http://tns7i5gucaaussz4.onion/yW6KYPCH1j
http://piratepad.net/ep/pad/view/ro.rS15ljVTPa2/latest

* The "Concern Troll"

Part III, again, is not what I'd originally planned for it. I made mistake #386 (http://xkcd.com/386/) and got side-tracked. Looks like there will have to be a Part IV. Sorry folks.

Internet forums that allow comments sooner or later have a "concern troll" stop in. This is the person that games others through the power of skepticism. By playing on your confirmation bias against new ideas, they argue from a position of power.

A specific example (speaking to the Trolls): How old is Tor? If I post a link to a hardcore child porn .onion site that has been online for YEARS, will you still spread your FUD that the sick bastards that post these photos are going to be swooped in on and picked up? WHEN?

FREEFOR needs new tools and new battlespace, not the same old doubts about infiltration. The brave and stand-up guys who think anyone that doesn't walk out into the spotlight and give their name is shady - are they going to reconsider their stance on anonymity any more thoroughly because of your doubts? They're already skeptical as shit, and have a right to be - the tech guys have let them down OVER AND OVER. They don't need your help staying where they're at.

Either point to a vulnerability that we haven't seen before and documented (e.g.: exit nodes WILL traffic analyse you), or sit down. Your statements otherwise amount to baseless ego stoking, and don't help. The adults are trying to have a conversation.

When you see a concern troll, ask them for evidence. If it's a gut feeling or that "complicated things fail" - well, then it's up to you to decide if you agree. I'll keep eating this tomato.

* Strange loops

Ken Thompson's "Reflections on Trusting Trust" is an insightful paper. In it, he details an attack that cuts to the quick of my main premise: technology is a legitimate answer to a lot of FREEFOR's problems.

"Insightful" as in: if I have personally drawn the wrong conclusions from it, some day it will get me shot. The gist of the paper is this: Chicken. Egg. At some point, we have to throw up our hands and jump into the arms of trust. This needs to be a conscious choice, and it loops back to the original ideas of "progressive" and "conservative" - so I'm not surprised at the amount of friction I'm getting over my premise.

Some people want things to stay the same forever - and that is a GOOD thing for the flywheel of society. Without that stabilizing force there would be a lot more people wearing parachute pants. Conservatism taken to extremes, however, tends to ignore the self-selecting community of intrepid folk jaunting off and either getting killed or coming back home with something delicious - like the tomato.

The tomato was at one time viewed as sketchy - possibly because it's related to nightshade. I haven't been able to track down what people thought it was going to do to them. Since nightshade kills you pretty much outright, where by contrast I can stand in front of you and eat a tomato, I'm not sure I get it. Cumulative effects, maybe. Maybe I'm that ONE GUY that has tomato poison immunity. You'll NEVER know until you eat the damn thing already. Life is like that.

At some point, even the most eleet ninja hacker on earth needs to give up a bit of control and trust the computer to do its job and actually do what it seems to be doing. What the "Run! It's technology and that failed once!" crowd leaves out of a lot of its arguments is this: it's your choice, and it's not all-or-nothing.

They also neglect to mention that people are flawed, and in the main have a tough time pulling off dastardly plans that are SIMPLE. Those that have experienced the more Keystone Kops moments of being shot at may understand what I am saying. Stuxnet was a rare thing indeed, and very clever, and yet - it was found out. Rootkits can't survive without writeable media.
Not EVERY computer can have an infected CMOS - there HAS to be a computer with a "turbo" button in someone's garage that hasn't got NSA 3.0 on it. It's madness to suggest otherwise.

A small amount of trust over a long period of time is about as good as it gets, folks. I can't sugar coat it. What's your threshold? Do I need to go back to sleep for another ten years? Given the drying up of alternatives - will you entertain LOOSENING UP A BIT? There may not be time. For shame if you pass up a bit of risk just to die watching the last light of the West go out.

I've been running a Tor exit node for years and haven't been shot, let alone subpoenaed. The Silk Road is STILL up after Schumer's little shitfit. You can't swing a dead cat around in .onion space without brushing against a link to real, G*d help us, hard candy child porn. Asymmetric cryptography is FUNDAMENTAL to the Internet - try to pay your monthly statement without it. A Bitcoin is AGAIN worth around ten bucks (unless it's the weekend and the newbies are freaking out, in which case it may be less).

Enough. Either you get it or you don't. Let's roll.

* Knapsacks

The problem with this higher math protocol stuff is that if you've got half a drunk on, it's WAY more complicated than it needs to be. The other problem is that if I ask you to take for granted this, this, and this - then I'm going to get all sorts of flak and misunderstandings of fundamentals from the perpetual wet blanket crowd.

For those of you who are willing to take my (and anyone else that you care to ask that UNDERSTANDS the technology) word for it - here are the talking points - if you do things right, public key (asymmetric) cryptography GUARANTEES:

>> No one can read your mail.
>> No one can impersonate you.

Done. Continue on to the next asterisk.

Everyone else - the people that like to know how things work (of which I'm one) - hang in there. I'm going to appropriate a metaphor from a different branch of computer science.
Consider this a midlevel zoom map. If you want to know exact steps in the protocol and to go crosseyed at lots of sigmas and S-boxes, you'll need to get some books by Bruce Schneier, pronto. He's a Good Guy, the ponytail is just subterfuge.

I have a knapsack. If I fill it so that it is completely full, say - of various hammers - and then I empty the hammers out onto a blanket and throw a whole lot of OTHER hammers down with them... I have what's called "the knapsack problem." Well, I don't - but you do. That is: It is going to be hard for you to figure out exactly which particular hammers I used to fill the knapsack (even if I tell you the final weight of the filled knapsack), but once I tell you the answer - it's spittin' easy to confirm whether the hammers fit in the knapsack and weigh the correct amount, or not.

Knowing that there are mathematical functions that have a "forward" direction (filling up the knapsack and tallying the weight is dead simple) and a "backward" direction (adding various hammer weights together, seeing if they fit the knapsack, is hard) like this is a fundamental insight that will be very helpful as we talk about modern cryptography. It is the basis for secure hashing, shared secrets, and public key - which are all totally underused, and which you should learn as much as you can about if you care about these sorts of things, because they are cool in their own right. They allow Tontines, which are badass and lead to real life Scooby-Doo style adventures. I digress.

Our focus (such as it is) here at the moment, is public key. AKA "asymmetric" crypto. Because it's underused, because it's 30 years proven and you use it every day (SSL, HTTPS, and the padlock you look for when you're banking online are based on it), and because it counters SO many legitimate freakouts about communications interception and impersonation. It can also carry monetary value, which is so important it gets its own Part IV.

Let's take our regular everyday password, and split it into two halves.
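
The knapsack asymmetry described above, as an added example that is not part of the original post: checking a claimed set of hammers takes one pass, while finding a set by brute force can take up to 2^n tries. The hammer weights and function names are constructed for illustration.

```python
from itertools import combinations

# Constructed sample data: weights (grams) of every hammer on the blanket.
HAMMERS = [454, 567, 680, 907, 1134, 1361, 1814, 2268, 3629, 4536, 5443, 7257]


def fill(indices):
    """Forward direction: pick hammers and tally the weight (one pass)."""
    return sum(HAMMERS[i] for i in indices)


def check(indices, target):
    """Confirming a claimed answer costs the same as filling the sack."""
    return len(set(indices)) == len(indices) and fill(indices) == target


def search(target):
    """Backward direction: try subsets until one weighs `target`.

    Returns (solution or None, number of subsets tried). With n hammers
    there are 2**n subsets, so every extra hammer doubles the worst case.
    """
    tries = 0
    for size in range(len(HAMMERS) + 1):
        for combo in combinations(range(len(HAMMERS)), size):
            tries += 1
            if fill(combo) == target:
                return combo, tries
    return None, tries


if __name__ == "__main__":
    secret = (1, 4, 7, 10)          # the hammers that went in the knapsack
    weight = fill(secret)           # the only number that is published
    found, tries = search(weight)
    print("published weight:", weight)
    print("verify claimed answer:", check(secret, weight), "(4 additions)")
    print("brute force found", found, "after", tries, "subsets")
    print("worst case for 12 hammers:", search(1)[1], "subsets")
```

Real public-key systems rest on other hard problems (factoring, discrete logarithms); cryptosystems built directly on knapsacks, such as Merkle-Hellman, were broken.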
At bottom, it really is that simple.

One half - the "private" key - I keep to myself. I use this key to decrypt messages people send me, and to sign messages I want everyone to know came from me and no one else. I guard this key EXTREMELY carefully.

The other half - the "public" key - I tell EVERYONE. I publish it everywhere. I have those that know me sign it (with their private key, no less) so that THEIR friends know that that particular public key is MINE.

When someone wants to send me an uninterceptable message, they use my public key to encrypt it. That encryption function is one-way. Even if you know the message I encrypted AND the recipient's public key, it's damn hard to back out the crypto and prove I wrote what I wrote about your wife.

Hopefully someone else will chime in at this point and talk about session keys and perfect forward secrecy in the context of GPG/PGP encryption - I'm running out of steam. The short story is: every message you send has a different password. A break in one message doesn't compromise any others. That's a Big Deal in its own right.

The software to do these math tricks is, as far as I know, not huggable. Half measures such as Hushmail, where you trust a third party with your private keys, are NOT ACCEPTABLE. We fought this like hell in the 90s over the Clipper chip and key escrow. Putting your trust in a third party is (sorry folks) bush league, and you may as well be using pig latin. Force of "law" and/or incompetence will take down your whole house of cards. Don't build with shoddy foundations. I mean no offense by this.

Doing it right is a subject for another pad. The IT operations folk here: http://tns7i5gucaaussz4.onion/Ga4RHY5uwR can straighten you out and keep you from stumbling too deep into the Devil's Club. If no one there steps up, then say something and that'll be a pad by itself and I'll do it myself. It's that important.

At least make your keys time limited, folks.
That way as you learn about what you're doing and make the inevitable mistakes there's a mechanism in place for starting over. Set an expiration date for your private keys. Bill Cosby would do it, G*d rest his soul.

* Shibboleth

You are a highly tuned opinion-forming machine, and after you've met me and we've broken bread together you certainly have an opinion of me. You have a measure of how much you trust me.

People get burned by this, of course. Your cell is infiltrated. You trust someone with your lawnmower and it comes back with the bag full of poison ivy. You go out shooting with someone that's otherwise reliable and trustworthy and they treat Cooper's rules like some people treat the Constitution. Your significant other finds you in bed reading the Huffington Post.

Online, it's magnified. You don't have the benefit of all the cues you've spent your life honing and looking out for. You can't tell if my laughter is sincere. You can't see that I'm a bit wild-eyed and have forgotten such proprieties as wearing pants. You can't be sure I'm even talking to you. This is why emoticons and "@someone" forum/chat notation evolved.

Trust may not be solved, but end-to-end security has been for a long time. If you remember back when the Internet was just on the edge of mainstream consciousness, we heard that you would be stupid - just plain stupid - to do your banking online. Magical wraith hackers or the NSA would swoop in and sell you into slavery. At the time, that common knowledge was spot on because the infrastructure didn't exist. FREEFOR is at that spot now.

Public key crypto finally got adopted (even though it'd been around since the 70s) and now if you know what a passbook is, you obviously breathe through your mouth. The NSA had to go back to controlling your mind via jet contrails. Hackers work on your PC or the bank website and NOBODY worries about the cable modem stealing their credit card number when they shop at Amazon. It's a non-issue.
The main usher for that shift is Secure Sockets Layer (SSL - the S (more or less) in HTTPS).

Back to the padlock in the address bar. Your bank's website (for instance) has a public key. That key has been signed by a chain of private keys that go all the way up to the equivalent of the Internet Crypto Boss. Every browser has a copy of Internet Crypto Boss's public key, and so can verify the chain of trust down to their own bank. If we call it by another name, it's suddenly familiar: delegated authority.

If the bank doesn't have a key signed by the ICB, you can still have a secure conversation - you just have no idea if you're talking securely to Reputable Bank of Springfield or Despicable Vlad's House of Ripping You Off.

So it is with you and me. You may not know how much you can trust the entity that holds a private key - but you can be certain that they signed a particular document. You may not know how much you can trust me, but you can be completely certain no one else is able to read the message you encoded with my public key. Even if you put it on a postcard and send it to Internet Crypto Boss - which is why I didn't call it the Internet Crypto Deity.

Trust metrics are the current wild frontier on the internet. Something like Amazon's or eBay's review system seems to be what's evolving - it's democratic (in a good way) but falls prey to what you might know as "astroturf" or "sybil" attacks. The Better Business Bureau and Consumer Reports are counters by (respectively) Government and The Market to these sorts of attacks.

I might vouch for McDonald's and give it five stars just because I got a free supersize out of it. You don't know any better because you don't know me, but willickers, McD has a LOT of five star ratings. Then you bite into your filet-o-MDF and the whole effort was verifiably useless. The Market (if McD doesn't get a bailout) takes care of this, but the invisible hand can sometimes take a while to get around to dishing out some curbside justice.
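
The padlock check described earlier in this section, as an added example that is not part of the original post: a browser that holds only the Internet Crypto Boss's public key walks a chain of signed keys down to the bank. The toy RSA built from Mersenne primes, the "Middle CA" name and every key are constructed for illustration and are not secure.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def keygen(a, b):
    """Toy RSA key from the Mersenne primes 2**a-1 and 2**b-1. NOT secure."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(n, data, sig):
    return pow(sig, E, n) == digest(data, n)

def tbs(cert):
    """Bytes covered by the signature: whose key it is, and the key itself."""
    return f"{cert['subject']}|{cert['n']}".encode()

def issue(subject, subject_n, issuer, issuer_key):
    cert = {"subject": subject, "n": subject_n, "issuer": issuer}
    cert["sig"] = sign(issuer_key, tbs(cert))
    return cert

def chain_ok(chain, trust_store):
    """chain is leaf-first. Each cert must verify under the next cert's key;
    the last must verify under a key the browser already holds."""
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            if chain[i + 1]["subject"] != cert["issuer"]:
                return False
            issuer_n = chain[i + 1]["n"]
        else:
            issuer_n = trust_store.get(cert["issuer"])
            if issuer_n is None:
                return False
        if not verify(issuer_n, tbs(cert), cert["sig"]):
            return False
    return bool(chain)

# Constructed keys and names.
boss, mid = keygen(521, 607), keygen(107, 127)
bank, vlad = keygen(61, 89), keygen(19, 31)
TRUST = {"Internet Crypto Boss": boss["n"]}      # shipped with the browser
BANK = "Reputable Bank of Springfield"
mid_cert = issue("Middle CA", mid["n"], "Internet Crypto Boss", boss)
bank_cert = issue(BANK, bank["n"], "Middle CA", mid)
forged = issue(BANK, vlad["n"], "Middle CA", vlad)   # signed with the wrong key
self_signed = issue(BANK, vlad["n"], BANK, vlad)     # no link to the Boss

if __name__ == "__main__":
    print("real bank:", chain_ok([bank_cert, mid_cert], TRUST))
    print("forged signature:", chain_ok([forged, mid_cert], TRUST))
    print("self-signed:", chain_ok([self_signed], TRUST))
```

The self-signed key would still encrypt traffic perfectly well; what fails is the link between the name on it and a key the browser already trusts.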
Ideally, FREEFOR cells will have local trust, and then the Six Degrees Of Kevin Bacon thing will help connect those isolated cells. We'll see what evolves. I'm optimistic, but I'm also aware these models may not pan out and we'll need something else. If you want to lose some time, look up the "small world experiment." There are arguments for and against it. In isolated domains like Open Source projects and Bitcoin over-the-counter trading circles, it works quite well.

The breaks we see are limited in scope and don't indicate that the protocols themselves are broken. There have been hackers that have taken over people's accounts and done terrible things. Someone managed to hack an account and slip some code into the Linux kernel a few years ago - but that was caught before it hit the main code tree. The Mt Gox exchange had an administrator account get hacked and the exchange was robbed, but the Bitcoins elsewhere were never in jeopardy.

Okay. So now we know that once we meet somewhere, we have ways of verifying that we're the same person that was here yesterday - and we can be certain we're talking ONLY to that person. About that "meeting somewhere" part.

* Rally points

To line up shoulder to shoulder is noble. It's one kind of rally point and it's one kind of opposition. I applaud it. I join in it. I believe though that there are other options for Action hanging low from the tree.

The way things CAN be, we don't need to stand shoulder to shoulder to get everything done. Come Zombiepocalypse, yes, this distributed way of doing things is not exactly ideal (unless you take the long view, and realize that "distributed system" can easily be a synonym for "Darwinism").

Cash is a distributed system. By way of cash, I'll also explain Assassination Politics.
If I want to go shoot some smelly agent of the state in the face, and I need just a touch of money for the unpapered suppressed Barrett carbine I'll need and a ghillie suit that's not COMPLETELY last year, I might carefully (so that I am not observed) put up posters saying "if you want Sheriff Dumbneek dead, put a ten dollar bill at GPS coordinates: -150W, 30N." If enough people care to listen to me and I'm not completely retarded collecting the money when no one is looking, I can then go and get my hands dirty. I don't have to trust the people leaving the cash. I trust the cash. Slim Shady and his crew don't have to trust me in order to hand over the hardware, they just trust the cash. Cletus down at the Holler and Fire doesn't care about my ideologies - he hands over a #10 large ghillie in New Wood Forest Reed Stealth Slayer Autumn Green and clocks out at five just like every other day. Every disgruntled nutburger that (carefully) leaves $10 at -150W, 30N has left "only" $10 there - not risked the next 10-50 years of their life in Club Fed and not paid zillions of dollars that I'm going to abscond with. John Robb, Internet ginger elitist buzzword ninja, warns us: "don't fork the insurgency." I REALLY don't want to. There are a LOT of great blogs out there, you probably already know 90% of them. What they can't do, out in vanilla internet space, is get specific. Where the tech may be proven but not mainstream - we can make public, credible threats. We don't even have to take action. But we do have to put EFFORT and TIME into it. We have to ACT like we're going to take action. We have to overcome the inertia of disbelief in the people we would stand against. Back to the cash-and-poster metaphor: I need a place to put that poster, and I need cash. The poster is Tor space - .onion hidden services. Tor hidden services allow anyone that knows what they are doing to host a website that cannot be located or shut down. 
The owner of that site in turn has no way to tell who's reading it. It's like a masquerade ball hosted inside of a mystery castle wrapped in an enigma - or possibly some other metaphor that is more comprehensible. This is an ideal location for targeting packets. This is an ideal location to post cash bounties for oath-violating "law enforcement" officers. This is a technology that's a decade old that is going shockingly underused by The Good People. Tor hidden services are not based on trust in a single person, or a company, or a government, or any sort of slight of hand. They are based on plain math that you can hold in your own filthy stinking hands and read. That's the leap of faith. Computers don't work on fairy dust, I promise you. Ask anyone that doesn't believe in fairies. They are based on math. Math says to bring it. Setting Tor hidden services sites up is not that hard - in someone else's copious free time, someone not me can come up with a layman's guide to getting a site up and running. You can then verify for yourself its anonymity. But that's a whole other kettle. * Exeunt I didn't realize how long winded I was getting, so I'm going to break out the next section - the cash in the cash-and-poster metaphor - into Part IV. Hopefully you got some use out of this - if you'd care to please leave feedback. I know I sure as heck lose interest when confronted by a big wall of text, but the other side of the coin is that I love to read new posts by people I respect. If I don't know where the community (such as it is) stands, you're going to get what you get. And to whomever mirrored these posts here: http://xqz3u5drneuzhaeo.onion/users/mccrgl7x/launchpad.html - thank you - that you found value in what I'm doing is another node in the network effect, plus, it made my day. Post a Bitcoin address at the site and I will donate to it. It starts here, folks. 
The more of us there are, the more powerful we get, the more the future starts to look kick-ass again, rather than ass-kicked. Godspeed, and thanks for reading. You are the resistance. See you in Part IV - working title: "The oft-told story of the Rei stones."