
Funding, and Distributing Software to Activists Against Authoritarian Regimes - r11t
https://www.eff.org/deeplinks/2010/09/on-software-for-dissidents
======
tptacek
This article doesn't go far enough. It's an optimistic take written by an
academic with a background studying P2P and privacy-preserving communications.
I respect Eckersley's view and the dues he's paid to have that view, but I
strongly disagree.

The economics of circumvention tools do not work.

One of the smallest regimes online activists target (the Islamic Republic of
Iran) spends many, many tens of millions of dollars a year to fund militant
groups in other countries. A safe estimate of the amount of money they would
be capable of spending "without blinking" to defeat a newly-popular
circumvention tool is 7 figures.

To put that rough figure in perspective, 7 figures may be more than any
company has spent to assess the security of any release of any piece of
software or hardware ever. Those assessments _always_ find terrible things. So
you have to start one of these projects assuming the responsibility for
withstanding a 7 figure analytical assault by your adversary.

I think --- but can't support the thought with evidence --- that many
advocates of circumvention tools are laboring under the idea that their
adversaries aren't savvy enough to defeat these tools. For instance, ask
anti-censorship advocates about the "great firewalls" or DPI systems; or don't,
because they're bound to snicker about them to you anyways. We're talking
about people dumb enough to think they can censor the Internet! How smart can
they be?

Unfortunately, a million dollars demonstrably buys a _lot_ of smart. Look to
any major credit card exfiltration ring or botnet operator or pay-per-install
site for evidence that there are many hundreds of people who can find
vulnerabilities in software and are willing to do so for the highest bidder.

Into this environment, inject the fact that a vulnerability in circumvention
software "turns" the tool, allowing it to be used as a dragnet to conduct
sweeping arrests (or simply to create files on people for later use). We're
talking about regimes that hang people from construction cranes for writing
blog posts.

This isn't a technology problem. If you don't speak Farsi, you probably
shouldn't be thinking about what you can do from your office chair in North
America to help overthrow governments.

