16 September 2017

Blockchain, Crypto, Sharing, Malware - Fear of the Internet

In the past week I've been in several discussions on Twitter regarding the 'crisis' of cyber crime, the 'problems' with the 'legitimacy' of blockchains, the 'respect' of copyright and Governments' claims of a desire for a 'liberal, open, free and safe' Internet. Then on Friday someone attempted to detonate an IED, and talking heads and the papers were quick to condemn the Internet.

The Internet as we know it is under attack. Legacy business models hate it, legacy ISPs hate modern companies generating revenue off their backs and more importantly Governments hate their slipping control.

There is a 'cyber' crisis but it's not about crime, malware, blockchains or sharing. It's that fear or jealousy of the Internet is going to kill what we have built and rob future generations of the Internet's true potential.

The Legitimacy of Bitcoin

On Monday Stuart Coulson published a blog post suggesting that in order to legitimise Bitcoin a central blacklist should be created of "bad" Bitcoin addresses such as those used in Malware campaigns.

The blog post mentions the "3 Wannacry wallets" as an example of where the blacklisting would have worked. The problem is that most Ransomware generates a per-user address to allow the miscreants to know who has paid them and who hasn't. Using the Wannacry addresses (not 'wallets') as an example is either ignorance of the normal operation of ransomware, intentionally misleading or just an accidental simplification. (By all accounts Wannacry was supposed to create unique addresses per victim and fall back to those 3 if unique generation failed.)

As the discussion continued it was suggested that a blacklist would stop transactions from happening;

Again such a claim either fundamentally misunderstands how Bitcoin et al work or is simply misleading the reader to underline the success of the proposed solution.

Regardless of whether these mistakes are due to ignorance or are an attempt to mislead, they are concerning. Mr Coulson is heavily involved in Cyber Challenge UK which is an attempt to solve the UK's ailing infosec competency. This is concerning.

Bitcoin does not need centralised blacklists where malicious people can file false reports, or where heavy-handed AML obligations will cripple a business. Even if a blacklist were to exist (even in a manner such as Spamhaus) I wouldn't use it, Ablative Hosting wouldn't use it and hundreds if not thousands of other people wouldn't use it. Bitcoin and other cryptocoins will continue to prosper regardless.

Sustaining Creative Expression with an Accountable, Respectable New Internet

Later that week I engaged with none other than Neil Turkewitz who at one point was pulling down $600,000 a year as a part of the RIAA. He was lambasting respected Technology lawyers such as Neil Brown and Graham Smith for pointing out things such as UK case law countering some of his points, that due process requires courts not algorithms (for example) or that calling misuse of Copyright legislation censorship was somehow muddying the waters of actual censorship.

Upon my engagement I was advised that I was "fighting an old war", we reset the conversation and Mr Turkewitz put forward his primary objection to my stance;

Now this is lovely language; in an earlier tweet Neil talked about respect and accountability and now we are talking about sustaining creative expression. The skeptic in me assumed that Neil was actually talking about creating new laws that ensured the notion of copyright etc and the legacy business models built around it could survive without having to change or innovate. I was right.

Rather than innovate a failing business model it seems that the creative industry simply wants to attack the Internet with more censorship and any collateral damage is acceptable. Other companies have seized on the opportunities of the Internet but others would rather strangle it than change their business model.

The 'Crisis' of Online Crime

Over the course of the week Carl Miller of Demos tweeted that we are facing a crisis of cybercrime and that UK legislators can't do anything about it;

I've always thought of the Internet as being a great equaliser. With free and open source software coupled with the nature of the Internet every consumer can also be a publisher (as in one can literally host a blog on the same computer they are using to read other people's blogs, no other companies, software or permission needed). History has called other technologies "great equalisers";

The gun has been called the great equalizer, meaning that a small person with a gun is equal to a large person [Ronald Reagan]

Similarly, a properly maintained computer operated by a competent person can probably withstand most crimeware.

I acknowledge that privilege and survivor bias coupled with a lack of understanding of the true extent of the crime stats beyond the NCA report means that the following paragraphs are probably woefully ill-informed and maybe we are indeed in a crisis, but even if we are, it is not the Internet's problem to fix.

Ransomware (and malware in general) are down to the online equivalent of not locking your front door; if you don't patch your computer then the criminals are just going to walk straight in and help themselves. When burglars were robbing people with unlocked front doors did we blame the doors, their garden gates, the pavement or the roads? Of course not, people learned to lock their doors, leave a light or radio on, get a fake burglar alarm etc.

Poorly secured IoT and data breaches are caused by selfish lazy vendors. Back in the day credit card receipts used to print the full credit card number on them, trawling through bins at supermarkets would provide tens of thousands of pounds worth of criminal bounty. Vendors were to blame and they adjusted accordingly, in time vendors utilising the Internet will too.

People replying to lottery, inheritance or Iraq/Afghan spoils emails would equally be scammed by someone phoning them or sending physical mail. It's barely worth discussing here.

Law enforcement is somewhat playing catch-up here but the issue in my opinion is not that the Internet is bad, or that the Police suck at Cyber (although they are massively understaffed thanks to the Home Office) but, as Neil Brown pointed out, these are old problems and people are trying to apply old solutions (this was in response to the Bitcoin Blacklist).

Allowing the Police to gather and utilise ICRs, making malicious software more illegal (now that X is illegal we can rest assured that criminals will stop doing it!) won't achieve anything as long as people still believe that they've won a £10,000,000,000 lottery they never entered into. The problem isn't that criminals have leveraged all the benefits we gain from the Internet but that criminals are arseholes (and human beings by nature are lazy and selfish).

The NCA can't be trusted to follow warrant procedures and flagrantly attempts to bypass legal safeguards, Police officers abuse access to databases and let's not get started on GCHQ's abuses of the Internet. Giving the state more powers to attack the Internet, encryption and our computers is not a good idea.

Instead of UK legislators trying to 'fix' the Internet and instead of giving billions of pounds to GCHQ/NCSC (who let the person who did more to protect the NHS from Wannacry than they did walk into an FBI ambush) that time and money would be better spent on bolstering projects like Cyber Aware.

The Future of the (UK) Internet

On the 13th of September Matt Hancock MP gave a speech.

The speech started off well, praising the Internet's growth and libertarian attitudes but then it got darker;

Sometimes we do need regulation, like with the age verification laws to prevent children viewing porn easily online, just as they do offline.

By regulation Mr Hancock is referring to the Digital Economy Act 2017 that allows the British Board of Film Censors to order any UK ISP to block any website on the Internet if it falls foul of these new regulations. The speech continued;

In other words, we must build an internet based on liberal and not libertarian values, where we cherish freedom yet prevent harm to others. We seek an internet that is free, open and safe, that fosters innovation, where standards are driven by experts, in which all stakeholders have a say in how the internet is run, and where the major players act to prevent harm.

Much like Mr Turkewitz's language earlier, words like liberal, free, open and safe all seem good. But I'd wager that Orwell would be skeptical that the Government's intentions matched the dictionary definitions of the words used.

The Internet is free and it is open. Hell, in 2015 I built my own ISP. With that in mind, what about the Internet of today isn't free or strong? Are these words just there to buttress the replacement of libertarian with liberal and the addition of safe?

The Government doesn't want an Internet safe for you or me, it doesn't care about making an Internet that is 'safe' for our children (who they will let burn in towerblocks, starve during the summer holidays or send to die in war). The Government wants an Internet it can control, an Internet that doesn't pose a threat to it.

Cryptography and the evil Internet Giants

Terrorism is a sensitive subject especially in the immediate days after an attack but it didn't take long for useful idiots including a former Metropolitan Police Officer and the Daily Mail to blame cryptography and the Internet for the latest bombings.

I remember trading the Anarchist Cookbook (and other such material) on floppy disks back in the nineties, none of us blew up a train. Bomb making instructions are available to anyone who studies physics and/or chemistry. It is in books from the 1940s printed by the UK Government; they are available in libraries or bookshops, as Peter R. Neumann also points out;

If people are being radicalised in their homes by shadowy people abroad then banning all the bomb making instructions from the Internet won't make the slightest bit of difference. The shadows will simply type it out line by line.

If we ban cryptography then the shadowy hands will simply print it out and bring it through physical ports and photocopy the instructions to hand out.

The problem of people building bombs and being convinced to do horrible things with those bombs is not the Internet. As with cyber crime and copyright infringement the problem is people, not technology.

The Internet is Dead, Long Live the Internet

Even if everyone above gets their way and the Internet of 2020 is censored clean of any pornography and bomb making instructions, even if it is now technically impossible to upload a copy of a song (or even an unlicensed remix, fair-use is dead now) and even if it is impossible to be mean to people on the Internet (trolling, radicalisation etc), guess what?

People will still be bastard coated bastards with a bastard filling. The plain Internet will be strangled, net neutrality will die, the ability to dissent or call for justice will be impossible, the ability to challenge monolithic media by publishing your own material will be gone, encryption and privacy would be a memory.

But.... software like Tor will still exist, GPG will still exist, software like OpenBazaar and Zcash will still exist. The libertarian Internet will still exist but in order to survive it will have evolved to be an unstoppable, decentralised, ethereal phoenix.

If I am wrong and the Internet truly is the problem then like a Hydra it will have grown stronger. If you can consume you will still be able to publish and nothing in the 'verse will stop that.

As I've been saying since the City of London Police attacked Proxy operators; We can innovate faster than they can legislate.