Dropsafe

by Alec Muffett

The dangerous subtext within the concerned-dot-tech “Letter in Support of Responsible Fintech Policy”

Back in 1991 I published an open-source password cracking tool which defined the state of the art for the next 5+ years, so much so that echoes of it can be found in all major password crackers of today.

Some folk criticised me for doing this, choosing words like these to do so:

I know that in general it’s bad form to take a single quote out of context and use it to critique an entire essay (https://concerned.tech/) — but I do feel that this time it’s deserved.

The concerned-dot-tech essay has had extensive technical debunking, e.g.:

1/ https://prestonbyrne.com/2022/06/01/debunking-the-crypto-critics-letter/

2/ https://twitter.com/matthew_d_green/status/1532039624046125059

…but that’s not what bothers me.

I/others spent literal years, fighting for the right to publish code that was then illegal (i.e. cryptography under ITAR) or which some considered immoral or profane (e.g. “full disclosure” for security bugs).

I maintain that stance; but many in civil society today, disagree.

You Cant Do That Eric Cartman GIF

In their defence, they may not realise what they are saying; but each time $ACTIVISTS call for $SOFTWARE to be denied to $DEMOGRAPHIC because $MORALITY, they are calling for knowledge, code, or speech, to be constrained by audience.

This inevitably leads to illiberal outcomes.

How Could I Have Been So Foolish Eric Cartman GIF

“Not all innovation is unqualifiedly good; not everything that we can build should be built” — that phrase could be thrown at intrusion tools, privacy tools, even @torproject, because all of these tools are dual-use, and the thing which divides “good” from “bad” use, is intent.

For What Purpose Butters Stotch GIF

So anyone who says “not everything that we can build should be built” — poses a question, the question being of course:

Q: who decides what should/should-not be built, and what will they need in order to exercise that power?

There are only 2 solutions for such arbiters:

a) everyone on the internet is given an identity, there is no more anonymity, and whether you can use the software is dependent upon your identity & reputation; or…

b) wholesale bans on <shapes of software>, even if open-source, because <shape> of <tool> makes it wicked.

Heidi Gardner Flirting GIF by Saturday Night Live

Concrete example — passwords crackers:

a) you may only use a password cracker if you are a licensed system administrator of known good character

b) nobody may use password crackers because they are wicked

Thankfully the internet (and open source) do not work this way. Not yet.

Jimchi Jim Chi Asmr GIF

Hence my decades-old, innocuous strapline:

“Everybody deserves good security”

Everybody does. Even the really bad guys. Because otherwise we have tyranny, weak infrastructure, & (eventually) institutional corruption as everyone works around restriction.

So, for that reason, I consider the concerned-dot-tech essay to be deeply dangerous — as likewise I do all people who opine that $TECHNOLOGY is wicked merely because of its shape, feature, or lack-of-feature.

Because such denies the importance of intent, and ignores dual-use.

Nicole Franzel Bb22 GIF

Originally tweeted by Alec Muffett (@AlecMuffett) on 2022/06/02.

Comments

3 responses to “The dangerous subtext within the concerned-dot-tech “Letter in Support of Responsible Fintech Policy””

  1. Geoff Arnold

    Alec: In the US and UK (and probably elsewhere) it is a criminal offence to print counterfeit currency. “Printing absolutists” might argue that you should be allowed to print anything that you want; that the only criminal action should be the use of a counterfeit note. But (AFAIK) nobody says this, because the damage is not limited to the initial transaction; counterfeit currency may be undetected and used by many individuals whose transactions are legally compromised. The same thing applies to stock certificates, for similar reasons.

    A fraudulent contract in a DAO, is very much like a counterfeit bill or stock certificate. The elements in the smart contract code that perform the fraud may well be unnoticed for a time, causing multiple transactions to be legally tainted. And while a human can receive a counterfeit bill, identify it, and turn it in at a bank or police station (thus removing it from circulation), blockchains are designed to be hard to correct.

    Software is just a medium, out of which we build things. It’s like paper and ink. Some things that we create from paper and ink are regulated, for the general good. Some things that we create from software will also need to be regulated.

    Your argument focusses on the software, not the things that we make from it. It’s like focusing on the metal and plastic, rather than the gun that we make from it. We need to move up the stack, so to speak.

    Reply
    1. alecm

      Geoff: As a friend put it – quoting them, not me:

      “It’s not a cryptography problem, it’s a financial regulation problem. The technical properties of cryptocurrencies, and implementation details are mostly irrelevant other than where they read on financial risk, misselling and other such matters. The last thing anyone needs to do is to allow blame for when this whole sorry fiasco goes pop off of the people driving the crypto bubble onto the technology. That leads to exactly the same kind of broken “we should have regulated the programmers in the first place” mindset that I think Alec is talking about.”

      Is that far enough up the stack for you?

      Reply
  2. Stephen Spencer

    Geoff,

    For objects that have little direct value (a $5 note) to have functional value requires trust. This trust is codified explicitly and with the intent of providing holders of such notes the ability to interact economically. (rather than carrying bags of coins that have direct value) These laws are ubiquitous (unless there are countries that still use the gold standard) and, I imagine are the result of hard-learned lessons by past generations.

    Respectfully, this does not align with a call for new ideas/innovations to be filtered through a committee in an open-ended, only-as-they-see-fit fashion.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts