IgnorantGuru's Blog

Linux software, news, and tips

Biography of a Cypherpunk, and How Cryptography Affects Your Life

For a little over two years, I have been on a strange odyssey into the heart of Linux, and I think now is a good time to summarize that journey for some readers that haven’t followed every step, and to answer some questions that it has opened. Like most users, I came to Linux with the impression that it was an openly and freely developed OS, a saner alternative to the corporate OSes such as Windows. I knew corporations had developed some of the software and had infiltrated the kernel, but I thought Linux was largely driven by users and community development, largely volunteers. And I thought the assertions that Linux took security more seriously were based in facts – that things were basically done smartly, because this is ‘our OS’.

Being semi-retired from such work, I never intended to develop software in Linux. This happened as a result of my first encounter with something ‘not quite right’ in Linux. Originally a user of the KDE version of Ubuntu, I began to see disturbing patterns in how daemons were being used, and generally how the system was being engineered to be increasingly locked down, intrusive, and overly complex. I knew these patterns well because I had used and developed on Windows for many years. With the advent of KDE4, I was driven to abandon KDE and Ubuntu completely, moving to Arch Linux with just Openbox. This was also my first real introduction to the ‘g’ side of Linux (GNOME and GTK apps and daemons), since now I was avoiding any KDE dependencies.

When I first began using Linux, a little over a decade ago, I chose the name “IgnorantGuru” because I was a guru in some areas of computers, certainly not a novice, but I was also a Linux noob and ignorant of plenty! I always feel this way about knowledge: acknowledge both what you know and what you don’t know – this is where learning begins, or continues. The surest way to learn nothing is to believe you know it all. So I got to know bash a bit and started sharing scripts, and eventually set up this blog to maintain my scripts and let people see what I was up to in my own explorations and uses of Linux. This blog also saw some fame in the form of an article I did on the lack of package signing in Arch Linux, a large controversy at the time which established this blog as a controversial news and discussion site. Then as I started hacking the legacy PCManFM so I could add a few custom commands to it, PCManFM-Mod was born. Feedback on this small mod convinced me that I wasn’t the only person interested in simple, flexible software, and this interest eventually grew into the SpaceFM and udevil projects. I am a Linux developer and blogger, when I had set out to be neither! Such is life.

I’m not new to all of this. I don’t usually go into my history much as I prefer a layer of anonymity to work in peace, and it helps me stay on topic. Yet here I would like to share a little of my general background so you can understand where I’m coming from. Sometimes I get the impression that people are confused as to why their file manager developer takes some of these blogging issues so seriously. Why does he care?

I care because I am a cypherpunk, or I was. Much of the software I’ve developed in the past has been in the general area of crypto and various related clients, servers, etc. If you were around back then, you knew my name (alias) – I wrote popular software of the day and had articles published by the EFF, etc. For those of you too young to know or remember, this was the period, and just following the period, when Phil Zimmerman first released strong cryptography into the civilian domain (PGP). The US federal government started a virtual war against this, and did everything they could to make Phil’s life miserable for years – he was persecuted. To help characterize the times for you, the only way he could release the source was to print it in books, then sell the books worldwide. This was still legal (although it infuriated the feds) because printed books had censorship protections and freedoms. People would buy the books, scan in the code (a very tedious and error-prone process, especially for crypto code), and (try to) compile it. This is how strong crypto first left the military domain and found use around the world, even something as simple as the https you now take for granted. Crypto wasn’t just used to keep secrets, but to expose them and to protect people (dissidents, activists, even intelligence agents). Anonymous and pseudonymous remailers, the precursors to today’s tor network, were developed and basically created chaos for those who numbered and controlled everyone. It became much more difficult to suppress information.

It was an exciting time – people are now revisiting some of that excitement with the Snowden affair and such – and we were all eager to master these new tools and free the world. Although some commercial software did exist, the 80s were very much a do-it-yourself time in computers. Much of what you used, you wrote yourself, so adding crypto to that mix created an explosion of new tech. “Conspiracy theory” was not a term then, and no one would have taken it seriously. If you didn’t distrust every government and newspaper, you were simply a damn fool. This is why I still consider most of you damn fools. ;) It’s hard for me to comprehend the naiveté in today’s world, and the easy validity given to people who ‘debunk’ revelations of obvious corruption.

I’ll share two personal anecdotes to give you an idea of those times for me. For one, I personally discovered a crypto key in a widely used crypto server of that day that had most of its bits set to 0x00 (rendering it compromised). No paranoia required – I witnessed it. People had been relying on this sophisticated tool for their anonymity (in some cases their LIVES) for a few years and it hadn’t been detected, despite alleged peer review. I happened to be examining the source to borrow some code and I couldn’t believe my eyes. A chill went down my spine. I immediately published my findings to the mailing list so that I would not become anyone’s target (paranoid? perhaps, but I was scared). The server’s developer quickly corrected it, but it left a lot of serious crypto people shocked and questioning, and it pretty much outed him (or someone he worked with – we didn’t have git in those days to find who did it) as someone’s agent, probably some government’s agent. He was actually a very likable fellow, though, and I had spoken to him on occassion. It was disturbing to see his likely involvement. I have never completely trusted anyone since.

The other event also left an indelible memory. My work was strictly legal (I even did my best to obey the ridiculous code export rules of the day, though they were mostly useless, locking the barn door after the horse had left), so I didn’t often have overt friction with the various agencies harassing people. As with the mailing list event, I tried to use openness to protect me. Release first, explain later. They knew of me and let me know that, and my web pages would routinely be shut down on spurious copyright claims, etc., but it was mostly just annoyances. Although I worked behind a layer of strong anonymity in those days, being a developer, one was always logging into servers and such, and we didn’t have the tools of today, so I knew I wasn’t hidden from serious players. Yet in this case I was sure I had heard from them. Although writing hard crypto (in the mathematical sense) wasn’t my central area, I had combined two crypto algorithms in a unique way. I was excited – it seemed to create an exponentially stronger algorithm and method. As was my habit, I released my notes immediately – everything to reproduce it – don’t want the hot potato. And I promised it would be in my next software release. It was then I received the oddest emails, like I had stepped on someone’s toes. Someone was desperately trying to convince me that I shouldn’t use the algorithm. First, they tried various broken technical arguments (which only revealed to me that they were lying), and then it turned into virtual threats. Who would be this motivated to make me stop using this algorithm, I wondered. I had the impression that the guy in some agency who monitored this area realized it would make a whole lot of new work.

It was almost like he was trying to protect me, to save me from myself. It wasn’t my first contact with ‘weird’ – I had received out-of-place business offers and other questionable things in the past. I got phone calls in the middle of the night, hang ups, just to let you know you were on someone’s list (this was common then among us, before cell phones existed). Yet this was eerie, and we never knew who we dealt with in those days. Intelligence agencies to an extent helped the process, even against the government’s own wishes and laws, because their agents used these same tools as us, and basically all the people using PGP and other tools were creating lots of cover traffic for their spooks. So even within governments there has always been a mixed reception to crypto breaking loose, and we found ourselves in strange company at times.

Long story short, within a few years of that incident, I quit the business and destroyed my PGP keys. It was always stressful having someone’s life depending on your code and keystrokes. (File management is blissfully relaxing by comparison, even though this is generally considered stressful work since you have people’s data in your hands.) After working for quite a few years in this area, I was developing shortness of breath and heart palpitations, and my nerves were simply shot. I had also come to see that the biggest players had developed ways of manipulating our systems. I saw the emergence of the new strategies of keyloggers, plausibly deniable code errors, weak OS security, network sniffing, and other non-brute-force attacks. All of the OSes of the day were simply not up to the task of providing a secure platform for anything. So the greatest algorithms were basically at the mercy of Microsoft’s (deliberately) botched security.

Plus, I had done my part, and I was burned out. Twenty-some years ago, I was working hard to help develop the technologies you’re using today. Now, I can barely follow the manuals I wrote back then – seems like gibberish to me and I simply don’t remember enough detail to understand most of it. When I decided to develop SpaceFM, I figured it would be a relatively relaxing project, with just basic security issues. The last thing I ever expected to be involved with again was spies.

I feel like I’m in one of those movies where the expert tries to retire but his retirement is invaded and he’s pulled back into ‘the game’. I don’t want to be in the game. How did this happen? I’ll tell you.

I’m a problem solver. I can analyze systems, find what’s not working or not optimum, track it down and correct it. I’m very good at this, you might say gifted. That’s why my software generally works well. Yet some aspects of SpaceFM were not working well. As I followed the trail of why they were not working well, I was led right into Red Hat and company.

For those who haven’t followed this blog, here are a few of the steps. I noted how udisks2 was built broken, seemingly deliberately breaking everyone’s work. Even before this, Linus and other kernel developers had noted horrible dev practices in the kernel, with some commenting that it seemed like Red Hat was engineering it to be broken. This is what I saw too – all these Red Hat developers doing surgery on the deepest parts of Linux, breaking it! I asked outright, What Is Red Hat Doing To Linux? It’s unusual seeing such high motivation in Linux developers – usually they have obvious reasons for the changes they take the time to make. Yet many of Red Hat’s changes had no immediate purpose or advantage – it was like watching a chess player putting pieces in place for some later conquest.

