- Podcasting "The Best Defense Against Rubber-Hose Cryptanalysis": The cypherpunks were wrong (but also right)
- This day in history: 2002, 2007, 2012, 2017, 2021
- Colophon: Recent publications, upcoming/recent appearances, current writing projects, current reading
Podcasting "The Best Defense Against Rubber-Hose Cryptanalysis" (permalink)
This week on my podcast, I read my Medium column, "The Best Defense Against Rubber-Hose Cryptanalysis," about what the cypherpunks got wrong, what they got right, and what that says about claims that cryptocurrency will defend us from tyranny:
30 years ago, the cypherpunks – forerunners of the cryptocurrency movement – waged an epic battle to ensure that we could all access working cryptography. They believed that safeguarding individuals' right to privacy technology could profoundly alter the relationship of people and their governments.
Governments agreed! The NSA and other agencies were determined to ban civilian access to working crypto, insisting instead that we should all use a deliberately broken cipher that they were widely understood to be able to break. The agencies claimed that this would strike a balance: on the one hand, it would keep American individuals, agencies and businesses safe from criminals, state actors and corporate spies.
On the other hand, it would let the agencies break into our communications to keep us safe from child pornographers, terrorists, copyright infringers and the mafia (AKA "The Four Horsemen of the Infocalypse").
With the cypherpunks and the NSA both convinced that unbreakable ciphers represented a seismic shift, the battle was joined. Pro-crypto fighters put up a valiant fight: they even built a $250,000 computer, Deep Crack, that could brute-force the NSA's neutered cipher (this computer currently sits next to my desk in my home office – seriously!).
Deep Crack proved that the NSA was deluded or lying: if we all used the NSA's cipher to protect ourselves, we'd be vulnerable to anyone with $250k to throw at our communications, who could then read our messages, forge software updates for our devices, and generally make a lot of mischief.
But despite this objective proof, the NSA and its allies were adamant that we could not be trusted with working crypto. Neither the cypherpunks' technological demonstrations, nor the pleas from security experts with warnings about corporate secrets, financial data, and health records, could sway them.
But we have access to strong crypto today. How did the cypherpunks do it? They used the rule of law. EFF brought a lawsuit, Bernstein v DoJ, which argued that the First Amendment protected the right of a computer scientist to publish strong ciphers. The 9th Circuit agreed, and code became a form of expressive speech under the US Constitution.
There's an important lesson there: while privacy tools are an important check against the abuse of government authority, they are also a temporary and limited measure. Ultimately, the point of privacy tools are to provide a way to organize to demand that states uphold the rule of law – they're not a stable alternative to the rule of law.
The cypherpunks knew this. Marcus Ranum's 1990 coinage, "rubber hose cryptanalysis," described the ability of a corrupt state to break your "unbreakable" cipher by ignoring your human rights, strapping you to a chair, and hitting you with a rubber hose until you gave up your passphrase.
There is no specialized hardware, no additional bits to your key, no fiendish math that will protect you against rubber hoses in the long run. The only stable countermeasure for rubber hoses is a state that respects its residents' human rights.
Much of the time, states don't need to resort to rubber hoses: they have what security experts call "the attacker's advantage." For you to enduringly defend yourself from a powerful surveillance system, you must be perfect. You need perfect math, embodied in perfect code, on perfect hardware. You need to use it perfectly, choosing a strong passphrase and never leaking it to a hidden camera or a keylogger.
Meanwhile, the attacker – the spies trying to break your security – need only discover and exploit a single imperfection. What's more, they get to attack your weakest link: they don't need to compromise you to read your group-chat – they can compromise anyone in the chat and access all of it. Security is a team sport.
So what is the role of cryptography in defending human rights? It's not to allow you to secede from society and live in an impregnable bubble where the state can't see your comms. It's to provide a temporary shelter that you can use to organize a movement to hold the state to account and demand that it respect your rights.
Like I said, the cypherpunks were the spiritual ancestors of the cryptocurrency movement, and while many cypherpunks have come to embrace crypto a part of a struggle for human rights, cryptocurrency advocates still often talk about replacing the state with math, rather than perfecting it.
This is an argument I raised in my 2018 talk for Ethereum Devcon, "Decentralize, Democratize, or Die":
Without the rule of law, crypto will fail. Without good governance, we'll see the power of states co-opted by the powerful in ways that make crypto unstable. For example, companies have long argued for a veto over who can divulge defects in their products, something that they can get by invoking DRM laws like Article 6 of the EUCD and Sec 1201 of the DMCA. These are "anti-circumvention" rules that felonize publishing information that weakens copyright locks. Companies that add a thin layer of DRM to their products gain the legal right to attack security researchers when they warn customers that the products are defective.
