Jacki : As important as GNU/Linux is — it underpins everything from Amazon to the wireless router in your house — Stallman’s true contribution to computing was the idea of freedom. His approach to computing is utterly socialist, to the point that he refuses to have a password for his accounts. About fifteen years ago, I sat down with RMS for dinner and a discussion in his office at MIT. Never before or since have I had any personal interaction with an intellect as formidable as his. I walked away thinking that Stallman was probably smarter than I was, an impression that I didn’t recall ever having before.
The purpose of these opening paragraphs is to make the case that the smartest man in computer science doesn’t think we should have passwords. It helps explain why the people on the other side of the argument are often so mind-numbingly stupid.
…it’s a very good idea to assume that you have no security whatsoever when you operate a computer.ii Assume that every email you’ve ever written is in the custody of a collating agency of some type. Assume that your Chinese-made laptop will respond to remote commands from its maker, from Microsoft, or from the Chinese government. Assume that your phone listens to you all the time, because it can.iii Assume that your Amazon Alexa or Tap device listens for keywords and sends them to Amazon. Don’t expect security or privacy on the Internet.iv It doesn’t exist, unless you are willing to use the equivalent of a “one-time-pad” on every communication. Even then, I’d be very careful about betting that your one-time-pad is so random that the NSA’s million-processor Cray can’t calculate it. Computers can’t actually create random numbers, you know… or maybe you didn’t, but I’m going to fill you in on that.
Just you watch. We’re headed back that way. Maybe not immediately. In twenty years, however, the idea of using a password and a security question to access your bank account will be as old-fashioned as the Frank Abagnalev days when you could print your own checks and get money for them at a teller’s window. We’re just going to have to break a lot of eggs to make that omelet. And mark my words, dear readers: some of those eggs will belong to you, and to me. But not to Richard Stallman. He got a MacArthur grant, and something tells me he took it in cash.vi
And right there is the problem with just throwing up our hands and letting China have an entire section. Because even if you have a US-made CPU, is anybody making modern x64 boards anywhere but China?
Pete : I’m not sure where ‘pcengines’ manufactures, but they’re based in Switzerland and their boards ship without proprietary BIOS and with full schematics…
Just you watch. We’re headed back that way.
While it’s conceivable that, 20 years hence, the everyman will be using fingerprints and retinal scans to access his banking, this is little more than the security theatre you so aptly describe : a farcical show and little else besides. Not that this cirque won’t be more than sufficient for those with “nothing to hide.” ™
For those of us intent on leaving something more than olde fables and washed-up hopes to our children, PGP (with RSA keys, ofc, and not that ECDSA garbage) is sine qua non for secure communications of every sort, from personal conversations to trading on stock exchanges. The barrier to entry to using PGP is admittedly high, but for security, identity, and the maintenance of a Web of Trust, nothing else comes close.
Besides, the Internet is nothing if not a promoter of power law distributions, and so what if PGP is “hard to use” ?
Jack : Well, you’re proceeding under the assumption that PGP isn’t already cracked wide open. Which is to say, that there’s no algorithm to quickly find primes from products.
And you’re also proceeding under the assumption that your information isn’t already compromised before you encrypt it. Your keyboard has a microprocessor on it. What’s it doing? Do you use a Bluetooth keyboard?
Think of all the archived HTTPS traffic that is now being cheerfully read by the NSA.
It’s not in any way impossible to conceive of a day in the year 2047 when you are sitting peacefully at home and the goons kick down your door because their 2048-bit quantum boxvii just read all of your files and your Bitcoin transactions in a matter of seconds.
Pete : I’m more proceeding under the assumption that I didn’t personally use a cheap netbook, ‘smartphone,’ or other insufficiently entropic source to generate my PGP keys, because you’re right, PGP RSA keys have been cracked – their exponents were calculated using Euclid’s cutting-edge 2`300-year-old algorithm, no less. Recently too. But none of these keys were in ‘battlefield use,’ so to speak. They all seemed to have belonged to various sorts of ‘researchers’ who thought that creating keys would be nifty without thinking through the implications of their methodologies.
