0:00:08.744,0:00:13.883 It's conventional to give an introduction at a moment like this 0:00:13.883,0:00:19.039 and there are of course two things that make doing that difficult, if not pointless. 0:00:19.039,0:00:25.821 One of which is, everyone already knows the speaker, and the other is, his family is here, which means of course 0:00:25.821,0:00:31.407 introductions must be handled with particular care. 0:00:31.407,0:00:39.702 I've been trying to talk about Snowden and the future at this law school this fall, and I was hampered by two things: 0:00:39.702,0:00:47.122 I hadn't read the documents, and I wasn't a cryptographic expert. 0:00:47.122,0:00:53.073 Both of those problems have been solved because I'm not going to be doing the talking this evening. 0:00:53.073,0:01:01.489 Bruce Schneider is (I think it's fair to say), the world's most important cryptographer and public intellectual-- 0:01:01.489,0:01:11.045 most wonderful cryptographers being more introverted and less linguistically capable in high rhetorical form. 0:01:11.045,0:01:18.076 So that's why he doesn't need any introduction, but I should say that as another alumnus of 0:01:18.076,0:01:20.826 the Hunter College Elementary School System, 0:01:20.826,0:01:24.291 that Bruce is a graduate of the Hunter High School in New York 0:01:24.291,0:01:31.993 and of the University of Rochester, and of American University, and holds honorary doctorates 0:01:31.993,0:01:37.662 arising from having done good work for the human race, which most people here know all about. 0:01:37.662,0:01:45.661 Applied cryptography is still a really good place to begin if you want to understand why you can trust the math. 0:01:45.661,0:01:54.407 The array of articles, interviews, and books on security, trust and modern technology 0:01:54.407,0:02:03.074 is, for people like me who try to follow along doing the law of this, is not just an inspiration but a godsend. 0:02:03.074,0:02:12.173 It's my great pleasure to have Bruce here at Columbia today because he knows what the rest of all those documents say 0:02:12.173,0:02:18.369 which means he knows a great deal about Snowden and the future is really going to turn out. 0:02:18.369,0:02:26.816 I hope here in conversation this evening we can hit some of the geeky high spots of all of that. 0:02:26.816,0:02:37.435 So, Bruce, welcome to Columbia Law School and thank you for being here. 0:02:37.435,0:02:43.772 Maybe a good place to begin would be to say whatever you can say about how you came to be 0:02:43.772,0:02:49.362 involved with Glen Greenwald and the project of publication of Mr. Snowden's disclosures. 0:02:49.362,0:02:53.880 Well, the one sentence answer is: "I was asked." 0:02:53.880,0:03:00.542 Greenwald had in his possession all these documents. They are very technical, very jargon-filled 0:03:00.542,0:03:08.096 and he needed an expert in the material to help understand them. 0:03:08.096,0:03:13.937 My name came up again and again until he called me. 0:03:13.937,0:03:19.961 Stuff happens, and I go down to Rio, and it's kind of a surreal experience to be handed 0:03:19.961,0:03:27.278 reams of Top Secret classified material and say "hey read this and tell me what you think" but 0:03:27.278,0:03:30.354 that's what I did. 0:03:30.354,0:03:35.603 We worked on several stories, and the one story we published before Greenwald severed his relationship 0:03:35.603,0:03:39.609 with The Guardian was about Tor, the anonymity service. 0:03:39.609,0:03:51.024 It's a good story, it talks about how it is secure, how the NSA does go after Tor users, what mechanisms they're using 0:03:51.024,0:03:59.346 how they are attacking users on the Internet, both getting data, breaking anonymity, breaking into computers. 0:03:59.346,0:04:05.778 The story published in early October, and I think it was like two weeks later that Greenwald broke with The Guardian. 0:04:05.778,0:04:12.941 Presumably, when a new venture gets started up, I will be back doing stories. 0:04:12.941,0:04:21.133 There is a lot more to tell. Until then, you are in the very capable hands of Bart Gellman and Ashkan Soltani 0:04:21.133,0:04:26.297 who are writing for the Washington Post, doing a great job. 0:04:26.297,0:04:35.205 What do you think we should do with the fact that you probably weren't terribly surprised by what you read? 0:04:35.205,0:04:40.751 There's a movement around that world that says, "Well, nobody is really surprised because everybody 0:04:40.751,0:04:46.962 knows it's going on, therefore there's nothing we need to do about it," and I find myself confronting that knowing that 0:04:46.962,0:04:55.416 the first part of the syllogism is, in fact, correct. We're not terribly surprised. Why are we not terribly surprised? 0:04:55.416,0:04:57.661 You know, I think we're both surprised and not surprised. 0:04:57.661,0:05:04.811 It's really interesting, if you've ever watched any movie with an NSA villain, this is exactly the sorta thing they would do. 0:05:04.811,0:05:12.538 There's nothing in the revelations-- I mean, sometimes they are a bit extreme, spying on gaming worlds-- 0:05:12.538,0:05:19.123 but if you thought about it for half a minute, you would say "well of course you would, that's a place to communicate." 0:05:19.123,0:05:24.621 If the goal is to eavesdrop on all communications, you're going to eavesdrop on that channel just like 0:05:24.621,0:05:31.377 you'd eavesdrop on a little chat window in a Scrabble game, as well as Skype. 0:05:31.377,0:05:40.792 So, there is no surprise. But the details, the extent, I think it really is a surprise. 0:05:40.792,0:05:47.463 We kinda knew it, but we never actually fully thought about it, we never did the math. We never worked out the budgets. 0:05:47.463,0:05:53.550 And we were starting to, because we were seeing the Utah facility come up, and people were looking at 0:05:53.550,0:06:02.045 the square footage, the power, how many servers are there, what could be stored there, but still you're just guessing. 