I am proud of this opinion piece I wrote for the MIT Technology Review, back during the height of the Apple v. FBI legal battle over encryption and forced backdoors. While I am clearly a fan of strong encryption, I am also grounded with regard to the limits of what it can achieve. Ultimately, my point was to call out some of the ways in which encryption of message content still leaves us vulnerable to surveillance by adversaries of all kinds, whether legal or not.
A View from Nathan Freitas
6 Ways Law Enforcement Can Track Terrorists in an Encrypted World
Government officials want us to believe that encryption is helping terrorists, but law enforcement still has plenty of tools to get the data.
November 24, 2015
The phrase “the terrorists are going dark” has come back in vogue after the Paris attacks, referring to assertions that encryption is somehow enabling the communication of future attackers to go undetected. But the public is being presented with a false choice: either we allow law enforcement unfettered access to digital communications, or we let the terrorists win. As always, it is not that simple.
Read the full article here: https://www.technologyreview.com/s/543896/6-ways-law-enforcement-can-track-terrorists-in-an-encrypted-world/
(I was also very honored to get my very own illustrated avatar… )
(Originally posted on Medium and Fold, but here since this is my *real* blog after all, and if the Internet went down, I still will have my local blog archive, and can run a teeny tiny WordPress server on my own computer, local network and/or $9 computer).
This last Friday and Saturday, a group of tool developers, designers, user advocates, security experts, tinkerers and curious humans gathered at the Berkman Center for discussions, teachings and hands-on learning about the past, present and future of nearby network communication technology… and to answer the basic question “If there was suddenly no Internet, what would we do?”
I call this new communication space between all of our devices “Wind”, as it is a counterpart to the Web, but very different in its shape and basic nature. Wind Farm is an event designed to understand how to better harness the power from the Wind, and shape it to our needs.
We had over 40 participants from Microsoft Research, the Open Technology Institute (part of New America Foundation), F-Droid (Free Software Foundation Europe), Tibet Action Institute, Rights Action Lab, the Briar Project, the Guardian Project, DeNovo (out of UC Berkeley’s TIER group), NYU, USC, members of the local Nepali community, and fellows from Harvard’s Berkman Center and Nieman Foundation. We all realized that there is a shared core problem that needs to be solved, around the basic “dialtone” or “chime” that lets people near you, and their smart devices, know that you are there, available and interested in communicating about a specific topic, or using a specific set of information.
On day two, powered by donuts and coffee, I (Nathan) gathered our experts together with curious participants in our outdoor introductory workshop and simulation event… the event we simulated? An alien invasion where our telecommunication system for the planet was about to be taken out by their mother ship. The participants were taught basic skills like using Bluetooth, NFC, Wifi and other tools to share information directly between their smartphones, instead of using the Internet.
Everyone also learned how to fold an origami pinwheel, and adorn it (or themselves) with a 1KB read/write capable near field communication sticker chip. If you can turn a square piece of paper into a beautiful, functional pinwheel, and make it a portable, power free hard drive by putting a sticker on it, then you can do just about anything!
We taught people how to transfer apps between their Android phones directly, since Google Play and other app stores don’t work when the Internet doesn’t exist. To do so, we used F-Droid and the App Swap feature.
One of the missions to help build a new, nearby community-powered network was to deploy an ad hoc wifi mesh system, using Commotion, across the Harvard campus. Using some elevated platforms (aka fire escape), we managed to build a five-hop system that connected 23 Everett Street to Harvard Yard, with nothing but handheld antennas, battery packs, and the creativity of determined humans…
Simultaneously with the Wifi-mesh, we also deployed multiple covert battery and solar-charged PirateBoxes (Boxen?) throughout campus, and used them in a data relay “Pony Express” manner. Two teams with four relay runners each moved photos between each pirate box, to reach their end goal. Every PirateBox also contained a full, offline/nearby copy of the Guardian Project’s F-Droid repo app store, for local app distribution.
To coordinate communications between teams throughout the afternoon, we used the Gilga app (aka Pinwheel) to send messages using only Bluetooth and WifiDirect… it was the first medium scale test of the technology (with 10-20 users communicating together at any given time), and it worked as expected. Each team needed to use the app to send critical messages about media being shared throughout the local nearby networks.
If you’d like to learn more about the concept of Wind, and the entire Wind Farm event, you can read on at WindFarm0.link. We will be holding more Wind Farm events in the coming months, so that you, too, can be prepared for a day without the Internet, and app and tool builders can understand the unique challenges this type of situation creates.
First Look has broken news about a CIA program to target Apple’s Xcode toolchain, which is required to develop native MacOS and iOS apps:
The result of the attack, if successful, is that the compiled binary you send to your end-users contains a backdoor, without the original source code or encryption you might use ever needing to be compromised.
This news fits well with Hans’s recent post on a very well socially engineered phishing attack we received on our Google Play developers account. I see a lot of attacks, and this one nearly fooled me:
I think a fairly broad set of adversaries, both state and non-state, is beginning to use this tactic. The idea that the toolchains and distribution systems of app developers are as much a target of surveillance and compromise as end-users or the networks they use is a fairly new realization that many people are still waking up to.
What’s the solution? Well, overall hardening of the systems and workflows of people building apps is a great start, but there are also some very exciting new approaches to this problem. Chief among them right now is the idea of reproducible builds (aka multiple loosely affiliated parties acting as notaries to make sure source code = binary app), which you can read about here:
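The comparison that independent rebuilders perform can be sketched as follows. This is an added example, not code from the original post or from any project it mentions. It assumes a zip-based app package with JAR-style signature files under META-INF (as in an Android APK); the function names, the quorum parameter and the sample archives are hypothetical and constructed for illustration.

```python
import hashlib
import io
import zipfile

# JAR-style signature files legitimately differ between the developer's
# signed release and an unsigned independent rebuild, so they are skipped.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def is_signature_entry(name):
    upper = name.upper()
    return upper.startswith("META-INF/") and (
        upper.endswith(SIGNATURE_SUFFIXES) or upper == "META-INF/MANIFEST.MF")

def content_digests(archive_bytes):
    """Map each non-signature entry name to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist()
                if not info.is_dir() and not is_signature_entry(info.filename)}

def diff_builds(published, rebuilt):
    """Return sorted names of entries that are missing, extra or different."""
    a, b = content_digests(published), content_digests(rebuilt)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))

def notaries_agree(published, rebuilds, quorum):
    """True if at least `quorum` independent rebuilds match the published binary."""
    return sum(1 for r in rebuilds if not diff_builds(published, r)) >= quorum

def make_archive(entries):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample data: what the source compiles to, plus signature files.
APP = {"classes.dex": b"compiled app code", "res/layout.xml": b"<layout/>"}
SIG = {"META-INF/MANIFEST.MF": b"manifest", "META-INF/CERT.SF": b"sig",
       "META-INF/CERT.RSA": b"cert"}
published_ok = make_archive({**APP, **SIG})
published_backdoored = make_archive({**APP, "classes.dex": b"code + implant", **SIG})
rebuild_a, rebuild_b = make_archive(APP), make_archive(APP)

if __name__ == "__main__":
    print(diff_builds(published_ok, rebuild_a))
    print(diff_builds(published_backdoored, rebuild_a))
    print(notaries_agree(published_backdoored, [rebuild_a, rebuild_b], quorum=1))
```

Agreement only shows that the builds match each other, so the rebuilders need toolchains and machines that are independent of the developer's; rebuilders sharing one compromised compiler would agree on the same bad binary.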
From today’s Boston Globe, my lighthearted prediction for 2015:
Thanks to an unshakable fear that their own gossip-laden e-mails (not to mention business strategies and classified documents) will be leaked to the world, the people of 2015 will finally decide that it may not be a good idea to have a copy of every message sent stored forever online. A new e-mail tagline will be popularized, stating: “In order to conserve our collective personal and professional reputations, we recommend you permanently delete this e-mail upon reading. Seriously.” The upside of all this ephemerality is that many more people will end up getting to “Inbox Zero,” causing a marked increase in the gross national happiness of the planet. Whether it is embracing iMessage and WhatsApp’s end-to-end encryption features, or following the Electronic Frontier Foundation’s recommendation to use super-secret apps like SilentText, TextSecure, and ChatSecure, 2015 turns out to be the year that message encryption (and deletion!) goes mainstream. If you are under 21, this new year will validate your obsessive use of SnapChat as visionary and path-paving to your future career in national security or Hollywood.
Read more from other brilliant minds here.
I’ve posted a small manifesto on the (not) mesh experiments I have been posting here. I now call the concept Statuscasting, though I feel that this is a term with a short shelf life. My goal is to move away from the baggage of mesh, and be as open-minded as possible on how mobile devices can communicate without internet or telecommunications infrastructure.