Here we have a painful example of the biggest problem with circumvention tools: the people writing them don't have the resources to compete with their adversaries.
It's easy to assume that knowing how to code with sockets and call into a crypto library makes you more clueful than the people running "the great firewall" or whatever it is Iran has. They're trying to censor the Internet, how smart could they be?
Well, they're smart enough to pay someone a million dollars to break a circumvention tool without giving it a second thought. The Tor project, which actually has some software security talent, couldn't clear the "adversary with $1MM" bar (they screwed up Diffie-Hellman). And Tor has an "easy" problem; stealth circumvention is much harder.
Get circumvention at all wrong and you achieve the opposite of what the tool is intended for: you put a big red flag on people breaking their local laws. The risk/reward structure here is totally broken, even before you consider how likely it is that everyone's machines in the country you're trying to "help" are already rootkitted.
Could the entirety of your arguments against cryptosystem design not be applied to SSL in its infancy? Aren't the resources of the attackers always larger than the resources of the developers?
There's clearly a large gap between what currently accepted protocols can do, and the capabilities of zero knowledge proofs and secure multiparty computation. It's certainly smart to reuse existing blocks rather than recreating their errors, but that doesn't mean all crypto protocol design work is antiquated.
(although please don't think I'm saying distributing Haystack to users in repressive regimes was anything but criminal malpractice. Even TOR says to not rely on it for strong anonymity)
If SSL was being sold as a tool to allow people to visit censored Internet sites from ISPs controlled by a government that still kills people by burying them in a sand pit and hurling giant rocks at their head? Yes. It'd be the same argument.
Since I never argued that all crypto protocol design work was "antiquated", I'm not sure how to respond to that. What I've said a bunch of times is: it is prohibitively difficult to get stealth circumvention tools right on the first try, and the adversary being circumvented could pay the couple million it would take to turn any such tool, without even noticing the cost.
There's a big difference between saying that it's hard to get protocols/tools right on the first (or fifth) try, and stating that people should not develop 'circumvention' tools at all. (And I've seen you express that latter viewpoint more than once with respect to various experimental protocols)
I don't think it matters if I have an alternative idea. The world is under no obligation to be equitable. Meanwhile: "best effort" isn't good enough when the penalty for failure is someone being hung from a construction crane.
I think a state-sponsored circumvention tool, backed by one or more western governments, would --- if procured properly, which would never happen, and instead would involve Lockheed or SAIC --- stand enough of a chance against a foreign adversary to be worth considering. Short of that, you run right into a very simple wall: once your tool starts to matter, Iran will happily spend many millions of dollars to have it turned.
I would say we are not doomed to police-statism, because there is a countervailing force: An open network is more valuable than a closed network. There are forces that will work to keep the network open so they can tap that value, though they may face a coordination problem. Google would be one example of a company that, for all its many missteps and concerning moves, is broadly speaking fighting for a more open net rather than a more closed net. (I'm not saying they've been 100% successful or 100% aligned to openness, but net-net I've been reasonably impressed with their vision on this point; and again, by "reasonably impressed" I do not mean "in love with".) Even a government may be convinced that the more valuable open network is in their best interests, as it represents a larger tax base to work from. Perhaps we should be encouraging Internet taxes now, instead of fighting them!
But the police state won't be defeated by broad-scale usage of some technical tool. Small-scale usage by a small core group of hackers who constantly adapt (and, frankly, constantly suffer attrition by the police and face the non-zero chance of making one mistake that allows the police to catch them all) might be possible, but if we're going to defeat a police state it will have to be on something other than a purely technical level like that.
It's easy to assume that knowing how to code with sockets and call into a crypto library makes you more clueful than the people running "the great firewall" or whatever it is Iran has. They're trying to censor the Internet, how smart could they be?
Well, they're smart enough to pay someone a million dollars to break a circumvention tool without giving it a second thought. The Tor project, which actually has some software security talent, couldn't clear the "adversary with $1MM" bar (they screwed up Diffie-Hellman). And Tor has an "easy" problem; stealth circumvention is much harder.
Get circumvention at all wrong and you achieve the opposite of what the tool is intended for: you put a big red flag on people breaking their local laws. The risk/reward structure here is totally broken, even before you consider how likely it is that everyone's machines in the country you're trying to "help" are already rootkitted.
Don't build circumvention tools.