Will cDc privacy app Peekabooty put users at risk?
Maybe, maybe not...
In spite of having long anticipated the Cult of the Dead Cow's Peekabooty demo at Defcon09 as one of the conference's major highlights, we actually managed to miss it. However, we got a pretty good description of it from a trustworthy journo who, unlike yours truly, found it possible to struggle over to the Hard Rock Hotel (you know who you are, bud) to observe it in action.
Based on that and several other conversations with networking specialists, we developed the impression that Peekabooty could be a fairly self-destructive tool in the hands of non-technical computer users in repressive countries, which might, ironically, give the very people it's designed to help a dangerously false sense of security.
We also spoke at length with cDc, and they made some well-reasoned replies to our characteristically skeptical inquiries.
What we know
First up, Peekabooty is a peer networking application which enables users in countries where Internet content is censored to host and retrieve forbidden content via encrypted communication with a trusted client, and so bypass national firewalls. We'll say flat out that the goal here is eminently good, and we support it wholeheartedly.
Depending on how involved one wishes to be, the scheme may or may not require a download. Some users will actually be hosting content. Others will merely relay it, and others will simply be accessing Web content through an ordinary browser with nothing installed on their machines, as with SafeWeb.
What's wrong with this picture?
With the exception of safe browsing without a download, we see some potential risks for users in repressive countries, and we worry that the less than tech-savvy may fail to appreciate them. Furthermore, some users will not merely be viewing banned content, they'll actually be hosting it, which could open them up to increased criminal liability. Additionally, it may be possible for Feds to scan for characteristic traffic which would indicate its use.
The most obvious concern is that the download itself may be incriminating in the more neurotic countries where it's to be used. Clearly, a person under surveillance is not a candidate for PB use, so we asked cDc how they intend to make that clear to potential users.
"The app can be obscured, but not hidden as you correctly point out. We are going to give advance briefings to grassroots organizations who will act as one distribution chain; risk assessment will be part of that. Obviously, if someone is already on 'state radar', they would not be a suitable candidate," cDc member Oxblood Ruffin told us.
"We will clearly spell out the risks and have people aware of them before we deploy, but also consider this: the level of risk in using Peekabooty is pretty much the same as if one made the more public statement of going to a political rally. People aren't stupid, and they know the consequences of having contrary opinions to the authorities. So at the end of the day, it will be the user's choice to install Peekabooty, or not."
Member Drunken Master added that there are plans "to integrate process hiding and other things, and have a way to quickly wipe the disk of the tool (securely) in case something bad happens to you."
Good, so long as your machine is running when the Feds kick the door, and you tend not to panic.
Another worry is that the user has to trust the node that will decrypt, and he therefore needs some way of determining whether or not he ought to. 'How on earth can the user know the difference between a safe node and a compromised one,' we asked.
DM replied, noting that "one of the more advanced pieces of the program allows you to specify who you trust in the network. You can choose to connect through those nodes of trust. You do not have to be directly connected to those you trust.... It would be easier for the bad guys to simply set up their own nodes."
Which is exactly what we're concerned about. Without some form of cryptographically robust certification scheme, you might just find yourself communicating directly with the Feds.
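To make the "certification scheme" point concrete, here is an added illustration (not cDc's code, and not a description of how Peekabooty actually works) of what a client needs before it routes traffic through a node: a certificate on the node's key signed by a trusted introducer whose public key is pinned in the client, plus proof that the node holds the certified private key. The introducer, the node id "relay-7", and the Schnorr-style signatures over a tiny multiplicative group are all assumptions made for the example; the group is far too small for real use and is there only to show the mechanics with the standard library.

```python
import hashlib
import secrets

# Toy group for illustration only: Z_p^* with the Mersenne prime p = 2^127 - 1.
# Exponents are reduced modulo p - 1, which is valid for every element of Z_p^*.
P = (1 << 127) - 1
N = P - 1
G = 3


def keygen():
    """Return (private exponent, public group element) for one party."""
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)


def _challenge(r, msg):
    # Fiat-Shamir hash of the commitment and the message, reduced into the exponent range.
    h = hashlib.sha256(r.to_bytes(16, "big") + msg).digest()
    return int.from_bytes(h, "big") % N


def sign(x, msg):
    """Schnorr-style signature (e, s) on msg under private exponent x."""
    k = secrets.randbelow(N - 1) + 1
    r = pow(G, k, P)
    e = _challenge(r, msg)
    return e, (k - x * e) % N


def verify(y, msg, sig):
    """Check sig against public element y: g^s * y^e recovers g^k when s = k - x*e."""
    e, s = sig
    r = pow(G, s, P) * pow(y, e, P) % P
    return _challenge(r, msg) == e


def _cert_body(node_id, node_pub):
    return node_id.encode() + b"|" + node_pub.to_bytes(16, "big")


def issue_cert(introducer_priv, node_id, node_pub):
    """A hypothetical trusted introducer (e.g. the distributing organisation) vouches for a node key."""
    return {"node_id": node_id, "pub": node_pub,
            "sig": sign(introducer_priv, _cert_body(node_id, node_pub))}


def check_node(cert, pinned_introducer_pub, nonce, proof):
    """Accept a node only if its certificate verifies under the pinned introducer key AND
    the node proves possession of the certified private key by signing the client's fresh nonce."""
    if not verify(pinned_introducer_pub, _cert_body(cert["node_id"], cert["pub"]), cert["sig"]):
        return "reject: certificate not signed by pinned introducer"
    if not verify(cert["pub"], nonce, proof):
        return "reject: node cannot prove it holds the certified key"
    return "accept"


def demo():
    """Constructed scenario: one genuine relay and two impostors posing as it."""
    intro_priv, intro_pub = keygen()        # introducer key pinned into the client at install
    node_priv, node_pub = keygen()          # genuine relay
    cert = issue_cert(intro_priv, "relay-7", node_pub)

    nonce = secrets.token_bytes(16)         # fresh per connection, so proofs cannot be replayed
    genuine = check_node(cert, intro_pub, nonce, sign(node_priv, nonce))

    # Impostor 1: presents a certificate issued by an introducer nobody pinned.
    fake_intro_priv, _ = keygen()
    rogue_priv, rogue_pub = keygen()
    rogue_cert = issue_cert(fake_intro_priv, "relay-7", rogue_pub)
    self_issued = check_node(rogue_cert, intro_pub, nonce, sign(rogue_priv, nonce))

    # Impostor 2: replays the genuine certificate but does not hold its private key.
    replayed = check_node(cert, intro_pub, nonce, sign(rogue_priv, nonce))

    return genuine, self_issued, replayed


if __name__ == "__main__":
    print(demo())
```

The two rejections are the cases the article worries about: a node that simply sets itself up and hands out its own credentials, and a node that has copied a legitimate certificate. Without a pinned introducer key, the first case is indistinguishable from a genuine relay; without the nonce proof, the second is.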
"Make no mistake about it: the application is not made for everyone. If the user cannot accept a certain level of risk, they should not use it, and we will make that very clear. We will have different ways to run the program, each with a different level of risk associated with it," DM told us.
He also, and rightly, observed that our 'devil's advocate' line of questioning is relevant only to a limited number of real-world situations.
"The questions you are asking are all geared toward the extreme case and that is important to think about; but it is also important to remember that there are plenty of countries out there where the firewall may block you from seeing things, but nothing bad happens to you if you do see the banned content (same with corporations)."
The tool has been made open source, and wisely so. While Feds will find it easier to observe patterns in its behavior and so identify characteristic packet traffic, the open-source development community will also be tweaking and refining it continually to thwart them. Indeed, because the competition between those who'll be using it and those who'll be threatened by it is open-ended, it's better to develop a flexible and adaptable tool than some rigid, and therefore very temporary, solution.
"One of the interesting things about a distributed tool like this is that each government and corporation will have to find their own methods of dealing with it. Just because one government figures out a way to block it, doesn't mean they all do," DM observed.
We see some serious risks for those in the government-surveillance hot seat, and we'd hate to see any of those users turn to a full implementation of Peekabooty in quest of increased security, when in that case it would provide just the reverse. We trust that cDc understands this as well as we do, and that they'll do all they can to discourage its full use by those whose doors remain under constant threat of being kicked.
But, with the exception of open-sourcing, we haven't seen any clear advantage in PB over a product like Triangle Boy, which requires no download, prevents decryption by relay clients, and employs a certification scheme so that one can be confident he's communicating with a trustworthy server.
Better yet, it's up and running right now; and as for packet traffic, all the Feds would be able to learn from their remote surveillance efforts is that the subject is using crypto over https (unless, of course, his box has been compromised, in which case nothing will help him, or hurt him any worse than he already has been).
This may well change for the better as PB nears completion; and we look forward to evaluating it as soon as it's ready, and promptly reporting our experiences with it. ®