Hope XI 2016

From srevilak.net
Jump to: navigation, search

July 22 - July 24, 2016

Friday, July 22nd

The Phuture of Phreaking

The Cheshire Catalyst

Phone Phreaking was a way of the exploring the network - specifically, Bell Labs proprietary phone network.

Bell systems published the Bell Systems Journal, which provided a lot of the secrets behind how the network worked. Copies of BSJ were prized by phone phreaks.

When you make a phone call, your phone emits a series of DTMF tones, corresponding to the numbers dialed. When an operator places a call, dialing emits a different set of DTMF tones. The infamous "blue box" duplicated the operator's DTMF tones. Phone networks are different now, and blue boxes no longer work.

Project MF is a modern type of blue box. See http://projectmf.org/.

In most countries, the post office also runs the phone system. Obviously, the US isn't like that. European phone system standards come from the ITU.

WebRTC is the future of the web and VoIP. WebRTC is a set of published APIs that allow you to make phone calls over the web. There are ways to send SMS messages too.

The phone company used to use T1s to provide around 23 different lines to an office PBX system. Today, a PBX is more likely to be backed by VoIP. http://www.sonus.net/ produces a set of dummies guides for VoIP, SIP and such.


Question: Will this year's WebRTC conference be streamed?

I don't know. The conference page doesn't say.


Intro to HAM radio: What you need to start tomorrow

Radio is everywhere. It's in WiFi, your cellphone, satellites, AM/FM, radar, and shortwave.

The frequency of a signal affects directionality, and how far the signal can travel. Radio really boils down to encode, transmit, receive, decode.

Why should you get an Amateur radio license? Technically, the license is a legal requirement for operating a transmitter. But you're not too likely to be fined for operating without a license. A license also makes you part of the amateur operator community. Amateur radio has a specific segment of spectrum assigned to it. (Assuming, of course, that you're licensed).

Licenses are associated with exams. There you can find prep courses for the exams, and you can self-study. There are three exams: technician, general, and extra. There's no longer a Morse code requirement, though some operators elect to learn Morse code anyway.

You don't need much equipment to get started: a transmitter, an antenna, and something to capture audio input. There are several types of transmitters. Portable hand transceivers (HT) are small and handheld. Mobile transmitters are designed to fit in a car or boat. Base stations are larger, and designed to work from a fixed location.

DIY is a huge part of the HAM radio community. Antennas are a very common DIY project. You can also purchase plans and build your own transceiver.

AWA: Antique wireless association. This group is dedicated to preserving the technological history of radio.

QRP: Low power operators. Low power is anything that broadcasts at five watts or less. Some people challenge themselves, to see how far they can broadcast with a lower power transceiver. Under the right conditions, you can reach thousands of miles.

EME: Earth-moon-earth, aka Moonbounce. This is a group of amateur operators that bounce signal off the moon, and back to earth. In 2009, a team of operators did a earth-venus-earth bounce.

There's amateur satellite, http://www.amsat.org/. Before you can hit an object in space, you have to know where it is. The keplerian elements of objects in space is a set of software that can help you figure out when satellites will be overhead. With five watts and the right directional antenna, you can hit a satellite. Satellites have a footprint, where they retransmit signals down to earth.

Events in space affect radio propagation. See http://solarham.net/.

ARRL (http://www.arrl.org/) the National Association of Amateur Radio has a ton of info about signal propagation. Weather has a huge impact on propagation too. People have set up computer networks over microwave and HAM radio. Rocky Mountain Ham http://www.rmham.org/ is one example.

You're not supposed to do any sort of commercial activity over the amateur spectrum.

An FRN (FCC Registration Number) is an identification number given to you by the FCC, if you elect not to use your social security number.

The exam fee is $15.00. You're allowed to bring pencils and a calculator. Exams are closed book. Licenses are good for ten years. After than, you'll need to renew (for a small fee).

In NY, a ham radio license is a valid defense for talking on a cell phone while driving.

The presenter has posted a set of exam prep material at http://goo.gl/SidIzY.

There are amateur radio clubs all over the place. Reddit's /r/amateurradio is also a good source of information.


Question: Outside of this conference, what are some of the other opportunities for taking an amateur radio exam?

Look at the ARRL website. They publish a listing of exam dates an places.

Question: Who can I find? What do operators typically talk about?

We spend a lot of time talking about radio, and having casual discussions. There are also special interest nets (group discussions) on particular topics.

Question: What would you recommend as a starter radio?

Handhelds are generally good to start with, and tend to be the cheapest transceivers. Balfung is a popular brand.

Question: What about buying used equipment?

It's like buying a used computer. You can get really good stuff, but you can also get junk.

Question: Are there any websites to help you study for the exam?

https://hamstudy.org/ is a pretty good one.


Only you can stop police surveillance - here's how

Matt Cagle, Mariko Hirose, Jared Friend

Stingrays were originally developed for military use, but they've been quietly adopted by police departments. Stingrays are a new piece of technology, and for a long time, there were no constraints on their use. That led to the devices being used for routine surveillance.

The current surveillance climate makes it hard to defend someone. Because there's so much secrecy around these devices, attorneys don't know how they're being used. This leads to parallel construction. Plus, many defense attorneys don't have the technical background to understand how these things work.

What does a stingray do? It pretends to be a cell site. Your phone will connect to the stingray, and provides its IMSI (International Mobile Subscriber ID) number. Stingrays are commonly used to deliver warrants. If the subject's IMSI is known, the stingray can be used to find the phone. Stingrays are also used for phone taps, obtaining phone numbers, or assembling information prior to making a records request from a phone company.

Stingrays are indiscriminant surveillance devices. They target everyone in the device's range. They do not target specific individuals.

How can communities learn about new surveillance technologies? Pay attention to your city council agendas and meeting minutes. Before adopting a piece of surveillance technology, there's usually some discussion at the city council. Sometimes we learn about new surveillance technologies because someone in the local police department starts bragging about them.

New surveillance technologies often come with strings attached. For example, adoption might involve sharing information with state or federal governments.


The Panama papers and the law firm behind it

Alexander Urbelis, Manos Megagiannis

I'll tell you a story about a few interesting documents from Mossack Fonseca. The story begins in Germany. A German newspaper received 2.6 TB of documents. These documents were analyzed by members of the ICIJ, which is located in Washington, DC. ICIJ analyzed the documents for over a year, and published their first story on April 3rd, 2016.

Mossack Fonseca has 40 offices worldwide. They claim to help corporations maintain privacy. MF originally said the leak was an email breach. That's not accurate. Think of how long it would take to download 2.6TB of data: 2.3 days on a 100 mbit connection, or 17 hours copying to a USB drive. The leaked data goes back approximately 40 years.

One of the main characters is Paul Singer. He's a banker that purchased sovereign debt from struggling nations, then put the screws to them for repayment. Singer did this through a subsidiary in the Cayman islands. He did this to Argentina, and took them to court for repayment. He won the right to pursue Argentina around the world, for repayment.

In the US, Mossack Fonseca has a branch in Nevada. The main corporate office has tried to sever ties to the Nevada branch. MF has another branch in Wyoming. Wyoming makes it very easy for companies to incorporate; it's a very private state. Wyoming is almost like an offshore tax haven, aside from the fact that it's located within the US.

CIS is "Case information services". It's a custom portal, available to MF clients. Mossack Fonseca did a poor job at safeguarding client data. If you're working with a law firm, you should ask them about their information security policies. Law firms have traditionally been reluctant to spend a lot of money on information security.


Question: Do you think that foreign jurisdictions are still beneficial for individuals trying to maintain privacy?

Mossack Fonseca was quite good at hiding what their clients were doing. They were just bad at protecting client data.

Question: Are lawyers getting more sophisticated at covering their tracks?

Some will get better, by learning from other's mistakes. Mossack Fonseca definitely falls into the category of other's mistakes. This will lead some law firms to develop anti-forensic counter measures.


Ask the EFF: The year in digital civil liberties

Hurt Opsahl, Jacob Hoffman-Andrews, Vivian Brown, Parker Higgins

The EFF recently filed a lawsuit with the Federal Government, concerning what is allowed by Section 1201 of the DMCA. Section 1201 makes it illegal to attempt to circumnavigate DMCA restrictions. Every three years, the library of Congress grants exemptions. The every-three-year process doesn't square with our country's notion of protected free speech.

We have ongoing litigation over National Security Letters and federal government surveillance. We're trying to remove the gag order aspect of national security letters.

The Computer Fraud and Abuse Act (CFAA) is our federal anti-hacking statute. In United States v. Nosal, courts ruled that violations of a EULA were not violations of the CFAA. Violating a EULA is not a federal crime.

There's another case over password sharing - this will determine if sharing passwords is a crime, even if the sharing is done with permission and consent of the account holder whose password is shared.

In Facebook vs. Power Ventures, courts upheld the ruling that EULA violations are not CFAA violations. But the court upheld the notion that visiting a web site after receiving a cease and desist order from the web site operator is a CFAA violation. Beyond filing lawsuits, making people aware of legal and technology issues is very important, as is policy work.

Many videos are taken down (from video sharing services, like YouTube) on the basis of Content ID matches. We can't sue over this, but we're working to make people aware of the issue.

We've been working on a piece of software called Certbot, which makes it easier to obtain and renew X509 certificates from Let's Encrypt. Let's Encrypt is part of the EFF's long-running encrypt the web project. There are currently 4.5 million Let's Encrypt certificates in use.

We have initiatives to oppose surveillance at the local levels, and we're currently focused on biometrics and automatic license plate readers. We're doing awareness projects, and crowd-sourcing public records requests to gather information.

We had a campaign against Verizon's UIDH tracking. This year, Verizon and the FCC agreed that UIDH should be an opt-in only program.


Question: How should we describe the EFF to the general public?

Describe the specific topic areas we work on. Not all of our work involves the internet. For example, John Deere is using section 1201 of the DMCA to prevent people from repairing their John Deere tractors. Section 1201 affects a lot of things.

Privacy Badger is another EFF project worth mentioning.

Question: What's the hardest part of getting public outcry?

Generally, it's pretty hard. TV and newspapers won't cover an issue, unless there's an image (picture) of the thing you're talking about.

Question: How do NYC's ring-up tests and DRT boxes not run afoul of the fourth amendment?

These are technologies that do something a police officer could do manually. From the police department's perspective, these devices are doing the same thing, but 24/7 and automated. Courts are starting to realize the effects of ubiquity and scale. We shouldn't turn into a dystopian society just because it's cheap. It's much easier to stop police from adopting new surveillance technologies if you can catch things before deployment.

Question: How do you convince people that they do have something to hide?

Governments can change very suddenly. You have an advantage when other people have privacy, like whistle-blowers. You might think you have nothing to hide, but the government may disagree with you. You can help protect free speech, even if you feel that you personally have nothing to say.

Question: Now that privacy can cut into the bottom line, are companies being more proactive about it? Does the EFF lobby?

The EFF is a 501(c)3 organization, which limits our ability to lobby.

Some companies have become very active in the area of privacy. Apple is adamant about not building back doors into their products. Corporations are likely to think there should be limits on what governments can do, but they're generally not interested in limiting what they, as corporations, can do. As more aspects of our lives involve technology, privacy will become more important. In the US, privacy issues tend not to get a lot of traction, until they involve commerce.

Question: Do you make money from smile.amazon.com?

A tiny bit. It's better than nothing, but it won't help us balance the books.

Question: What is the definition of privacy?

"The right to be left alone" is a good definition, which has been around for about 100 years. Privacy is not about secrets. It's about consent, and keeping other people out of your business. Another aspect involves having control over what you share. Privacy is abstract; it can be hard to define.


Crypto War II: Updates from the Trenches

Matt Blaze, Sandy Clark

Cryptowars Part I was all about wiretapping, and preserving law enforcement's ability to tap communications. Especially encrypted communications.

In 1992, AT&T introduced the TSD-3600. TDS stands for "telephone security device". This was a box that sat between a phone and the handset, and encrypted voice communications. The box acted like a modem, with a Diffie-Hellman key exchange and DES session encryption. These devices sold for about $1400/each.

The TSD-3600 wasn't a commercial success, but it really got the government's attention. They realized that this technology would become more affordable over time, and freaked out. The president of the united states called the president of AT&T and asked them to replace DES with the clipper chip. AT&T agreed, and the government bought a ton of them.

The clipper chip was pretty controversial. Clipper used a key escrow system (whereby the government could obtain private keys), and the escrow system could be defeated. Even if the government is doing its job properly, should we trust them with escrowed keys?

Until 1999, the US government officially discouraged the use of cryptography in consumer products. The government changed its mind in 1999, and that brought the cryptowars to an end.

In September 2001, there was a half-hearted attempt to put crypto restrictions into the patriot act, but that never really went anywhere.

In 2014, (FBI director) James Comey starts talking about "going dark" - the same argument that was used in Cryptowars Part I.

Wiretapping uses the phone infrastructure to capture the contents of communications. The percentage of wiretaps that have run into voice encryption rounds down to zero. The FBI cases (Apple and the San Bernadino shooter) are about stored data, rather than wiretaps. But we're still talking about the same encryption algorithms, and the same technical issues.

Computer security is hard, and can fail in several places. We occasionally fail with algorithm design, we frequently fail with algorithm implementations, and almost certainly fail when assembling systems. The FBI are the only people on the planet who think our computer security is too good.

There are two important tools we have for building security features: cryptography and simplicity. Back doors go against both.

At a policy level, there are two problems. (1) we can't afford more security vulnerabilities in our computer systems, and (2) access may get harder for law enforcement. Can we solve both problems at once?

The FBI got into the San Bernadino shooters phone by hacking. Instead of cracking the encryption, they cracked the device. What if device exploitation became the normal channel for obtaining data? The FBI is afraid of having the legal right to access data, but not the technical ability to do so.

We can apply two axioms: (1) everything is made of software, and (2) all software is insecure. Do you remember 2014? At the time, we said that 2014 was the year of the breach, until 2015. Then, 2015 was the year of the breach. Now, 2016 has become the year of the breach.

No device exists in isolation, and the internet is almost like one big living organism. We barely understand how it works, and we have no idea how to secure it. Every bit of complexity adds a new attack vector, and many of those attack vectors can be exploited. You don't necessarily need zero-days; you just need an unpatched system. All of these exploits are available for law enforcement to use.

Exploits can be targeted, so that they only collect information allowed by a legal process, and only collect it from an individual named in a warrant.

The FBI's takedown of Kickass Torrents involved using the Wayback Machine, whois, and good old-fashioned social engineering. They bought ads on kickass torrents, and that showed them where the money was going.

There are technical challenges in this approach. The intended target might be a hardened system. There's a risk of detection, and a risk of unintended proliferation (e.g., Stuxnet). Stuxnet was programmed with an extremely small target surface, but it still got out. Timebombs/self-destruct routines could be an effective way to prevent over-proliferation.

This process is expensive, but it should be. Expense acts as a check against untargeted mass surveillance.

There will be issues with law enforcement use of exploits, but I think these issues are surmountable.

Changes to Rule 41 (in the federal rules of criminal procedure) allows large-scale deployment of exploits. This change was quietly put into place, with no discussion in congress. Who decides when these exploits can be used? Do the require a search warrant or just a subpoena? We don't know, and that's pretty scary. We can have much more targeted investigations. Can targeted exploits pick up where wiretaps left off?

Police issues are rarely discussed in the tech community, and technical issues are almost never discussed by lawmakers.


Question: Why is the FBI pushing so hard against encryption, when it poses so few problems to them in practice?

The FBI is resource-constrained. In order to do technical investigations, they'd need more money.

Question: What kinds of things should we do?

Engage. Pay attention to policy changes. Smart technical people need to provide insight to politicians.


Seven Continents: a Telecom Informer World Tour

TProphet

Telecom can create culture.

Communication used to be real work. We wrote letters, and it took a long time for these letters to reach their destinations. It also took a long time for responses to reach us. These were slow, asynchronous communications.

The telegraph was a big change. All of the sudden, you could send messages to distant places, and get a response in the same day. The telegraph created a massive cultural shift.

The telecom era was another revolution, particularly in how the telephone changed the way we did business. The telephone was a truly synchronous method of communication. Telephone communication required less thoughtfulness and less effort. Mobile phones were another evolutionary change in this area.

Each of these communications advances brought more surveillance, and a convergence of IT and telecom.

When telecom becomes widespread in a country, how does that change the population, and the ways they interact with each other.

In Thailand, payphones can send SMS messages. That's still an asynchronous form of communications, kind of like a fast telegraph.

In Palau, all off-island communications go through a single satellite link. Calls are expensive, access to the internet is slow, and you're really limited in terms of the amount of data that can be transferred.

In China, there are kiosks for many things that could be done with mobile apps. It turns out that Chinese people like to go places to do things.

In Germany, you're not allowed to access the internet anonymously. In Turkey, you can't get a phone anonymously.

For nearly anything you can do with two or more people, telecom enables new ways of doing it. We've vastly increased our ability to communicate over distances, but we've also reduced the amount of personal interaction in our lives. Telecom has brought more censorship, and new ways of censorship.

What can we learn from the rest of the world? Japan does a better job with mobile payments. The EU does a better job with mobile banking. India does a better job at cheap communications.

Is online space distinctly different than physical space? Online communities have their own cultural identity. Do these communities supplement or supplant existing physical-space communities?

Half the world's population has no internet access. Most people in the world access the internet over bandwidth-limited mobile devices.


Question: There's a digital divide internationally, and there's a digital divide in the United States. Are these the same kind of divide, or different?

MPESA is a micropayments company in Kenya. Banking isn't a thing there, and people use micropayments instead. Some areas have leaped over the land line and gone straight to mobile. The same thing can happen with industries outside of banking and payments.

Question: Can you talk about phone service in remote areas?

Barrow, Alaska is very much like Palau. There's one satellite dish for all communications services. Prudo Bay is the center of arctic slope drilling. They oil companies ran fiber alongside the roads. Antarctica has internet and phone access via satellite. It's slow, but it works. There's one satellite that can hit the south pole, but only for a few hours each day.

Question: What about places like Montana, where a lot of phone service is provided over 3G repeaters? What will LTE do for places like this?

A 3G to LTE transition will be like any other analog to digital transition.

Question: Why has voice quality of mobile phones not as good as the voice quality of land lines?

It comes down to codecs. Companies are using codecs that use less bandwidth, and voice quality suffers as a result. SIP and VoIP are becoming better alternatives. Question: What about our deteriorating copper infrastructure?

I don't see phone companies investing any more money in copper. Fiber is better. The problem is that many areas don't have fiber service.


National Security Letters: The Checks and Balances Aren't Strong Enough

Nicholas Merrill

My struggle with National Security Letters has been going on since 2004. It's been an enduring story. In 2004, I was running an ISP in New York City, and I got a visit from an FBI agent. The agent delivered a National Security Letter (NSL) to my company. They wanted a bunch of information, including "electronic transaction records". One of my clients was politically active, particularly in the area of correctional system reform. The FBI tried to turn this person into an informant; they refused, which made the FBI very upset. The FBI began to use hostile techniques to enlist this person's support. They put him on a no-fly list, and began to question his employer. This person was the subject of the FBI's NSL.

At the time I received the NSL, I believed that the government should be able to get a real warrant from a judge. NSLs completely disregard the fourth amendment. We have the fourth amendment because British colonial authorities were using writs of assistance to clamp down on people who wanted to break away from the British crown. The fourth amendment says that searches must be particular (where you are searching, and what you are searching for), and warrants must be issued under oath. The patriot act brought us back to general warrants.

The FBI doesn't need to go to court in order to get an NSL. They only need to assert relevance to an authorized investigation.

Around 500 thousand NSLs have been issued, since the patriot act was passed. They all prevent recipients from talking about the order, at all. I wasn't allowed to discuss the NSL with people at my own company, or even a lawyer. Preventing people from talking about NSLs means there's no information about them, and this prevents Congress from exercising oversight.

I was represented by the New York ACLU for about seven years. We went to court, and my National Security Letter was ruled unconstitutional on a number of grounds. Since then, Congress has addressed some of the problems with NSLs, but not all of them.

