Tuesday, June 5, 2012

My Tor Project/OpenITP Hackathon Live Blog Day 1: Lots of talking, no coding


At the end of Rightscon proper and for a day after, there was a hackathon sponsored by the Tor Project and the New America Foundation's Open Internet Tools Project (OpenITP).  As you can tell, I came expecting to hack some things out with the OONI folks, but it was really just a bunch of discussion groups.  Still, the discussion groups covered some fascinating topics.  Once again, errors are mine, opinions are my own, yada yada yada.
----------------------------------------
INCREASING THE COST OF CENSORSHIP

Telex: Add proxy in the core that can be used to make a connection to any site look like a plain HTTPS connection to websites that would be too costly to block (e.g. credit cards, Google)

Cost can be political as well as economic.  Since Google withdrew from China, it's now in Hong Kong, so Chinese GOOG traffic goes through there.  Chinese traffic is still censored since it goes thru the Chinese web, which can be damn annoying.  What GOOG did in the past couple days is add a reminder where, if you search for X, it'll alert you if you'll run into blocking.  The Chinese govt would rather folks didn't know about this, so GOOG is increasing the popularity cost of this.

Internal alternatives (Muloqot/Weibo), financial sense depends on whether there's enough of a domestic market (although I can see, ex. the Uzbek govt picking up the loss)

One thing that does increase the cost is if it's more transparent.

What costs are there?
1. Econ. costs - bad for business
2. Soc. costs - I can't get to best sites thnx to filter
3. Pol. legitimacy from blocking things people think inappropriate to block

4. Retaliatory cost
Some Iranian group got in trouble for airing an interview with someone who had been tortured, and there has been some discussion of retaliatory measures (cutting off banking things).

5. Forcing regimes to brute force and individually identify things like ex. bridge nodes and have trouble with dissecting protocols
Ex. DPI plus cryptanalysis

[HAD TO GO WORK ON SOMETHING ELSE]
At this point, about all we can hope for is to make it [censorship] more expensive.
Maybe $$$ isn't so much the issue, maybe it's more about efficacy
[ANOTHER BLOCK]

Back on increasing cost, a simple way might be just deploying more proxies on popular websites.  If you have a ton of IP addresses, just run lots of proxies.  Then there's OnionSpace mirroring.

Is there enough naming and shaming of companies that enable these actions?  Many of us think there is nowhere near enough.

In Iran, there was a bandwidth throttling event, and there's always one such event when there's a big event.  Some guys told us it wasn't a normal bandwidth throttling event, but that they're adding lots of "Halal Internet" infrastructure.  ZTE was importing much of this equipment around the same time, or it looked like it.

WHERE WE GO WITH THIS

I missed all of this, and this is where I gave up on trying to code during a "hackathon", or find my baggage (!!)

--------------------------------------------

NEXT SESSION:

OONI-PROBE SESSION

It's basically a system for detecting what is being blocked in which countries and how it's happening.  It gives you the system around which you can build your own tests and deploy them in various countries.
[AND IT WAS DELAYED UNTIL TOMORROW]

CRYPTO IN JAVASCRIPT

There's a browser standard being worked on at W3C that creates a standard API for Javascript crypto that can all work in the browser (hashes, AES encryption, etc.).  The uses for this are so broad that, for example, Netflix is on the committee and they want this for DRM.
In fact, PEOPLE LIKE GOOGLE could use this in their CHAT PROGRAMS

How far along is the W3C work? Pretty far along.

What are problems of Javascript crypto?  Why don't you trust it?

Well, no private data/functions, someone else can perhaps change data in the function.

One thing Cryptocat does is
I. Wait for W3C to finish (tho functions still need to be called, and who calls them can be problem).
II. Simply use browser apps.  They run inside the browser, and work much better on Chrome than on Firefox.
If you solve the problem this way, you can develop whatever you want for the browser, and it becomes part of the browser, saving you loading from the server each time.

THREAT MODEL

NSA gets somebody to serve slightly different Javascript to a specific user, which has a backdoor that can be used to spy on somebody
aaaaaaand I'm exhausted
Type without rhythm, and you won't attract the worm.
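
An added example (not from the session and not Cryptocat's code) of the check that answers the threat model above: hash every script a user actually received with the W3C crypto API and compare against a release manifest published out of band, which is the guarantee a packaged browser app gives you. The file names, script bodies and function names are constructed for illustration.

```javascript
// Audit one user's served scripts against a pinned release manifest.
// Uses the W3C Web Crypto API (crypto.subtle); falls back to Node's copy of it.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// SHA-256 of a string, hex-encoded.
async function sha256Hex(text) {
  const digest = await subtle.digest("SHA-256", new TextEncoder().encode(text));
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, "0")).join("");
}

// Build the manifest a maintainer would publish out of band: path -> digest.
async function buildManifest(files) {
  const manifest = {};
  for (const [path, source] of Object.entries(files)) manifest[path] = await sha256Hex(source);
  return manifest;
}

// Compare what was served with the manifest. Reports modified files, files the
// release does not contain (an injected script), and files that are missing.
async function auditDelivery(manifest, served) {
  const findings = [];
  for (const [path, source] of Object.entries(served)) {
    if (!has(manifest, path)) findings.push({ path, issue: "unexpected" });
    else if ((await sha256Hex(source)) !== manifest[path]) findings.push({ path, issue: "modified" });
  }
  for (const path of Object.keys(manifest)) {
    if (!has(served, path)) findings.push({ path, issue: "missing" });
  }
  return findings;
}

// Constructed sample data: a two-file release and the copy one user received.
const RELEASE = {
  "crypto.js": "function seal(msg, key) { /* ... */ }\n",
  "chat.js": "function send(msg) { post(seal(msg, sessionKey)); }\n",
};
const SERVED_TO_ONE_USER = {
  "crypto.js": RELEASE["crypto.js"],
  "chat.js": RELEASE["chat.js"] + "extraCall(sessionKey);\n", // one added line
  "stats.js": "/* not part of the release */\n",
};

async function demo() {
  const manifest = await buildManifest(RELEASE);
  return {
    clean: await auditDelivery(manifest, RELEASE),
    targeted: await auditDelivery(manifest, SERVED_TO_ONE_USER),
  };
}
```

The check only helps if it runs from code the server cannot swap per user, which is why the session's "browser apps" answer matters: a verifier delivered by the same server is covered by the same threat.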

POSSIBILITIES IN JAVASCRIPT CRYPTO

really getting tired here, but now we switch over to...

SURVEILLANCE/CENSORSHIP IN AMERICA
[They did ask for a Russia expert, but I was too wiped out.  And then, have I just not focused enough on it?]

First we brainstorm about threats we see in the U.S.

1. Double-standard about whether subpoena or not required for law enforcement to install malware.

2. NSA wiretapping.  Classified FISA memo gives legal justification for it, and it's a classified interpretation of secret law.

3. CISPA, which would legalize this framework in a transparent way, but still doesn't declassify the FISA court memo (???)
Also interesting how they tried to co-opt Silicon Valley by offering immunity from prosecution by going along.

4. Internet surveillance of companies.

5. Difference between DMCA/DHS takedown
DHS: They take your domain, could use DMCA as method, or they just send a national security letter.
DMCA has some transparency to it, however.

6. Citizen/consumer complacency

7. ISP port blocking/exclusivity agreements - "Net Neutrality"
If you had only two or three options for connectivity, you can regulate, but more competition incentivizes against exclusivity/blocking.

SOLUTIONS?

2nd amendment, because THAT makes sense in a nuclear state.

(why daf*q didn't I go to the Iran panel?  This could be much more useful for what I'm trying to do)

and the consensus was that we're screwed

8. Apple-Disney-Fox/Pravda --- or the fact that there are only so many media companies out there now.

9. Where we get our $$$ from, possible link to #8

Agh, both my laptop and I are running a low battery.  I'm going to turn this off and try to get my baggage.
