Turn and face the strange

Hi all,

So it’s a new year. A lot has changed, and a lot is staying the same. So I was thinking that maybe it’s time to start writing again. Maybe. Let’s see how it goes.

First things first, I have put some different subjects on different blogs before. I might continue doing that for some of them – but I’ll also use this main blog to cover more different subjects. If you come here for programming language geekery, there might not be that much of those things anymore. But we will see.

Last year did come with some significant changes. I’ve left ThoughtWorks, and am now working in an NGO form on privacy, security, crypto and anonymity things. Once we have a public web site and so on, I might tell more of the story here. Suffice to say, leaving ThoughtWorks was very hard, but also the right thing to do, in order to be able to expand the impact I can have, working on the things that I find important to the world.

That’s really most of it. My mind is very much focused on privacy these days. Some days I’m heads down writing low level code, others I’m spending on specification of cryptographic protocols, or the usability of common types of security interactions. This world is full of horrible things, and we need a change.

I have also basically stopped giving talks at conferences. For now, that is probably going to continue – I think most of what I have to say isn’t necessarily so relevant to conferences like Goto or QCon anymore – and I find that finding time to write software is hard enough as it is, even when not competing against conference travel.

So I think I’ll leave it at that for tonight. My life goes on in interesting directions. Code is as much a part of my daily life as it has ever been. Only the focus has changed a bit over the last ten years.

In my next post I was thinking about talking about one of the projects me and my team have spent a lot of time on the last year or so. Until then!

Separate blog about Privacy, Anonymity and Cryptography

It’s been a long while. But I have been writing a little bit during 2014 as well. I decided to switch venue a bit, once my writing became almost exclusively about privacy, anonymity and cryptography. Since my day-to-day job has been research in these areas for the last 2 years, it has become natural to write about what I think on these subjects.

So, if you are interested in following these kind of thoughts, please follow along at https://reap.ec.

Technical Details from Snowden

This summer has given confirmation to many things that technologists only guessed before. We know much more about what the NSA, GCHQ and other intelligence services are doing around the world, how they are subverting privacy and security in the name of fighting terrorism. All of this is primarily thanks to Edward Snowden, Laura Poitras and Glenn Greenwald – with the help of many other courageous people. For the technically inclined, last weeks revelations about how the NSA is pursuing a broad program to subvert all kinds of encryption was probably one of the most worrying releases. But right now we’re also seeing a strong backlash against Greenwald, claiming that he should be releasing the names of technologies broken, the companies involved and who specifically is complicit in all this. A lot of people are ascribing malicious intentions to Greenwald for keeping these things to himself. I would just like to add two things to the debate:

First, it is highly likely that Snowden did not in fact have access to what specific technologies were broken. It might not exist in the papers he gave to Greenwald and others. As far as we know, Snowden was not cleared for BULLRUN and related programs, and the fact that we know about them is because he managed to get access to protected documents he wasn’t supposed to be able to access. So I think it’s only fair to give Greenwald the benefit of the doubt – he might not be able to tell us the specific algorithms that are broken. Let’s not immediately jump to the conclusion that he is acting maliciously.

When it comes to what companies and people are complicit in these issues, in the short term it would be very useful for us to know. I suspect there are good reasons why this information hasn’t been released yet – but let’s not forget that many companies have been outed as cooperating in one way or another under the PRISM program.

The big problem is this – for us technologists to stop future BULLRUN programs to happen we need to build new organizational structures. We need to guard ourselves from compromised algorithms and hardware chips with backdoors. In order to do that we need to change how we do these things – and this will require long term cultural fixes. And even though it would be very satisfying in the short term to know what companies and people to be angry at, in the long run we need to build up an immune system that stops this from happening again.

This all said – I’m dying to know all these details myself. I think it’s pretty human. But let us not lose sight of the real battle.