0:06:02.045,0:06:09.499 Seeing it for real is just surprising because it's there. You might know it's there, but seeing it... 0:06:09.499,0:06:16.749 The analogy I've been using, a crummy analogy but it's the best one I've got, is it's kinda like death. 0:06:16.749,0:06:25.592 You all know death is coming, it's not a surprise, the story always ends this way, yet everytime it happens it is a surprise. 0:06:25.592,0:06:32.171 Because you basically never really think about it. I think surveillance was like that; we never thought about it. 0:06:32.171,0:06:39.694 There are professionals in the world of cyber security who have thought about it. They are more surprised I think than you and me 0:06:39.694,0:06:46.536 because they trusted in what the listeners told them more. The gaps that have opened up in the documents you've read 0:06:46.536,0:06:55.978 between what is actually going on and what people were assured was going on must seem fairly large. 0:06:55.978,0:07:00.740 We know that they promised the financial community that they were going to break financial crypto. 0:07:00.740,0:07:08.659 We know they made all sorts of promises about how minimization worked in the United States. 0:07:08.659,0:07:19.511 In that sense, is it true that those of us at the "cypherpunk" edge of the world more surprised because they trusted The Listeners more? 0:07:19.511,0:07:27.791 I don't know, my guess is if you're right you're surprised even more, because, my god, it is actually that bad. 0:07:27.791,0:07:38.155 You know, around the edges... you sorta have a bell curve of beliefs of how bad this was. 0:07:38.155,0:07:45.593 Now we're seeing that even the more extreme beliefs of how much surveillance is going on 0:07:45.593,0:07:59.397 are true and actually conservative. We're seeing a surprising number of alliances, where it's very common for the NSA to spy on country A 0:07:59.397,0:08:05.526 and then partner with country A to spy on country B, and then partner with country B to spy on somebody else. 0:08:05.526,0:08:15.102 We're seeing so many webs of that. Germany, who is one of NSA's most trusted partners is being spied on. 0:08:15.102,0:08:21.941 The only thing we haven't seen-- and I can't wait because it will be extraordinarily big-- is when we start seeing 0:08:21.941,0:08:27.727 the UK and the US start spying on each other. I think the odds of that not being true are very small. 0:08:27.727,0:08:35.479 Because why in the world, if you as the NSA are spying on your own country, why wouldn't you spy on the country of your closest ally? 0:08:35.479,0:08:40.258 You're spying on everyone else. There's just no exclusion. 0:08:40.258,0:08:47.369 What do you think is the biggest headline for you, as a technical thinker, that's come out of the documents you've seen? 0:08:47.369,0:08:59.735 I think the most important headline is that crypto works. We expected more cryptanalysis, we expected more "the NSA can break this code and that code and that code." 0:08:59.735,0:09:07.509 We know they're spending an enormous amount of money on this. But again, we learned from the documents that cryptography works. 0:09:07.509,0:09:18.813 That's the lesson of Tor. The NSA can't break Tor and that pisses them off. That's the lesson of the NSA eavesdropping on your buddy list and address books 0:09:18.813,0:09:27.400 from your connections between your browser, Gmail, and your ISP. You look at the data, and they get about 10 times the amount of data from 0:09:27.400,0:09:36.735 Yahoo users as Google users even though Google is so many more times larger than Yahoo. It's because Google uses SSL client-side as default. 0:09:36.735,0:09:40.903 So, SSL works. And there's another slide from a program called MUSCULAR 0:09:40.903,0:09:48.982 which is an NSA program for getting data from Google's data centers and the connections between them, where they specifically point out 0:09:48.982,0:10:03.489 "this is the place where SSL is removed." So, we see again and again that cryptography is not much of a barrier, but they aren't breaking it by breaking the math. 0:10:03.489,0:10:12.311 They're breaking it by cheating, by going after the implementation, by stealing keys, by forging certificates 0:10:12.311,0:10:22.418 by doing all the non-cryptography things that we all know are important, but you don't get that mathematical benefit. 0:10:22.418,0:10:32.803 Just to take the paranoid side of this for a moment, how much of this do you think could turn out to be cognitive bias in our collecting? 0:10:32.803,0:10:40.035 Did Mr. Snowden miss the whole other trove in which the documents about crypto-breaking are? 0:10:40.035,0:10:49.622 That's certainly possible. We don't know a lot about how he collected and what he collected, but it's certainly possible. 0:10:49.622,0:10:54.995 There are a documents about cryptanalysis that are completely separate, on separate networks and he didn't have access to them. 0:10:54.995,0:11:07.246 But what we are seeing is operational stuff. You'll see in the documents on BULLRUN, which is their program to subvert cryptography, it'll say 0:11:07.246,0:11:17.667 in several places, "don't speculate on how this works." They're talking to the analysts, the people doing the intelligence. 0:11:17.667,0:11:30.530 "You want to break into these circuits, we will do that for you. Don't speculate on how we're doing it. Just accept this windfall of data and be happy." 0:11:30.530,0:11:41.664 But we do see, again and again, crypto stymieing. Tor's story is really important. They [NSA] have seminars and workshops on "how do we break Tor?" 0:11:41.664,0:11:52.923 Again and again you see that they are unable to, that the cryptography is working, and that when they have breaks they're getting in around the edges-- 0:11:52.923,0:11:58.011 attacking the user, they're trying to go after correlations. 0:11:58.011,0:12:05.923 There is something in the black budget, which we see the first pages of (and I think the Washington Post published those) 0:12:05.923,0:12:16.554 there's a narrative by James Clapper, talking about what the NSA is doing. There is one sentence where he talks about crytopgraphy-- 0:12:16.554,0:12:22.173 I'm going to read the sentence because I think the wording is interesting. 