Daniel M. Skube

@daniel

Javascript | Cryptography | Jiujitsu | Freedom


The Delusion of Innocence: Bitcoin & Mass Shootings

For ~150 years, American schools were free from violence. This is amazing, considering schools offer no means of physical protection greater than a locked door.

Since Columbine, this has changed. Police patrol hallways, tech companies search social media for red flags, and onlookers blame whichever scapegoat fits their political persuasion. If you're on the Left, it's the NRA. If you're on the Right, it's Big Pharma & video games.

Personally, I blame the Department of Education for treating security as an afterthought instead of a foundation. But that is the pattern of human nature. We fall prey to the Delusion of Innocence: pretending that which can be abused won't be abused.

The Cycle of the Delusion of Innocence:

  • invention invented ->
  • society benefits ->
  • inherent vulnerability is exploited ->
  • society recoils ->
  • secure protocol is appended to invention / new government agency created ->
  • repeat;

The Delusion of Innocence affects the digital world as much as the physical. In the beginning of the internet, all communication occurred through HTTP. HTTP is a cleartext protocol; an eavesdropper can read full conversations, and alter messages in transit. Imagine the fun a Russian/Chinese troll-farm would have on a pure-HTTP internet! Luckily, we've wised up; most websites are now encrypted via HTTPS. Sadly, the cycle repeats & the next invention will have vulnerabilities of its own.

In his rush to create sovereign money, Satoshi Nakamoto settled for a pseudonymous blockchain, rather than an anonymous one. We now suffer the consequences: blockchain analysis companies threaten to expose HODLers to the wrath of secret police forces, tax authorities, & common extortionists. Cypherpunks are left to decide which will be more effective: appending privacy to a fundamentally transparent system, or adopting the latest private-by-default currencies.

To awaken from the Delusion of Innocence is a task unique to individuals - the majority will always prefer blissful ignorance. Your security is your responsibility. The incentives of the Collective rarely align with your well-being. Question, inspect, audit, build.

Build.

Asymmetric Advantage

Cryptography yields an asymmetric advantage to those who use it. Asymmetric how? In a fraction of a second, your laptop can form a secure (read: encrypted) connection with your bank. But if an eavesdropper intercepted the communications, it could take - literally - billions of years before they decrypt the data.

Libertarians love cryptography. Why? For the same reason they love guns: cryptography decentralizes power. Compared to the physical world, where governments & mobs enjoy near-total control, the digital realm is a bastion of Individualism. Peers converse, unauthorized; information is traded, unhindered; activists gather, unharassed.

Decentralization is powerful. The American defeat in Vietnam serves as an example. So do Bitcoin, BitTorrent, and the internet itself. Shutting down a decentralized system is like playing Whack-A-Mole: you only win if you unplug the machine. What government can afford to revert to a pre-digital economy?

The Boot-Strapping Problem of PGP

Who verifies the verified?

PGP - by which I mean all variants, open- & closed-source - is powerful yet awkward software. By 'awkward', I don't mean using the command-line interface; CLI-literacy is attainable.

By 'awkward', I mean that obtaining the true public-key of a stranger requires an inordinate amount of trust & hassle. Since there's been some recent controversy, let's pretend Bob wants to download Tor Browser.


Bob isn't security-conscious, but he's trying. This month, he installed a password-manager, switched from Windows to Linux, and even learned a little about using gpg on the command-line.

Bob is concerned about the dismal state of internet privacy, so he downloads Tor. Ever a dutiful denizen of the 'net, Bob also downloads the accompanying .sig file. As he prepares to verify his downloads on the command-line, Bob realizes "Wait! I don't have the public-keys for the Tor Project".

Not one to wait, Bob searches DuckDuckGo for "public keys tor". The first result is from torproject.org, where Bob made his initial download. "Perfect," Bob thinks, "straight from the horse's mouth."

Bob thinks again. "If I trust the Tor website so much, why am I bothering to verify the file at all? I can't trust a public-key from the same website I got my files from."

Bob is right. He needs to find an independent source for the keys. Where to now?

Since Bob is already on torproject.org, he presses the hyperlink on a key-id. A new tab loads that says pgp.mit.edu. "Oh, the MIT key-server. I can trust them." While waiting for the key-server to load, Bob falls into a coma. When he reawakens six months later, the page is still loading.

To celebrate escaping the coma, Bob vacations in Hawaii for a week. When he returns, the key-server has finally loaded. Error 400: Server Under-resourced; Page Cannot Be Loaded.

"Ironic," thinks Bob, "this key-server is as out-of-date & unaccountable as the academics who maintain it."

So, Bob seeks out the next option that comes to mind: the GNU key-server. Bob goes to keys.gnupg.net and notices the connection is unsecured HTTP.

Bob leaves his house & walks directly into the ocean.


Take care, Bob. You represent us all.

Hopefully, the dark days of HTTP key-servers are all but behind us now. Applications like keybase.io (find me @ dmskube) promise a more secure, less trusting model for what a key-server could be.
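As an added example (not the post's own code), here is the check Bob is actually after: a small Python wrapper around gpg --verify that accepts a signature only when the signing key's primary fingerprint matches one pinned from an independent channel, so that "Good signature" from a key fetched off the download site itself is rejected. The pinned fingerprint, the sample gpg status lines and the key ids in them are constructed placeholders, not the Tor Project's; gpg must be installed and the key imported for verify_download to run.

```python
import hmac
import subprocess

# Placeholder, NOT a real key: stands in for a fingerprint copied from an
# independent channel (print, a developer met in person, unrelated sites that agree).
PINNED_FINGERPRINT = "0000000000000000000000000000000000000000"

def parse_status(status: str) -> dict:
    """Pull verdict and signing-key fingerprint from gpg --status-fd lines."""
    facts = {"goodsig": False, "failed": False, "fingerprint": None}
    for line in status.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        tag = parts[1]
        if tag == "GOODSIG":
            facts["goodsig"] = True
        elif tag in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            facts["failed"] = True
        elif tag == "VALIDSIG" and len(parts) >= 3:
            # Field 2 is the signing (sub)key; field 11, when present, is the primary key.
            facts["fingerprint"] = parts[11] if len(parts) >= 12 else parts[2]
    return facts

def fingerprint_matches(fpr: str, pinned: str) -> bool:
    """Compare fingerprints ignoring spacing and case, in constant time."""
    norm = lambda s: s.replace(" ", "").upper()
    return hmac.compare_digest(norm(fpr), norm(pinned))

def signature_trusted(status: str, pinned: str = PINNED_FINGERPRINT) -> bool:
    """A 'Good signature' only proves the file matches *some* key; the key
    must also be the one pinned out-of-band, or the check is circular."""
    facts = parse_status(status)
    if facts["failed"] or not facts["goodsig"] or facts["fingerprint"] is None:
        return False
    return fingerprint_matches(facts["fingerprint"], pinned)

def verify_download(sig_path: str, file_path: str, pinned: str = PINNED_FINGERPRINT) -> bool:
    """Run gpg on a detached signature and apply the pin to its status output."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
                          capture_output=True, text=True)
    return signature_trusted(proc.stdout, pinned)

# Constructed sample of gpg's status output: a signature made by a subkey
# (1111...) of the pinned primary key (0000...). Ids and dates are made up.
SAMPLE_STATUS = """[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2019-01-01 1546300800 0 4 0 1 10 00 0000000000000000000000000000000000000000
"""
```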

Let's hope that innovation in privacy UX keeps pace with innovation in privacy technology. And let's hope against the reverse!