Tuesday, June 5, 2012

My Tor Project/OpenITP Hackathon Live Blog Day 2: Circumvention Boogaloo


1st report back: Come up with set of recommendations for future projects, and possibly follow-up steps

1. Get user input from design phase
2. Lots of orgs out there do training (gipi.kg, for example), can have some extra functionality where they let devs know what they need to fix/enhance, and should include in funding requests et al.
3. Idea that peer-to-peer training is how software will get used, users teaching users, and similar for bugs.  The tool should give you an opportunity to send in bug reports, which may be over the tubes or send to someone else via ex. email or conversation.  Needs to originate in the tool.

------------------

GAME THEORY OF CENSORSHIP

"The mathematics of conflict.  Typically fails when you do the math wrong, and often people have bad models, so they say that it's bad people don't conform to models.

Player 1: Govt trying to control access to information
Player 2: Narod/People

Listed possible moves, Mada (sp?) model that tries to predict govt reaction to various moves, can also help with investment decisions, list what might not lead to crackdowns.
There is an academic who has two or three papers on this (name of academic will be on the public wrapup).

----------------------------

ANONYMOUS PUBLISHING

We talked about probs of publishing services, talked about how to get users to learn about what (Iranian address?) is.

TOR Anonymous Packet Execution Framework - Framework that makes hidden services more useable (GOOGLE THIS)

---------------------

BROKEN CERT AUTH PROBLEM

Listed a bunch of technologies that are trying to resolve existing problems. Rough consensus was that we will need several of these to tackle probs with existing models.  Each solution seemed to add some problems that were mitigated by others.

One main question was how to put user in control without overwhelming them (convergence.io has been a prob like this I (Peter) think).  Trouble with DANE is it concentrates power in the DNS hierarchy, which is where a lot of Internet abuse has occurred.  But Convergence and a bunch of other tools could help.  Another thing is you now need a persistent client, which can be HUGE problem if somebody seizes it.

In addition to Convergence there's a similar plugin built by somebody at UNLV

Programming, muthafucka!

ONE TIME PAD HACK SESSION (READ: Developer presents what he has and folks poke at it to look for problems)


google one time pad open source
(version 2.0 won't be backwards compatible with earlier)

Not trying to fix key management.

Somebody suggested encrypting twice, e.g. encrypt with AES and then do one-time-pad, then if somebody flips bits or does plaintext attack, you could catch it.
Could add headers not visible until after decryption.
Ex:
Content type(?)
Mime-type
Filename
Bzip headers
Original file name

(First bit of feedback is that it's pointless)

eh, might not be perfectly random.  Any time you can have expected plaintext results, it can help you with figuring out the key.

Why punt on the most difficult part, key mgmt?  Because some people have volunteered to handle this themselves.  But is the extra complexity worth it?  I for one think it's pointless.
Dayum, somebody did some tests and found that 1st 20 bytes of bzip are predictable.

Entropy is hard to come by, and can be easily drained.
If you bring in random data from /dev/rand, and you drain the entropy, and you know where in the stream they are, then what? (well, I need to read up on random data in Linux!)

Idea here is:
BASE64ENCODE( OTP( AES( BZIP( X ))))
                  ^
  And what is the key here?  Can be a problem if rand. num. generator is broken.
s/AES/"Something Dan Bernstein wrote"

AES there to make things look random even if you get through the pad
One thing that's really important here, is some update systems download a file with a hash attached, so you have to parse whatever you downloaded before you can verify integrity. DERP!!!

(btw, /dev/urand is garbage, guy in front and Applebaum disagree about whether it and /dev/rand are garbage or not.)
 ^---Prob is very little data generated from other devices on embedded sys., no mouse/keyboard.

Linux will often add something to the pool by hashing without crediting it.

This could be an argument for encrypt then MAC, Mosh uses this
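
An added example (not code from the hack session or the tool being discussed) of the points above about predictable bzip headers, bit flipping, and encrypt-then-MAC. It assumes a pad from os.urandom, a separate HMAC-SHA256 key, and constructed sample messages; the function names are hypothetical and the AES layer is left out to keep to the XOR and MAC steps.

```python
import bz2
import hashlib
import hmac
import os

# Known facts of the bzip2 format: every stream starts "BZh" + level digit,
# and the first block starts with the 6-byte magic 0x314159265359.
BZIP2_BLOCK_MAGIC = bytes.fromhex("314159265359")
TAG_LEN = hashlib.sha256().digest_size


def xor(data: bytes, pad: bytes) -> bytes:
    """One-time-pad step: XOR data with the same number of pad bytes."""
    if len(pad) < len(data):
        raise ValueError("pad is shorter than the message")
    return bytes(d ^ p for d, p in zip(data, pad))


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Number of leading bytes two byte strings share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def seal(plaintext: bytes, pad: bytes, mac_key: bytes) -> bytes:
    """OTP(BZIP(x)), then an HMAC over the ciphertext (encrypt-then-MAC)."""
    ciphertext = xor(bz2.compress(plaintext), pad)
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def open_sealed(blob: bytes, pad: bytes, mac_key: bytes) -> bytes:
    """Verify the tag first; decrypt and decompress only if it matches."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to contain a tag")
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC mismatch: ciphertext rejected before parsing")
    return bz2.decompress(xor(ciphertext, pad))


def demo() -> dict:
    # Constructed sample messages, not data from the session.
    msg_a = b"constructed sample message A\n" * 4
    msg_b = b"another constructed sample, different content\n" * 4
    comp_a, comp_b = bz2.compress(msg_a), bz2.compress(msg_b)

    # 1. How much of the compressed plaintext is the same for any input?
    known = common_prefix_len(comp_a, comp_b)

    pad = os.urandom(len(comp_a))   # assumption: the OS CSPRNG supplies the pad
    mac_key = os.urandom(32)        # assumption: MAC key independent of the pad
    blob = seal(msg_a, pad, mac_key)
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]

    # 2. Ciphertext XOR predictable plaintext yields the pad at those offsets,
    #    which is why pad bytes must never be reused.
    recovered = xor(ciphertext[:known], comp_a[:known])

    # 3. A bare XOR pad is malleable: changing ciphertext byte 3 in transit
    #    changes the level digit '9' to '1' and nothing in the pad notices.
    tampered = bytearray(ciphertext)
    tampered[3] ^= ord("9") ^ ord("1")
    raw_header = xor(bytes(tampered), pad)[:4]

    # 4. With encrypt-then-MAC the same change is refused before any
    #    decryption or bzip parsing happens.
    try:
        open_sealed(bytes(tampered) + tag, pad, mac_key)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "header": comp_a[:10],
        "known_prefix": known,
        "pad_bytes_recovered": recovered == pad[:known],
        "raw_otp_header_after_flip": raw_header,
        "etm_rejected_tamper": rejected,
        "etm_roundtrip_ok": open_sealed(blob, pad, mac_key) == msg_a,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The tag is checked over the ciphertext, so nothing that was downloaded gets decrypted or parsed until its integrity is confirmed.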

Seems almost disingenuous to offer this and punt on where to get random data.

Given that some people think they can or can't get random data, should we supply a tool for that, too?

OTHER PROBLEMS

Whole bunch of stupid quirks here

Another fundamental problem, in the header there's a pad ID, it's a checksum of the first ~512 bytes of the pad.  That's sitting out there in the open, which is ok if you can't reverse it.  There is a risk (didn't quite get this) that you can give away the AES key.

(we went over a possible bookkeeping nightmare, if something gets mixed up, how do we know which pad to use?  Can cycle through, but can be a usability prob without some shell scripts)

PROGRAMMING, MOTHERFUCKER!!!
(this is a good talk, but I do have code to write)

SUMMARY

Is a goal to have a very small amount of code that you can audit and say "oh it's just XORing"?  Ok, then maybe we don't need all these func. calls.
And boy has this gotten complex, so we're telling users not to roll their own crypto while we roll our own crypto.  BUT it's very easy to scrutinize the way this has been structured.

What's the point of compression?  If you boil everybody's data down to bzip, becomes not-so-random.

AND WE'RE DONE WITH THAT PANEL

--------------------------------------------------

WHAT GOOGLE CAN DO TO LOOK AT LEAST MEH

Promoting HTTPS (its slogan: "Hey, we're better than Telnet!")
Let's just stop supporting HTTP (still not a bad idea)

--------------------------------------------

AFTER LUNCH

Check out Torbirdy.  It's Tor for Thunderbird!

TELEX: ANTICENSORSHIP IN THE NETWORK INFRASTRUCTURE

Operates in the network infrastructure - place a proxy in the core, not on some end host.  We use an end-to-middle proxy with a "pretend connection" at some ISP.  Doesn't provide anonymity, but more circumvents detection
Works on a form of DPI, no secrets involved (+5 points for you on that).

Threat model:
assumes
1. Threat censor controls all network infrastructure INSIDE (sound familiar?)
2. Blocks according to a block list
3. Allows HTTPS connections to unblocked websites
This is awesome
|
A---|--------proxy connection at friendly ISP*---------------notblocked.com
| ^
| |
      BLOCKLIST  

*invisible tag placed, but only visible to A, who has a private key.  At ISP
shared secret gets shared between client and proxy
request for blocked.com gets shoved into the connection.
This looks like an innocuous connection to notblocked.com.  In order to block such a proxy, the censor would have to block all possible notblocked.coms.  But we could install this on, say, the Trans-Eurasian Fiberoptic cable, which was built in part by Soros Foundation.

TEST DEPLOYMENT

CURRENT STATUS
Scaling to ISP line speeds (up to 10 gbps)
Looking to deploy to small-scale ISP

SOCIAL MIRRORING
How do you connect mirrors and folks with censored content?
Mash it up with Reddit, and have community of hosters decide what gets hosted.
Can also do this by crawling file sharing sites.  There is a proof of concept out there.  See mirrorparty.org

My Tor Project/OpenITP Hackathon Live Blog Day 1: Lots of talking, no coding


At the end of Rightscon proper and for a day after, there was a hackathon sponsored by the Tor Project and the New America Foundation's Open Internet Tools Project (OpenITP).  As you can tell, I came expecting to hack some things out with the OONI folks, but it was really just a bunch of discussion groups.  Still the discussion groups covered some fascinating topics.  Once again, errors are mine, opinions are my own, yada yada yada
----------------------------------------
INCREASING THE COST OF CENSORSHIP

Telex: Add proxy in the core that can be used to make a connection to any site look like a plain HTTPS connection to websites that would be too costly to block (e.g. credit cards, Google)

Cost can be political as well as economic.  Since Google withdrew from China, now in Hong Kong, so Chinese GOOG traffic goes through there.  Chinese traffic still censored since it goes thru Chinese web, which can be damn annoying.  What GOOG did in the past couple days, is they add reminder where if you search for X, it'll alert you if you'll run into blocking.  The Chinese govt would rather folks didn't know about this, so GOOG is increasing popularity cost of this.

Internal alternatives (Muloqot/Weibo), financial sense depends on whether there's enough of a domestic market (although I can see, ex. the Uzbek govt picking up the loss)

One thing that does increase the cost is if it's more transparent.

What costs are there?
1. Econ. costs - bad for business
2. Soc. costs - I can't get to best sites thnx to filter
3. Pol. legitimacy from blocking things people think inappropriate to block

4. Retaliatory cost
Some Iranian group got in trouble for airing an interview with someone who had been tortured, and there has been some discussion of retaliatory measures (cutting of banking things).

5. Forcing regimes to brute force and individually identify things like ex. bridge nodes and have trouble with dissecting protocols
Ex. DPI plus cryptanalysis

[HAD TO GO WORK ON SOMETHING ELSE]
At this point, about all we can hope for is to make it [censorship] more expensive.
Maybe $$$ isn't so much the issue, maybe it's more about efficacy
[ANOTHER BLOCK]

Back on increasing cost, a simple way might be just deploying more proxies on popular websites.  If you have a ton of IP addresses, just run lots of proxies.  Then there's OnionSpace mirroring.

Is there enough naming and shaming of companies that enable these actions?  Many of us think there is nowhere near enough.

In Iran, there was a bandwidth throttling event and there's always one such event when there's a big event, and some guys told us it wasn't normal bandwidth throttling event, but they're adding lots of "Halal Internet" infrastructure.  ZTE was around the same time importing much of this equipment, or it looked like it.

WHERE WE GO WITH THIS

I missed all of this, and this is where I gave up on trying to code during a "hackathon", or find my baggage (!!)

--------------------------------------------

NEXT SESSION:

OONI-PROBE SESSION

It's basically a system for detecting what is being blocked in which countries and how it's happening.  It gives you the system around which you can build your own tests and deploy them in various countries
[AND IT WAS DELAYED UNTIL TOMORROW]

CRYPTO IN JAVASCRIPT

There's a browser standard being worked on at W3C that creates a standard API for Javascript crypto that can all work in the browser (hashes, AES encryption, etc.).  The uses for this are so broad that, for example, Netflix is on the committee and they want this for DRM.
In fact, PEOPLE LIKE GOOGLE could use this in their CHAT PROGRAMS

How far along is the W3C work? Pretty far along.

What are problems of Javascript crypto?  Why don't you trust it?

Well, no private data/functions, someone else can perhaps change data in the function.

One thing Cryptocat does is
I. Wait for W3C to finish (tho functions still need to be called, and who calls them can be problem).
II. Simply use browser apps.  They run inside the browser, and works much better on Chrome than on Firefox.
If you solve the problem this way, can develop whatever you want for the browser, and it becomes part of the browser saving you loading from server each time.

THREAT MODEL

NSA gets somebody to serve slightly different Javascript to a specific user, which has a backdoor that can be used to spy on somebody
aaaaaaand I'm exhausted
Type without rhythm, and you won't attract the worm.

POSSIBILITIES IN JAVASCRIPT CRYPTO

really getting tired here, but now we switch over to...

SURVEILLANCE/CENSORSHIP IN AMERICA
[They did ask for a Russia expert, but I was too wiped out.  And then, have I just not focused enough on it?]

First we brainstorm about threats we see in the U.S.

1. Double-standard about whether subpoena or not required for law enforcement to install malware.

2. NSA wiretapping.  Classified FISA memo goes legal justification for it, and it's classified interpretation of secret law.

3. CISPA, which would legalize this framework in transparent way, but still doesn't declassify FISA court memo (???)
Also interesting how they tried to co-opt Silicon Valley by offering immunity from prosecution by going along.

4. Internet surveillance of companies.

5. Difference between DMCA/DHS takedown
DHS: They take your domain, could use DMCA as method, or they just send a national security letter.
DMCA has some transparency to it, however.

6. Citizen/consumer complacency

7. ISP port blocking/exclusivity agreements - "Net Neutrality"
If you had only two or three options for connectivity, you can regulate, but more competition incentivizes against exclusivity/blocking.

SOLUTIONS?

2nd amendment, because THAT makes sense in a nuclear state.

(why daf*q didn't I go to the Iran panel?  This could be much more useful for what I'm trying to do)

and the consensus was that we're screwed

8. Apple-Disney-Fox/Pravda --- or the fact that there are only so many media companies out there now.

9. Where we get our $$$ from, possible link to #8

Agh, both my laptop and I are running a low battery.  I'm going to turn this off and try to get my baggage.

Thursday, May 31, 2012

My Rightscon Rio Live Blog Day 1: Conclusion


[Disclaimer: The views and errors here are my own and do not represent anyone else, for one thing, they're likely 20% snarkier.]

Access Innovation Prize announced, focusing on gaps in human rights space

1: Blackout resilience - $25K for best blackout resilience tech.
2: Crypto - Proper integration into existing sys., encrypt. edu., or building community for use by default
3: Bounty for best patch of known/unknown platform used by activists
4: Golden jellybean - Other really cool things.  Great training program/research idea/censorship circumvention = $20K
5: Access Facebook award - Best idea to promote human rights/development on Facebook

App. process starts now and goes until August 15th.  Looking for things that are impactful, idea that has real impact for real life people and will likely turn into something real.  Also cool stuff that's new, but grounded and is measurable/sustainable.

Putting together judging panel, includes McLaughlin, for Facebook award, rep. from Facebook will come up.
*biting my tongue here on how sincere about privacy*  Brett says can also apply ideas to change Facebook platform (stop real name policies much??!!)
This is not government money (thank God/the Interwebz/Science)

And now, some info on party after conference (addresses were given, we had some lime cocktails that were the best booze I've ever had.  Yes, I'm slightly drunk while editing these notes. Don't do that, boys and girls.  Drink school, stay in drugs, and don't do milk.)

Some background on FGV, pretty much Brazil's Berkman Center/Gipi

Thoughts on regulation of Internet in Brazil.  Today no laws that regulate it today.  So people think "OK, no rules, we're free!", well instead it means many problems due to fact that there is no legislation.  One problem is proliferation of lawsuits.  One judge starts taking one decision, and other judges take other side, there's no precedent yet, Supreme Court puts out contradictory rulings.  Youtube was taken off air for a few days due to lawsuit.  Caused by "intimate conversation" involving Brazilian celebrity in Spain, vid was totally removed, Youtube was taken off air for a few days.
Lawsuits against bloggers also common, blogger got comment posted and was sued for it, no clear standard.

Data requests and content removal also a problem.  Google transparency report, Brazil is world leader in data requests coming from government bodies, above U.S.  China we don't know since they didn't provide the data.

Some years ago there was a child protection commission built to hinder and punish pedophilia.

Cybercrime commission: "azeredo law" vaguely worded law that would criminalize jailbreaking phones (4 years in jail!).  You don't wanna spend 4 years in a Brazilian jail.  After 1st vote in Senate, huge backlash which led to broader discussion.  There was a petition with tons of signatures, and before this there was talk of an Internet Bill of Rights.
Origin here is idea of protecting rights instead of direction of criminalizing.  So civil framework is collaborative law, made in very transparent way through the Internet ("consent of the networked" and all that jazz), so here Minister of Justice was present for deliberations on this.
Key provisions were
1. Privacy
2. Limits to data retention
3. Rights of Access
4. Intermediaries' liability
5. spam
6. spam
7. spam (not a fast typer)

Lots of comments were processed, took almost a year.  This all went like Icelandic constitution.

Had some repercussions in Eur. Parliament, France, Germany, model is being used in other legislative initiatives (damn, can you even imagine Amer. politics working like this?)

Congress will vote on the "Marco Civil" (Internet Bill of Rights) hopefully in the next few weeks.

Next speaker: Sorry, I have something else on my mind.

We also don't want to be researched without our knowing about it, this is in executive protection, but we want to detail it more.   Second point is about net neutrality, we want to learn from other countries' experiences and detail what neutrality is all about, we need a regulation that doesn't unconsciously impact that neutrality...out of power.  I've been running on adrenaline and caffeine all day(s).  All I can do now is listen.

Still bugging me is McLaughlin's reasoning, I'm a little uncertain about exact terms:

Internet is democratizing and decentralizing access to information
Information is power
----------------------------------------------------------------
Internet is democratizing and decentralizing access to power

(In the unlikely event you're reading this, Mr. McLaughlin, feel free to critique)

Simple, Discrete Math inductive logic.  I forget the name of the inference used.  Will come back to this later.  We're done, now cocktail party.

My Rightscon Rio Live blog Day 1: Privacy and Data Protection Online: How Companies, Governments, and Users Can Promote Online Privacy

[Disclaimer: This is meant to be completely separate from Access' Live Blog.  This is all my notes and my perspective of what was said, with at least 20% more snark.]

Privacy and Data Protection Panel

[Gap in English translation]  The major issue to deal with here is building of new methods and regulations and technical solutions to protect and enforce protection provisions on the Web.

Start with Prof. Nelson and theoretical discussion of privacy, how it has changed recently, and later broader issue of online privacy.

The major issue is relevance.  I think that historically we had two reasons for data protection: (1) human rights, [brain fart], (2) circulation of data, econ integration, since the 70s we have seen laws originally from Germany....7 countries with privacy laws that follow European model, and
strategies to foster data protection.

Education is of course important, how to use laptops, etc.

Companies need to know that this is an important asset (the translation overlaid on the Portuguese is distracting here)

[btw, many Skype server nodes are run by MSFT, learned over lunch]

Morozov, why couldn't you make it here?

Sarah Altschuler: First, I work through a corp. social responsibility law practice.  When we talk to companies about policy, we put it in a human rights practice.  For many companies, this stuff is about compliance, not human rights.  Ex. trying to push UN human rights criteria for online privacy
We work on how comps protect privacy as a human rights concern.  If the company has developed certain principles around protection of user data, then they are understood all up and down the chain of command, board to code monkeys.

We also talk about biz practices on what data you need to collect and how long, and where is it stored.  We frequently talk about location of data stores and do due diligence on countries where that data stored (Goog and Kazakhstan much?), and when it's ok to say we can't put a data center in country X.

Comm. for users, edu. component is key.  How are users engaged with platform, understand terms of service/their obligations/options.

How we make sure that requests for data are compliant with local law, and how/where they can push back.
Here there can be a large role for public sector, so U.S. can say back up dialogue with repressive regimes.  Still not dealing with repression from "the East" (Russia/Ukraine)

Q: We've been seeing some companies getting and abusing data, can you comment on some strategies that have tried to tackle that?

This is one of those where it's incredibly important for dialogue across the company about policy on user data protection, because they're trying to monetize it (predictive analytics).  But can be a problem of "What's our 3/5 year plan?" and other parts "how can we minimize disclosure and sharing?"  Can't be in separate compartments.  Some of this is what users are willing to tolerate, some of it is regulation (there was an allusion to "do not track" we'll get to later)

Bruno Magrani: Mario, We've been seeing a number of strategies adopted by companies about downloads and self-regulation.  There's some criticisms (not enough!), but what I'd like you to comment on is what are the self-regulation strategies out there now.  Are they efficient or not? 

Mario: I represent the insurance industry, which is very used to dealing with information, which is very vital to it and how it does business.  There's a number of databases involved, re: vehicles, customs, delicate information.  So the insurance sector has been dealing with data forever, and of course the volume of data has exploded of late.  So this sector--we have to view the consumer all the time, and s/he isn't passive anymore, they want information, they want to participate.  When you deal with insurance [not liking this translator, or maybe it's just me], so we decided to try to take a step ahead and get ahead of the legislation.  We're all in favor of it...now the insurance sector can't just wait for legislation, we have to deal with a situation that already exists, so we have some kind of regulatory framework (something like PCI-DSS? yes, exactly like PCI-DSS), and if you don't comply, you can be subjected to various sanctions (loss of business, bad press, etc.)
In Brazil, the insurance biz. wants to be a pioneer in self-regulation practices, even ahead of the government. 

Back to Magrani: In the distinction between regulation and self-regulation, can you say some more on this topic in terms of FTC trying light "we don't want to break it" approach, or whether this has been effective in protecting user's privacy online and [something about business models]

Altschuler:  It's hard to tell if this User's Bill of Rights thing has been effective.  I'm a Washington lawyer, I don't expect Capitol Hill to make sense, and we're dealing with an institution that doesn't understand these issues all that well.  Also a problem, since the biz. community would rather self-regulate than deal with "series of tubes" people.  We work a lot with GNI, where you commit to principles, but it isn't one size fits all.  Do you have practices/processes out for ind. review and assessment, and are you engaging with civil society groups on this?  I see that as part of the effort to get companies on board with self-regulation.  We have another practice in our firm on sec. and data privacy specifically.  We're working very much on compliance and data breach policy, and there you have a lot of significant fines for data breaches.  I'm not one to think that tech. isn't the full answer, but we really don't have a lot of legislators who understand this, and so I very much prefer self-regulation.

Magrani: More technical approach to data protection?

JAKE APPLEBAUM!!!:  First I think everyone has right to speak freely and to read.  So we have to talk about privilege a little bit, so to talk about privacy, we have to talk about how companies are incentivized to do what we want.  In some cases, insurance industry is surveillance industry, they surveil an area to determine rates.   Facebook can be recontextualized as Stasibook, given opportunities for snitching and spying.  In the case of Skype, my understanding is that when MSFT acquired Skype, they agreed to add lawful intercept (read: spy) capabilities.  But when your tech. is reduced to whether or not you have due process, you have failed (WIN!).  So there have been several cases where Skype has been weakened (ex. CALEA), so for Skype to comply with these laws, they leave everyone in a vulnerable state, and instead of making these kinds of compromises, companies like Skype should be pushing for end-to-end secure communication.  We should have something like Diaspora, and maybe that will work, but the $$$ really comes from surveillance, and it's very hard that way to get Facebook to throw away its pool of money.  We need to recontextualize this like safe sex, we have a responsibility to ourselves and others for secure communications, and when we don't use it, there is a transitive danger to others.

Look these up, he recommends them, therefore they're cool
ZRTP
OSTel - can install on your phone tomorrow
TechSecure from Moxie Marlinspike (a little Googling and looking at Marlinspike's site (which is worth a visit regardless) didn't show anything.  Post a comment if you know what he was referring to)
RedPhone
CryptoPhone
Gipsi (sp? Again, not sure what he was referring to)

J.A: Companies can still make money on this, and with tech. like this
First, we have to admit there's a problem, first the police and later the state.
For the FBI to intercept my phone calls, her phone has to be insecure, and then someone can track her and all her calls
For that to happen, we all have to have the same problem.  We can stop this, at the cost of not listening to my phone calls
This can't happen without large econ. incentives to change the way we look at this stuff.  OSTel has built a full telecom system with full secure encryption.  We all need to make a decision that all being secure, including the bad guys beats all insecure with some bad guys caught.

Magrani: How can we convince governments/ incentivize them to demand more security protections?

Other guy: We are in a society with different players.  How many of you have decided to accept ??????  another thing, that issue of self-regulation...[sorry, the double speech (Portuguese and English translation) is a huge problem here.] Claims there are no borders on Internet and now very self-

[Network made my computer barf for a sec, not much lost in interim]

Not sure if I'm not paying close enough attention, or he's not actually saying anything.  Happens all the time with lawyers.
From what I am getting, he's talking completely past what Applebaum said
yup, if you want all of this, see the legit liveblog.  So, who's here?  Yeah, I got nuthin'.

How long has this guy been talking?  30 minutes?  Made mention of national sec. exceptions

after notes on paper from Applebaum: 1st, we should question idea that state has power to suspend rights.  Ex. in Greece '06 & Vodafone PM & several pols were tapped, guy behind it found suicided.  Creates real risk of abuse that previously belonged to the military. Internet challenges the national security state.  If Google can be compromised by the Chinese, no one can do better.  To me it's very scary to hear people talk about state as if it's perfect.  How many cops who have committed police brutality on Internet?  Lots more than child pornographers.  If we want to give privacy, we have to give to the bad guys as well.

Response: ...yeah..

Questions: From developer, question for Applebaum, I understand need to keep Tor intact, but where does the line need to be drawn for privacy?  Should we go further and say cops can't follow people in the street?  CCTV?  Cameras?
Applebaum: I'll see your trolling and raise you.  It's important to point out we're talking about expansion of police powers.  History with FBI has not been exclusively that they will be used as sold.  Does cop have right to follow you?  Maybe.  Should you have right to impersonate a cop and follow? Maybe on halloween.
From analog sense, it's like every road should have cameras and mics, and only some people have access to that equip.  This is not a world I want to live in.  I don't want a world where cops can do covert surveillance.  We should not allow the Internet to go in ways that society should not have gone but has gone anyways.  Not building backdoors is a matter of accountability.  Prob. here is sec. agencies get a free pass.  We don't know from facts that they're being honest.  With technology, we can equalize much of this (this is a big leap from the way I've thought, but I kinda like it).

What is a best practice for an insurance company that does surveillance?  It's not clear that beyond regulations, corporations have any incentive to make a decision to keep data private

A. Altschuler: I do see a role for regulation.  Large fines for data breaches have incentivized beefing up on data security.  I think in some of the more iterative conversations.  I think there's a lot of a role for multi-stakeholder approach (take a shot, we've expanded the drinking game now beyond mentions of the Arab Spring)

Question: From judge from state of Rio de Janeiro, concern in terms of privacy.  Is there any means to virtualize a page with false data in false social network, e.g. web page with false data?

[Here the double-speak plus probably my own exhaustion took over.]
END

My Rightscon Rio Live Blog, Day 1

[Disclaimer: This is meant to be completely separate from Access' Live Blog.  This is all my notes and my perspective of what was said, with at least 20% more snark.]



Here's my notes from the first conference panel I attended at Rightscon, "Open Empowerment - How Digital Natives are Changing the World and What it Means for Democracy, Human Rights, Criminality, and Security ".  It's a little scattershot, but there's some fun stuff in here.

Creating rule of law in cyberspace

Open empowerment

[tak dali = Russian for etc.]

World Bank study of countries since the 50s,
level of econ. development, everything below blue line can be based
on "human factors", rest is "leveraging" information, sci. progress, claim is
individual empowerment good for business (yeah, we'll need the slides).

For those from rights community, ICT really broke info. monopoly (soviet
graphic up there)
again comparison to Gutenberg

and now space is being contested (yes, a certain kind of dictatorship
died in 1991). 

Open global commons vs. corporatized/state-dominated space is key battlefield here.

first item: technological change, "has outpaced ability of regulators to act proactively", uhm, no, Misra anecdote.
well, example of cloud computing...ehhhhh....
raises significant issues of rights, ex. in Canada, 30% of Google's cloud hosted there, whose jurisdiction (recall Kazakh example a year back).

90% of Canadian email cleaned by company in Portland, Ore., now grey area question, still being tackled by int'l law.

MOBILE TECHNOLOGIES
Eh, Tajikistan is "the global north", #itsforlatinamerica

THE INTERNET OF THINGS (IPv6 + NATs)

Cloud computing + mobile + internet of things = Inet is now completely generative limited by only "intellect" and "capital" (as if there's no relation there)

Demographics of Cyberspace

U.S. 15% of Inet population, center of gravity being pushed to South and East, out of Silicon Valley.

3 in 5 poor users in failed states, median age of 18, significant youth cultures, so demands to practice what you preach + upward mobility
Think Malenkaya Vera (a very important late Soviet film that captured the full extent to which the USSR had failed to meet its promise of a classless society) and tak dali, Nazarbayev knows.

Globalized cybercrime

Ah, those old KGB thugs.  Much less risky to steal somebody's credit card number in New York than to fight over Rubles in Petropavlovsk.
Forming new underclass of cyberspace that will force us to face certain basic social issues.

Take a shot each time someone mentions the Arab Spring #rightscondrinkinggame
New form of protest possibly forming with the Internet.  Picket lines were illegal until the 20s in the U.S. Should DDoS be a 21st century picket
line?  EEEEEEEEHHHHHHHHHHHHHHHHH..........

BORDERS IN CYBERSPACE

[Many things we know from CIS research/Morozov]

RELATION TO LATIN AMERICA

Open empowerment, two extremes (one photo, iphones, one photo a gun)

empowerment has taken Econ. rather than political forms.  Damn I should have tried the mobile conference.

Latin America one of the faster growing ICT markets.  60% users located in Brazil and Mexico.  4% through mobile phones (!!!), not like CIS AT ALL
2/3rds under 35, 1/3rd under 24.  Only just now beginning to worry about adult things (family, etc.).  Reasons for engaging in cyberspace only
now starting to reach forefront.  Latin American also most overrepresented in social media.  84% of Internet users use Facebook, which has overtaken
Orkut (maybe explains those fake friend requests I kept getting), almost certainly identity theft.  In Costa Rica, phishing sites have jumped 14,000%

Arms/narcotrafficking has taken advantage, too. 

QUESTIONS
Is there some uniformity in how "digital natives" are pursuing their econ./soc. agendas?
What gov. reaction will occur?  Securitization (large and disproportional) of cyberspace?
Role of civil society?
What tools should we in civil society groups build?

PANEL:
Rafal Rohozinski : CEO, SecDev Group
Robert Muggah : Fellow, Instituto de Relações Internacionais, Pontifícia Universidade Católica do Rio de Janeiro
Misha Glenny : Writer & Professor, Columbia University
Camino Kavanagh : Senior Programme Coordinator & Fellow, NYU Centre on International Cooperation

Case of Mexico
Gangs that have taken to the Internet/gang culture, comment please?
Drug traffickers have dominated social media until recently, they're the ones who for the last 8-10 years have been able to almost
systematically control entire communities (sound familiar?).  They have millions of dollars invested in human intel, for buying off govt's. 
This could be helpful for tackling heroin trade in C. Asia.
20 years ago, an AS/400 was intercepted, imagine what they have now

Where do they get their cyber-capabilities?
Anywhere from 10-20K people disappeared in Mexico thnx to cartels.  Many of these people (cartel folks) came from high-tech backgrounds. 
Also in control of toll roads, so by the time you arrive they know who you are. 

Have they tried to buy into ISPs?  Ex of Anonymous vs. Mexican cartels seems to be tie-in
There does seem to be one, it seems like they could buy in to get info on two bloggers who were disappeared, and possibly through 4 generals
who were arrested for their connections.  It's still a developing story.


#YoSoy132 demonstrations, 1st time folks using tech. (and offline too) against the cartels, comments?
When you live in this kind of destruction and see this movement of students essentially reclaiming lost territory, it's an exciting thing.
Popular image going around on Twitter is a pic of a dove pooping on Televisa (Mexican media network).

[Where's the key special sauce here that could be applied to C. Asia?  I can't help but think it's in the political culture.]

We're talking about several Latin Americas here, let's talk about Argentina.  Could you talk a little about key challenges of cyber security rights
vs. legit gov. functions?

[Gap due to switch to Spanish/Portuguese headphones]

That has precisely to do with use of agents for criminal, like child porn for instance and other things which are considered pending, for example in Eur. Council.

These are offenses that are transnational, so we need int'l support, and possible chance for int'l agreements for extradition.  We're working
very intensely with regulation of service networks.  And I do believe that there is lack of development of Argentina's legislation, not only lack of
knowledge from operators but also lawyers, and mea culpa, we (judges, lawyers, etc.) all have to be more informed #fortheolds.  Also necessary to
emphasize lack of IT experts,

Budapest Convention as potential model, very Eurocentric in some ways.  Defends interests more for developed north.  Is there Latin American sawse here?

In the questions we ask, BRIC countries are not going to add to these conventions, since they weren't invited, so they have the option to not adhere
(well, Russia would skip in the first place, but anyway...).  So it will be very difficult to fight cybercrime, there have been some advances within
the UN (hahahaha), and that could be excellent, but we have to take long-term view, not easy to do due to red tape.

Gustavo/Roberto - Open Empowerment (ok, I forgot the question)
There's a paper on Open Empowerment on the SecDev website.  Int'l level, no Latin American country has signed on to Budapest Convention.
Some Eurocentric perspective and less relevance to local realities, no country has signed on since 2004 (!!!).  Limited Latin American role, which
will hopefully change with more awareness.  OAS Comprehensive Inter-American Strategy for Cybersecurity Threats (for terrorism, telecom, collaboration)
has helped out tho (U.S. dominated?  They have their place, I guess).  At least 4 kinds of responses adopted:

1. Aligning and codifying legal frameworks for cybersecurity/cybercrime.  Legis. action, including Brazil revisions to penal code.

2. Specialized police units for cybercrime (phishing, ident. theft, etc.) not much for cartels and narcotrafficking

3. Computer search teams usually outside of government

4. Exec. branch entities, for managing internal infrastructure within governments.

Some observatories on cyberbullying too, issue of militaries involved too, not much militarization of cyberspace yet.  Only Brazil has Cyber
Defense Command est. 2010.  Not as much as America/Eastern Europe/China. 

Only official filtering policy in Cuba (well, we know about isolated decisions in Venezuela, elsewhere via court order).

what about Central America?  Largely recovering from conflicts and drug trade, lots of security aid.  What do you think about securing that region?

Good question, really understudied.  Point is levels of penetration, great heterogeneity.  Brazil/Argentina well above global average.  Honduras/El Salvador/Caribbean < 20%
Important to recognize variation.  On those challenges, speaker has been working on tracking changes across the region. 

Murder rates very, very high in Central America/Latin America/Caribbean - El Salvador/Caribbean/Brazil (!!!) etc.
Threat often from gangs, nobody really knows how many.  What we've seen is "heavy handed" responses for at-risk youths, heavy deployment of police.
Started in 2003 and has spread.  U.S. assistance has come in to help with this, billions of $ poured in for sec. initiatives (alphabet soup of initiatives)
So we have a climate of securitization in parts of Central America.  What is clear is that there is a significant lack of capacity to deal with this
threat.  So we're at a real transition moment of low capacity and high potential. 

So paradox now is movement of empowerment for pol. purposes started here with original Rio conference (Earth Summit?), first solidarity networks came from here, now being taken over by criminal groups and attempts to contain neg. aspects of mobilization online.  So Turkmenistan/Uzbek. might find allies in Latin America who do this for economic reasons.

QUESTIONS

Isn't answer to gangs on Internet to deal with gang crime rather than using the tech. against them?
John Dillinger once said he robbed banks because that's where the money is.  Criminality in the culture, won't disappear.  Since transnational,
tech. comes in and countries will respond.  That doesn't mean we go into root causes [brain fart, missed end]

Gangs in previous forms to transnationals today often used as pretext for strong heavy handed response (aka the boogeyman.  Uzbekistan has the IMU,
Latin America has gangs). 

There's a big difference between gangs and cartels.  A cartel is much more sophisticated, very much state capture, a la Bakiyev and drug agency abolition.

GO GO GADGET PORT. TRANSLATOR

Guy here looks like Zuckerberg with glasses.  Maybe he's here in disguise

(for all the Internet boosterist-sounding comments, damn I'm glad I came).  Also, I have no idea what the question was, no translation.  Maybe it was a comment.

When you say that pols are more and more under influence of cartels, and you say we should try to fight more with tech. means, aren't we actually giving more power to cartels if they control the gov't?

(ME: AYUH).  In some ways this is the paradox of state capture, there's no simple answer to that.  Where does regulation/empowerment come from?  Tech. or laws?  In many ways from both, cyberspace is synthetic domain built by engineers and can be influenced by laws.  So responsibility of engineers to understand the pol. consequences of their design decisions.  There's no true and right path, just several tricky and haphazard experiments.

[I missed the question, it's just before lunch.] - But it was LLOOOONNNGGGGGG

Guiana, we've seen cartels buying into cartels for money laundering and other criminal activities.

Conventional sec. reform approaches are often state-bound, but with cyberspace it gets interconnected with military and intelligence concerns.  A lot to do with information sharing and tak dali.

Issue of stigmatization and youth important here.  Many youth groups clustered together as gangs, need to make sure that sec. response doesn't expand beyond gangs proper.

We've seen communities if not in full control by cartels then severely intimidated (hanging bodies have that effect).  That's why YoSoy132 is so important, also old and young people, and expanding all throughout Mexico.

END

Saturday, January 7, 2012

The Pete B. Awesome Show, Great Job! Starring Evgeny Morozov, Epic Sax Guy, and Scumbag Zuckerberg

"Когда переехал не помню,
Наверное был я бухой,
Мой адрес не дом и не улица,
Мой адрес сегодня такой."
-WWW by Leningrad

Words cannot express the sheer amount of epic contained in this picture:



I remember, way back in the summer of 2009, I had just finished my first degree at UMaine, and I was trying to find some theoretical framework or just an overall guidepost into the hazy crazy world of the Eurasian Internet. A little bit of digging around UMass' Computer Science and Political Science department web pages pointed me to Jane Fountain and her book Building the Virtual State: Information Technology and Institutional Change. In fact, it led me to a whole special issue of the Social Science Computer Review devoted to articles discussing said book. I remember seeing one critical view, Donald Norris' "Building the virtual state...or not? A Critical Appraisal", and thinking I'd read it and get started on the book before I came to UMass. I read through all of Norris' article (yes, I have to admit I still haven't read Fountain's book) and I got to this passage at the end:

"In addressing the Internet and the World Wide Web and their relationships to governmental organizations, Professor Fountain (2001) made a number of claims about their potential effects that are contrary to the relatively settled findings of the field. In particular, she argued that 'the reorganization of government as a consequence of the Internet signals an institutional transformation of the American state' (p. 10)...The predominant view from the social sciences, based on empirical research over a number of years, is just the opposite. Although IT may have the potential to be transformative, the history of IT and government shows that it has not been transformative. As Kraemer (1991) observed: 'Rather, information technology has tended to reinforce existing organizational arrangements and power distribution in organizations. Moreover, information technology will have the same effects in the future because of fundamental relationships between technology's use, control of technology, and interests served by the technology.' (p. 167)" (Norris p. 421-422)

Maybe American/first world politics is a different space where Fountain's claims hold or Norris was misrepresenting what she was saying, but when I read that (and not noting a key distinction I'll spell out at the end of this post), everything I had been reading about the Caucasus and Central Asia for the past year stood up and sided with Norris' take on the role of IT in government. Having finished Norris' article, I took a break, looked over the CNN website, and found Evgeny Morozov's TED Talk. I was blown away; he had, in the space of 10 minutes, spelled out everything I had been thinking for the past 4 hours in much more detail. So a few months ago I saw that he and Jonathan Zittrain, whose The Future of the Internet--And How to Stop It I've waded a few dozen pages into were speaking at the Mass Humanities 8th Annual Symposium "Cyberspace and Civic Space: The Impact of the Internet on Our Democracy", I rented a car for that weekend and drove out to Boston with a friend.  Now in past posts I've used American names for people in Central Asia when I'd rather not use their real names, so let's use Central Asian names here in America and call my friend Murat.  Before we left, I figured that a conference like this would dearly need more of an international flavor, so I brought my Kyrgyz kalpak, a going-away present from my host family back in Bishkek, and I offered to loan Murat the Uzbek tyubiteika I bought at a museum in Khiva, which we both wore more or less throughout the conference.

After a mix-up with our Australian-accented GPS fairy, we finally made it to Robsham Theater at BC just as the first session, the one on the political impact of the Internet, was wrapping up.  Thus I only have notes from the second session in its social impact and the third session on its cultural impact.  Everything I have to say about the first panel (which, unfortunately, was the one with Morozov) comes from having only watched the video and not having been there in person.  Rather than summarize the discussion, I'm going to walk through my reaction to what was said at each session, so go ahead and follow along as you read.

After everyone is introduced, Mike Klein starts talking about the Sunlight Foundation, and I don't have much to say about his spiel except that I think it ties back to the quote I wrote above from Norris.  As Klein notes, a lot of this transparency work used to be done by investigative reporters, but now we have these shiny new applications that publicize the same information...and it is handled by the same old actors in American politics, and this point is a great transition to somebody like Morozov, who tells us that he's been writing for the past few years about how authoritarian governments have adapted to the challenges posed by these new technologies.  I also don't have much to say about his opening statement, largely because I had already read and grokked The Net Delusion about eight months before this symposium, but I want to take what he said about how it might not be possible to use various web sites without providing information like your real name a step further.  We already know that the Uzbek government rolled out their own social networking site a few months ago.  If we even forget that and look at a more successful site like Vkontakte or Odnoklassniki, can you imagine localized alternatives to Spotify or Pandora or Amazon emerging in these countries and being used to gather data on the opposition and make predictions about potential future members of the opposition?  I can't see any reason why this wouldn't happen if it hasn't happened already, but feel free to disagree with me in the comments.  He then goes on to talking about how we need to think about what an Internet that meets the needs of citizens as well as consumers would look like.  He seems to have dropped hints about this kind of thing in various speeches and talks on Youtube, stating that it will be the subject of his second book.  All I can say is I hope I'm not in Bishkek when it's published.

Eli Pariser more or less sets the stage for Charles Steelfisher's remarks and boy do I have a rant about what he said, well, a few disagreements, well, a few quibbles.  First, while the voter file doesn't say who you voted for, it can be reasonably assumed that if you have somebody who shows up to vote in primary, then they did vote for a candidate whether or not said candidate had an opponent.  Yes, there is the phenomenon of "ballot fatigue" where voters sometimes vote in only a few races and leave the rest of the ballot blank, but you can estimate it by comparing vote totals.  Second, access to the voter file varies according to state laws.  In Maine, you can pay a fee to get a copy of the voter file, and the definition of the kind of organization you have to be affiliated with is so broad that you don't have to be affiliated with either of the 2 major parties to get it.  The third quibble I have is with Steelfisher's comment that the use of "Big Data" for electioneering purposes means that you spend very little time actually talking to voters, or only to the specific voters you're trying to influence most.  To this I respond:



Now I come from a very low-level background when it comes to electioneering.  The largest campaign I've ever had a major role in was for a Maine State Senate seat with about 30,000 people.  Maybe it's different in the Big Leagues, but in the Peter Bourgelais School of Political Organization, you use "Big Data" to prioritize the same ol' analog voter outreach tactics (canvassing, friendbanking, house parties, etc.) that have been used for decades, and you can get a spillover that doesn't occur online.  Anyone who has canvassed a typical suburban or rural neighborhood for any appreciable amount of time knows that knocking on one person's door, even if they're home, does not always mean that you only talk with that one person.  You can reach that person, their spouse, their kids (who might be of voting age or have teachers/friends of voting age, and teachers can be extremely useful for political organizing), and even the folks next door and across the street!  On that note, I have said way too much about American politics on a blog that's supposed to be about the Eurasian Internet and the politics it lives on.  It's only just now, having seen the video for this panel, that I realize the symposium was focused on the Internet IN AMURRICA.  I still have some more things to say that, I think, are applicable outside the U.S., but none of them come from the remainder of this panel, so let's go to an intermission.


During the break, Murat and I met up with Kasym, another old friend from UMass.  We shot the breeze for a little while until the second panel got started, and first Lois Brown, then Cullen Murphy, and then Kate Crawford started to put me to sleep.  That's a little harsh.  I'm sure they all know their stuff, but by then I was starting to figure out that most of the panelists were crafting their message to a very general audience, and not <nose position="raised"><accent type="British" class="Upper">those of us in the Techno-Intelligentsia</accent></nose>.  Then Virginia Heffernan woke me up.

I want to respond to her statements by describing my formative experiences with the Internet, how it influences the problems I grapple with today, and how that affected my reaction to Kasym's question at the end of the panel.  My first experience with the Web, although I'm not sure if it was outside of a proprietary network, was from roughly 1990-3.  My mother had a Compuserve subscription with some Internet access for medical research on an IBM AT clone running MS-DOS 3.0, and every month I'd get an hour of play time on some simple text-based dungeon crawler games.  There was a sense that the Internet was something you logged on to, spent a very limited amount of time on, and then disconnected from to retreat back to the world of hard drives and floppy disks.  Then, from 1993-8, we got Windows 3.1 and Internet Explorer, and I began to get a sense of an outside Internet that had Web pages that took forever to load on a 28.8k modem, chat rooms and the trolls that inhabited them (yes, it was a simpler time and nobody thought of sexual predators), and, yes, at a young age, I mostly used it for games.  Then, from 1999-2005, several things happened.  We got broadband, with my new interest in programming I started spending some of my new found Internet time on sites like Qbasic.com and RPGDX, and one manifestation of the usual teenage clique nonsense was that all the kids I knew were on sites like IMDB as I was geeking out.  Then, in the summer of 2005, just before my first year of college, somebody pointed me to Facebook, and it was only until much later that I really appreciated what had been diminished by that last transition into social media.  
On the one hand, if I had been in junior high/high school in the mid-late 2000's, I might have felt like a little less of an outcast than the other kids, because instead of spending all of our time on separate sites that dealt with different subject matter and never interacted, we would have swapped bad Youtube clips and bad song lyrics like the youngsters do these days on their Twitter-pods.  On the other hand, I think I learned a lot from my old programming haunts, and if you'll forgive the use of an old 90's cliché, it was a lot easier back then to take an exit on the Information Superhighway and get on to a back road.  Thus the way I've often thought about these problems of Internet censorship, surveillance, and propaganda have been in terms of creating "a space" where opposition activists can securely communicate and organize in the face of a Big Brother adversary that is interested in monitoring, stopping, and/or co-opting their activities.  I can certainly understand what she means by "losing my fighting spirit", but I'm not as bothered by it.  I don't care if Pandora selects the right song in my playlist, but I do care about how the SNB could make use of sites like Muloqot.  I don't think that these spaces are "magical" in any way (and this, perhaps, is in part influenced by the fact that my old Internet haunts were involved in such "magic"), or that they can in any way greatly supersede many offline political/social/economic realities, but it is certainly important that they be preserved.

This is why I agree with Siva Vaidhyanathan that we need to collectively back off from the "Internet is Magic" hype, although I think he ultimately shot himself in the foot by praising the folks at Google so much.  Wait, the Blogspot platform that this blog is hosted on is owned by Google.  Uhhhhmmm....they're all brilliant wizards out there at Mountain View.  I love Google App Engine!  Praise be to Goooogle, Aaaaaaammmeeeeeennnn...

It was around this time I was really starting to disengage with what the panelists were saying.  This wasn't because of the focus on the States, but because it was all just so much skimming over the surface.  Yes, I know the Facebook like tag can be used to track users even when they're not on Facebook.  Yes, I know about the iPhone tracking controversy.  Oh ja ja ja, "attach big responsibilities to big data".  I stopped paying attention to the discussion and had a look at the folks seated nearby.  Sitting next to me on my right were Murat and Kasym.  Murat had pulled out his laptop, and Kasym was fiddling with his iPhone.  To my left was some hipster-looking guy (well, he had those black, thick-rimmed glasses associated with hipsters) doing something on a laptop.  I remember my eyes wandering, and I caught a glimpse of what looked like Python or Ruby code.  Who was this guy?  Let's call him HipsterGlasses for now.

Anyway, I had a really visceral, reflexive reaction to Kasym's question, and so did HipsterGlasses.  When Vaidhyanathan mentioned that protesters were being tear-gassed or pepper-sprayed in Tahrir Square, the mic didn't pick it up, but HipsterGlasses interjected "and shot!" as he was speaking.  I looked over and enthusiastically nodded.  While there was (and is) a community of nerds on RPGDX and the intense mystical experience of seeing the code I dream up manifested in the screen (often after a few hours of debugging), I still had a home and school life outside of it at least, and at most parallel to it.  Likewise, there's some really good writing out there about how the overthrow of Mubarak can be explained as part of a movement over the course of millennia against the pharaohs and an excellent interview with Stephen Cohen on how the protests in Russia aren't just about Putin's long-term attempt to become a tsar, but also about the failure of privatization in the 90's.  How do you get to a point where an address isn't a house or a street, but a website?  Any talk of a "Facebook revolution" only serves to make Mark Zuckerberg look far more like a humanitarian than he actually deserves.



Scumbag Zuckerberg is no Internet Park Ranger.

Finally, and maybe this is just my 90's-centric view of the Internet talking, but I just don't see the big deal with the #Guyscallmethings tag.  With that, we're at the end of the panel and another intermission sponsored by the Brisco Shortening Comedy Hour


Once we got back to the theater holy shit HipsterGlasses, aka Chris Csikszentmihályi was there on the stage!  Then first Perry Wu and Charlie Kravetz started talking and I began to zone out again.  For all the talk about how the Internet has transformed our culture, I kept thinking of online entities like 4chan *pause*, Anonymous *pause*, and OnionSpace.  I also couldn't get the Avenue Q tune "The Internet is for Porn" out of my head, and my notes say "We're listening to Bach, just for the lulz".  I could go on a long anecdote about how the facial recognition software Kravetz talked about could perhaps be used on the opposition in authoritarian regimes, but I think that dead horse has been beaten enough already, and I think a lot of dead horses were being beaten by this third panel.  Here, I think, was a problem with the way this symposium was structured.  I think whoever structured this symposium was going for a "Three Blind Men and an Elephant" approach: consider three different categories of influence on "meatspace" by "cyberspace" and put them together to grasp the all-important Big Picture. But with the format we were given, we kept getting a short introduction to the same problems with different window dressing over and over and over.  If you'll forgive a tangent about political philosophy, in ancient and early modern political thought, none of these distinctions existed.  There was the polis, which sometimes meant the ancient Greek city-state but more generally meant any community of humans living together, and all of the things we call "society" and "culture" were discussed as political phenomena, and it looks like one consequence of partitioning them out like this is that we get a superficial treatment of all.  If I were the tyrant of the Mass Humanities board, I would have reorganized the whole symposium around a series of problems or themes like anonymity, dialogue, etc.  But if I were the tyrant of Mass Humanities, I wouldn't be writing this blog post.

Thus it was no surprise to me when Chris C. got up and explained, in a lot of good, solid detail, that technological innovation is an inherently political act in the broad definition of politics that I just described, because it either inherently disrupts or (more often than not) reinforces the way humans live in community with each other.

Then we get to the final boss of the symposium, aka the Chuck Norris of Internet policy, aka Jonathan Zittrain.  Zittrain starts to describe Amazon Mechanical Turk to us, and I agree with his prediction about its future use.  I can, of course, see this exact technology used in various parts of the CIS, especially as smart phones become more affordable.  Never mind whether a private investigator or the Boston Police use a gamified system.  What if the SNB uses it?  I think, at least in this context, you can't respond to that kind of development without at least a diplomatic response (setting aside the steaming pile of fail that is the State Department's Internet Freedom policy) that takes into account American technologies are being used in authoritarian regimes, and now I think I'm starting to bore myself.  There were a lot of other things said during this panel, but I think I'm going to wrap up my discussion of the symposium proper, as I think the boredom I experienced while sitting through it has crept on to this blog post.

After the last session concluded, we all went out to the lobby, where we could buy the various panelists' books and get them signed.  Murat bought a copy of The Net Delusion, and, as Murat mentioned to Morozov that I was "your biggest fan", Morozov signed two copies of his book, one from a kid in an Uzbek tyubiteika, and another already read cover to cover and extensively commented on by some long-haired twenty-something wearing the rare combination of the xkcd Linux cheat sheet T-shirt and a Kyrgyz kalpak. 

Was that it?  I had been trying to think of a good question to ask Morozov for a while before this symposium, and, especially having missed the political session, I guess I was too starstruck at the book signing to ask the one question I had.  The book signing took very little time, and as best as I can recall, a little while later he was over near the entrance to the theater chatting with somebody.  I walked over and said something like "Mr. Morozov, if you have a minute [he said he did], I've been a fan since the TED talk you gave back in 2009.  I'm a second bachelor's student in Computer Science at UMass-Amherst, and I have a BA in Political Science already, and I've been trying to work towards a career related to Internet censorship and surveillance in the former Soviet Union, and more specifically in the Caucasus and Central Asia.  Now I'm not asking you for contacts, but I'm wondering if you have any advice on how I could turn this interest into a career path, and what kind of career path that would be given that the State Department is what it is."  "Well, it's not so much the State Department, but first you should get a graduate degree," he said.  "Would that be a law degree?"  I asked.  "Yeah," he said, "or something like Science and Technology Studies, or STS.  You might have a little trouble explaining your interests, but that would be a good way to get the intellectual background necessary.  As far as careers go, there are more or less two paths you could take.  There's the policy analyst role at a think tank like the Brookings Institute, especially as Internet censorship becomes more mainstream.  Then there's more of an activist role, in which case you work in the region."  "So with an NGO like the Civil Initiative on Internet Policy?" I asked.  He paused for a second.  "Do you mean Gipi?"  he asked.  "Yeah," I said. "Гражданская Инициатива..."  "Yeah yeah," he said.  "We fund them through Soros..."
I mentioned that I was interning there next semester (stay tuned for updates on this starting in early February) and we talked about Gipi for a little bit.  I thanked him, he wished me luck, and just as I was walking away, I passed Chris C., "I like your shirt", he said.  Somewhere behind me, Morozov laughed and said "Yes, and he a hat from Kyrgyzstan as well."  That moment alone made the entire trip worth it.  After two years in the soul-crushing, bureaucratic meat-grinder that is UMass-Amherst (with a few exceptions), somebody had seen and, I'm sure, appreciated the importance of Computer Science inside the yurt.  I've tried my best to keep the fanboy level of this post to a minimum, but what Kasym said when I went over to the exit to meet him and Murat was too good to leave out: "Dude, you look positively post-coital."

After sleeping over at Murat's place where I also shrugged off my peculiar strain of Beatlemania, we had an uneventful drive back to Amherst.  As the car rental place was relatively close to the UMass campus and the buses were running on a weekend schedule, I took a good 20 minutes to walk back.  On the way, I passed Gordon Hall.  It's a relatively small building on the edge of campus and just a few doors down from Fraternity Row proper.  There was a sign out front with a whole bunch of interesting-sounding research groups I had never heard anything from, like the "National Center for Digital Government", the "Center for Heritage & Society", "Something something Science, Technology and Society", and "General Specific's Secret Military Base"...on second thought that last one might not have been there, but it might as well have been there for all I'd heard from these places.  Although it was Sunday, the front door was unlocked and I figured I'd have a look around.  Most academic buildings on campus have all kinds of fliers for different lectures and talks related to what people are doing in whatever department is based there...and there was nothing.  Maybe I just needed to go to a different floor, but all I saw was bare walls and a lounge with a giant plaque with a list of donors.  I did, when doing some research for this post, look up the NCDG and some associated content, and I drew two conclusions from it.  First, Jane Fountain doesn't appear to be what I interpreted as a "cyber-utopian".  Most of her research appears to be focused on how IT operates "behind the desk", or how bureaucracies are affected by ICT.  I'm not saying that that's bad, but my background is in Political Science, not Public Administration, and we do deal with separate questions.  Second, even outside of that distinction, the dictatorships that researchers associated with the NCDG study don't appear to be the same kind of regimes I'm studying.
Their website has a list of "Recent Publications by NCDG Affiliates" which includes Phillip Howard's The Internet and Islam: The Digital Origins of Dictatorship and Democracy.  Again, I haven't read the book, but he did give this talk where, just in the last two minutes, he says that the countries that don't fit his model are the ones that don't have an open Internet, but have taken steps to restrict it and use it as a propaganda tool.  I'm here at UMass to get my CS degree, and after this spring I have one more semester left.  Then I can't go back to the CIS soon enough.

Monday, November 14, 2011

It's Mystery CompSci Theater 460: Tunisian Edition

Ohai readers,

One of the classes I'm taking this semester is Computer Science 460: Intro. to Computer and Network Security (an old website from the course is linked in for reasons I'd rather not get bogged down in). It covers exactly what the description says it covers, and one of the things we have to do in this class is give a short presentation on a recent security vulnerability. I took a break from my usual hunting grounds to give this presentation on Tunisian JavaScript injection shortly before the "Jasmine Revolution". It was kind of rushed, and putting JavaScript code on a PowerPoint slide seemed like a better idea before I gave the presentation, but I think it's a cool illustration of the kinds of tricks that are possible in an authoritarian regime where all of the IT infrastructure is under strict state control.

Yes, I know there was a presidential election in Kyrgyzstan. I will probably blog about this when I go home for Thanksgiving Break.