0:12:22.173,0:12:34.645 He says, "We are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit Internet traffic." 0:12:34.645,0:12:42.725 So, that sentence doesn't sound like, "We got a bunch of smart people in a room and hope they get lucky." 0:12:42.725,0:12:49.099 That sounds like "We've got a piece of math but we need a bunch of engineering to make it work." 0:12:49.099,0:13:02.978 "We need a really big computer, a big database, we need some something that requires time and budget. Not new math." 0:13:02.978,0:13:10.461 So, there's speculation that there is at least one piece of cryptography that they have and we don't. Which is perfectly reasonable. 0:13:10.461,0:13:19.607 They tend to hire the top 10% of mathematicians every year. They go into the agency, they never come out. They get everything we do, we get nothing they do. 0:13:19.607,0:13:27.145 There is going to be this differential in knowledge that which will expand over the years. 0:13:27.145,0:13:36.424 Before this we all would say, "we think they're 10 years ahead of the state of the art." And we pull that number out of the air. 0:13:36.424,0:13:43.011 So there are speculations of what the NSA has. And these are just speculations; we know nothing. 0:13:43.011,0:13:48.357 I'll give the three-- the first is something about elliptic curves. 0:13:48.357,0:13:58.182 Elliptic curves is a very complex area of mathematics that is being used in public key cryptography, and it is perfectly reasonable to believe that 0:13:58.182,0:14:06.488 the NSA has some ability to either break elliptic curves to a greater extent than we can, or to break certain classes of curves that we would 0:14:06.488,0:14:15.561 not be able to recognize. We know that the agency has tried to affect curve selection, which implies that there are some classes of curves 0:14:15.561,0:14:22.505 they have an advantage over, that we don't know. The other reasonable assumption is general factoring. 0:14:22.505,0:14:31.269 If you look at the academic world, factoring gets better slowly every year-- a factor of 2 here, a factor of 10 there, a factor of 100 on a really good year. 0:14:31.269,0:14:37.883 Every year it progresses. If you assume the NSA is 10 years ahead of the state of the arts, you can do some math and you can assume they are 0:14:37.883,0:14:44.967 at some higher point than we are. And that'd be the sort of thing that would make sense from Clapper's quote. 0:14:44.967,0:14:58.075 The third speculation is the RC4 algorithm, which is a symmetric cypher that has been teetering on the edge of "we can break it in academia" for quite awhile. 0:14:58.075,0:15:06.993 It was invented by Ron Rivest, who is actually the master of the too-good-to-be-true cypher: you can't imagine it being secure yet you can't break it. 0:15:06.993,0:15:10.827 And maybe it's holding up, but maybe they have something. 0:15:10.827,0:15:20.128 Those are my guesses but there is going to be at least one piece of math, it will be extraordinarily hidden. 0:15:20.128,0:15:33.240 Just like the names of the companies who are cooperating in BULLRUN, this stuff is ECI-- extremely compartmentalized information-- pretty much never written down. 0:15:33.240,0:15:38.871 Now, sometimes you get lucky. And Snowden, because of his position, did get lucky. 0:15:38.871,0:15:53.246 I remember some of the early weeks of this, some congressman said a quote like, "Snowden couldn't have this data. You have to be on a list to get this data. He wasn't on the list!" 0:15:53.246,0:16:01.135 I'm listening to the person and I'm thinking, "no you don't understand, here's the man who typed the list into the computer. Don't you understand what root access means?" 0:16:01.135,0:16:10.493 Who has the most access to the secrets in a company? It's the janitorial staff, because they get access to everything. 0:16:10.493,0:16:20.231 The plumbers, the people who are doing the infrastructure, have enormous access, and that seems to be what happened. 0:16:20.231,0:16:25.822 Let's talk a little bit about the efforts against math. Standards corruption, for example. 0:16:25.822,0:16:35.734 We have one clearly documented case of NSA taking over a standards-making process, and choosing in the end, for NIST, 0:16:35.734,0:16:41.971 a random number generator which was not a random number generator exactly... 0:16:41.971,0:16:50.849 How should we think that process of not necessarily attacking the basic mathematics but attacking how that math is applied 0:16:50.849,0:16:58.309 in the standards process to produce weaknesses, how far should we take that to an extent? 0:16:58.309,0:17:04.117 That's certainly worrying, something we're looking at over and over again. That the standard in question is a random number generator standard, 0:17:04.117,0:17:10.943 and if you are going to put a backdoor into a system, hacking a random number generator is a perfect place to do it. 0:17:10.943,0:17:19.635 You can do it imperceptibly. It doesn't affect the output at all. It's a really good place to put a secret backdoor. 0:17:19.635,0:17:26.853 This is a case, again, where we knew. It was '06 or '07 where I'm writing an essay where I'm saying 0:17:26.853,0:17:31.661 "Don't trust this random number generator because there could conceivably be a backdoor and here's how you'd put it in." 0:17:31.661,0:17:41.446 Again, there's no big surprise. It's one of four random number generators in the standard. The other three we think are good. 0:17:41.446,0:17:49.309 But this entered the standard and then it started being requested by governments, by US government contracts, 0:17:49.309,0:17:55.689 and it ended up as the default random number generator in some libraries, and no one is really sure how. 0:17:55.689,0:18:05.549 So this is an example of how a hacked standard can infiltrate slowly the systems we're using. 