Next came my GNOME (et al): Rotting In Threes article, originally based on an email from someone who didn’t want their name involved (gee, that’s odd in open source), which exposed a climate of hostility to users and developers, and basically demonstrated how Red Hat completely controlled GTK and GNOME. This article went viral, bringing over 50,000 visitors to this blog and attracting the attention of Linux Users and Developers magazine’s editor. I eventually wrote my A Linux Conspiracy Theory article for them, extending on the material in the GNOME 3 article. I didn’t really want to write this (writing is a lot of work, especially when you have an editor in a print magazine ;) Yet I felt it was a good opportunity to make people aware of some of these development practices I was seeing, so I did my best to present what I was seeing at the time.

Since then, more has happened to reveal the true story here, the depth of which surprised even me. The GTK development story and the systemd debate on Debian revealed much corporate pressure being brought to bear in Linux, which I ranted about in GTK fesses up – this ain’t for you; Qt takes over the world. In comments there and in Ubuntu To Dump Nautilus, some really startling facts about Red Hat came to light. For me the biggest was the fact that the US military is Red Hat’s largest customer:

“When we rolled into Baghdad, we did it using open source,” General Justice continued. “It may come as a surprise to many of you, but the U.S. Army is ‘the’ single largest install base for Red Hat Linux. I’m their largest customer.” (2008)

This is pretty much what I had figured. I’m not exactly new to this, and I figured that in some way the military-industrial/corporate/intelligence complex was in control of Red Hat and Linux, and was devolving it into a useless, compromised toy. But I didn’t expect it to be stated so plainly. Any fool should realize that “biggest customer” doesn’t mean tallest or widest, it means the most money. IOW, most of Red Hat’s money comes from the military – they have first say in its development. And the connection between the military and spying agencies, etc. should be obvious. Not to mention the fact that dealing with Red Hat developers always creeps me out, just like those weird emails in the 90s. Something just isn’t right there.

Next, a reader posted this FOSDEM: NSA Operation ORCHESTRA Annual Status Report. Well worth watching in its entirety (including the Q&A at the end), to me this turned out to be a road-map detailing how Red Hat is operating on Linux! I recognized so much of it from personal experience at this point (and trust me, Red Hat controls almost every core component in Linux, in case you didn’t know). Presented by FreeBSD developer Poul-Heening Kamp (aka PHK), it does a great job of introducing some very subtle concepts, and I was shocked by how closely the examples he gave matched what I had been seeing Red Hat (and other corporations) doing in Linux the last few years. He also explains that “PSYOPS For Nerds” is a reality – our communities are being engineered and propagandized very effectively, pushing them in the directions desired not by us, but by… whom?

Well, what do you know? Without even trying to get there, my simple explorations into what was broken in Linux led a trail straight to the NSA (or whoever is behind such three-letter agencies). As usual, just follow the money. And these days, they admit much of it openly – secrets are just too hard to keep.

While I don’t use PGP much these days except to sign releases (old, good habit), what is an ex-cypherpunk rebel like me to think of such things? I honestly don’t know. It seems people have become very complacent and accepting of corporations and governments running their lives. We wouldn’t have been so appeasing in the 80s and 90s, but these are different times, and I understand that. Largely people are oppressed and heavily propaganda-fed. PHKs belief that this is not merely a technological problem but a social/political one is a view I have expressed several times, almost verbatim.

I think all of these revelations bring up questions for Linux users. For example, why should I care about encryption if I have no secrets to hide from a government or enemy? Why should I care about them rooting everyone’s system and being in charge of its core engineering decisions? Why should I care that Linux’s security is just a myth, as is the idea that it’s freely and openly developed, and anyone can participate? Why should I tell the truth about it? Why should the reality that Linux is a military- and spy-agency-created OS be important? Here are some of my answers to those questions.

It turns out that cryptography is not just for keeping secrets, and intrusive spying is not just about finding bad guys.

Computer technology, like any technology, has been weaponized. It is not merely used to serve homes and businesses, it is used to gain supremacy and control over people, governments, and other institutions. Today’s computers, the military versions of which are far beyond civilian specs, are very powerful to put it mildly. Anytime you have great power, held in darkness in the hands of a few people, you have a recipe for tyranny. Do you enjoy war and destruction in your neighborhood? If not, you should be paying attention to this, NOW. Because one thing I can tell you: All these people know how to do is create war.

Let’s be clear: This is not a new problem. Humans on earth have been enslaved for thousands of years. Governments and banks have always been corrupt and severe. Every form of communication, even something as simple as a typewriter or printing press, has come under constraints and control designed ultimately to control people. It’s that simple. There are those who would enslave and control the world. While some of them may believe in their causes and feel they are ‘the good guys’ despite the insane things they do every day as ends-to-means, one thing that history has shown is that power corrupts absolutely. And governments abuse every power they assume, without exception. It’s history, including modern history. This is the world we have always lived in, and we always manage to scrape out some small degree of freedom from absolute tyranny (although there has been plenty of it experienced). Where does it end?

While PHK in the video says just use politics to solve this problem, most of us know that politics and media are as crippled as technology. They are largely controlled. I would say use everything to help address these problems: technology, politics, and in general, social change. Many people think they can change something by just voting once a year. But that requires almost no effort or risk, and as such produces almost no result. Real change requires real efforts, affecting every area of our lives. It’s costly – a genuine investment.

Cypherpunks have always advocated using strong cryptography as a tool of social change because it helps level the playing field. It is way to help distribute and balance power and information, rather than having it in the hands of a few people. How does this work?

I am not an advocate of battling the NSA, creating lots of secrets, private armies, and all of that. Rather, what we can do with this technology can be open and free. Cryptography can be used to keep information free, including information on corruption (eg whistleblowers). Simply put, it can empower and protect people who stand up for people. Who is stealing what from the people of this world? Let’s shine some light there.

Cryptography is also used in authentication – webs of trust – so that you can identify someone. Why would this be socially powerful? Ask yourself why we need elected representatives (vastly overpaid, corrupt lawyers) deciding the laws that control our societies? Why can we not simply micro-vote on each issue ourselves? We cannot do this because we are not allowed to, and the technology that could easily make it happen is suppressed. If the current electronically corrupt voting systems were replaced and recreated, many old tricks wouldn’t work. It is simply ridiculous that we have legal representatives in their current form – it is a total failure to use cryptography effectively.

Why is it important to have an OS that is free of rootkits and security holes? Because the computer is a very important tool in the modern world, and for citizens to exercise their power, they need such a tool to be reliable. They must own and control it. Beyond this, there are the many creative freedoms found in computers (or any information-based technology), and all the social growth they represent.

While this may sound strange for a cypherpunk, I am not a big believer in secrets. Rather, I am a big believer in openness (in finance, governments, business), and a believer in the free flow of information. I also feel that most intellectual property schemes do more to hold back progress than any other system – the idea of owning information is simply a system of mind control and exploitation. Many of the people reading this are deeply invested in that exploitation system whether they want to admit it or not, and are inclined to defend it because it serves short-sighted interests. But when you’re a slave breaking rocks, you may not think so much of where that system has brought you. You too are being herded aboard the trains, and your perks are temporary. History will show you this if you look at it.

Cryptography, and especially the larger concepts of distributed, non-centralized systems, open and participatory government and development groups, open accessible hardware, and many other powerful ideas that you see open source people advocating DO affect you. They protect you and everything you value in your life. Using such tools effectively and routinely is investing in your future.

Having grown up in the 80s, I am used to visions of the future – we spent a lot of time thinking about such things back then. We were a generation of dreamers, with nuclear annihilation hanging over us. A lot of our dreams from 20 years ago are now encoded, in your web browser for example, as reality. We lost the war against intrusion, but I believe we did take some steps toward openness and computing freedom. The primary threat today seems to be technological tyranny – the old Big Brother concept coming to living life (and death). Primarily it is an attack on the mind and creativity of man. I don’t see as much dreaming of the future today – the generations today seem to lack vision. Maybe it’s time to get some, to dream a little, and to put those dreams into action with real technology and POWER. The power that large groups of people united in certain principles acquire. This is different from concentrated power that oppresses people. It is distributed power that you share in, and which protects you and everyone.

One of the first and foremost principles is honesty. It’s time to start telling the truth about what’s happening in Linux, despite all the paid disruptors interfering in such discussions. Many Linux users and developers operate from myths that are simply no longer true, and really never were. Linux is a government, military product, right down to its core. There’s a start to truth-telling for you.

I’ll tell you one secret: It’s very, very difficult to control information, and to control people. In the long term it’s impossible. We have an easy advantage in many ways, because information is free by nature, and people are ever recreating themselves, defying control. I wouldn’t want to be a power-monger trying to rule the world! It’s a very tough job. And everything we can do to make that job more difficult is worth it.

The powers that be in this world don’t want to protect you, they want to protect themselves and their power. Nor do they want to share that power with you. They are not creating systems that create security for you and end corruption (stealing from you), they are creating systems that create vulnerabilities and concentrate corruption (wealth) in their hands. The solution is to distribute power, and to reveal the ‘plots’. Terrorists (the favorite theme of the day) don’t want open, authenticated systems anymore than governments do. Thieves always want closed, complex, dark systems where they can hide and manipulate without being exposed for what they are. Governments want the same (surely an amazing coincidence). People should have the wisdom to see that such systems serve no one but thieves.

So that’s my little pep talk. To be honest, I am as overwhelmed by the state of this world as anyone. There are no simple solutions. But I do believe in certain principles, and I do believe in how powerful they are – if you apply them. Learn to use the tools that matter, and use them well. Use them to create nothing less than a new world.

Updated reading:

February 17, 2014 Posted by | Uncategorized | 50 Comments

   

%d bloggers like this: