Bruce Schneier appears to squarely share our UVST approach to privacy

In this video excerpt of a Dec 14th Columbia University talk hosted by Eben Moglen, Bruce Schneier, arguably the world foremost security expert, seems to squarely share the User Verifiable Social Telematics architectural approaches and tenets, developed by the Open Media Cluster, for the development and provisioning of innovative IT solutions that can reasonably aim to achieve resistance to “bulk” eavesdropping attacks even from extremely well-financed and skilled entities.

Listen to from minute 33.21 till 36.00, as Bruce Schneier describes what are the core paradigms to keep in mind to develop the service or solution that should be developed to resist such bulk eavesdropping. Here’s a summary of such video excerpt:

  • Must truly be an end-to-end solution, including end-point equipment manufacturing oversight.

  • Highest level of privacy is really about transparency of all processes involved, which indirectly but solidly ensure user verifiability though (iterative( processes organisational and inspired by democratic accountability procedures, such as those practiced in proper ballot voting procedures.

Find pasted below some text excerpts from the latest version of UVST R&D Project Summary (downloadable from its web page) from which it is possible to desume the similarities in approaches and paradigms:

BASIC COMPONENTS: The main components of UVST are: a cheap and thin touch-screen device (CivicPod), custom-built through a thorough security assurance process (CivicFab), which is attachable via a custom external case to any smartphone and via dock to desktop peripherals or comes optionally embedded into the custom-modified internal case of commercial smartphones (CivicPhone); bare-bone dedicated or compatible HDMI/USB TV-connected devices with extensive HTML5 and video rendering capabilities (possibly embedding FirefoxOS or OperaOS) with onion routing functionalities (CivicDongle/Box); one or more dedicated custom-built street-facing lab where all devices and server-side equipment are verified and assembled, and where new users are authenticated on-site (CivicLab); a dedicated server-room, inside each CivicLab, where all remote services accessible by CivicPod/Phone are hosted, all CivicDevices are flashed, whose remote access is disabled and whose on-site access is physically conditional on presence, and express approval, of 5 randomly-selected UVST users (CivicRoom); any willing service provider that manages and commercialised the UVST end-to-end service (CivicProvider), whose quality of service is regularly certified by a to-be-established organization (CivicAuthority) which is made up of leading independent global digital civil rights expert organizations and UVST user-elected representative, also responsible for the updating of the certification specifications.

PARADIGMS: Core to ensuring such levels of assurance will be: (A) fully open processes and technology, (B) extremely low features set and lines of code for all software stacks of both server and client and, especially, (C) innovative iterative organisational processes, and related procedures and technologies, inspired by best-practice paper-based ballot-box democratic election procedures, military-grade oversight procedures, democratic jury-based committee processes, and best-of-breed certification authority organizational models; applied to all phases of all processes involved in the service provisioning.

ASSUMPTIONS: Our approach to highest-standards privacy communication solutions, in a post NSA-surveillance scandal world, is centered on (A) the recognition of the overwhelming solidity of proper encryption, (B) the inherent weaknesses to eavesdropping of transnational IP networks backbones due to their huge and multinational geographical extension, (C) the high-probability of radical security remotely-exploitable weaknesses, and the inability to verify, in core software and hardware components of both mass-market and “high security” mobile and desktop and (D) the understanding that highest privacy is really not a product nor a service, but a set of iterative organizational processes that end up producing a user end-to-end communication experience.
It is therefore critical to extend the privacy-by-design and security-through-transparency paradigms to their full extent, by building processes for the provision of end-to-end communication solutions that aim to be trust-free, i.e. devoid of need of trust in anyone or anything, except self-guaranteeing transparent and accountable organizational processes, whose quality can be assessed by reasonably educated citizens of democratic countries.

Security is a process and not a product. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products.” Bruce Schneier, 2000;

Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.” Edward Snowden, 2013

Ultimately, if you want to stop a burglar breaking through your front door, you don’t need a lawyer, you need a lock”. Neelie Kroes, Vice-President of the EU Commission, Dec 2013, (speaking about foreign state mass-surveillance).

CORE HW SECURITY: Given the grave risks that hardware or software vulnerabilities may be introduced during the manufacturing process, beyond-state-of-the-art verification and oversight processes and technologies – called (CivicFab) – will be applied for the production processes of the most sensitive hardware component of server-side and client-side devices involved in the service. CivicFab will match and exceed the security currently deployed by certain very powerful state security agencies for the most sensitive hardware components they need for the devices they need for highest-security scenarios. Here’s what the reportedly to today:

Choose a manufacturer, located a specific country, which are both somewhat more trustable than others, which will agree to:

Make so that the requested hardware is all produced in a continuous batch (50,000 let’s say) in a short time span (a few weeks).

Allow, once a year (let’s say), about 20 competent, trained and trusted technicians to monitor and verify thoroughly the process for a couple of weeks.

In addition, to such state-of-the-art, the CivicFab process under the oversight of the CivicAuthority would add:

Allow those technicians to publicly and completely document the process with videos, photos and more.

Choose a chip design of low or mid performance, but very solid security, so as to have a wider choice of manufacturers and countries to choose from.

Add at least 5 people that are randomly-selected among the UVST users, and at least 5 user-chosen technicians, to accompany the 20 technicians. They would be very well paid to take that time off, and are well trained and “self-trained” through open participatory processes.

Tor Project functionality (or other onion routing functionality) will be provided to protect the privacy of both voice and non-voice communication metadata. It will be directly or indirectly provided through a large number of entry and exit nodes (many hundreds) provided by the CivicDongles, the CivicRoom and related onion routing mirrors. Sophisticated per-user and behavioural traffic analysis countermeasures will be put in place, including: random off-setting of server connections between parties to the same Voip call; random generated spoofing and decoy voice-like and data-like traffic; and several other measures. Such countermeasures will become effective only when the user base will be both active and large (at least a few thousands of daily users for voice calls), especially if not using the Tor network.

AIMS: UVST aims to intrinsically (i.e. inherently) ensure that the actual software, protocols, hardware and procedures running “at any given time” at end-points and onion routing nodes – from the (re)-design phase to core HW components manufacturing processes – match that which is stated by the provider, allowed by applicable local (non-secret) laws and constitutions, and available for review by independent experts; and whose security, privacy and authentication levels has been openly developed and very very extensively assessed (paid, award-based and volunteer) by independent security top-experts, but especially by world-brightest ethical hackers and crackers. In fact, without their very active (paid and/or not) contribution it would unlikely to be able to have reasonable expectations to counter budgets and accumulated skill-sets of very extremely well-financed adversaries.

Rufo Guerreschi