0:18:05.549,0:18:12.165 So now we're starting to look at everything else, and NIST, whose the government entity doing these standards, 0:18:12.165,0:18:23.266 who pretty much has been trusted, is coming under a lot of scrutiny, and they, I think rightfully, are very angry at the NSA for ruining their credibility. 0:18:23.266,0:18:32.876 I think a lot of the standards are still good. The AES is still strong. We have a new hash function standard that I'm happy with. 0:18:32.876,0:18:39.550 These were semi-public processes. These were not NSA-produced algorithms that became standards. 0:18:39.550,0:18:48.368 These were open calls, and we in the community would look at them, and there was rough consensus, and the NIST picked one. 0:18:48.368,0:18:59.679 It's possible that they're hacked, but I think it's really unlikely. I would more look at implementations. 0:18:59.679,0:19:07.119 We know that cellphone encryption-- and this is not just the NSA-- here you have an international cellphone standard 0:19:07.119,0:19:17.999 and you've got three dozen countries that want to eavesdrop. So all together there's pressure not to have real security in your cell networks. 0:19:17.999,0:19:25.841 So these are more overt, we know about them. I worry more about the private standards than the public standards. 0:19:25.841,0:19:35.840 We have one example of a backdoor trying to be slipped into Linux, which we are almost positive is enemy action. We don't know who 0:19:35.840,0:19:47.725 the enemy is in this case, it could be anybody, which we found because we, I think, got lucky. So, certainly it is possible to slip backdoors in commercial software. 0:19:47.725,0:19:54.059 I worry less about the standards and more the private stuff we can't see. 0:19:54.059,0:20:02.756 Do you think we're going to have to consider the possibility that all the standardized family of ECC curves are ones that we should abandon? 0:20:02.756,0:20:08.644 I don't. I mean, they are curves that came from academia, they are curves that came from public processes. 0:20:08.644,0:20:20.330 Those are ones we can trust more. I would love to up our key lengths, for extra conservativeness, just because I'm now more leery-- especially with elliptic curves. 0:20:20.330,0:20:26.737 I think we just have to look at pedigree, and we have to mistrust things that can be tampered with. 0:20:26.737,0:20:32.884 We know that the NSA has implemented curve selection, but we don't know how. 0:20:32.884,0:20:42.862 We don't know if it's the NSA going to-- i'm making this up-- an engineer at some company and saying "here's some curves, why don't you suggest these?" 0:20:42.862,0:20:52.800 We don't know if there's some vetting... we don't know what has happened. But I would like curves to be generated in open, public manners. 0:20:52.800,0:20:59.828 I think for the world, if we're going to trust them in a global community, we have to do that. 0:20:59.828,0:21:08.849 We end up talking about the NSA, but this is not about the NSA. This is what any large nation state would do. 0:21:08.849,0:21:17.370 Snowden has given us some phenomenal insight into the NSA's activities in particular, but we know China uses a lot of these same techniques. 0:21:17.370,0:21:28.989 We know other countries do. This is going to be what cybercrime is going to look like in 3-5 years because technology democratizes. 0:21:28.989,0:21:34.779 We really need to get security for everyone against everything. 0:21:34.779,0:21:44.632 So, let's follow that up a little bit. We have talked so far, and most of the Snowden documents that we have seen publicly released so far have 0:21:44.632,0:21:54.276 talked primarily about passive listening activity of one sort or another-- hack, tap, steal, with respect to the backbones and the telecom networks. 0:21:54.276,0:22:03.409 But we haven't had much information about listener activity directed at subverting the security of individuals or businesses. 0:22:03.409,0:22:11.522 With the cookie-based material that started coming out 36 hours ago, things have begun to change a little bit about that. 0:22:11.522,0:22:22.824 Have you seen things you can talk about that relate to how the American military listeners or others are directly subverting the security of individual's computers? 0:22:22.824,0:22:30.243 So the first story on that was the Tor story from early October. And there, I wrote about two different programs 0:22:30.243,0:22:40.353 that the NSA uses for active attack. And there's been a great article in Foreign Policy on TAO, tailored access operations. 0:22:40.353,0:22:46.126 These are basically the NSA's black bag teams. So, we have seen these stories over the last several months. 0:22:46.126,0:22:56.069 The two things I wrote about back in early October were QUANTUM, and QUANTUM is an add-on to their eavesdropping platforms. 0:22:56.069,0:23:03.164 So, the NSA has large eavesdropping platforms on internet trunks, and these have names like TUMULT, TURBULENCE, and TURMOIL. 0:23:03.164,0:23:12.491 I'm not quite sure how those three relate to each other. They all begin with 'TU' so they seem to be a family. One is a superset of another. 0:23:12.491,0:23:21.660 TURMOIL seems to be the latest generation. TURMOIL is the device that gets the "firehose" and quickly decides 0:23:21.660,0:23:29.400 what needs further analysis, because the firehose is coming at you and you need to make very quick decisions about what to eavesdrop on. 0:23:29.400,0:23:42.771 So, sitting on TURMOIL is something called QUANTUM, and what QUANTUM does is it gives the NSA the ability to inject into the stream, to add bytes. 0:23:42.771,0:23:50.820 And this is what the NSA uses for things like packet injection. Packet injection injects packets into your data stream. 0:23:50.820,0:23:55.682 Again, nothing new, this is how the great firewall of China works-- this is a hacker tool. 0:23:55.682,0:24:04.582 But if you're sitting on the backbone, if you're on the AT&T backbone, you can do some phenomenally interesting things with this. 0:24:04.582,0:24:15.987 You can do DNS hacking-- this is actually what China does for censorship. You can do frame injection, where you redirect users 0:24:15.987,0:24:24.571 surreptitiously to other servers-- I'll get back to that later. We knew from the Tor story that there's something called QUANTUM Cookie. 0:24:24.571,0:24:35.578 We didn't really know how it worked until we just got the Cookie story from a few days ago, but the slide said "force users to divulge their cookies." 0:24:35.578,0:24:46.299 This is a way that the NSA would-- and think of this in terms of a Tor user, this is a user that is being anonymous on the network because of Tor-- 0:24:46.299,0:24:55.310 if you could force that user to divulge his cookies, if you've got a database of whose cookies belong to who, that de-anonymizes. 0:24:55.310,0:25:00.160 So now we're seeing how these things link together. And there are other QUANTUM programs. 0:25:00.160,0:25:12.305 Nicholas Weaver, whose at UC Berkely, knows nothing about the documents but has written some great essays on how this works, 0:25:12.305,0:25:17.932 because this is how of course it would work now that you know about it, you start thinking about what you would do with this. 0:25:17.932,0:25:26.044 So we do know quite a lot about QUANTUM, and I think that's important. We also know about a program called FOXACID-- 0:25:26.044,0:25:33.858 and by the way, the NSA has the coolest codenames in the world. If you're at lunch, you'd want to sit at the FOXACID table. 0:25:33.858,0:25:40.227 Worse codename: EGOTISTICALGIRAFFE. Never want to sit with them. Ever. 0:25:40.227,0:25:53.547 So FOXACID is the NSA's multifaceted hacking tool. If you think about their problem, if you think about what they need to do, 0:25:53.547,0:26:05.225 they need to turn, basically, people off the street, into cyberwarriors, and the way they do that is not going to be through years of training-- that's expensive. 0:26:05.225,0:26:13.991 It's going to be through tools and procedural manuals, and automated/semi-automated ways to make hacking work. 0:26:13.991,0:26:19.656 And FOXACID-- if you know hacking tools, you know Metasploit?-- FOXACID is Metasploit with a budget. 0:26:19.656,0:26:33.326 So this is the server that, when you visit it, and you can be forced to visit it in many ways, one of them is through a QUANTUM-- we think it's called a 0:26:33.326,0:26:45.245 QUANTUM tip, QUANTUM inserts-- I mean, there are some codenames we don't understand. First the user is "tipped", tipped into FOXACID. 0:26:45.245,0:26:52.325 So you're visiting-- and I'm making this up-- Google, and the NSA sees you visit Google, and they do a frame injection, 0:26:52.325,0:26:59.904 and then some invisible packets go to the FOXACID server, which recognizes who you are through whatever systems they have, 0:26:59.904,0:27:07.843 and the server says "OK, it's this person." They're going to know if this person is high value vs. low value, 0:27:07.843,0:27:17.493 if this person is a sophisticated user vs. a naive user. And based on all these criteria, FOXACID will decide what exploit to serve. 0:27:17.493,0:27:24.656 ...and I forget the codename of the basic exploit, it's a cool codename too. Damn it... 0:27:24.656,0:27:34.411 And then if that works-- called a "shot"-- if that works then there's a series of other exploits that are run to figure out 0:27:34.411,0:27:44.224 "OK I'm on this computer, who is it? Where is it? What network is it on? What's it connected to? What's on it?" 0:27:44.224,0:27:54.026 And then we know there's a lot of specialized attack tools. There's a document that the French press published, and I don't know if they meant to but 0:27:54.026,0:28:03.076 at the bottom of this document is this glossary of codenames and attack codes. There was a special attack code for figuring out where the 0:28:03.076,0:28:09.374 geographical location is. There's a special attack code for jumping air gaps-- that was interesting. There's a special attack code for doing 0:28:09.374,0:28:20.024 various things you might want to do. So, we have quite a bit. We've seen nothing so far from US Cyber Command. 0:28:20.024,0:28:29.862 And we don't know, it's not public yet, if the story is not yet out, or if the US Cyber Command documents were separate enough that 0:28:29.862,0:28:38.431 they're not in the trove. So, everything we're seeing is NSA and GCHQ-- that's the British counterpart. We're not seeing US Cyber Command, 0:28:38.431,0:28:46.571 which presumably does a lot more offensive operations. That's kind of their job. But the NSA does quite a lot, too. 0:28:46.571,0:28:57.120 We know that TAO will go in and steal keys. If there's a circuit they want to eavesdrop on but they can't break it, they'll go in and steal the key. 0:28:57.120,0:29:13.245 Let's just hang out a moment in this question of injection attacks from the backbone. That tip that put somebody's browsing activity 0:29:13.245,0:29:23.779 into a platform where they could try various exploits and see what's going on, that depended on a frame injection in the example you gave, 0:29:23.779,0:29:30.287 which a browser could be smart enough to turn down all together. If that browser were running NoScript, what would happen? 0:29:30.287,0:29:45.704 It depends. NoScript is a really good way to deal with some of these, but in our normal browsing, there's often quite a lot redirects that don't all involve scripts. 0:29:45.704,0:29:53.709 It's not clear to me whether scripts are required for this attack. I think there's going to be some attacks where they are not. 0:29:53.709,0:30:03.799 You read the NSA documentation, they talk a lot about PSPs, personal security products, and these just piss them off ginormously. 0:30:03.799,0:30:13.375 A lot of this action involves around a couple of things-- there's also the fact that the Internet is very insecure out of the box, 0:30:13.375,0:30:27.739 and there is this sort of background radiation of script kiddies attacking things all the time, so when you are attacked it's the 30th time this millisecond, so what? 0:30:27.739,0:30:39.033 That will give an agency like the NSA, or somebody else, an enormous amount of cover. Because attacks happen so often. 0:30:39.033,0:30:48.564 There's certainly a lot of things we can do to make this much harder. Encrypting the backbone would do an enormous amount of good. 0:30:48.564,0:30:57.325 You can't do frame injection in an SSL connection, because you can't see the frames. You can do an DNS redirect, or other things you can do, 0:30:57.325,0:31:08.690 but there are things you can't do. Using the privacy tools we have, I think, give us an enormous benefit. The fact that Tor works-- that might be 0:31:08.690,0:31:22.989 the biggest surprise we've seen so far-- that Tor does work. It's annoying to use, but it does work. That shows that a bunch of us can decide 0:31:22.989,0:31:28.538 that we're going to build a privacy tool that will defeat major governments. That's kind of awesome. 0:31:28.538,0:31:35.238 Kind of too awesome to be true. 0:31:35.238,0:31:40.187 You know, everything I've read tells me the NSA cannot break Tor. I believe the NSA cannot break Tor. 0:31:40.187,0:31:46.033 When all the dust settles, how much do you think they won't be able to break Tor? Is Tor going to be the exception, or are we going to be sitting there 0:31:46.033,0:31:48.866 saying, "the new GPG is also safe"? 0:31:48.866,0:32:00.662 I think most of the public domain privacy tools are going to be safe, yes. I think GPG is going to be safe. I think OTR is going to be safe. 0:32:00.662,0:32:13.856 I think that Tails is going to be safe. I do think that these systems, because they were not-- you know, the NSA has a big lever when 0:32:13.856,0:32:27.805 a tool is written closed-source by a for-profit corporation. There are levers they have that they don't have in the open source international, altruistic community. 0:32:27.805,0:32:40.656 And these are generally written by crypto-paranoids, they're pretty well designed. We make mistakes, but we find them and we correct them, 0:32:40.656,0:32:52.685 and we're getting good at that. I think that the NSA is going after these tools, they're going after implementations. Everyone got their Microsoft 0:32:52.685,0:33:01.406 Update patches two days ago, you installed them, did that put a backdoor into your system? You have no idea. I mean, we hope not, we think not, 0:33:01.406,0:33:10.318 but we actually don't know. That's going to be a much more fruitful avenue of attack, and yes, you can actually break all of those tools that way. 0:33:10.318,0:33:21.325 Auto-update is great, but auto-update requires trust. But I think that the math and the protocols are fundamentally secure. 0:33:21.325,0:33:31.158 So-- I will admit that I say this as a free software advocate-- I think that what you just said is without Freedom Zero there is not freedom: if you can't read it, you can't trust it. 0:33:31.158,0:33:35.397 Is that where we're going to be when the dust settles?[br]--I think it's where we always have been. 0:33:35.397,0:33:45.314 --But people didn't believe it?[br]--But we do believe it. We are all here trusting the building codes here at Columbia University. 0:33:45.314,0:33:56.495 We don't think about "well, the roof could fall on our heads," but we are trusting. We're trusting the people around us, we're trusting all the tools we use, 0:33:56.495,0:34:05.269 both tech and non-tech, but yes, we're trusting our hardware. I mean, a few days ago, was it OpenBSD?, announced that they no longer 0:34:05.269,0:34:15.204 trust the random number generator on the Intel chip. Not because we know it's broken, no because we have evidence that it's broken, 0:34:15.204,0:34:24.243 but because we know that Intel is susceptible, and if they were told "break your random number generator or we're not buying your stuff anymore," what are they going to do? 0:34:24.243,0:34:35.631 And, a researcher's name I forget right now, showed a really clever way to put a backdoor in a random number generator on a silicon chip, that we would never in a million years find. 0:34:35.631,0:34:45.698 So we have a proven concept that it's possible, we have a company that could be susceptible, and we have mathematical fixes to this. 0:34:45.698,0:34:53.906 We can run the hardware outputs through an algorithm with some other input, and we know how to fix this. 0:34:53.906,0:35:07.324 So, we either have to trust them, or we have to do things to ensure we're still secure if they're not trustworthy, but we're still trusting 0:35:07.324,0:35:17.545 those tools that are now fixing this. So in the end, you have to trust everyone up the chain from the hardware, operating system software, user, everything-- 0:35:17.545,0:35:29.908 -- to the room your sitting in which could have various listening devices-- and that's never going to change. In any technological society, you cannot examine everything. 0:35:29.908,0:35:42.071 You fundamentally must trust. This is why transparency of process is so important. We don't trust because we verify, we trust because we know someone else verified, 0:35:42.071,0:35:46.961 or a few people who mutually don't like each other have verified, and that sort of mechanism. 0:35:46.961,0:35:52.608 Both republicans and democrats are counting the votes, therefore... that sort of thing. 0:35:52.608,0:36:00.908 But in that, we would then say that the way that reduces out is use software over hardware where you can, 0:36:00.908,0:36:05.189 and use software you can read over software that you can't.[br]--Yes. 0:36:05.189,0:36:12.911 And so, we are pushing ourselves towards openness or freedom, depending on which word we happen to be using. 0:36:12.911,0:36:18.464 And we're basically saying that hardware's definition in the 20th century is, "hardware is what the NSA is inside." 0:36:18.464,0:36:21.408 --Unless we have open source hardware, which we here talk about. 0:36:21.408,0:36:27.778 --Well, at that point we're going to have to go very far towards the chips themselves, aren't we?[br]--That's right. 0:36:27.778,0:36:39.546 We're not talking about designs and layouts that are free to copy, modify, and reuse. We're talking about we have to go from the masks up, 0:36:39.546,0:36:41.743 otherwise we wouldn't trust it. 0:36:41.743,0:36:52.081 Right, and the goal here is to reduce your trust footprint. I mean, I could trust 30 companies, if I could trust 5 that's better. 0:36:52.081,0:36:59.237 Or, if I could figure out ways where, I don't have to trust any one, but in order to break my security it has to be a collusion of two of them. 0:36:59.237,0:37:03.013 These things make it harder for the attacker. 0:37:03.013,0:37:09.878 OK, good. So I've got an apartment full of gear, like many of the people in this room, and there's a lot of boxes in there. 0:37:09.909,0:37:19.652 I think what I have learned from the documents I have seen so far and what I think they tell me about the context of the listeners I've always known-- 0:37:19.652,0:37:25.483 maybe you agree with me about this-- is if I'm going to start distrusting some box in my apartment, I should start with my router. 0:37:25.483,0:37:39.684 I would. I believe-- and this story hasn't really been told, I think it will, I'm not sure where the details are-- that the routers, the network devices 0:37:39.684,0:37:51.147 are a much more fruitful avenue of attack than the computers. And I think we're just starting to see that. There have been a couple of stories in the past 0:37:51.147,0:38:01.401 couple of weeks about malware attacks against routers. The criminals are starting to notice this, but routers never get patched, basically. 0:38:01.401,0:38:11.119 They're running a 4 year old version of Linux, they've got a bunch of binary blobs around them for various device drivers, and they never ever get patched. 0:38:11.119,0:38:23.739 Even if the patch was issued, you would have no idea how to install it. The margins are very slim, the industry isn't really set up for security updates. 0:38:23.739,0:38:35.989 They're always building the next thing. At a very small level, I think we are-- ignoring the NSA-- the next wave of cybercrime is going to come after these routers. 0:38:35.989,0:38:45.610 We saw an attack on a point of sales system recently. There was a botnet that took over a gazillion routers in Brazil recently. 0:38:45.610,0:38:58.132 I think this is very much a danger for all of us. For the NSA, I think they've had better luck with the router companies. 0:38:58.132,0:39:07.404 I think this is very generational. You start to think about the history of the NSA and surveillance, and cooperating with US companies, telcos have 0:39:07.404,0:39:15.986 started cooperating with the NSA since the NSA came into existence. My guess is this cooperation just carried through the Cold War, 0:39:15.986,0:39:28.760 and after it's no big deal for Level3, or AT&T, or any telco company, or executive, or person, to, you know, "Oh yeah we give the NSA a copy, that's just what we do." 0:39:28.760,0:39:37.635 And that is a very different mentality that you'll get out of Google, or Microsoft, or Apple, or companies coming out of the computer space that 0:39:37.635,0:39:46.739 don't have this history of cooperation and collusion. The reactions you're getting from those companies are much more hostile. 0:39:46.739,0:39:55.844 "What do you mean you're doing this to us?" Not, "oh yeah we kinda assumed that, and we'll give you a room if you just ask. Don't be a stranger." 0:39:55.844,0:40:03.823 But isn't part of the outrage a result of the fact that they thought they had made deals as a result of which they weren't going to be troubled more? 0:40:03.823,0:40:08.900 They really just feel that the guys they bought didn't stay bought, right? 0:40:08.900,0:40:21.371 You know, I'm not sure it's deals. Yes, I think it's a bit rich for CEOs of Google to complain that the NSA is getting a copy of the data it stole from you fair and square. 0:40:21.371,0:40:31.120 And certainly a lot of government surveillance piggy-backs on corporate surveillance. There's a whole story about cookies-- it's simply because these 0:40:31.120,0:40:38.985 companies want to identify you on the internet, and the NSA is just getting itself a copy.[br]--Right, the prefs cookie at Google, let's just 0:40:38.985,0:40:46.939 fingerprint all the browsers just in case we need all the browser fingerprints on Earth, and then, by god, that makes it easier to steal all the browser fingerprints. 0:40:46.939,0:41:01.901 But, these companies do have a huge PR problem. They did believe, I think, that the bulk of the NSA collection of their stuff, came through the front door, 0:41:01.901,0:41:09.814 came through National Security Letters, came through subpoenas, came through warrants. I don't know it, but I assume Google has a room full of 0:41:09.814,0:41:19.153 lawyers that deal with the 30 or 50 countries that serve it with subpoenas or whatever they're called in that country, whether they're legal or not. 0:41:19.153,0:41:32.278 I believe these companies did think that that was primarily what the NSA was doing. I don't think they realized that was just a way to launder stuff they got surreptitiously previously. 0:41:32.278,0:41:43.955 I think a really important moral is that the NSA surveillance is robust. It's robust legally, it's robust technically, it's robust politically. 0:41:43.955,0:41:54.071 I can name three different ways the NSA has access to your GMail, under three different legal authorities. 