The fact that NSLs were ruled unconstitutional hasn't stopped the FBI from using them. They still issue national security letters, at around the same rate. The secrecy

involved in these techniques has led to a real lack of accountability. National Security Letters use the term "Electronic Communications Transaction Records". The definition of this term more or less asks the recipient to determine what these records are. Fifteen years after the Patriot act, we don't have a firm grasp on what kind of information the FBI collected, how it was used, or where that information is now.

The FBI's inspector general uncovered a lot of abuse. Of all the NSLs issued, only one ever led to a conviction - for material support of a terrorist organization. Material support is a very broad term. For example, teaching a terrorist organization about conflict resolution would be classified as material support.

Why does the FBI continue to issue 50k national security letters each year? It's because the recipients don't challenge them. When challenged, the FBI will typically withdraw the NSL, to prevent the case from being heard by courts.

Who's working against NSLs? The EFF and ACLU have spent years litigating against them. Some technology companies are pushing back, and activist groups are lobbying for Patriot act reform. It's best to use a combination of litigation, legislation, and technical measures. And tech people should create systems that don't collect metadata in the first place.

"No fight for civil liberties ever stays won". This quote comes from ACLU founder Rodger Baldwin.

Calyx (my company) won the ability to talk about our national security letter. But that victory didn't carry over to other NSL recipients. They have to fight their own gag orders.


Question: I have a question about policy laundering. For example, if we can't pass a certain kind of law passed in the US, we can try to get it passed in a puppet government like the UK. Once it's passed in the UK, we can claim that as precedent. Does the EU ever try to launder policies through the US?

I'm not sure. In the EU, there's a strong focus on data collection by private companies. There's been very little focus on that in the US.

Saturday, July 23, 2015

Surveillance Gives me the Chills

Alex Marthews

Do people actually care about surveillance? Are they ignorant, apathetic, or do they have too many other things to deal with?

How do we know what the government is looking for? DHS had a social media monitoring program, and their list of keywords was published in 2011. Try to guess which of these words was on the DHS list.

  • agriculture, or weed. (weed)
  • Islam, or Jihad. (jihad)
  • white power, or illegal immigrant. (illegal immigrant)
  • hacktivist, or Anonymous. (hacktivist)
  • Bittorrent, or phreaking. (phreaking)
  • zero-day, or revolution. (revolution)

We wondered whether knowledge of mass surveillance would lead to self-censorship. To answer this question, we looked at Google trends data for 282 terms that were on the DHS keyword list. Our control group came from Google Zeitgeist (for "clean" internet searches). We also crowd-sourced a list of 100 personally embarrassing terms. After the Snowden revelations, there was a 5% reduction in searches for governmentsensitive terms. In non-US countries, there was a reduction in searches for personally embarrassing terms.

J. Penny did a similar study of Wikipedia pages. There was a 19.5% reduction in searches for terrorism-related terms, but no reduction in searches for security-related terms.

Another study showed that people were likely to modify their behavior when reminded about surveillance. They'd avoid sharing opinions that might be considered outside the norm.

All three of these studies illustrate people constraining their behavior in opinions they give, and things they look for. People who say they have nothing to hide are actually more likely to constrain themselves.

Law enforcement responds to stuff on social media. For example, they get antsy around the time of public events, and ramp up social media surveillance. In Arlington, a tweet caused a 12-member SWAT team to show up at someone's house.

The Boston police identified several "threats" during the 2014 Boston Marathon (this was one year after the Boston Marathon Bombing). The threats were (1) two middleeastern males asking questions about crowd size, and (2) two reporters from the Bay State Examiner asking police questions, and filming their interactions.

For all practical purposes, our government has adopted a convoluted definition of violent extremism. Their definition of violent extremism is (people planning violent crimes) + (people organizing peaceful protests) - (violence committed by the state) (people who the state approves of). We can't allow the government to define "violent extremist" this way; it leads to the suppression of free speech.

The FBI has a stated policy of following up on every terrorism lead. A tremendous number of these leads are false positives. In fact, there are about 9000 false positives for every legitimate lead. I think the solution is more speech. For example, one could counter terrorism by taking ISIS material and repurposing it to build community opposition, or counter arguments.

We need more solidarity and less hay ("less hay" referring to the idea that one needs a haystack in order to find a needle). Law enforcement should only perform investigations and seizures when there's individual evidence of involvement in a crime.


Leak Hypocrisy: A conversation on whistleblowers, Sources, and the Label "Espionage"

Jesselyn Radack, Carey Shenkman, Naomi Colvin

Our government charges people for leaking information, yet they routinely leak things themselves. We have a two-tiered system of justice. High-level officials can leak information for political gain, and the system gives them cover. Low-level whistleblowers, on the other hand, risk decades in jail. There has to be a public interest defense for whistle-blowing. Currently, the courts don't recognize public interest, where information is not leaked for personal or political gain.

Take the Snowden leaks, for example. He'd be happy to come home and stand trial, if he could offer a public interest defense. The government has already stated that he will not have that option. Attorney General Eric Holder said that Snowden performed a public service, so it's hypocritical for him to ask for prosecution. People that work for the government have a duty to report corruption, illegalities, or human rights abuses.