Giant companies love this, and thanks to market concentration, they can gang up on standards bodies to ensure that this veto over critics expands into new classes of technology (think of the W3C's rejection of protection for security disclosures that relate to its DRM standards):
It's not just infosec that suffers under corporate concentration. Chevron committed ecological genocide, then locked up the lawyer that held them to account for it:
Russian oligarchs used UK libel law to silence journalists who reported on their hidden wealth:
Pharma companies commit corporate murder with price-gouging, depriving people of life-saving medicine, and their regulators turn a blind eye:
Banks aren't just too big to fail, they're too big to jail, and no matter how many crimes Wells Fargo commits, it walks away intact:
Indeed, it is virtually impossible to pass a law in America if it is opposed by the wealthy and powerful, no matter how much public support that law has:
And as we are reminded by finance leak after finance leak, dark money is the key to this corruption. The wealthy lobby for lower taxes and financial secrecy, grow wealthier, then recycle that wealth into more lobbying:
If you care about privacy – not just "financial privacy" but all forms of privacy – then this should alarm you. Undermining privacy makes it easier for states to identify and neutralize dissidents. The cheaper it is to crush the opposition, the more human rights abuses you can get away with:
It's true that some financial privacy is anti-corruption. If you want to get money to a dissident news source, or a banned political cause, then private money matters. If you're fighting to decriminalize homosexuality, it helps if people can donate to the cause without outing themselves as supporters of a banned practice.
But remember the attacker's advantage. If your cause fails, then eventually a motivated, human-rights-abusing state will be able to figure out that you're gay, or publishing a dissident media outlet, etc.
Cryptocurrency and other unregulated financial products do open up new possibilities for the weak and the poor and the vulnerable. But they also enable the corruption that increases the ability of powerful people to suborn powerful states and victimize the vunerable.
We really do have a financial privacy problem. The fact that you can't consume paid media without identifying yourself (either by paying for a subscription, or being exposed to surveillance advertising) is a profound shift in how we talk amongst ourselves. It's not a problem that we solve with immutable, public ledgers – because eventually, you will slip up and de-anonymize yourself (thanks to the attacker's advantage).
This has created a world where the only people who can pay for dissident media are either so powerful or so reckless that they don't fear reprisals. Meanwhile, "dangerous ideas" with wealthy sponsors are subsidized and available to all, which is why the lies are free and the truth is paywalled.
The wealthy and powerful have found a way to beat rubber hose cryptanalysis: they're in charge of the rubber hoses. They don't need the rule of law, because they have the golden rule ("them that has the gold, makes the rules").
For the rest of us, the use of unregulated financial products in defeating financial censorship has to be weighed against its role in promoting the corruption that leads to financial censorship and other human rights abuses.
When advocates for unregulated financial products talk about "decentralization," they're usually talking about decentralizing banks, not money. But our human rights crisis, our governance crisis, is not the result of too few banks competing for oligarchs' loot – the problem is oligarchs.
Every oligarch is a policy failure. Every oligarch is a factory for producing policy failures.
Unregulated finance is a vast laundry for oligarchic wealth: dark money begets corrupt policy, which creates more dark money and more corrupt policy. So long as lawmakers are beholden to billionaires, not voters, we will all be vulnerable to rubber hose cryptanalysis.
Here's the podcast episode:
And here's a direct link to the MP3 (hosting courtesy of the Internet Archive; they'll host your stuff, for free, forever):
And here's the RSS for my podcast:
This day in history (permalink)
#20yrsago Hard-science Tolkien fan-writing https://web.archive.org/web/20020215030416/http://www.geocities.com/Area51/Corridor/8611/medating.htm
#15yrsago Meshing WiFi in a San Francisco housing project https://www.wired.com/2007/04/wifiproject-0403/
#15yrsago Pack your bagel in a CD spindle https://www.flickr.com/photos/piwonka/384203161
#10yrsago Step Gently Out: kid’s poem illustrated with gorgeous macro-photo portraits of backyard bugs https://memex.craphound.com/2012/04/04/step-gently-out-kids-poem-illustrated-with-gorgeous-macro-photo-portraits-of-backyard-bugs/
#10yrsago Canada’s warrantless spying bill is coming back, and it’s worse than before https://web.archive.org/web/20120504000316/https://www.michaelgeist.ca/content/view/6403/125/