As to my keyboard, I know exactly wtf it’s doingviii – principally because it’s a Model M that’s almost as old as I am. I’m therefore less concerned about backdoor or wirelessix attacks on it than microphones picking up the clickity-clacks,x and it’s much easier to fight the devil you can see than the one you can’t.
As to quantum computing, it remains a distant objective, like an autonomous car in every driveway or the ‘Internet of Things,’ all of which I sincerely doubt we’ll see in our lifetimes ; but even if we did, the breakthrough that leads to QC’s development will almost necessarily also lead to the development of algorithms that take millennia for said QC to brute-force and therefore provide the same level of security that wily PGP users enjoy today. So if the cat moves the game, so too does the mouse move on. Of course, this is all speculation for as long as we don’t have quantum computers, and we won’t know… until we know!
As to the state’s goons kicking my door in, by 2047, if I’m still on the green side of the grass, it won’t in any way be inconceivable that my goons will be kicking their doors in. With money and imagination, anything is possible, no ?
Jack : Ah, a Model M brother. I have thirty of them in a box, if you ever kill yours.xi
Incidentally, I might email you over the weekend — I want to write something that is in partial opposition to one of your recent posts.xii
Pete : Fire when ready.xiii
___ ___ ___
- As with last time, this conversation originally took place on Riverside Green, Jack’s blog (archived). Its distilled essence is preserved and adnotated herein. Experts in the field of computing science and digital security will quickly realise that we’re both, at best, proficient amateurs. It’s therefore my hope that this discussion will be of some value, however minor, to those less familiar with RMS, RSA Supercolliders, keyloggers, quantum computing, and related esoterica.↩
- As covered in 2014’s On Delusions of Digital Security.↩
- This is even true if you’re using a ‘dumbphone.’ So don’t think that you’re skirting the possibility of an always-on microphone just because you’re not using the latest whizbang iPhone.↩
- Security, in the sense of making attacks prohibitively expensive, even for state-level actors, exist. It’s just really goddam hard and not in the least bit “user-friendly.” Privacy also exists… as long as you’re using PGP and Bitcoin intelligently.
- See Leonardo “What’s a chinook?” DiCaprio in Catch Me If You Can.↩
- While it’s true that RMS took the payola, it’s not true that he was much of a strategist, as demonstrated by his disgraceful acceptance of a speaking engagement with a truly objectionable raft of Bitcoin scammers back in 2012.↩
- Those interested in a more explorative conversation on the subject of quantum computing are advised to take a few minutes reading The reason you can’t have nice numbers and other considerations.↩
- Ok, so I don’t know ~exactly~ wtf my keyboard is doing, but I have found that it’s a useful heuristic use hardware and software also in use by my WoT.↩
- There’s still RF from PS/2 and USB connections, true, but the concrete environs that I operate in are less susceptible to ELINT than, say, pressed shitboard houses or public cafes.↩
- Blessedly, TMSR~ is too distributed to make GUNMAN-type attacks cost-effective. This is a lesson learned from history!↩
- I’d actually considered stocking up on Model Ms on account of the fact that they aren’t making any more of them anytime soon – and no, the Unicomp doesn’t count, I have one collecting dust – but the plethora of them once produced combined with their stalwart reliability means that there’s little incentive to hoard them. The same goes for most battlefield-ready desktop computers, components, and accessories, really. While the golden age has largely come and gone, the number of users is only decreasing as disposable mobile widgets takes over the vast majority of homes and businesses. Prices for these non-renewable resources therefore don’t seem set to climb in the way that, say, Porsches have recently. But maybe we’re just 20-30 years away from that too.↩
- As Jack has yet to e-mail me (not that there’s any guarantee he will), I’m going to take this opportunity to throw out a few educated guesses as to what he’ll take exception with : if Jack is looking to take on the car guy angle, he’ll surely aim for What the rebooted DeLorean can learn from Singer, Pagani, and Bitcoin, but my gut tells me that he’ll pick up on How to be a pimp – a simple yet understandable and still exhaustive guide, translated seeing as how it was easily one of the most provocative articles of late.↩
- Verily, the saga continues!↩