Most people in government are trying to serve the public. Whistle-blowing is usually the end result making waves, and getting a bad result. What are secrets designed to protect? Corruption and abuse, or people and rights.

European views on injustice are more straightforward and obvious than views in the US. The US is moving towards a darker time, while Europe is getting more progressive. Chelsea Manning filed an appeal against the length of her detention, and several organizations filed supporting briefs. She's still in detention.

When we talk about a two-tiered justice system, we're not just talking about whistleblowers. It's also about the free flow of information, especially in the media. Some reporting is dictated by the government, because news organizations are afraid of losing access.

The EU had a serious inquiry into the Snowden revelations. Germany has looked into complicity with NSA surveillance. However, Germany doesn't have a whistle-blower protection law. People in the EU have become much more aware of corporate tax avoidance (e.g., due to the Panama Papers). Without whistleblowers, that wouldn't have happened.

Price Waterhouse Coopers prosecuted the Lux Leak whistleblowers over violation of banking secrets laws. The EU just passed a trade secrets law, which is another barrier to whistleblowers. In the US, corporate whistle-blowing is okay, due to laws like Dodd-Frank and Sarbanes-Oxley. We need to get parity for government whistleblowers.


Question: Is there a stigma, with the idea of whistleblowers as being traitors?

Whistleblowers have traditionally been treated as turncoats and traitors. The government does this to draw attention away from the information they're releasing. The government has also tried to censor publishers who print leaked information. For example, Nixon tried to get gag orders against the newspapers that reported on the Pentagon Papers.


Arduino for Complete Newbies

This was a workshop about building Arduino boards.

The instructor recommends Cornfield Electronics as a source of parts.

You'll need a driver for the Arduino's serial cable. Choose "Arduino Uno" as the board type. You'll also need to specify which port your board is connected to. usbtty0 usually works.

Arduino programs are called "sketches". Here's an example, that blinks an LED attached to pin 13.

 void setup() {
   pinMode(13, OUTPUT);
 }
 
 void loop() {
   digitalWrite(13, HIGH);
   delay(1000);
   digitalWrite(13, LOW);
   delay(1000);
 }

There are two parts to a sketch: setup, and the main loop. This example turns an LED on and off, once per second.

This code has to be complied, and uploaded to the Arduino. Once a program is uploaded to the microcontroller, it stays there until overwritten.


Sunday, July 24th

LinkNYC Spy Stations

Deborah Natsios, John Young

NYC's "free public wifi" is neither free nor public.

It's great that the city is trying to provide free internet access, but there's cause for concern over some of the privacy implications. The ACLU outlined some of these concerns in a letter to the city, but the city never responded.

LinkNYC is largely a privatized project. In 2012, the city wanted to replace old payphones with some form of internet access. In 2014, the city awarded the contract to CitiBridge. CitiBridge is a new company, which was spun out of the two companies that used to maintain NYC's payphones. Google purchased CitiBridge's parent company, and now they're called Intersection.

Each LinkNYC terminal has three cameras and thirty sensors. The city expects the terminals to generate $500M in ad revenue, and they'll keep half of that. $500M over 12 years works out to $0.000043 per person, per month.

Most of our privacy concerns came from reading LinkNYC's privacy policy. The first version of the policy wasn't complete - it contained drafting edits. The policy tends to be amended each time a concern appears in the media; they keep adding to the list of data they're going to collect. It's a long list, which includes search terms, clickstream data. Privacy policies are supposed to represent a legal obligation that states what information will be collected, and how that information will be used.

The privacy policy says that information will not be sold, but that it may be shared. The privacy policy also states that the city will "make reasonable attempts to delete data 12 months after your last login"; data retention can be in perpetuity, as long as you keep logging in. The city claims that personal information will not be used for targeted advertising, but the privacy policy explicitly allows this use.

Take the number of terminals installed, and multiply by three. That's the number of cameras installed - in NYC, and in other cities where these devices are used. The video data will be centrally stored.

According to marketing materials, each terminal comes with a bluetooth sensor that pings nearby devices, to see what responds. The privacy policy doesn't mention this at all.

If a city doesn't use ads, the get the terminals for free, but pay $40k for installation and operating costs. If the city uses the terminals for advertising, they'll receive $30k/year per terminal.

One of the company officials claimed that their goal was to track people's location, and target ads to them. This is taking the internet business model, and applying it to private space. This is what we'll have to look forward to with "smart cities", unless we push back.

The NYC ACLU's letter mentioned data collection and data retention. They advocated for retention limits, and only collecting and retaining data for operational needs. Right now, access to collected data is granted with only a subpoena. The ACLU also wanted to see users notified when their data was collected, unless prohibited by a court order.

Camera data can be shared with law enforcement, and there are no restrictions on this sharing. The ACLU wanted to know if the cameras were intended to feed NYC's domain awareness system. The city won't respond to these questions. The vendor claims that the cameras are not currently turned on. This begs the question, when will they be turned on?

