DISQUS

sargon · 3 years ago

While I don’t have anything to say about this area or paper in particular I think that the Cambridge group can, at times, be rather sensationalistic. Don’t get me wrong, as a whole I really like what the do, however when I have read papers that cover areas that I know something about I often find they stretch the bounds of truth. Often times the “vulnerably” they discover have either been known for a long time or are not really as applicable as they think.

Part of this is that they have been very successful marketing themselves to the media and general IT world and its seems to me that the topics they write about are increasingly being address to this group rather than the academia and/or security practitioners. Its not that the topics themselves don’t have merit but rather how they are presented.

Jon · 3 years ago

While I don’t have anything to say about this area or paper in particular I think that the Cambridge group can, at times, be rather sensationalistic. Don’t get me wrong, as a whole I really like what the do, however when I have read papers that cover areas that I know something about I often find they stretch the bounds of truth. Often times the “vulnerably” they discover have either been known for a long time or are not really as applicable as they think.

Part of this is that they have been very successful marketing themselves to the media and general IT world and its seems to me that the topics they write about are increasingly being address to this group rather than the academia and/or security practitioners. Its not that the topics themselves don’t have merit but rather how they are presented.

Pretending to Be Mike Lynn · 3 years ago

That’s not a problem we can solve with conference papers or code.

I dunno, word is the GFWoC is all Cisco code. We have ways of fixing Cisco code. :)

daniel · 3 years ago

Tom, I think you have made a painfully accurate observation, and it is one of threat models & risk management. Without understanding the threat framework within which one is functioning, offering workarounds is a worthless and perhaps dangerous exercise. The solution must not only address the mechanism by which a security bypass is possible but also the *context* of threat & the security systems being bypassed.

If the PRC equivalent of the Stasi disappear you when your traffic patterns differ from the norm...well, that is a very different risk model requiring a hidden-in-plain-sight-cypherpunk-covert-channel-approach rather than a front door entry. Making dissident traffic indistinguishable from the masses, perhaps something like the idea of "Crowds" way back in the late 90's and working some hocus-pocus proxy-encapsulation- rewrite-redirect on the server side--that might by interesting. However, it is a moot point because while the technical issues are entertaining to discuss, the reality is that the consequences for dissident's are nontrivial and in meatspace.

I would contend that the authors of the PRC paper and a majority of the audience have not considered what the actual threat is outside of their sand-boxed academic/r&d perspective - this is the land where the physical & digital divides merge.

Furthermore. I disagree with you with regard to code and conferences: they do help. Discussion and and understanding are inherently valuable. Once the topic is in the open, we are now free to brainstorm first on system requirements, and then specifications on how to bypass the system, and then applying those ideas into a solution. The solution(s) must to be tailored to the actual problem, something the paper clearly did not do. The greater threat/risk isn't a dissident's lack of communication with the outside world, it is getting killed for trying to communicate with the outside world!

Architect a solution that addresses the hidden-in-plain-sight requirement, and then there is something both useful and worthy of discussion.

Thomas Ptacek · 3 years ago

Daniel, this is great commentary.

On your first point, regarding whether there are techniques that can be used to create safe passage through the PRC filters --- yes, there definitely are. But I worry about the implications of talking about them, except in the abstract.

Which brings me to your second point, about the utility of papers and conferences. Yes. Papers are good. Disclosure is good. If the Cambridge group wants to research ways to defeat content filtering, I invite them to get in line and outdo the current state of the art.

They haven't done that. Instead, they've pointed out a well-known (and trivial) flaw in a SPECIFIC deployment --- the equivalent of me pointing out, say, the OpenSSL SSLv2 overflow in the Motorola corporate webserver (hypothetically), and in public. That's not vulnerability research.

Daniel · 3 years ago

Your synopsis is what precisely I was getting at, although I was being obtuse. The publication offered nothing of strategic and little of operational value, however it did:

1) Unnecessarily expose an egress vector
2) Show how little the authors understood of the problem, and even more how they were incapable of addressing it. Mighty amateur.

My point (and I suspect yours as well) is that those that are in know are simply getting the job done, not publishing detrimental, inflammatory drivel for the sake of publicity. In my weird world, I believe that if you are going to publish/talk/share information, make it either amusing, relevant or useful. Their doc was lacking in all three categories, and the sad fact is that there is only more of this caliber of "research" on the horizon. The least we can do is keep on fighting the good fight and calling foul when necessary.

Dan Ingevaldson · 3 years ago

I'm in China right now, and I don't have anything to say about the great firewall or anything, but I am definitely wondering why every American here is wearing sweatpants. Can you guys do a blog entry about that? Thanks.