Will cDc privacy app Peekabooty put users at risk?

Maybe, maybe not....

In spite of having long anticipated the Cult of the Dead Cow's Peekabooty demo at Defcon09 as one of the conference's major highlights, we actually managed to miss it. However, we got a pretty good description of it from a trustworthy journo who, unlike yours truly, found it possible to struggle over to the Hard Rock Hotel (you know who you are, bud) to observe it in action.

Based on that and several other conversations with networking specialists, we developed the impression that Peekabooty could be a fairly self-destructive tool in the hands of non-technical computer users in repressive countries, which might, ironically, give the very people it's designed to help a dangerously false sense of security.

We also spoke at length with cDc, and they made some well-reasoned replies to our characteristically skeptical inquiries.

What we know

First up, Peekabooty is a peer networking application which enables users in countries where Internet content is censored to host and retrieve forbidden content via encrypted communication with a trusted client, and so bypass national firewalls. We'll say flat out that the goal here is eminently good, and we support it wholeheartedly.

Depending on how involved one wishes to be, the scheme may or may not require a download. Some users will actually be hosting content. Others will merely relay it, and others will simply be accessing Web content through an ordinary browser with nothing installed on their machines, as with SafeWeb.

What's wrong with this picture?

With the exception of safe browsing without a download, we see some potential risks for users in repressive countries, and we worry that the less than tech-savvy may fail to appreciate them. Furthermore, some users will not merely be viewing banned content, they'll actually be hosting it, which could open them up to increased criminal liability. Additionally, it may be possible for Feds to scan for characteristic traffic which would indicate its use.

The most obvious concern is that the download itself may be incriminating in the more neurotic countries where it's to be used. Clearly, a person under surveillance is not a candidate for PB use, so we asked cDc how they intend to make that clear to potential users.

"The app can be obscured, but not hidden as you correctly point out. We are going to give advance briefings to grassroots organizations who will act as one distribution chain; risk assessment will be part of that. Obviously, if someone is already on 'state radar', they would not be a suitable candidate," cDc member Oxblood Ruffin told us.

"We will clearly spell out the risks and have people aware of them before we deploy, but also consider this: the level of risk in using Peekabooty is pretty much the same as if one made the more public statement of going to a political rally. People aren't stupid, and they know the consequences of having contrary opinions to the authorities. So at the end of the day, it will be the user's choice to install Peekabooty, or not."

Member Drunken Master added that there are plans "to integrate process hiding and other things, and have a way to quickly wipe the disk of the tool (securely) in case something bad happens to you."

Good, so long as your machine is running when the Feds kick the door, and you tend not to panic.

Another worry is that the user has to trust the node that will decrypt, and he therefore needs some way of determining whether or not he ought to. 'How on earth can the user know the difference between a safe node and a compromised one,' we asked.

DM replied, noting that "one of the more advanced pieces of the program allows you to specify who you trust in the network. You can choose to connect through those nodes of trust. You do not have to be directly connected to those you trust.... It would be easier for the bad guys to simply set up their own nodes."

Which is exactly what we're concerned about. Without some form of cryptographically-robust certification scheme, you might just find yourself communicating directly with the Feds.

"Make no mistake about it: the application is not made for everyone. If the user cannot accept a certain level of risk, they should not use it, and we will make that very clear. We will have different ways to run the program, each with a different level of risk associated with it," DM told us.

He also, and rightly, observed that our 'devil's advocate' line of questioning is relevant only to a limited number of real-world situations.

"The questions you are asking are all geared toward the extreme case and that is important to think about; but it is also important to remember that there are plenty of countries out there where the firewall may block you from seeing things, but nothing bad happens to you if you do see the banned content (same with corporations)."

The tool has been made open source, and wisely so. While Feds will find it easier to observe patterns in its behavior and so identify characteristic packet traffic, the open-source development community will also be tweaking and refining it continually to thwart them. Indeed, because the competition between those who'll be using it and those who'll be threatened by it is open-ended, it's better to develop a flexible and adaptable tool than some rigid, and therefore very temporary, solution.

"One of the interesting things about a distributed tool like this is that each government and corporation will have to find their own methods of dealing with it. Just because one government figures out a way to block it, doesn't mean they all do," DM observed.

Why Peekabooty?

We see some serious risks for those in the government-surveillance hot seat, and we'd hate to see any of those users turn to a full implementation of Peekabooty in quest of increased security, when in that case it would provide just the reverse. We trust that cDc understands this as well as we do, and that they'll do all they can to discourage its full use by those whose doors remain under constant threat of being kicked.

But, with the exception of open-sourcing, we haven't seen any clear advantage in PB over a product like Triangle Boy, which requires no download, prevents decryption by relay clients, and employs a certification scheme so that one can be confident he's communicating with a trustworthy server.

Better yet, it's up and running right now; and as for packet traffic, all the Feds would be able to learn from their remote surveillance efforts is that the subject is using crypto over https (unless, of course, his box has been compromised, in which case nothing will help him, or hurt him any worse than he already has been).

This may well change for the better as PB nears completion; and we look forward to evaluating it as soon as it's ready, and promptly reporting our experiences with it. ®