The project claims to provide internet access to people who might not otherwise afford it. So, who's most targeted by this surveillance? There's also the issue of mission creep. Even if surveillance wasn't the original goal, the fact that the terminals can be used for surveillance makes it likely that they'll eventually be used for that purpose.

The terminals allow for the privatization of data collected in public spaces. The vendor and the city will have access to this data, but the public won't. The terminals have passive sensors to "solve challenging problems that cities face". There's no elaboration on what these challenging problems are.


Question: What about the USB connectors on the terminals?

The privacy policy doesn't mention the USB connectors. Supposedly, they're only provided for charging devices.

Question: If the video were shared with another group, would the other group be permitted to use facial recognition software?

Yes, they would.

Question: What does the privacy policy say about beacon tracking?

The privacy policy doesn't mention beacon tracking. That's only mentioned in the marketing materials.

Question: How can we give them bogus data?

There are ways to do that, but I wouldn't encourage doing anything illegal.

Question: What happens if the company doesn't follow their own privacy policy?

Technically, they'd be breaking the law. However, the privacy policy is very broad, and allows them to do almost anything.


Freedom and Privacy in our Lives, Our Governments, and our Schools

Richard Stallman

This was similar to other RMS talks I've heard, but things started out with a bit of a twist. Richard's laptop and the conference room A/V system were not cooperating with each other, and Richard was unwilling to use another laptop. He ended up putting his laptop on the presenter table, facing the audience. One of the videographers was able to zoom in on his laptop screen, and run that signal to the projector. I wrote down one memorable quote:

Any law that prohibits sharing of published work is anti-social. This war on sharing is completely vicious. I reject "piracy" as a propaganda term that's used by the copyright industry. When people ask "what do you think of piracy", I say "robbing ships is bad".


Mapping Surveillance Cameras

James O'Keefe

I started working on this project with BINJ, the Boston Institute for Non-profit Journalism. We started collecting pictures of surveillance cameras, along with their coordinates.

Later, I found a CCTV manufacturer with a nice little app for mapping cameras. I used this for a while, but realized there was a problem: all the information was owned by the CCTV manufacturer.

The NYC surveillance camera project has a textual listing of cameras, but not a map. Though you can see a list, it's not easy to visualize where the cameras are located.

Open Street Map was a better alternative; that's what I've been using to map cameras. The cameras I map become public data, and anyone can use that information. I've put this on a web site, http://cctv.masspirates.org. It pulls down Open Street Map data once an hour, and points labeled "Surveillance Camera".

I mapped 30 cameras on a two-block walk to breakfast. I found 14 more in a small alley with a few shops. There are twelve cameras mounted in front of Penn Station. I mapped 21 while waiting in line at a concert in Providence, RI, and 17 more around a new school in Somerville.

I map the cameras with an iPhone all called pushpin, and pushpin uploads the changes to open street map. Pushpin works, but I'm trying to find an app that does a better job of streamlining the process.


Hacking Housing

Luke Iseman, Heather Stewart

We started turning shipping containers into tiny houses. This evolved into an incubator for tiny house construction; we have 18 units under construction right now. These aren't the glamorous houses you'll see on HGTV. We more interested in affordability. These houses cost about $10k/each to build.

These houses are built out of shipping containers. A "TEU" or "twenty-foot equivalent unit" is a standard container size. A TEU is 20' long, 8.5' high, and 8' wide, giving a total of 160 square feet. They're pretty easy to get in the Bay area. You can typically buy a container for around $2,300, which is about the cost of scrap.

Great - you've got a shipping container. You can pitch a tent inside of it, and sleep there (which we did, after getting our first container). Turning into a house requires more work, but you can do it in steps.

Get some reflective roof paint, and coat the whole exterior of the container. This will reflect sunlight and prevent thermal gain.

Next, you'll need some windows and doors. Expect to spend around $800 here. Home depot is a fine source of materials. Try to get double-paned glass or better.

Next, you'll need some welding and cutting equipment, to cut holes for the windows. Be sure to cut the holes 1" bigger than the window size.

After you've got the windows in, it's time to start working on the interior. Pink insulation or Reflectix works well.

Use bamboo, or some other kind of solid-core wood for the walls and floor.

Bedrooms are easy. You'll need the typical mattress and sheets.

When doing the kitchen, look for the kind of things that people use in RVs, boats, and camping. These work well in tiny houses too.

Get an on-demand water heater. You'll also need supply and waste pipes, and fans for ventilation.

Toilets are a controversial subject. We've been using composting toilets. The simplest version is a 5 gallon pail, a toilet seat, and some sawdust. But you can get fancier.

We've tried to use solar power where possible. You'll need panels, a controller, an inverter, and a marine battery. Power what you can with DC, to minimize inverter loss.

Total cost so far: $9,200, and seven long days of work.

Now that you've built a tiny house, where do you put it? Finding space for one unit is hard; it's easier to find space for a group of houses.

Sometimes you have to move. But being shipping containers, they're easy to move. You can see pictures of our work at https://boxouse.com/.


Question: Have you looked at hacking house boats?

Some friends rented space from us, which they've been using as a boat hacking space. On the west coast, there are very strict laws about overnight docking.

Question: What about zoning laws?

Most zoning enforcement is complaint-based. If no-one complains, there's no problem. We've also found that what's in the zoning laws isn't necessarily what's enforced.

Question: How do you find warehouses, lots, and spaces?

Craigslist is a good place to start. Don't tell you're landlord that you're planning to live there; pay your rent in full a week in advance, and they won't bother you. You don't need to get perfect results. Focus on practical things instead.

Question: Have you tried working with 40' containers?

No, they're really big and hard to move with a forklift. We'd like to try one eventually, though.

Question: Did you ever consider hacking on RVs or mobile homes?

That's definitely an option, just not the one we went with. If I were to do something vehicle-based, I'd probably start with a minivan.

Comment: There's a community of "skoolie" converters. They convert school buses into liveable spaces.

Comment: Rural areas can be more flexible with zoning, as long as you talk with the town first.

Question: How do you decide when to fight, vs. when to move?

The decision isn't that binary. Make sure the space stays interesting, fun, and entertaining.

Question: What do you miss the most about having a regular house or an apartment?

A kitchen. I haven't built one yet.

The ability for it to be only mildly illegal to rent my place on Air BnB.

Question: How well would these houses work in a cold environment?

In a cold climate, you might want 2x6 walls, and more insulation. A propane heater would help during the winter.

Question: Have you looked at underground shipping container houses?

If you're interested in that sort of thing, there a 1970's book called "The Underground Home" that you should look at. Being underground reduces the need for heating and cooling.


The Black Holes in our Surveillance Map

Marcy Wheeler

Reading documents can give us an understanding about government surveillance programs. It also lets us theorize about programs we haven't heard of (yet). The idea is to look for negative space in the documentation.

Look for veto threats during national security debates. Veto threats usually indicate something important.

Our Stingray discoveries go back to the Daniel Rigmaiden case. Rigmaiden was busted by the IRS's use of a Stingray. The EFF, ACLU, and local activists have been pressing for information about these devices. Now, we know they've been used many times without warrants.

The FBI will often send agents without direct knowledge to testify in court cases (i.e, "I wasn't there, but I read the report".) If the agent is asked an interesting question, the have plausible deniability for not knowing information beyond what's in the FBI reports. If you're reading about FBI court testimony, and the agent doesn't have first hand knowledge of the case, ask why. Look for gaps in time and space, and for the appearance of data without a good explanation.

Law enforcement often uses parallel construction. Agents might obtain information outside of due process, then look for other ways for that information to be introduced.

ECPA (the Electronic Privacy Communications Act) reforms passed the house by a voice vote. The senate version wasn't so good. It would have codified the FBI's National Security Letter practices. The Senate also tried to take judges out of the loop of "emergency requests". The senate also wanted to eliminate the need for law enforcement to justify why an emergency request was, in fact, an emergency. Emergency requests are often abused. The government will often withdraw their case in the face of push-back, so there's no investigation.

Sen. Wyden has asked about government standards for collection location information from smart phones. FISA defaults to requiring a warrant for location data, but individual states may have lower thresholds.

Facebook uses co-location for friend requests. This was discovered when a teenager who was getting suicide prevention counseling started getting friend requests from other people nearby, who were also receiving counseling. The parents approached Facebook about this. Facebook essentially responded with, "yeah, we do that".

The NSA had a financial dragnet program, to collect information about Western Union money transfers.

The FBI collected information about people who purchased things that might be used for bomb making - pressure cookers, hydrogen peroxide, and nail polish remover (acetone).

The USA freedom Act's transparent requirements don't require reporting about the use of location data.

CISA is the Cyber Intelligence Sharing Act. Companies that share cyber intelligence information with the government are given broad immunities. Data collected can be used for a variety of things. There were amendments that would have added transparency requirements to CISA sharing, but those amendments were rejected.


Question: Is there anything we can do about excessive FOIA redactions?

We should really start pushing the FISA court to provide notice to defendants. I think we'll learn more from FISA discovery than FOIA.

Question: What about phone taps, and services like twitter?

If the data exists, assume it will be collected.

Question: Is there a relationship between post-call digits, and material in URLs?

URLs are treated like content. But electronic communications transaction records (e.g., as requested in National Security Letters) often ask for URLs. The NSA correlates different online identities. One of the reasons they do this is to try to correlate passwords.

Question: Are the national security folks going to ad agencies for data?

Ad agencies are third-party companies. There's no reason why the government couldn't go to them for data.

Comment: The NSA minimizes or discards data collected from members of congress. But they definitely collect communications from lawyers.

Question: How can we get our congress critters to pay attention to this stuff.

There's a fourth amendment caucus in Congress.


Other Notes

Mobile citizen, http://mobilecitizen.org/ is the organization behind making portions of the mobile spectrum specifically available to non-profits.

http://www.zeit.de/ - a weekly German newspaper.

The internet society is the group that streamed HOPE. https://www.internetsociety. org/. The use a piece of streaming software called Livestream studio.

The "E" in "Email" stands for "Evidence".

https://meet.jit.si/ is a public-facing web Jitsi service.

https://ricochet.im/ is a messaging service that works over Tor. Looks like each ricochet instance creates a small hidden service for itself. The project says it's still in the experimental stages.