#10yrsago Reddit-based PAC takes aim at SOPA-sponsor Lamar Smith https://www.reddit.com/r/politics/comments/rrb93/that_redditfunded_billboard_in_lamar_smiths/
#10yrsago Bruce Sterling’s critique and love note to “the New Aesthetic” https://www.wired.com/2012/04/an-essay-on-the-new-aesthetic/
#10yrsago Episode 1 of Wil Wheaton and Felicia Day’s “Tabletop,” a net-show about tabletop gaming sessions https://www.youtube.com/watch?v=X9QtdiRJYro
#10yrsago Voice of Yakko Warner performs “Yakko’s World” https://www.youtube.com/watch?v=Lo_8UmQzu14
#5yrsago Weaponized shelter: a website that lets tenants bid against each other for apartments, in 1000 citieshttps://gizmodo.com/bidding-website-rentberry-may-be-the-startup-of-your-ni-1793940693
#5yrsago Leaked Inspector General’s report reveals millions lost to incompetence and waste at the US Copyright Office https://www.techdirt.com/2017/04/03/newly-leaked-documents-expose-stunning-waste-incompetence-copyright-office/
#5yrsago Unesco warns the World Wide Web Consortium that DRM is incompatible with free expression https://en.unesco.org/sites/default/files/eme_letter_frank_la_rue.pdf
#5yrsago How Netflix is driving permanent, terrible, standards-defined insecurity for billions of browser users https://www.newscientist.com/article/2126513-debate-rages-over-controversial-copyright-standard-for-the-web/
#5yrsago Read: chapter two of WALKAWAY, in which buildings build themselves https://www.tor.com/2017/04/03/excerpts-cory-doctorow-walkaway-chapter-2/
#5yrsago Technology should serve us, not boss us around https://www.torforgeblog.com/2017/04/03/how-can-we-make-technology-that-frees-us-rather-than-enslaves-us/
#1yrago China's antitrust surge https://pluralistic.net/2021/04/03/ambulatory-wallets/#sectoral-balances
#1yrago Consumerism won't defeat Georgia's Jim Crow https://pluralistic.net/2021/04/03/ambulatory-wallets/#christmas-voting-turkeys
Today's top sources:
- Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. Friday's progress: 523 words (79166 words total).
A Little Brother short story about DIY insulin PLANNING
Vigilant, Little Brother short story about remote invigilation. FIRST DRAFT COMPLETE, WAITING FOR EXPERT REVIEW
Moral Hazard, a short story for MIT Tech Review's 12 Tomorrows. FIRST DRAFT COMPLETE, ACCEPTED FOR PUBLICATION
Spill, a Little Brother short story about pipeline protests. FINAL DRAFT COMPLETE
A post-GND utopian novel, "The Lost Cause." FINISHED
A cyberpunk noir thriller novel, "Red Team Blues." FINISHED
Currently reading: Analogia by George Dyson.
Latest podcast: The Byzantine Premium
- Surveillance Capitalism, Borders, and the Police (San Diego DSA), Apr 14
Seize the Means of Computation, Emerging Technologies For the Enterprise, Apr 19-20
UK Competition and Markets Authority Data Technology and Analytics conference, Jun 15-16
- Initiative for Public Digital Infrastructure Podcast
The Bitcoin Podcast:
Dangerous Visions: False Dawns and Wandergrounds – Dystopia, Then and Now
- "Attack Surface": The third Little Brother novel, a standalone technothriller for adults. The Washington Post called it "a political cyberthriller, vigorous, bold and savvy about the limits of revolution and resistance." Order signed, personalized copies from Dark Delicacies https://www.darkdel.com/store/p1840/Available_Now%3A_Attack_Surface.html
"How to Destroy Surveillance Capitalism": an anti-monopoly pamphlet analyzing the true harms of surveillance capitalism and proposing a solution. https://onezero.medium.com/how-to-destroy-surveillance-capitalism-8135e6744d59 (print edition: https://bookshop.org/books/how-to-destroy-surveillance-capitalism/9781736205907) (signed copies: https://www.darkdel.com/store/p2024/Available_Now%3A__How_to_Destroy_Surveillance_Capitalism.html)
"Little Brother/Homeland": A reissue omnibus edition with a new introduction by Edward Snowden: https://us.macmillan.com/books/9781250774583; personalized/signed copies here: https://www.darkdel.com/store/p1750/July%3A__Little_Brother_%26_Homeland.html
"Poesy the Monster Slayer" a picture book about monsters, bedtime, gender, and kicking ass. Order here: https://us.macmillan.com/books/9781626723627. Get a personalized, signed copy here: https://www.darkdel.com/store/p1562/_Poesy_the_Monster_Slayer.html.
- Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin, nonfiction/business/politics, Beacon Press, September 2022
This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.
Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.
How to get Pluralistic:
Blog (no ads, tracking, or data-collection):
Newsletter (no ads, tracking, or data-collection):
Mastodon (no ads, tracking, or data-collection):
Medium (no ads, paywalled):
(Latest Medium column: "When Automation Becomes Enforcement" https://doctorow.medium.com/when-automation-becomes-enforcement-677461a78e62)
Twitter (mass-scale, unrestricted, third-party surveillance and advertising):
Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):
"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla