HOPE X - 7/18/2014
July 18-20, 2014
The 10th Hackers on Planet Earth conference was held at the Hotel Pennsylvania in New York City.
- July 18, 2014
- July 19, 2014
- July 20, 2014
July 18, 2014
Surveillance, Sousveillance, and Anti-Surveillance
Many artists are using humor and interesting artistic techniques to talk about surveillance. Take a look at Surveillance Camera Man on YouTube. This is a guy in Seattle who videotapes people to capture their reactions. Some of the reactions are pretty interesting. For example, http://www.dailymotion.com/video/x28epbm_surveillance-camera-man-2_creation.
Jeremy Bentham came up with the idea of the "panopticon" as a prison design. There's a guard tower in the middle, and the prisoners are positioned on the outer wall. At a moment's notice, the guard could turn and look at anyone in the prison. Even though a single guard couldn't watch all the prisoners all the time, he had the ability to watch any prisoner at any given time. It had the same effect.
Michel Foucault used the panopticon as the basis for panopticism. Panopticism is the use of being watched as a means of social control. People subjugate themselves because they know someone might be watching them. Sousveillance is the act of watching the watchers. For example, Cop Watch.
Artveillance is art that comments on surveillance. For example, much of Banksy's work contains surveillance cameras. The Institute of Applied Autonomy built a map of all surveillance cameras (in the late 1990s, early 2000s). They also wrote a "directions" application that would find the route of least surveillance: directions that minimized the number of surveillance cameras you'd pass by.
Sometimes you want to be filmed, in order to make a statement. For example, New York's Surveillance Camera Players did a production of 1984 that was entirely filmed on MTA surveillance cameras. See https://www.youtube.com/watch?v=RILTl8mxEnE.
Ambient Information Systems wrote a "Manifesto for CCTV Film Makers", http://www.ambienttv.net/content/?q=dpamanifesto. In the UK, you can obtain CCTV footage that you appear in. Artists would do things in front of CCTV cameras, request their footage, and edit it into short movies. For example, Manu Luksch's "Faceless", http://www.ambienttv.net/content/?q=facelessthemovie.
Sousveillance is based on the idea that watchers can be watched. Stephen Mann's "Shooting Back" is a good example: https://www.youtube.com/watch?v=535wOr5OTz0.
McVeillance is the ratio of the number of people being surveilled vs. the number of people watching back. You can postulate that the higher the ratio, the more corrupt the society.
Tracking Transience was a project started by Hasan Elahi. Hasan was detained by the FBI shortly after the 9/11 attacks. He started contacting local FBI offices whenever he traveled, to report his whereabouts and what he was doing. Since then, the FBI hasn't stopped him for questioning.
One group published a "Guide to CCTV Camera Destruction", http://www.schnews.org.uk/diyguide/guidetoclosedcircuittelevisioncctvdestruction.htm. The gaze of the surveillance camera does not fall equally upon all those on the street.
Camover was a response to a police conference in Berlin. A group of activists made a contest out of taking down and collecting CCTV cameras. See http://boingboing.net/2013/01/26/berlin-activists-create-cctv-s.html, and https://www.youtube.com/watch?v=9GCsd2TJKjQ.
Disruptive Fashion can be a form of counter-surveillance. Some hair styles and patterns of high-contrast makeup will prevent facial recognition software from recognizing faces.
High-powered infrared LEDs can inhibit surveillance cameras. The cameras see the infrared light, but people do not.
Barrett Brown and Anonymous: Persecution of Information Activists
Kevin Gallagher, Ahmed Ghappour, Gabriella Coleman
(Gabriella Coleman on Anonymous). In many areas of the world, Anonymous has emerged as the global face of dissent. Anonymous started out with internet trolling. By 2008, the group had shifted to activism.
The militant side of Anonymous started getting active in 2010. They defended WikiLeaks when governments cracked down on them.
Jeremy Hammond was sentenced to ten years in prison. He was swept up in the "nerd scare".
(Kevin Gallagher on Barrett Brown). I first met Barrett at the last HOPE conference (HOPE IX), and he was arrested a few weeks later. Barrett is a 31-year-old journalist. In 2011, he started delving into Anonymous.
Barrett was denied bail, and charged with posting a link to the Stratfor documents, and hiding computers during the first FBI raid of his home. In 2014, the government threatened to seize our defense fund; fortunately, they didn't succeed. But they got a gag order that prevented Barrett or his lawyers from talking about the case. Barrett is still in jail, waiting to be sentenced.
Very few US journalists have been raided for doing journalism. Barrett is one of them. The FBI went after Barrett's mom for obstruction of justice. He won't be the last journalist that's over-prosecuted. It's very important to set up campaigns for people who've been arrested, and to help them get adequate defense.
(Ahmed Ghappour). What turns prosecutors into persecutors, particularly when some part of the indictment is based on protected free speech? When the government doesn't know what you're up to, they try to criminalize what you're doing. They go after information activists much like they go after suspected terrorists. In the government's case, they alleged that Barrett Brown and Anonymous were trying to take over the world.
Fear is one component of persecution. The government is trying to make people afraid of "hackers". Right now, cybersecurity is the highest security priority in the United States. Priority number two is internal threats (aka whistleblowers). Terrorism is priority number three. Our government considers cyber attacks to be at the level of force, which means that kinetic war responses are acceptable. "Hacktivist" is now listed as a legitimate security threat.
We've seen Anonymous's activity surge at times, but the collective seems to have gotten weaker. Is this really the case, or is the media simply not reporting on what they're doing? Anonymous's strength has always been their adaptability and unpredictability.
This is about criminalizing information activism, or even programming.
Campaigns help. Prosecutors behave differently when they know they're being watched.
The Department of Justice and Criminal Justice systems are sorely lacking in technical competence. They're trying to investigate cases where they have no technical understanding of the facts in the case.
Gabriella has a book coming out in November. It's called Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous.
Question: Has Edward Snowden helped Anonymous's views?
Yes, his intervention allowed many people to understand this kind of politics.
Wireless Meshnets: Building the Next Version of the Web
Kevin Carter, Peter Valdez, Kurt Snieckus
The presenters work with a group called NYC Mesh, https://nycmesh.net/. They're trying to create community-based wireless mesh networks in NYC.
The internet is amazing, so why would we want to build a new one? ARPANET was first developed by academics and hackers, and they could never have predicted how it would grow. Political and corporate control has completely changed the character of the Internet. The corporations use lobbying power to determine how the internet is regulated. The FCC might allow internet service providers to create internet "fast lanes". This would create slow lanes for everyone else. And then, there is the corporate & political surveillance state.
Globally, the US is #29 in terms of internet bandwidth, just after Estonia, and with an average broadband speed of 25 Mbps.
Wireless technology is now ubiquitous and cheap.
Hyperboria is a meshnet in which devices relay data and route traffic through peers. It's a decentralized network. Hyperboria uses cjdns, because cjdns has privacy and security controls built in. Anyone can participate by adding a node. Meshnets are run by users, for users.
Decentralization is a way to combat the ISP oligopoly, and various socio-political factors.
Cjdns uses IPv6 addresses, which are based on public key fingerprints. All data that flows through the network is encrypted and signed. It's one big flat address space, and there's no way to derive geolocation from network addresses. BATMAN is another meshnet protocol.
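The self-certifying address scheme described above, as an added example (not code from the talk or from the cjdns project). It assumes cjdns's documented derivation, the first 16 bytes of a double SHA-512 over the Curve25519 public key, restricted to fc00::/8; the function names are hypothetical and it needs Go 1.20 or later for crypto/ecdh.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha512"
	"crypto/subtle"
	"errors"
	"fmt"
	"net"
)

// AddressForKey derives a cjdns-style IPv6 address from a 32-byte Curve25519
// public key: the first 16 bytes of SHA-512(SHA-512(key)).
func AddressForKey(pub []byte) net.IP {
	inner := sha512.Sum512(pub)
	outer := sha512.Sum512(inner[:])
	return net.IP(append([]byte(nil), outer[:16]...))
}

// IsMeshAddress reports whether ip lies in fc00::/8. Keys whose fingerprint
// falls outside that range are discarded when an identity is generated.
func IsMeshAddress(ip net.IP) bool {
	ip16 := ip.To16()
	return ip16 != nil && ip16[0] == 0xfc
}

// VerifyPeer is the check a node can run on a peer: the address the peer
// claims must be the fingerprint of the key it presented. No registry or
// certificate authority is consulted.
func VerifyPeer(claimed net.IP, pub []byte) error {
	if len(pub) != 32 {
		return errors.New("public key must be 32 bytes")
	}
	if !IsMeshAddress(claimed) {
		return errors.New("address is outside fc00::/8")
	}
	if subtle.ConstantTimeCompare(claimed.To16(), AddressForKey(pub)) != 1 {
		return errors.New("address does not match key fingerprint")
	}
	return nil
}

// GenerateIdentity creates key pairs until one hashes into fc00::/8
// (about 1 in 256 candidates qualifies).
func GenerateIdentity() (*ecdh.PrivateKey, net.IP, error) {
	for {
		priv, err := ecdh.X25519().GenerateKey(rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		ip := AddressForKey(priv.PublicKey().Bytes())
		if IsMeshAddress(ip) {
			return priv, ip, nil
		}
	}
}

func main() {
	priv, ip, err := GenerateIdentity()
	if err != nil {
		panic(err)
	}
	fmt.Println("address:", ip)
	fmt.Println("own key accepted:", VerifyPeer(ip, priv.PublicKey().Bytes()) == nil)

	// A second node presenting its own key cannot claim the first node's address.
	other, _, err := GenerateIdentity()
	if err != nil {
		panic(err)
	}
	fmt.Println("foreign key accepted:", VerifyPeer(ip, other.PublicKey().Bytes()) == nil)
}
```

Because the address is a hash of the key, it carries no topological or geographic information, which is the property the paragraph above points to.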
How does one join a meshnet? The first thing you'll need is an OpenWRT-compatible router. The Ubiquiti NanoStation is a good choice. Meshberry is a distribution that can be set up on a Raspberry Pi. Meshbox is a project to get cjdns working on OpenWRT.
DNS doesn't work well on meshnets. We need a good DNS replacement protocol. DNS is still an open problem.
https://wiki.projectmeshnet.org/Main_Page has a guide for setting up your own mesh local.
You can also participate via #cjdns on EFnet.
Advanced FOIA Workshop
Michael Morrissey, Kel McClennehan, Michael Radnitzsky
The government likes paper and files; this is what FOIA was written for. But what about government information contained in databases? Electronic records work in your favor. If you ask for records in electronic form, then government agencies must give you the records in electronic form. Sometimes, this means requesting a copy of the entire database.
In some cases, you can work with your handler, to minimize the amount of effort needed to satisfy your request. Say something to the effect of "I recognize that you have more familiarity with the database, and I'm willing to work with you to reduce the impact of this request".
Government database systems tend to be built by contract. Ask for a copy of the contract. The contract should indicate what the system is required to do (e.g., to support csv export). Some agencies have very antiquated systems, and extracts might be technically challenging.
You can file a FOIA request in tiers. Ask for the manual that the agency uses for satisfying FOIA requests. If you have the manual, you can probably write the request for them. Ask the analyst to provide the query string (or query parameters) they used, in addition to the query results. Start with a small request (almost like a test), and then build up to bigger requests.
Never ask a FOIA officer for their judgment. Their judgment may not be what you want, and you'll be charged for the time taken to make and apply that judgment.
Ask for manuals, or a design specification of the database in question. A lot of government data is outsourced. They give the data to a cloud provider, and then lease it back. Sometimes the agency will say "the data belongs to a private company, and it's no longer subject to FOIA". This is a big problem.
There aren't many contractors building systems for federal agencies. Often, many agencies use products from the same vendor, with small tweaks to meet particular agency needs. http://usaspending.gov/ can help you find contracts that were awarded by individual agencies.
Lots of agencies use mailing list software (listserv), and you can request copies of these messages. Some agencies make this very difficult. For example, the CIA will only provide messages matching a particular set of To:, From:, and Subject: headers.
National Freedom of Information Coalition: http://www.nfoic.org/.
At the federal level, FOIA officers often don't have direct access to the data you're looking for. Often, FOIA officers need to task out queries, and coordinate with others to satisfy a request. Much of FOIA is trying to put yourself in a bureaucrat's mind. What would a filing cabinet do?
Get familiar with agencies' data retention schedules and data disposition schedules. These can provide a good roadmap for what kind of data exists.
The Privacy Act cannot be used as a basis for (b)(3) denials.
Some agencies post a list of "major information systems" on their website. FOIA law requires this. (See FISMA: https://en.wikipedia.org/wiki/FISMA#Inventory_of_information_systems).
If you're facing a large processing fee, offer to show up in person. By law, you must be allowed to examine records in person, for free. Most agencies don't want requesters snooping around their offices.
When records are subject to FOIA requests, an agency cannot purge those records during FOIA processing.
Often, it's interesting to ask for the "administrative records" generated in the processing of your FOIA case.
People used to collect books in personal libraries. I'd like to archive everything I look at in my web browser, in a way that preserves the interactive nature of web sites. Like archive.org, but stored on my own computer, and cataloging only the web sites that I visit.
The FCC is currently considering proposal 12-254, for a new citizens band radio.
http://phant.io/: FOSS tools for building the internet of things.
https://sparkfun.org/: makers of free hardware that can be used to build the internet of things. (Their website's certificate was issued by Comodo; my web browser claims that it cannot verify their certificate).
http://www.worldcat.org/. A catalog of all books in the world.
Postprivacy: Life in the Digital Sphere
Privacy is a social process. It's key to many debates of our time. Privacy is part of the UN and EU's declaration of human rights. It's a tool to protect people. There are many definitions of privacy. One definition is "It's the right to be left alone"; this definition comes from Judge Brandeis and was prompted by the rise of cameras in the 1890s. Another definition is "the right to control access to personal information".
Privacy is not the same thing as having secrets. You share secrets with the assumption that the receiver won't pass them along. Privacy allows you to control information that you put out about yourself. Secrets are information you don't put out at all.
The Nazis used every data gathering tool at their disposal. They professionalized psychology. The Netherlands had very accurate public registries, which included individuals' religion. The Nazis used these registries to round up Jews. The Stasi kept (or tried to keep) records on every observable interaction between people, regardless of how mundane these interactions were.
At that point in time, only governments and very large companies could collect large quantities of personal data. They were the only ones with computers. These factors caused Europe to develop strong privacy laws.
Privacy allows us to develop our ideas, before we release them to the world. In Germany, you have the right to legal self-determination. You can sue over privacy.
Governments don't like privacy, especially when it gets in their way. Secret services are antithetical to a free society, and we have to get rid of them.
You can be asked to give away your privacy - to get a loan, or to get a job.
Many people say that privacy is very important, but they don't act that way. For example, Google's search engine has a 95% market share in Germany.
Privacy is like DRM. Both involve control of information that's been released to the public.
Who owns data about the relationships between people? It's not just one person.
Post-privacy means a change of defaults; making things public by default. In the offline space, we've always shared information about ourselves. Even if just via the clothes we were wearing.
To change public perception, you have to get out there, you have to be visible, and you have to make a point.
To keep discrimination in check, we need people to be visible.
Post-privacy is a way to step back from privacy as dogma, and see what's really out there. We should teach other things instead. Participation. Open and noncommercial platforms for collecting and aggregating data. Structures that help us redefine power. Rethinking consent, and how we treat other people. Rethink ethics and how we treat other people's data. Instead of focusing on hiding data, focus on how we treat it, and what we can do with it.
Ladar Levison, Stephen Watt
The idea is how to make email "go dark", from the NSA's perspective. This involves solving server problems. First there's key management: the process of generating, rotating, obtaining, and validating keys. We want to make the world a safer place, without people having to think about it too much. Second, there's the problem of metadata minimization. Somewhere along the line, we lost freedom of association. We want to encrypt headers, separate message and envelope headers, and minimize the amount of header data that a server can see. Ideally, mail servers would be onions, and wouldn't know the entire route. Third, we want to engineer a system that's resistant to advanced threats. Our goal for Darkmail is to make mass surveillance technologically unfeasible.
Endpoint defenses leave security problems to individual users. Not many consumer devices can be called "secure".
Darkmail was designed to be flexible. People will deploy and use it differently, based on their own perceived threat model.
Darkmail's client mode governs how keys are handled. There are three client modes: trustful, cautious, and paranoid. Trustful mode implies that you trust the server to handle all encryption on your behalf, and all encryption is done on the server. Trustful mode could work like Lavabit used to work.
If the only thing we get out of the Snowden disclosures is more TLS for SMTP, then we've lost.
In cautious and paranoid mode, the security comes down to the strength of your password, and the security of your endpoint device. In cautious mode, your private keys are encrypted, but stored on the server, so that they can be accessed anywhere. In paranoid mode, your private keys stay on your device.
Users generate keys, which are signed by organization keys. Organization keys are pinned to DNS.
Only 0.5% of domains use DNSSEC. UDP packets aren't encrypted, which is a big problem with DNS.
In Darkmail, trust requires both a primary and secondary source for validation. Darkmail has a "global ledger", which is used to syndicate public key information. The global ledger and DNSSEC can be used to validate keys.
Darkmail keys incorporate the concept of a chain of custody. You can rotate keys, and key n is signed with key (n - 1). This allows key rotation to be verified.
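One way a client could verify the chain of custody described above, anchored in an organization key as in the earlier paragraph. This is an added example, not Darkmail's own code: the record layout, the serial field and the use of Ed25519 are assumptions made for illustration, since the talk notes do not specify them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// KeyRecord is a hypothetical rotation record. Record 0 is signed by the
// organization key; record n (n > 0) is signed by user key n-1.
type KeyRecord struct {
	Serial uint32
	Pub    ed25519.PublicKey
	Sig    []byte
}

// signedBytes binds the serial to the key so records cannot be reordered.
func signedBytes(serial uint32, pub ed25519.PublicKey) []byte {
	buf := make([]byte, 4, 4+len(pub))
	binary.BigEndian.PutUint32(buf, serial)
	return append(buf, pub...)
}

// Issue creates the record for newPub, signed by the previous key holder.
func Issue(serial uint32, newPub ed25519.PublicKey, signer ed25519.PrivateKey) KeyRecord {
	return KeyRecord{serial, newPub, ed25519.Sign(signer, signedBytes(serial, newPub))}
}

// VerifyChain walks the chain from the pinned organization key and returns
// the current user key. Any missing, reordered or substituted link fails.
func VerifyChain(orgPub ed25519.PublicKey, chain []KeyRecord) (ed25519.PublicKey, error) {
	if len(orgPub) != ed25519.PublicKeySize {
		return nil, errors.New("bad organization key")
	}
	if len(chain) == 0 {
		return nil, errors.New("empty chain")
	}
	signer := orgPub
	for i, rec := range chain {
		if rec.Serial != uint32(i) {
			return nil, fmt.Errorf("record %d: unexpected serial %d", i, rec.Serial)
		}
		if len(rec.Pub) != ed25519.PublicKeySize {
			return nil, fmt.Errorf("record %d: bad key length", i)
		}
		if !ed25519.Verify(signer, signedBytes(rec.Serial, rec.Pub), rec.Sig) {
			return nil, fmt.Errorf("record %d: not signed by its predecessor", i)
		}
		signer = rec.Pub // this key vouches for the next rotation
	}
	return signer, nil
}

// BuildDemoChain constructs sample data: a fresh organization key, an
// initial user key and the given number of rotations.
func BuildDemoChain(rotations int) (ed25519.PublicKey, []KeyRecord, error) {
	orgPub, signer, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	chain := make([]KeyRecord, 0, rotations+1)
	for i := 0; i <= rotations; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		chain = append(chain, Issue(uint32(i), pub, signer))
		signer = priv
	}
	return orgPub, chain, nil
}

func main() {
	org, chain, err := BuildDemoChain(3)
	if err != nil {
		panic(err)
	}
	cur, err := VerifyChain(org, chain)
	if err != nil {
		panic(err)
	}
	fmt.Printf("intact chain verifies, current key starts %x\n", cur[:4])

	// Constructed failure case: rotation 2 is missing from the history.
	broken := append(append([]KeyRecord{}, chain[:2]...), chain[3:]...)
	_, err = VerifyChain(org, broken)
	fmt.Println("chain with a missing rotation:", err)
}
```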
We'd like to create a DNS resolver that can look up public keys for email addresses.
Darkmail is based on an architecture called Magma. All mail services run out of a single multi-threaded process. The system is designed to cluster, using MySQL for cluster synchronization, and memcached for fast lookups. There's a dedicated memory allocator for sensitive information, like passwords and private keys. This memory is pinned and can't be paged out to disk; it's also wiped on free.
Our first implementation is targeting CentOS on x86_64.
TLS 1.2 is mandatory for client-to-server and server-to-server communications. As an end-user client, we're working on a Thunderbird fork called Volcano.
July 19, 2014
Bless the Cops and Keep Them Far From Us
This talk could be subtitled "keeping your ass out of the sights of law enforcement".
Computer crimes have been in the news a lot lately, and this gives hackers a bad name. We've gone from folk heroes, to common criminals, to national security threats.
For computer crimes, the state has abdicated its role to protect. If you report $10k of damage due to malware, you'll get a very different response than if you reported $10k of damage due to vandalism.
If you're caught committing a computer crime, expect to be given greater scrutiny. Particularly if you're a white hat security researcher who's operating openly.
18 USC 1030 is the Computer Fraud and Abuse Act (CFAA). The CFAA protects any computer involved in interstate commerce, which is practically any computer that's plugged into the internet and turned on. The law is very vague, to prevent hackers from skirting (or for that matter, obeying) the law.
The CFAA has no "good reason" or "self defense" exclusions. There is also no free speech exclusion. Most CFAA violations carry 3-4 year prison sentences. EULAs and Terms of Service define what you're allowed to do with a service; this becomes the CFAA's definition of "Authorized Access".
Let's consider third-party audit clauses. A stores data with B, and B subcontracts data storage with C. The third-party audit clause gives A the ability to audit C. For penetration testers, this creates ambiguous system boundaries. Where does your system end, and Amazon's system begin?
Every computer crime has sentence enhancements (i.e., more severe punishment), due to the use of "sophisticated means".
If you plan to do white hat security research, protect yourself by getting authorization first, preferably written authorization.
Be careful about disclosure. Many people are prosecuted not for what they've done, but for what they've said. Think of how one might take your words, and disclose them in the worst possible light. Your statements will be used against you. For example, before you say "fuck shit up" (even in jest), consider how a prosecutor might use those words against you. "You're not a cop, are you?" is another phrase to avoid. To a prosecutor, this phrase shows intent to commit a crime.
Once the bracelets come on, shut the fuck up. Nothing you can say will make things better. In all likelihood, whatever you say will make things worse.
If you're prosecuted, expect prosecutors to take everything you've said online, and try to use those words to show you're an evil bastard.
Some speculate that one in five people are informants. Think Sabu - he wasn't a passive participant.
If you get legal attention, shut up and lawyer up.
Comment: On average, computer crimes carry fifteen year sentences, but rape only carries a five-year sentence.
Under modern sentencing guidelines, you'll get more time for doing something to a bank than you'll get for putting people in physical danger.
If you want to use a computer to get back at someone, you're better off beating them over the head with it. Cyber crimes carry a harsher sentence than physical assault.
Ask the EFF - This Year on the Internet
Nate Cardozo, Kurt Opsahl, Ade Kamdar, Peter Eckersley, Eva Galperin
Last year was very interesting, partly due to things going on with the National Security Agency. We have three cases against the NSA: Jewel vs NSA, First Unitarian vs. NSA (focused on the right of association), and Smith vs. Obama (in conjunction with the ACLU). Other cases involve national security letters; a court declared them unconstitutional, the government has appealed, and we're expecting the appeal to go to court in 5-6 months.
We have an effort to encrypt the web, by furthering HTTPS and developing HTTPS Everywhere, and the SSL Observatory. We also have an open wireless router project.
There are journalists, dissidents, activists, and the vulnerable population outside the US. These are the audiences for our surveillance self-defense guide. It's a digital first-aid kit.
We have an activist team focused on campaigns, and on getting people to take action. For example, patent reform, and open access to research.
We have FOIA suits against the NSA, and the "Who has your back" project. We also have the coders rights project.
Question: How does a FOIA request become a FOIA lawsuit?
If an agency doesn't respond within 20 days, you can sue. You can also sue if you're denied an appeal.
Question: How safe is it to use DDOS as a method of protest?
Your free speech rights are under threat right now, regardless of where you live, or whose jurisdiction you fall under. The UK recently expanded the surveillance capabilities of GCHQ. Australia introduced a law that would make it illegal to report on national security leaks.
Deflect is a non-profit offering DDOS protection for non-profits.
Question: What are some important legal decisions in the US that make us more (or less) safe in terms of the First Amendment?
Garcia v. Google. Google had to take down "The Innocence of Muslims", on the basis of a copyright claim by one of the actors.
A greater exception to free speech is the "right of materials". We've seen efforts to export these ideas to other countries via free trade agreements, like ACTA and the TPP.
Free speech isn't free. If you're using someone's platform, then they have free speech rights, and you do not.
Question: How effective are warrant canaries against National Security Letters?
Some companies and service providers have started using them. Warrant canaries haven't (yet) been tested in court. Tumblr and Pinterest did ones we really liked, using a six-month reporting interval, with a three-month delay. The delay helps lawyers, in case your warrant canary gets a legal challenge.
Question: Is privacy dead?
The government wants you to think this, because it makes you feel powerless. There's a reason why you lock your door, draw your curtains, and don't walk around naked. Even if you have nothing to hide, you have an obligation to protect people who do.
Question: Are you doing any work in Canada?
Most of our work there is done in conjunction with Citizen Lab, which is based out of the University of Toronto. A few of our colleagues were at a TPP meeting in Canada. We had signs and banners, it was great.
Question: The National Strategy for Trust Strategies in Cyberspace is calling for verified online identities. This has been an open process, but the EFF hasn't been involved. How do you choose which things to get involved in?
We have been involved, and we've submitted proposals for anonymous and pseudonymous systems. It's a large bureaucratic process between government and industry. This is happening all over the world. We don't have the head count to get involved in everything.
Question: What are some of the difficulties involved in arguing technical cases in front of a judge?
We have lawyers and technologists, and we work together in writing briefs.
Do you feel like the judges understand?
Sometimes the court gets it. For example, explaining the invasiveness of smart phone searches.
Question: In Ecuador, there's a growing Internet Freedom community. Do you work with these sorts of groups?
One of our folks is doing a tour of Latin America, giving talks. They influenced the US resolution that mass surveillance is not consistent with human rights.
Keynote Address - Daniel Ellsberg
Thomas Paine said that nations should have no secrets. The secrets of courts, like people, are their defects.
There are legitimate secrets in government, such as employee medical records, and secrets in wartime. Since the government has collected information on us, it could all be released digitally.
Most whistleblowers tend to know more than they release. Bradley Manning worked in a compartmentalized information group, meaning that he had top secret (or higher) clearance. He only released secrets (as opposed to top secrets). Manning's revelations helped get us out of Iraq. He revealed atrocities committed by the US armed forces. Bush and Obama would likely be indictable on torture, but we never chose to investigate them. That's illegal. We have an obligation to investigate.
It's odd that we prosecute people for revealing evidence of crimes. That's absurd. Other types of defects deserve to be known, but will be kept secret, either by governments or corporations. Snowden revealed that the NSA knew that what they were doing in 2001-2005 was illegal.
Bush's invasion of Iraq. People were tried at Nuremberg for this sort of thing, and hanged as a result.
Most secrets don't need to be retained for very long. Only 5% of things written need to be classified. After a few years, that drops to 0.1%. Very little deserves classification. Take D-Day for example. That should have been classified before the invasion. Did it need to remain classified in August of 1944? By then, the time and place of the invasion was widely known.
Today, there's no public interest defense for whistle blowers.
When Manning was on trial and asked why he leaked the Pentagon Papers, he started to explain his motives. The prosecution objected, and the judge sustained the objection. This was one of the first cases where a defendant was not allowed to explain their motive. This is why requests for Snowden to come back to the US are hollow. The courts won't allow him to give his side of the story.
There's no doubt that Snowden, Manning, and I broke secrecy rules, which are administrative rules in the executive branch. You can't give classified information to someone who's not authorized to see it. These are administrative privileges. We took an oath to protect the constitution from all enemies, foreign and domestic. We didn't take an oath to secrecy. There are domestic enemies of the constitution. Dick Cheney is one of them. Cheney believes that the executive branch is above the law.
We've been in a state of emergency since September 2001; it's been renewed every six months since then. The continuity orders are classified.
I know of no one who's been charged with violating their oath to defend the constitution. We signed a secrecy agreement. It was essentially like the NDA a corporation might ask you to sign. The US doesn't have an official secrets act. The British have one, as do many other countries. We shouldn't have a British-style state secrets act. It would violate the first amendment.
When I copied the Pentagon Papers, copying wasn't considered a crime. That's not the case today.
Official freedom of speech hasn't gotten as much attention as it should. Secrets are often used as a means to keep the public unaware of what the government is doing. Isn't it worthwhile to take a risk and sacrifice when you see the government doing something wrong and unconstitutional, and keeping it secret? Is the intelligence community really independent? Why is there a 6000 page report on CIA torture that's been bottled up for years?
We need more whistle blowers in government. Folks need to develop things like SecureDrop, so that people can do this without spending the rest of their lives in jail. Congress passed an official secrets act at the end of 2000. Clinton vetoed it.
Oil, gas, and coal companies certainly have plenty of documents showing that they know perfectly well that fossil fuels are causing climate change. These documents deserve to be leaked, and leakers will need help with anonymity.
A Conversation with Edward Snowden
Edward Snowden thanks Dan Ellsberg for all his service, both in and out of government. Question: What were you feeling the first time you heard about Edward Snowden?
Dan Ellsberg: I felt hope. I felt the same about Manning. How often do you need a massive dump of documents?
Ed Snowden: You touched on technology. To gather public information, you need to know about technology. Technology powers dissent, and not just recently. Photocopies allowed the Pentagon Papers to come out. Technology empowers people. The government does their best to discredit and destroy whistleblowers.
Executive orders are being used to monitor many people, and many US citizens. This was news in the Washington Post, from a former State Department Official. It should be a front page story, but it's just an op-ed, because of a lack of overwhelming evidence.
The government calls whistleblowers "bad", and claims they're spies. The intelligence community uses these cases to create examples. We didn't fight a revolution to have a set of internal policies. People should know at least the broad outline of government policies that affect their lives.
Dan Ellsberg: Obama was asked if Manning was like me. Obama said no; the two were classified differently. What Manning put out was secret info. Everything I put out was top secret. That's the difference.
I immediately identified with Manning and Snowden. We were all willing to take a very big risk. I would have put out more recent documents, but I didn't have access to them. I was trying to end a war.
Snowden: You acted to end a war; to correct policies that were costing people their lives. The journalists and editors who worked on these stories are really trying to make sure they fit into the public interest. The intelligence community is doing a lot of things behind closed doors. They're not accountable to the public. There's very little accountability, even to Congress.
Eight senate intelligence committee members all get a lot of funding from private intelligence companies. We need to know what governments do, in order to decide how much to scrutinize them.
Section 215 says "we can collect call records of everyone in the country". That's not about surveilling individuals; it's about surveilling everyone, collectively, and their associations. It's a violation of the first amendment's right to free association, the fourth amendment's right to privacy, and the fifth amendment's right to due process. We have the ability to protect our rights, by coding protection into the programs we use every day.
Question: What can designers and developers do?
Snowden: It depends on the threat model. Encryption is an important first step, but encryption doesn't protect the right to associate. Secure drops help. Phones are not very good tools for this. The same tools that the government uses to find spies are also being used to track journalists. We need obfuscation, mixed routing, and unattributed internet access. This is a worldwide problem. How are the worst people on earth going to damage your systems? And by "worst people", I mean governments.
Ellsberg: We've talked a lot about helping informants, and getting information to journalists, and even to congress. But we also have to consider the press. We have to be concerned about news outlets that only publish "approved" stories. The government hasn't (yet) gone to the extent of prosecuting journalists outright. I believe this is coming next; charging journalists with aiding and abetting, and making an assumption that they're criminals.
Snowden: That's a really complex topic. Politically, I'm almost Stallmanesque. Software is a way of expressing and defending our freedom. We need to enshrine our rights in the software we use. That would prevent mass collection, but wouldn't shut the government out of specific, targeted investigations.
Journalists that advocate policies of limiting what the public knows are not acting in our best interests.
Today's sysadmins and hackers have a civic duty to teach people around the world how to safely interact with technology.
Ellsberg: Every one of us has seen things that were wrong, that should be exposed. But we turned our backs because we were intimidated. But there comes a time when the level of wrongness is so great that you have to cross the line and tell the truth, even at your own risk. Many people never see that line: renewing an unlawful war, the tobacco industry, GM. I hope that more people will be inspired to take significant risks. Bismarck said "courage on the battlefield is very common, but civil courage is very rare".
We got into Vietnam to support French colonialism. I think that every death in Vietnam was an unjustified homicide.
Courage isn't just something you do for the commander in chief. Snowden was the only person in the whole fucking NSA that did what they were supposed to do.
Snowden: Politically, I'm very moderate. Greenwald called me a radical; it was the first time I've ever been called that. Lots of people in government want to do the right thing, but there's a stigma; you have a family and you have kids. We can't judge people for human nature. This is not about wiping out government, this is about the public knowing what government does, and holding them accountable for their actions. We can't allow secret things to happen behind the scenes. The only way we stop that is with transparency.
Ellsberg: I came to feel that I was asking too much; that only some people had a limit. But many people complain internally, and they're taking risks too. I think it's essential to make the process less risky. The public needs to know the embarrassing things about their government. We can mitigate risk, but I don't think it will ever become riskless.
If Snowden went back to the United States, I think he'd spend the rest of his life in a solitary isolation cell. You'd never get a chance to make your case to the public. But you can do that in exile. Chelsea Manning has never been interviewed by a reporter, since the day she was arrested.
Snowden: Being a patriot does not mean obedience to authority. Oaths to authority are very dangerous. We should encourage oaths to values. If our leaders can't uphold their oaths to the Constitution, then they shouldn't ask us to. Our government asks people to protect the government's interest, to the detriment of people around us. If they can trample the first, fourth, and fifth amendments, then they can trample anything.
Ellsberg: We fundamentally agree here. There is risk, even if you don't get prosecuted. The Constitution is the next beginning and end of this. The Fugitive Slave Act was upheld by very brave people. Rosa Parks broke a law that the Alabama Supreme Court ruled constitutional. We may have to resort to civil disobedience.
Snowden: Look at everyone in the room. It's a broad cross-section. People from the NSA are in the room. To the NSA people in the room, you have to figure out what you believe, and the world you want to live in.
One group is taking the idea of HTTPS everywhere, and applying it to Tor. Instead of converting HTTP to HTTPS, they'd like to go from HTTPS to Tor hidden services. The challenge is identifying Tor hidden services that correspond to public websites.
Another speaker was attempting to quantify the effects of the Snowden revelations. They used Google Trends to look at the frequency of searches that involved "privacy sensitive" terms. Surprisingly, the frequency went down 5% after Snowden's leaks started coming out in the media. There are also fewer searches for terms that might get you in trouble with the government. The presenter's paper is called "Government Surveillance and Internet Search Behavior".
Tahoe LAFS (least authority file system) is a storage service that uses end-to-end encryption. You can make Tahoe available as a Tor hidden service.
I'm doing a movie about computer hacking. I've interviewed a number of people. We want to hear your stories, and we want to put you in our movie.
Ethereum is a new use of block chain technology. It expands the idea of block chains beyond financial transactions, to general contracts. The goal is to have "smart contracts", where one can verify that agreed-upon conditions have been satisfied.
Electric Waste Orchestra
Most of the things presented were built at a makerspace in Urbana. E-waste tends to pile up, because you have to pay someone to dispose of it. If you want to make things out of e-waste, it's easy to find material to work with.
The presenter built a musical instrument out of hard drives. It was kind of cool looking; shaped like a guitar, with a bunch of exposed hard drive platters. Spinning a platter creates a sine wave, and the waves can be used to produce music.
On the software side, MaxMSP and PureData were helpful in turning the electrical signals into music. PureData takes an analog voltage and digitizes it. The digitized signal can be passed to other functions.
A Sea of Parts
This presentation was about self-configuring modular robotics.
Each module should be "minimally viable", as simple as possible. The power of modular robotics comes from putting the modules together.
We have the notion of a "universal physical machine". The goal is to have modules that can be combined to form any kind of machine. Modules can be pooled and shared. Use what you need when you need them; return the modules when you're done. It's like sharing a power drill with your neighbor. Modules and sharing create a low barrier to entry.
Reconfigurable devices can be replaced without throwing away the old parts. You reconfigure the old parts instead.
As designs get more complex, involving more and more modules, it becomes harder to reconfigure the robots. The mathematics is very challenging. Someone recently built a kilobot (using 1024 modules). He said that the last 200 modules were very difficult to incorporate.
Social Engineering Panel
Emmanuel Goldstein and friends
A big part of social engineering involves learning what doesn't work. You have to know when the jig is up, and learn from it.
Social engineering is based on the idea of establishing rapport. Don't let your mood fail that. It's all about empathy, and being able to listen.
It's important to think about control, and controlling your outer persona. Social engineering is like method acting. It's a confidence scheme, designed to gain the trust of a target, and getting them to divulge something they shouldn't divulge.
July 20, 2014
Cyber Security in Humanitarian Projects
Cyber security is a problem for everyone. Malicious criminal attacks are getting more sophisticated. Governments do stupid things. Privacy is a growing concern. We need to make security tools easier for users. We need to build systems that, by default, enforce human rights.
Think like a n00b. How do your designs work for someone who's not a techie? This stuff is scary and incomprehensible to most people. Even more importantly, we're talking about vulnerable populations. Populations who've experienced disasters or crises are especially vulnerable - people who've lost their homes, who've experienced natural disasters, or who live in war zones.
There are two kinds of humanitarian projects: (1) those attached to large government agencies or NGOs (for example, FEMA and Doctors without Borders); and (2) small projects run by passionate people, which aren't attached to a larger organization. Both groups have things in common. They serve vulnerable populations, they store sensitive information, and they lack security skills. Both struggle to find funding. These two groups have different problems: too much bureaucracy vs. having no structure at all. Existing infrastructure vs no infrastructure. They have different ways of handling money and volunteers.
Projects that weren't built for security usually have security as an afterthought. This won't change unless security-focused people get involved right from the start. You don't know anything about security code until you've spent a bunch of time breaking things.
SANS holiday hack can be a lot of fun.
Don't just break things for yourself. It's much more fun to break things with friends. Have security-focused hackathons. Set up a pen testing lab, take an existing project, and try to break it. Try to get people from the project involved, so they can receive feedback.
Non techies are very important. We need people who will use our stuff, and aren't proficient in command line-ese.
What can you do? Help sponsor a hackathon. Have your company sponsor Geeks Without Bounds (http://gwob.org/), volunteer, mentor, organize your own events, donate.
Question: How do you balance security with the need to get things done?
Treat security as any other feature set. You don't implement every single feature in the 0.1 version, but you still keep them in mind.
Question: Have you seen attacks on humanitarian projects?
Scammers scraping personal information, and using it for phishing attacks. Many attacks are aimed at getting information out of people, especially dissidents.
Ethical Questions and Best Practices for Service Providers
Nicholas Merrill, Ladar Levison, Declan McCullagh
We're not here to denounce warrantless surveillance. Instead, we're here to talk about how service providers can conduct themselves ethically.
What's changed since the Snowden releases? The market has certainly changed. Privacy has become a market differentiator that consumers pay attention to. As a business, where do you draw the line between protecting users, and obeying (unjust) laws?
The bugs recently found in OpenSSL and GnuTLS emphasize the importance of layering protocols. For example, layering TLS + OTR + Tor. If one protocol becomes broken, you still have the other protocols to protect you.
I draw the line at the constitution. When there's a warrant issued by a judge, that's not overly broad, for a specific thing, then I think it's right to turn over the information and help law enforcement. Asking for access to everyone's data is way over the line. Gag orders make those requests villainous.
When you're served with a secret warrant, you have to clear your lawyer with the FBI, to make sure that they have the appropriate clearances. It's hard to find lawyers that have these clearances. I felt like I was being denied an inalienable right - the right to consult an attorney.
If you're starting a new business, you have to avoid being put in the position of handing over data on your users. If your users are the only ones with keys to their data, then you can't hand their data over.
Some are starting to kick around the idea of using separate legal entities for software development and service providers. The providers don't write the software, so they can't be forced to modify it.
Judges have free rein in the courtroom; they're like little kings. They can issue unreasonable orders, and your only option is to appeal them.
Warrant canaries are an interesting legal idea. Some attorneys believe you'll be charged with contempt for using a warrant canary.
Some people have used incriminating information as their password, then claimed they can't disclose it, due to the Fifth Amendment's prohibition on self-incrimination.
Phones are tracking devices. Is there any informed consent there? Or, Facebook's manipulation of data as a social experiment. There's a continuum of ethics, but a lot of these things play out in back rooms. As a consumer, it's hard to tell what's going on.
If you're serious about privacy, the business model of mining consumer data has to be thrown out the window. We may need to go back to a fee-for-service model.
Being ethical could mean informing users when their data is given out. If my bank gives my personal information to a credit agency, then I deserve to be notified. There are many warrants for surveillance, but very few arrests coming from these warrants. Those under surveillance never have the opportunity to face their accusers.
I'm still fighting a gag order from 2004. I can finally talk about it because the FBI admits there was no underlying investigation. But I can't talk about the types of data the FBI wanted me to collect. The FBI eventually withdrew their National Security Letter. I think that was a tactical move, to prevent the Supreme Court from ruling on the legality of the Patriot Act. Whenever someone is willing to take an NSL to court, the FBI always withdraws.
The vast majority of NSLs go to large service providers. If these large providers don't challenge the NSLs in court, we may never have a ruling on their legality.
Question: I've moved my email to a VPS in Iceland. Am I still subject to CALEA?
Yes, if you transmit data via the phone service. I'd favor a limit on surveillance. Say, after 60 days, you should be able to notify the targeted user, so they can start looking for a lawyer. The FBI has been trying to expand CALEA for years. "Going Dark" is the name of their latest effort to expand CALEA.
Question: What about a pro-se defense?
If your two options are "give the government what they want", and "go to jail", you don't need an attorney for those options.
Comment: You can't take a hypothetical dispute into court. You need something concrete in order to show standing.
In 2004, the government issued over twelve thousand National Security Letters. Only one person was willing to take them to court.
Question: What happens if the FBI forces you to make your service insecure, and won't allow you to remove the word "secure" from your marketing materials. Is that a problem with the FTC (federal trade commission)?
Yes, and the FTC hates the FBI. But guess who wins: the group protecting consumers, or the group protecting the state?
Comment: We like the convenience of technology, and that forces us to give up some privacy. But we're giving up more privacy than we should need to.
Teaching Electronic Privacy to Government
Is it possible to protect cyberspace without destroying democracy? Yes, but we have to do it carefully.
Many decisions are made in back rooms, with little or no transparency. When you're making security decisions, it's good to have a hacker in the room.
Our world has become increasingly instrumented. Once upon a time, this was moderated by the human workload required. Now, we've removed the human effort.
Different groups have different viewpoints on security; for example, the EFF, law enforcement, policy makers, and business. Most policy makers are trying to do a good job, and they like actionable ideas. But their abilities are limited.
These communities value patriotism, they understand threats, and they want to prevent bad things from happening. But their abilities are limited. There's a trust that things being built won't be abused.
If the Department of Defense defended the land like they defend cyberspace, then a land invasion would have to be fought by civilians and business entities. We want solutions that provide effective security, are non-intrusive, and protect privacy.
West Point just hired an ethics fellow. This is a new thing. The DoD also has a privacy research group.
In a large organization, the set of available tools is crude. You have posters, pamphlets, professional reading lists, conferences, and required annual training. Organization leaders have to use indirect means of changing attitudes. Changing attitudes requires the support of senior leaders.
To get change in communities, we need to build allies, and develop mutual respect. Convey why privacy and civil liberties are important. Provide concrete examples. Tie your examples to our instrumented world. Freedom of thought and freedom of expression are important to democracy.
Question to consider: if you were running a training session for government officials, what would you teach them?
Comment: People in the military often have a good knowledge of history. Use the metaphor of "the people we will be". For example, we didn't fight the cold war to have a police state here.
Comment: We seem to be moving towards a militarized state. You can't have dissent when protesters are kettled. Much of our military recruitment is done among low-income communities. The danger is that we have a military and a police force that's invested in oppression for the benefit of the elite. Resistance to authority is a big difference between people in the military and people here (in this room). You have to get past their laser focus on security, and get them to look at the broader perspective.
Question: How did you get your position?
I worked with West Point. West Point is an academic institution, and you can do a lot with educational freedom.
Comment: My concern is around the phrase "humanitarian militarism". Data is the new oil. Data is new research for exploitation. Privacy and security trickles down to government contractors and NGOs. Contractors are responsive to opportunities, and to how contracts are written. If you write security and privacy into the contract, then the contractor will care.
Question: We see lots of negative reinforcement, but little positive enforcement. How can we do more positive enforcement?
The military is responsible to civilian authority. Focus your praise to civilian authorities. Follow the chain of authority.
Comment: I'm concerned about the rule of the military vs. the rule of local law enforcement. Perhaps the military could consider an open house, where civilians could come and meet them.
Comment: The military's job is to defend civilization. My job is to create a civilization that's worth defending. The military focuses on procedures: what did you do? Civil rights law focuses on why you did it, and what the outcome was.
Comment: The first step in negotiation is finding common ground. The military is very focused on security, and many of us are too. Likewise, we both value freedom.
The Science of Surveillance
The NSA didn't provide many facts to the agency's overseers. Are there ways to inject computer science into law?
Surveillance orders include privacy safeguards (for US persons). These safeguards are designed by lawyers, based on their assumptions about technology.
The bulk email metadata collection (which ran from 2001-2011) required a reasonable articulable suspicion. This comes from section 214 of the US Patriot Act. Metadata is not protected by the fourteenth amendment.
Internet traffic collection (2001-current). Most internet traffic gets routed through the United States, so the NSA is in a good position to intercept it. UPSTREAM and PRISM are two of the programs involved. These come from Section 702 of the FISA Amendments act.
Phone metadata collection (2001-current). This comes from Section 215 of the US Patriot Act; the "business records" provision. It also requires reasonable articulable suspicion for collection.
The CIA has a program to collect financial records.
Collection of phone location data (2010-2011). This was also done under the guise of Section 215.
There's been very little transparency on the legal theories used to justify these programs.
Lawyers assume that most people don't send data outside the US, or that they're aware when they are sending data outside the United States. Many people send data outside the US, without ever realizing that it's leaving the country. For example: many domestic websites include content that's not hosted in the United States. The US House of Representatives website had a widget that was hosted in London. That's one end foreign. It's likely that 10% of US websites include content from a foreign host.
US companies sometimes have IT facilities outside the United States. For example, General Motors has website hosting in Frankfurt, Germany.
Traffic also leaves the United States because of routing.
Many people in the US use services located in foreign countries. For example, Doodle and is.gd.
In summary, many Americans send (or access) data outside of the United States. The "one end foreign" criterion doesn't make sense with the internet's architecture.
Lawyerly assumption: metadata does not identify individual persons, and it's not densely interconnected. We crowdsourced some phone metadata. Our crowdsourcing effort involved 825 recipients and 250k text messages. We found that it was pretty easy to correlate phone numbers with people. We were able to match 91% of the phone numbers using a commercial phone database.
We studied the structure of call graphs. The NSA stores raw phone data, and has a database of subjects for whom reasonable articulable suspicions exist. These two datasets are joined, and matching records are moved to the NSA's corporate store. We wanted to know how much stuff could make its way into the corporate store.
We thought our call graph would be very scattered, and we were completely wrong about that. The highest-degree hub was T-Mobile's voicemail number. Using two hops, you can connect any pair of people that use T-Mobile voicemail. Likewise for calls to Comcast customer service. Again, any pair of people that call Comcast customer service are only two hops away from each other. Ditto for telemarketers: if a telemarketer calls two people, they're two hops away from each other. The participants in our study were 90% connected. 60% were connected within four hops, and 50% were connected within three hops.
If someone using Skype (routing calls through Skype's hub) called Comcast customer service (using Comcast's hub), then everyone who used either hub is connected by three hops.
Moving the raw data out of the NSA doesn't help much. The NSA collected numbers within three hops: that's a lot of data going into their corporate store.
Another experiment: we tried to infer if pairs of people were in a relationship. Turns out that this is pretty easy to do with phone metadata. It's also not challenging to infer medical conditions, or specific firearms that people owned. Phones are commonly used in sensitive contexts.
The government needs your help. The hacker community can help provide these kinds of facts to law makers.
Question: Why has the government made such a massive surveillance investment right now? What's the political rationale?
Question: What about inferring data from Skype?
We don't know of any bulk surveillance program that collects data from Skype. But Skype data might be collected through targeted surveillance.
Question: What does call graph connectivity look like if you remove the hub numbers?
The NSA could remove hub numbers, but there's incentive for them not to do so. Leaving hub numbers in allows them to put more data in their corporate store. There's also a long tail to hubs. You've got T-Mobile voicemail, but you've also got the local pizza shop.
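The hop counting described in this talk, and the audience question about removing hub numbers, worked through as an added example (not code or data from the presenters' study). The names, numbers and call records are constructed; the three-hop limit mirrors the figure given in the notes.

```python
from collections import defaultdict, deque

# Constructed call records (caller, callee). Two shared service numbers act
# as high-degree hubs; the pizza shop is a "long tail" hub.
CALLS = [
    ("alice", "hub-voicemail"), ("bob", "hub-voicemail"), ("carol", "hub-voicemail"),
    ("dave", "hub-cable-support"), ("erin", "hub-cable-support"),
    ("carol", "hub-cable-support"),
    ("alice", "frank"), ("grace", "heidi"),
    ("pizza-shop", "bob"), ("pizza-shop", "ivan"),
]
PEOPLE = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan"]


def build_graph(calls):
    """Undirected call graph: an edge exists if either party called the other."""
    graph = defaultdict(set)
    for caller, callee in calls:
        graph[caller].add(callee)
        graph[callee].add(caller)
    return dict(graph)


def within_hops(graph, seed, max_hops):
    """Breadth-first search from a seed number; returns {number: hop distance}
    for everything reachable in at most max_hops hops (seed included at 0)."""
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if dist[node] == max_hops:
            continue  # do not expand past the hop limit
        for neighbour in graph.get(node, ()):
            if neighbour not in dist:
                dist[neighbour] = dist[node] + 1
                queue.append(neighbour)
    return dist


def linked_pairs(graph, people, max_hops):
    """Number of unordered pairs of people joined by a path of <= max_hops."""
    people = sorted(people)
    linked = 0
    for i, person in enumerate(people):
        reach = within_hops(graph, person, max_hops)
        linked += sum(1 for other in people[i + 1:] if other in reach)
    return linked


def remove_top_hubs(graph, count):
    """Copy of the graph with the `count` highest-degree numbers deleted.
    Ties are broken by name so the result is deterministic."""
    ranked = sorted(graph, key=lambda n: (-len(graph[n]), n))
    dropped = set(ranked[:count])
    return {n: nbrs - dropped for n, nbrs in graph.items() if n not in dropped}


if __name__ == "__main__":
    graph = build_graph(CALLS)
    total = len(PEOPLE) * (len(PEOPLE) - 1) // 2
    print("numbers within 3 hops of alice:", sorted(within_hops(graph, "alice", 3)))
    for hops in (2, 3, 4):
        print(f"pairs linked within {hops} hops: "
              f"{linked_pairs(graph, PEOPLE, hops)}/{total}")
    pruned = remove_top_hubs(graph, 2)
    print("after removing the two largest hubs:")
    print("  within 3 hops of alice:", sorted(within_hops(pruned, "alice", 3)))
    print(f"  pairs linked within 2 hops: {linked_pairs(pruned, PEOPLE, 2)}/{total}")
```

With the two largest hubs removed, bob and ivan are still two hops apart through the pizza shop, which is the long-tail effect mentioned in the answer above.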
Blinding the Surveillance State
Things that the ACLU has worked on: getting a warrant requirement for police to search your cell phone; getting a warrant requirement for access to cell phone location data; working with and advising Edward Snowden.
In 2009 all browsers supported HTTPS, but most web sites used HTTP by default. Mass bulk surveillance is easiest when performed passively. The wealth of unencryption has meant a wealth of data for the NSA to collect. We're slowly putting the NSA on a diet. Large companies are starting to lock things down. Aside from monitoring traffic between users and data centers, the NSA was also monitoring traffic between corporate data centers.
Until January of this year, Yahoo! didn't use HTTPS at all. In 2014, a bunch of IM servers started to force encryption for jabber clients. Google published a transparency report, listing companies that didn't support STARTTLS for email delivery; now those companies are starting to support STARTTLS.
Qualys labs gives letter grades to companies for their implementation of HTTPS.
At first, US companies denied participation in the NSA's bulk surveillance. Then, they hemmed and hawed. Then, they started pushing back.
It's rare for politicians to grandstand against surveillance. Pamela Jones Harbour (from the FTC) gave a speech where she advocated for the use of HTTPS by default. Chuck Schumer wrote a letter to websites, asking them to use HTTPS by default.
How do we get politicians to advocate for better security? Our politicians have been worried about hackers using Starbucks wi-fi connections, the threat of ID theft, stalking, and petty crimes. We may not be able to get our politicians to thwart the NSA, but we can lobby for protection against identity theft, fraud, and crime. When Google enabled HTTPS by default, they framed it as a response to Chinese hacking.
FTC activities don't extend to surveillance by government agencies. The FTC forced carriers to implement CALEA.
In 2013, the DNI (director of national intelligence) identified cyber as the primary threat. Prior to that, it had been terrorism.
After leaving the NSA, Keith Alexander started offering consulting services for a million dollars a month. Cyber is the only part of the defense industry that's going up. Many lobbyists previously worked for the military, but have little knowledge of technology.
Technologies that prevent data theft are the same technologies that would protect privacy and civil liberties. Tor is a security service that protects US information. Silent Circle is a security system that prevents the theft of US data. We should push for cybersecurity over civil liberties. We need to develop an affirmative cybersecurity agenda.
When addressing CISPA and similar legislation, point out the risks inherent in data retention. Push an agenda: a list of things we want government to fix to make the internet more secure.
Question: There used to be an office of tech advisers. Should we lobby for its reinstatement?
It would be great to have technology experts in Washington, advising policymakers.
Question: Isn't this about protecting American technology?
To the extent that security will prevent IP theft, we should push it.
Comment: We should advocate for citizen voices in identifying solutions to problems.
For this conference, we had a 10GB internet connection from Hurricane Electric. We got the 10GB fiber connection activated within seven days, which is almost unheard of. Our network equipment came from Yellow Fiber, Cisco, and NOC pool.
All IP addresses were public. NAT doesn't scale to the number of addresses we'd need for conference attendees.
We got one DMCA notice from Sony. Apparently somebody was downloading a copy of Spiderman 2.
Next conference, bring your servers, and hook them up to our 10GB network! The Snowden talk used Google hangouts for videoconferencing.
Over 20,000 people from six continents and 140 countries watched the live streams from the conference. A group called Internet Society handled the live streaming. We used Livestream (the company) as a streaming service. According to Livestream, we were one of the top-watched streams this weekend.