers - and then I empty the hammers out onto a blanket
and throw a whole lot of OTHER hammers down with them...  I have
what's called "the knapsack problem."  Well, I don't - but you do.

That is:

It is going to be hard for you to figure out exactly which particular
hammers I used to fill the knapsack (even if I tell you the final
weight of the filled knapsack), but once I tell you the answer - it's
spittin' easy to confirm whether the hammers fit in the knapsack and
weigh the correct amount, or not.

Knowing that there are mathematical functions with an easy "forward"
direction (filling up the knapsack and tallying the weight is dead
simple) and a hard "backward" direction (working out which combination
of hammer weights adds up to that total, and fits the knapsack, is hard)
is a fundamental insight that will be very helpful as we talk about
modern cryptography.
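The knapsack idea above, as an added Python illustration that is not part of the original post: the hammer weights are constructed sample values, `fill_knapsack` is the easy forward direction, `verify_fill` is the one-pass check of a proposed answer, and `find_fill` is the backward direction, which has nothing better to do here than try subsets until one weighs the right amount. The subset counter it returns makes the asymmetry visible. One caveat worth knowing: the actual knapsack-based public key schemes of the late 1970s (Merkle-Hellman) were later broken, so in the text the knapsack is a metaphor for one-way functions, not the math behind the systems in use today.

```python
import itertools

# Constructed sample: weights (ounces) of the hammers dumped onto the blanket.
HAMMER_WEIGHTS = [13, 29, 38, 47, 56, 61, 73, 84, 91, 97, 103, 118]


def fill_knapsack(weights, chosen):
    """Forward direction: pick some hammers by index and tally their weight."""
    return sum(weights[i] for i in chosen)


def verify_fill(weights, chosen, claimed_total):
    """Checking an answer someone hands you: one pass over the chosen indices."""
    chosen = list(chosen)
    if len(set(chosen)) != len(chosen):          # the same hammer can't be used twice
        return False
    if any(i < 0 or i >= len(weights) for i in chosen):
        return False
    return fill_knapsack(weights, chosen) == claimed_total


def find_fill(weights, target):
    """Backward direction: given only the total, search every subset until one
    fits.  Returns (indices, subsets_tried); indices is None if nothing fits.
    The number of subsets doubles with every hammer added to the blanket."""
    tried = 0
    n = len(weights)
    for size in range(n + 1):
        for combo in itertools.combinations(range(n), size):
            tried += 1
            if sum(weights[i] for i in combo) == target:
                return list(combo), tried
    return None, tried


if __name__ == "__main__":
    total = fill_knapsack(HAMMER_WEIGHTS, (1, 4, 7, 10))     # easy: 272
    answer, tried = find_fill(HAMMER_WEIGHTS, total)         # hard: hundreds of tries
    print(total, answer, tried, verify_fill(HAMMER_WEIGHTS, answer, total))
```

Note that the search may come back with a different set of hammers than the one originally used; the checker only confirms that the answer it was given fits, which is exactly what the text says is cheap.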

It is the basis for secure hashing, shared secrets, and public key -
which are all totally underused and you should learn as much as you
can about if you care about these sort of things, because they are
cool in their own right.  They allow Tontines, which are badass and
lead to real life Scooby-Doo style adventures.  I digress.

Our focus (such as it is) here at the moment, is public key.  AKA
"asymmetric" crypto.  Because it's underused, because it's 30 years
proven and you use it every day (SSL, HTTPS, and the padlock you look
for when you're banking online are based on it), and because it
counters SO many legitimate freakouts about communications
interception and impersonation.  It can also carry monetary value,
which is so important it gets its own Part IV.

Let's take our regular everyday password, and split it into two
halves.  At bottom, it really is that simple.

One half - the "private" key - I keep to myself.  I use this key to
decrypt messages people send me, and to sign messages I want everyone
to know came from me and no one else.  I guard this key EXTREMELY
carefully.

The other half - the "public" key - I tell EVERYONE.  I publish it
everywhere.  I have those that know me sign it (with their private
key, no less) so that THEIR friends know that that particular public
key is MINE.  When someone wants to send me an uninterceptable
message, they use my public key to encrypt it.  That encryption
function is one-way.  Even if you know the message I encrypted AND
the recipient's public key, it's damn hard to back out the crypto and
prove I wrote what I wrote about your wife.

Hopefully someone else will chime in at this point and talk about
session keys and perfect forward secrecy in the context of GPG/PGP
encryption - I'm running out of steam.  The short story is: every
message you send has a different password.  A break in one message
doesn't compromise any others.  That's a Big Deal in its own right.

The software to do these math tricks is, as far as I know, not
huggable.  Half measures such as Hushmail, where you trust a third
party with your private keys are NOT ACCEPTABLE.  We fought this like
hell in the 90s over the clipper chip and key escrow.  Putting your
trust in a third party is (sorry folks) bush league, and you may as
well be using pig latin.  Force of "law" and/or incompetence will take
down your whole house of cards.  Don't build with shoddy foundations.
I mean no offense by this.

Doing it right is a subject for another pad.  The IT operations folk
here: http://tns7i5gucaaussz4.onion/Ga4RHY5uwR can straighten you out
and keep you from stumbling too deep into the Devil's Club.  If no one
there steps up, then say something and that'll be a pad by itself and
I'll do it myself.  It's that important.

At least make your keys time limited, folks.  That way as you learn
about what you're doing and make the inevitable mistakes there's a
mechanism in place for starting over.  Set an expiration date for your
private keys.  Bill Cosby would do it, G*d rest his soul.


* Shibboleth
You are a highly tuned opinion-forming machine, and after you've met
me and we've broken bread together you certainly have an opinion of
me.  You have a measure of how much you trust me.

People get burned by this, of course.  Your cell is infiltrated.  You
trust someone with your lawnmower and it comes back with the bag full
of poison ivy.  You go out shooting with someone that's otherwise
reliable and trustworthy and they treat Cooper's rules like some
people treat the Constitution.  Your significant other finds you in
bed reading the Huffington Post.

Online, it's magnified.  You don't have the benefit of all the cues
you've spent your life honing and looking out for.  You can't tell if
my laughter is sincere.  You can't see that I'm a bit wild-eyed and
have forgotten such proprieties as wearing pants.  You can't be sure
I'm even talking to you.

This is why emoticons and "@someone" forum/chat notation evolved.

Trust may not be solved, but end-to-end security has been for a long
time.  If you remember back when the Internet was just on the edge
of mainstream consciousness, we heard that you would be stupid - just
plain stupid - to do your banking online.  Magical wraith hackers or
the NSA would swoop in and sell you into slavery.  At the time, that
common knowledge was spot on because the infrastructure didn't exist.
FREEFOR is at that spot now.

Public key crypto finally got adopted (even though it'd been around
since the 70s) and now if you know what a passbook is, you obviously
breathe through your mouth.  The NSA had to go back to controlling
your mind via jet contrails.  Hackers work on your PC or the bank
website and NOBODY worries about the cable modem stealing their credit
card number when they shop at Amazon.  It's a non-issue.

The main usher for that shift is Secure Sockets Layer (SSL - the S
(more or less) in HTTPS).  Back to the padlock in the address bar.

Your bank's website (for instance) has a public key.  That key has
been signed by a chain of private keys that go all the way up to the
equivalent of the Internet Crypto Boss.  Every browser has a copy of
Internet Crypto Boss's public key, and so can verify the chain of
trust down to their own bank.

If we call it by another name, it's suddenly familiar: delegated
authority.

If the bank doesn't have a key signed by the ICB, you can still have a
secure conversation - you just have no idea if you're talking securely
to Reputable Bank of Springfield or Despicable Vlad's House of Ripping
You Off.
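The password-split-in-two idea, the "set an expiration date" advice from the Knapsacks section, and the chain of trust just described, all in one added Python example that is not part of the original post. It uses textbook-sized RSA (the primes, names and dates are constructed, and nothing here is safe for real traffic): `make_keypair` produces the public and private halves, `encrypt`/`decrypt` show that only the private half undoes what the public half did, `sign`/`verify` show that only the private half can produce a signature the public half accepts, and `verify_chain` is the browser's job: walk from the bank's cert up to its own copy of the Internet Crypto Boss key, rejecting anything expired, unsigned by the cert above it, or rooted in a key it doesn't hold. In real systems what gets encrypted with the public key is a per-message session key, with proper padding, not the message itself.

```python
import hashlib
from datetime import date

# Toy RSA at textbook sizes.  Primes, names and dates below are constructed for
# this illustration only.

def make_keypair(p, q, e=17):
    """Two primes in, two halves out: public (n, e) and private (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))      # modular inverse; needs Python 3.8+

def encrypt(public_key, m):
    """Anyone holding the public half can do this; only the private half undoes it."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)

def digest(data, n):
    """SHA-256 of the data, reduced below the signer's modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data):
    n, d = private_key
    return pow(digest(data, n), d, n)

def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == digest(data, n)

# A toy certificate: a subject's public key, an expiry date, and the issuer's
# signature over all of that.

def cert_body(subject, key, not_after, issuer):
    return f"{subject}|{key[0]}|{key[1]}|{not_after.isoformat()}|{issuer}".encode()

def issue_cert(subject, key, not_after, issuer, issuer_private):
    sig = sign(issuer_private, cert_body(subject, key, not_after, issuer))
    return {"subject": subject, "key": key, "not_after": not_after,
            "issuer": issuer, "sig": sig}

def verify_chain(chain, trusted_roots, today):
    """chain[0] is the site's cert, chain[-1] the root.  Returns None when the
    whole chain checks out, otherwise a short reason for the first failure."""
    for i, cert in enumerate(chain):
        if today > cert["not_after"]:
            return f"{cert['subject']}: expired"
        if i + 1 < len(chain):                        # signed by the next cert up
            parent = chain[i + 1]
            if parent["subject"] != cert["issuer"]:
                return f"{cert['subject']}: issuer mismatch"
            issuer_key = parent["key"]
        else:                                         # root: use the browser's own copy
            issuer_key = trusted_roots.get(cert["issuer"])
            if issuer_key is None or issuer_key != cert["key"]:
                return f"{cert['subject']}: root not trusted"
        body = cert_body(cert["subject"], cert["key"], cert["not_after"], cert["issuer"])
        if not verify(issuer_key, body, cert["sig"]):
            return f"{cert['subject']}: bad signature"
    return None

def build_demo():
    """Root -> intermediate -> bank, plus a self-signed impostor nobody vouches for."""
    root_pub, root_priv = make_keypair(61, 53)
    ca_pub, ca_priv = make_keypair(71, 67)
    bank_pub, _ = make_keypair(83, 89)
    vlad_pub, vlad_priv = make_keypair(97, 101)
    vlad_name = "Despicable Vlad's House of Ripping You Off"
    root = issue_cert("ICB", root_pub, date(2020, 1, 1), "ICB", root_priv)
    ca = issue_cert("ICB Intermediate", ca_pub, date(2015, 1, 1), "ICB", root_priv)
    bank = issue_cert("Reputable Bank of Springfield", bank_pub, date(2012, 7, 1),
                      "ICB Intermediate", ca_priv)
    vlad = issue_cert(vlad_name, vlad_pub, date(2012, 7, 1), vlad_name, vlad_priv)
    return {"root": root, "ca": ca, "bank": bank, "vlad": vlad,
            "trusted": {"ICB": root_pub}}

if __name__ == "__main__":
    d = build_demo()
    chain = [d["bank"], d["ca"], d["root"]]
    print(verify_chain(chain, d["trusted"], date(2011, 7, 17)))       # None: chain is good
    print(verify_chain(chain, d["trusted"], date(2013, 1, 1)))        # bank cert expired
    print(verify_chain([d["vlad"]], d["trusted"], date(2011, 7, 17)))  # root not trusted
```

Vlad's certificate is mathematically just as valid as the bank's; the only thing separating the two is whose private key signed it, which is the "delegated authority" point in the text.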

So it is with you and I.  You may not know how much you can trust the
entity that holds a private key - but you can be certain that they
signed a particular document.

You may not know how much you can trust me, but you can be completely
certain no one else is able to read the message you encoded with my
public key.  Even if you put it on a postcard and send it to Internet
Crypto Boss - which is why I didn't call it the Internet Crypto Deity.

Trust metrics are the current wild frontier on the internet.
Something like Amazon's or Ebay's review system seems to be what's
evolving - it's democratic (in a good way) but falls prey to what you
might know as "astroturf" or "sybil" attacks.  The Better Business
Bureau and Consumer Reports are counters by (respectively) Government
and The Market to these sorts of attacks.

I might vouch for McDonalds and give it five stars just because I got
a free supersize out of it.  You don't know any better because you
don't know me, but willickers, McD has a LOT of five star ratings.
Then you bite into your filet-o-MDF and the whole effort was verifiably
useless.  The Market (if McD doesn't get a bailout) takes care of
this, but the invisible hand can sometimes take awhile to get around
to dishing out some curbside justice.

Ideally, FREEFOR cells will have local trust, and then the Six Degrees
Of Kevin Bacon thing will help connect those isolated cells.  We'll see
what evolves.  I'm optimistic, but I'm also aware these models may not pan
out and we'll need something else.  If you want to lose some time,
look up the "small world experiment."  There are arguments for and
against it.

In isolated domains like Open Source projects and Bitcoin
over-the-counter trading circles, it works quite well.  The breaks we
see are limited in scope and don't indicate that the protocols
themselves are broken.

There have been hackers that have taken over people's accounts and
done terrible things.  Someone managed to hack an account and slip
some code into the Linux kernel a few years ago - but that was caught
before it hit the main code tree.  The Mt Gox exchange had an
administrator account get hacked and the exchange was robbed, but the
Bitcoins elsewhere were never in jeopardy.

Okay.  So now we know that once we meet somewhere, we have ways of
verifying that we're the same person that was here yesterday - and we
can be certain we're talking ONLY to that person.

About that "meeting somewhere" part.


* Rally points
To line up shoulder to shoulder is noble.  It's one kind of rally
point and it's one kind of opposition.  I applaud it.  I join in it.
I believe though that there are other options for Action hanging low
from the tree.

The way things CAN be, we don't need to stand shoulder to shoulder to
get everything done.  Come Zombiepocalypse, yes, this distributed way
of doing things is not exactly ideal (unless you take the long view,
and realize that "distributed system" can easily be a synonym for
"Darwinism").

Cash is a distributed system.  By way of cash, I'll also explain
Assassination Politics.

If I want to go shoot some smelly agent of the state in the face, and I
need just a touch of money for the unpapered suppressed Barrett
carbine I'll need and a ghillie suit that's not COMPLETELY last year, I
might carefully (so that I am not observed) put up posters saying "if
you want Sheriff Dumbneek dead, put a ten dollar bill at GPS
coordinates: -150W, 30N."  If enough people care to listen to me and
I'm not completely retarded collecting the money when no one is
looking, I can then go and get my hands dirty.

I don't have to trust the people leaving the cash.  I trust the cash.
Slim Shady and his crew don't have to trust me in order to hand over the
hardware, they just trust the cash.  Cletus down at the Holler and Fire
doesn't care about my ideologies - he hands over a #10 large ghillie
in New Wood Forest Reed Stealth Slayer Autumn Green and clocks out at
five just like every other day.  Every disgruntled nutburger that
(carefully) leaves $10 at -150W, 30N has left "only" $10 there - not
risked the next 10-50 years of their life in Club Fed and not paid
zillions of dollars that I'm going to abscond with.

John Robb, Internet ginger elitist buzzword ninja, warns us: "don't
fork the insurgency."  I REALLY don't want to.  There are a LOT of
great blogs out there, you probably already know 90% of them.  What
they can't do, out in vanilla internet space, is get specific.

Where the tech may be proven but not mainstream - we can make public,
credible threats.  We don't even have to take action.  But we do have
to put EFFORT and TIME into it.  We have to ACT like we're going to
take action.  We have to overcome the inertia of disbelief in the
people we would stand against.

Back to the cash-and-poster metaphor: I need a place to put that
poster, and I need cash.

The poster is Tor space - .onion hidden services.

Tor hidden services allow anyone that knows what they are doing to
host a website that cannot be located or shut down.  The owner of that
site in turn has no way to tell who's reading it.  It's like a
masquerade ball hosted inside of a mystery castle wrapped in an
enigma - or possibly some other metaphor that is more comprehensible.

This is an ideal location for targeting packets.  This is an ideal
location to post cash bounties for oath-violating "law enforcement"
officers.  This is a technology that's a decade old that is going
shockingly underused by The Good People.

Tor hidden services are not based on trust in a single person, or a
company, or a government, or any sort of sleight of hand.  They are based
on plain math that you can hold in your own filthy stinking hands and
read.  That's the leap of faith.

Computers don't work on fairy dust, I promise you.  Ask anyone that
doesn't believe in fairies.  They are based on math.  Math says to
bring it.

Setting Tor hidden services sites up is not that hard - in someone else's
copious free time, someone not me can come up with a layman's guide to
getting a site up and running.  You can then verify for yourself its
anonymity.  But that's a whole other kettle.


* Exeunt
I didn't realize how long winded I was getting, so I'm going to break
out the next section - the cash in the cash-and-poster metaphor - into
Part IV.  Hopefully you got some use out of this - if you'd care to
please leave feedback.

I know I sure as heck lose interest when confronted by a big wall of
text, but the other side of the coin is that I love to read new posts
by people I respect.  If I don't know where the community (such as it
is) stands, you're going to get what you get.

And to whomever mirrored these posts here:
http://xqz3u5drneuzhaeo.onion/users/mccrgl7x/launchpad.html - thank
you - that you found value in what I'm doing is another node in the
network effect, plus, it made my day.  Post a Bitcoin address at the
site and I will donate to it.  It starts here, folks.  The more of us
there are, the more powerful we get, the more the future starts to look
kick-ass again, rather than ass-kicked.

Godspeed, and thanks for reading.  You are the resistance.  See you in
Part IV - working title: "The oft-told story of the Rei stones."

Pasted: Jul 17, 2011, 11:12:01 pm