smuggling data out of Iran

Via Spencer, an interesting article about the Iranian protesters’ use of Tor, The Onion Router. I’m a big fan of Tor, and have seen it successfully used to evade dictatorial regimes in the past (specifically the people running NBA League Pass). But it’s probably worth pointing out Tor’s limits as they pertain to the situation in Iran.

First, you really can’t count on Tor for anonymity or encryption. The right way to do encryption on the internet is for your machine and the server with which it’s communicating to agree on a cryptographic arrangement that begins with you and ends with it. If the server isn’t expecting to receive encrypted content, it won’t know what to make of any such content that it receives — that’s kind of the point of encryption, right? So at some point Tor needs to decrypt your traffic and send it out onto the internet in its original, exposed form. Before it does that it passes it back and forth between who-knows-how-many nodes, concealing its point of origin. But hiding your IP address won’t do you much good if malevolent actors get their hands on the eventually-decrypted content and it contains your email address, or Twitter login name, or whatever else.

And it’s not too hard for them to do this. Tor relies on kind-hearted souls to run “exit nodes” — the spots where traffic gets decrypted and sent back into the plain internet. And if you run an exit node, you can easily choose to look at all of the traffic coming through it. In 2007 one clever guy did just that, and managed to capture sensitive information being emailed by embassy staffers. Looking at the Tor exit node instructions, it doesn’t look like any node-approval bureaucracy has been added since this incident (nor should there have been, in my opinion). So there’s nothing stopping the Iranian government from setting up some exit nodes, grabbing whatever fraction of total Iranian Tor traffic lands in their laps, pulling email addresses and names from it and going after those people.
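To make the exit-node point concrete, here is an added illustration (not from the original post): a toy Python model of a three-hop onion circuit, showing what the exit relay holds when the request is plain HTTP and what it holds when the request is also encrypted end to end to the server. The cipher, keys, hop names and request are all constructed for the example; the XOR keystream stands in for real cryptography and is not secure.

```python
import hashlib

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Illustration only, not secure.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

# Constructed keys: one per relay on the circuit, in path order.
HOP_KEYS = [b"guard-key", b"middle-key", b"exit-key"]
# Stands in for an end-to-end session (e.g. TLS) between client and server.
SERVER_KEY = b"server-session-key"
# Constructed request carrying identifying data.
REQUEST = b"POST /login user=alice@example.org&pw=hunter2"

def client_wrap(payload: bytes) -> bytes:
    """Client adds one layer per relay, innermost layer for the exit."""
    for key in reversed(HOP_KEYS):
        payload = keystream_xor(key, payload)
    return payload

def relay_views(cell: bytes) -> list:
    """What each relay holds after peeling its own layer, in path order."""
    views = []
    for key in HOP_KEYS:
        cell = keystream_xor(key, cell)
        views.append(cell)
    return views

def exit_view(end_to_end: bool) -> bytes:
    """Bytes the exit relay forwards to the destination server."""
    payload = keystream_xor(SERVER_KEY, REQUEST) if end_to_end else REQUEST
    return relay_views(client_wrap(payload))[-1]

if __name__ == "__main__":
    guard, middle, _ = relay_views(client_wrap(REQUEST))
    print("guard sees :", guard[:16].hex(), "...")
    print("middle sees:", middle[:16].hex(), "...")
    print("exit, plain HTTP :", exit_view(end_to_end=False))
    print("exit, end-to-end :", exit_view(end_to_end=True)[:16].hex(), "...")
```

The guard and middle relays only ever hold ciphertext; the exit holds exactly what the client would have sent without Tor, so only the end-to-end layer keeps the login out of its hands.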

Nor is there any reason why Tor can’t be blocked. SSL traffic — the most widely used, genuinely secure encryption on the internet (it’s what protects your credit card number from snoopers when you buy something from Amazon) — is blocked in Iran. Now, given that Tor is working while SSL isn’t, the latter is probably being blocked through the relatively crude measure of turning off traffic on port 443, which is the standard port associated with https:// URLs. But with a semi-modern firewall it’s possible to block encrypted traffic regardless of the port — I’ve worked in offices that do this. That would effectively kill SSH, SSL, Tor and any other way of concealing online activities from eavesdropping government agents.

Actually, the government could do far worse. They could allow traffic through, but flag encrypted traffic to non-commercial sites for investigation. Or they could set up man-in-the-middle attacks and rely on users to approve the certificate warning they receive. Or they could create redirects that send people to phishing sites that resemble Twitter and capture passwords but seamlessly pass tweets through to the real Twitter and then use the credentials to secretly arrange tweetups and the attendees all think they’re walking into an underground storefront but then why is it so dark and the doors close and they’re in THE BACK OF A TRUCK and it pulls away toward who knows where! OMG! Cut to our hero!

But that would be a lot of trouble. And for all of the conspiracy theories floating around Twitter about Iranian sysops planting hashtags to splinter the online protest’s efficacy, the actual shape of Evil Iranian IT probably looks a lot less like the climactic scenes of Neuromancer. That’s not to say that the import of the online part of these protests is nil — I’ve pretty well been convinced that my initial skepticism was too extreme. But it is to say that we should resist writing any definitive-sounding encomiums about the tools being used to get internet traffic out of Iran. The sad truth is that if the monopoly ISP is run by repressive theocrats with adequate time and resources, aspiring online activists are kind of screwed. To the extent the authorities care, anything that works very well is going to stop working soon enough.

bike lawyers

do you think he wears a cape?

It’s great that this guy is specializing in cases from cyclists who’ve been in accidents. But it isn’t really necessary. Believe me: if you get a police report filed about your accident (and of course you should — nothing makes an insurance agent happier), personal injury scumbags will wriggle out of the woodwork and plop themselves onto your voicemail almost immediately. When it happened to me I found it pretty annoying, but I suppose it’s nice to know that cyclists’ rights will be protected.

But a legal jihad against drivers won’t change anything. At this point I’m convinced that the only way to make cities bike-friendly is to put fellow travelers (so to speak) into positions of power, like they’ve done in NYC.

two cheers for egalitarianism

ONE: The beginning of the end of the Registered Traveler program. I’ve always been uncomfortable with the idea behind this program — allowing the rich a means of escape from a vexing and arguably arbitrary set of collectively-self-imposed strictures has something of a history, and it’s not a noble one. Props to TSA, though, if the WSJ writeup really can be believed: the article cites the agency’s unwillingness to relax security standards as one of the things that made CLEAR/Registered Traveler not worth the price of admission for many would-be line skippers.

TWO: Via Caralyn, Christopher Weingarten on the present and future fortunes of the music critic. Points for his entirely appropriate level of occupational hopelessness; deductions for failing to make much of a case for the professional music critic’s necessity. With modern publishing and search technologies, the too-many-voices argument becomes a difficult one to make, and, I think, a basically incoherent one when talking about something as inessential and universally accessible as pop music.

This isn’t something I’m happy about. I have friends who are great music critics, and I’d love for them to be able to support themselves by writing record reviews. But this is sort of like saying that I’d love to see the market compensate my friends for playing Halo with me. It’s clear that the costs associated with producing music criticism have fallen to the point where it’s essentially a leisure activity. In a perfect world, this would be great: the resources expended to produce music criticism could be reallocated to more productive ends, and we could still be assured a steady stream of deep thinking about music (now with less market distortion!). In practice, those resources are likely to wind up allocated less efficiently — say, put toward debt service on a loan that financed the unnecessary sale of an alt-weekly to a clueless owner who will preside over its demise. (Woo markets!)

But we’ll still have plenty of music criticism, and plenty of other good writing. I won’t say something pretentious about writers writing because of some irresistible artistic compulsion. But writers will keep writing because they think writing is fun, so they’ll do it when they can. And that’ll be enough for the rest of us, because these days much of the writing they do will inevitably be free, our supply unrestricted. Just look at The Awl, a site run by people who perfected the blogosphere, then watched it blossom, pullulate, and choke itself to death. Now they’re doing it all over again, because hell, it was pretty fun for a while there, wasn’t it?

you can also write ‘yes please’ under ‘sex’

Okay, yes, Michele Bachmann refusing to participate in the census is a bit kooky. But I’m sympathetic. I started participating in the Census survey of household employment a few weeks ago (SPOILER ALERT: I still have a job). The very next day I began receiving unusually high numbers of calls from phone surveys. Pepco, private companies, and who knows how many other sample-seekers who I hung up on before identifying. It’s leveled off a bit since, but there was a pronounced effect.

I know, I know: they’re not allowed to sell my information. It’s probably just coincidence. I mean, malfeasance by the government or its agents? The very idea is ludicrous!

And yet I remain convinced by the experience. And so I understand where Michele is coming from. If they’re willing to sell my phone number, is it really so outlandish to think that the ACORN agents administering the census will be secretly sizing up respondent families’ fitness in order to facilitate the involuntary harvesting of organs (and their subsequent redistribution to welfare recipients) under the coming socialized medicine dystopia? Of course not. Stay strong, Michele.

more on Twitter and Iran

Yglesias links to Farrell; both are worth reading.

It’s still not clear to me the extent to which technology is enabling intramural communication among the protesters, as opposed to simply serving as a broadcast medium between a few of them and the west. I’m very curious to find out, though, and have a few emails out to people running proxies asking how much activity they’re seeing from plausibly Iranian IPs. At least one has committed to figuring this out; we’ll see if he follows through.

One thing is increasingly clear: the idea that you can change the world from your computer has a strong allure. From the various alleged DoS attacks underway* to the wrangling over hashtags and profile data (based on what seems to be pretty tenuous speculation about the regime’s filtering plans and abilities), a lot of narcissism is masquerading as activism. But then, this is the internet.

* These seem virtually certain to be counterproductive — how exactly does damaging digital communication empower the side without the TV stations in an information war? How are targets even being identified, except via the diktat of trusted-but-unverified Twitter users?

UPDATE: Austin Heap, who seems to be running the biggest clearinghouse for #iranelection proxies, has written an update sharing some stats. He’s apparently filtering source IP (seemingly using this list) and reports 2000 connections/second. Modern browsers reuse connections for multiple HTTP requests, so that’s nothing to sneeze at. I’ve asked him whether he’s comfortable generating some stats on where the outbound traffic is going.

WELL, HELL: If the professional diplomats at the State Department think that Twitter is a vital resource for Iranian protesters, I suppose I can’t really argue otherwise. But it doesn’t make me any happier about a privately-owned technology becoming a vital part of the infrastructure supporting political activity. I should add that Twitter as a company has been nothing but praiseworthy, from how they rescheduled their downtime to the openness represented by their API. But there are limits to any for-profit enterprise’s goodwill. I would feel a lot more comfortable if #iranelection was occurring on a decentralized network (and yes, I realize there are immense technological hurdles to such a thing being practical).

great ways to watch mediocre television

Sort-of-recommended: Harper’s Island, a CBS horror miniseries that Emily EDIT: And I! And I! began watching over the weekend. It’s not good in the traditional/objective/subjective/plausible sense, but it’s not all that bad. It’s essentially a conventional horror movie spread over a thirteen episode miniseries. That lets the action ramp up at a pleasantly leisurely pace, but the long home stretch threatens to buckle under the weight of a series of red herrings and a body count that seems to climb simply because the writers don’t know what else to do. But there are four more episodes left, so it’s too early to make any definitive judgments.

Definitely recommended: Netflix’s offering of Harper’s Island as a streamable product as the episodes air. This was a little confusing — I couldn’t figure out why the number of episodes in the series was growing (had I miscounted?), and last night Emily and I were left worrying that the first season had ended with a particularly irritating cliffhanger. Actually, though, it was just Netflix serving as the on-demand service that Comcast denies to my Tivo-having self. And they say that a la carte TV service is impossible…

I only favor internet triumphalism when it’s about non-proprietary tech

Look, I know I have a dog in this fight — as much as I like Twitter, I really, really bristle at the idea of a communication medium being coronated as essential while it’s still a proprietary product of a single company (which hasn’t yet set pricing!). I know I’m biased. But still, c’mon: you can’t tell me that people aren’t a bit overeager to write this story.

I think there’s reason for skepticism about Ambinder’s claims. My understanding is that cell service has been disrupted in Tehran since Saturday evening, and that net access to Twitter from Iran is blocked, making it only possible to access the site through a shifting set of proxy servers — a task that requires technical expertise and is typically impractical to do on a mobile device. Ambinder’s vision of furtive Twitter revolutionaries users collaboratively helping one another dodge #machinegunnests seems like wishful thinking.

It does seem unquestionable that Twitter has enabled the coverage of the events in Iran to proceed with an immediacy that’s novel to the medium. Partly this is simply because Twitter is currently enjoying a lot of excitement and attention from journalists; partly it’s because the medium really does enable the centralized distribution of information on a time scale that was previously impractical.

But when all is said and done, the centralization means it’s still relatively brittle when faced with a government keen on blocking it. Again: how are Iranians supposed to have been using the service? Yes, clearly some are. But how many, really? While it’s been a fascinating way for all of us to learn what’s going on in Iran, I still doubt that enough people in Iran have access to the site for it to be significantly enabling or shaping events there. Maybe I’m wrong. We’ll see.

the uncannily inefficient Valley

Yglesias is fond of suggesting Silicon Valley’s compensation model as a good alternative to the one that led the finance industry into disaster. The idea is that by using stock options to connect compensation to the long-term performance of a company rather than to its quarterly or yearly performance, we can make short-term risk-taking less lucrative than intelligent stewardship of a firm.

This sounds like a pretty good idea, and very well may be. But it’s worth pointing out a couple of things: first, this may just be an apples and oranges sort of situation. It may not be the case that the sort of compensation structures available to a penniless startup are practically applicable to an enormous financial behemoth. I’m admittedly no expert, but I can imagine there may be problems.

Second — and this I can say with somewhat more confidence — the performance of the software industry is not such an inspirational success story that emulating it should be assumed to be a good idea. Spend three months reading TechCrunch or its equivalent; if you can make it through that time without killing yourself, you’ll realize that Silicon Valley is incredibly inefficient, wasting vast sums of money on overhyped ideas that are stupid, unnecessary or just commercially impractical. There are very, very few firms that have created genuinely original technologies — technologies that Harry Turtledove would like to write about, technologies that may conceivably never have been invented if their creators’ parents hadn’t met. The bulk of the industry is made up of the proverbial million monkeys sitting at a million MacBooks; occasionally some Javascript comes out.

Some friends of mine have created a fake web startup. On their homepage (or twitter feed) you can find a simple mad-lib that changes every time you reload the page, and which goes like this: “[VAGUE, POSITIVE GERUND] [TECHNOLOGY A] with [TECHNOLOGY B].” This really is how the industry operates: through the mind-numbing combinatorial exhaustion of whatever technologies Google, Amazon, Adobe, Sun and a very few brilliant open-source developers can come up with. Some of this is valuable, even necessary economic activity. But a lot of it is just speculative activity which benefits no one other than the people directly involved — and which is ultimately a waste of resources. This should sound wearyingly familiar by now.

Now, it’s not all their fault. The real problem is that software development is really easy — you need almost no capital, and there’s an incredible wealth of existing technology that can be utilized. The bottlenecks to innovative commercial activity in the software realm are frequently external. These limits can be technological but not software-related (phone cameras needed to get good enough to read barcodes), cultural (Facebook couldn’t exist until college students were wired enough to adopt it) or political (only a firm of Google’s size and import could start scanning books and comfortably expect to find a way out of the orphan works problem without being sued into oblivion). And of course it’s just generally tough to start a successful business (I think I can confidently say that the average internet startup is based on a somewhat stupider idea than the average non-internet startup, but I have no idea which is actually more likely to fail). I’m sympathetic to these guys: certainly, I can understand the impulse to paint yourself a visionary who creates fundamentally new possibilities, rather than as a mere skilled craftsman using tools handed down from others.

But still, it’s hard to look at the amount of investor money wasted on the web industry and conclude that its compensation practices are ones that should be emulated — particularly given that those practices are being abandoned now that the accounting gimmick that enabled them has been ended. Maybe it’s preferable to have a lot of middle-class programmers blowing through investor money instead of a relatively few upper class finance executives doing the same — I suppose it is a more progressive transfer — but that’s all that Silicon Valley’s recent history seems to promise. The way to neutralize the villains of this bubble may not be to make them more like the villains of the last bubble.