0:41:54.071,0:42:03.105 And I worry about pending legislation in the United States that tends to focus on a particular program, or a particular authority, 0:42:03.105,0:42:15.657 not realizing that they have backups and backups to backups. So, I do think that Google was legitimately surprised at the extent that they were penetrating, 0:42:15.657,0:42:26.739 given that they were cooperating where they thought they had to. "We're giving you what you're asking for, under the extraordinarily draconian laws, 0:42:26.739,0:42:35.773 you mean you're getting it these other ways (plural) also? What, do you guys have money to burn?" "Yeah, we kinda do." 0:42:35.773,0:42:46.361 And so, the private dataminers who also have money to burn are gonna have to burn some making themselves more secure or people aren't going to use them? 0:42:46.361,0:42:54.738 We don't know. We're getting back to trust again. You are someone in some country somewhere and you've learned that the NSA is getting a copy of 0:42:54.738,0:43:02.340 everything. And Google has a press release saying, "Oh, we fixed that." Do you believe it? I sure don't. I think the companies have 0:43:02.340,0:43:13.120 a serious problem right now, that the trust that-- and this is an Internet problem-- the Internet used to be run on a basic, U.S. benign dictatorship. 0:43:13.120,0:43:23.188 Under the assumption that the U.S. was generally behaving in the world's best interest. And I think that trust lost is a one-way function. 0:43:23.188,0:43:35.978 We generally believe that Google, yeah, they were reading your GMail and serving you ads, but that was it. And now that the cats out of the bag, I'm not 0:43:35.978,0:43:47.239 sure there's a way for these companies to convince the world that, "yes, we've contained the problem." That, "yes, we only give the NSA the data only when they ask us with secret requests." 0:43:47.239,0:43:56.093 Which is the best they'll ever be able to say. I think this is why we're seeing these movements in Brazil and other countries that say, 0:43:56.093,0:44:05.069 "Now wait a second. We want this data in our country. There no longer exists these assurances you can give us." 0:44:05.069,0:44:15.603 Because maybe we've been deluding ourselves the past, you know, bunch of years-- and cloud computing is not going away for a whole bunch of other reasons-- 0:44:15.603,0:44:24.726 I see coming some Internet balkanization, which I think is going to be very bad because a bunch of countries are going to be doing 0:44:24.726,0:44:36.361 way worse than we are. And a lot of countries are using our actions to justify their own actions. So, if this is fixed, I don't think it's coming from the companies. 0:44:36.361,0:44:44.122 I think it's coming from the tech community. It's coming from the IETF, it's coming from the open source movement, 0:44:44.214,0:44:57.867 it's coming from all the non-commercial entities that are going to try to build security back in. We'll never be able to trust Google, or Microsoft, or Apple, 0:44:57.867,0:45:01.367 or any of these companies ever again. I just don't think that's going to happen. 0:45:01.367,0:45:13.255 But most of the free communities that have been building crypto and security software, groups of hackers who, as you say, are knowledgeable 0:45:13.255,0:45:22.091 and extremely well motivated, they probably would have said 10 years ago, "Look, we are making software that we think creates security, but 0:45:22.091,0:45:32.720 if you're up against national means of intelligence, all bets are off." And now, if you're right about what we're going to be called upon to do, we're going to have to 0:45:32.720,0:45:40.089 raise our game substantially, because what you've really said is, "unless you're good against national means of intelligence, you're not good at all." 0:45:40.089,0:45:51.180 Yeah, but it's actually better than that. One of the things we've learned about the NSA is they might have more employees doing surveillance 0:45:51.180,0:45:56.615 than the rest of the planet combined, and bigger budget than the rest of the planet combined, but they are not made of magic. 0:45:56.615,0:46:07.299 They are subject to the same laws of mathematics, and physics, and economics that everyone else is. And what we've done is not-- 0:46:07.299,0:46:19.990 the problem is we've made surveillance too cheap. We've made bulk surveillance too cheap. Fundamentally, if the NSA, or China, 0:46:19.990,0:46:27.886 or a dozen other countries I could name, or a bunch of really good hackers, want into your computer, they are in. Period. 0:46:27.886,0:46:40.394 We do not have the expertise, anywhere on this planet, to build that level of security. Right now, in the world, on computers, attack is much easier than defense. 0:46:40.394,0:46:51.448 But that's not what I'm trying to defend against. I'm trying to defend against bulk collection. And this is what we object to. 0:46:51.448,0:47:01.004 If the Snowden documents revealed the NSA spied on the Taliban in North Korea, no one would care. If the NSA spied on Belgium-- 0:47:01.004,0:47:13.841 or, I guess that UK spied on Belgium, which is like Connecticut spying on Nebraska-- that's the problem. It is easier to get everything than to target. 0:47:13.841,0:47:22.860 The economics are all wrong. Fixing the economics is a much more tractable problem, and something we can do. 0:47:22.860,0:47:34.206 So, it's not, "you need to be secure against the NSA." You need to be secure against NSA bulk collection, and that's an extremely important point. 0:47:34.206,0:47:43.758 If you're the financial industry, however, you might actually need to be secure against the NSA. Part of what is happening, it seems to me at the moment, 0:47:43.758,0:47:53.525 --and I'd be very interested to hear your view on this-- we're also living in a world after the end of money, where trust is all that sustains economic value. 0:47:53.525,0:48:01.639 Bars of gold have been replaced by bit streams signed by trusted parties. Signing is a cryptographic activity, 0:48:01.639,0:48:09.675 the consequence of which is that if we are to have the economics you are talking about, in a world where values are represented by digital 0:48:09.675,0:48:20.671 entities, signed by trusted parties using algorithms we believe in, there is actually, at the end of the day, a requirement to provide a level of 0:48:20.671,0:48:29.170 security in order to stave off chaotic risk in the world financial system, which it appears the American government has been deliberately undermining. 0:48:29.170,0:48:38.472 Isn't there a really hard choice out there for us now, about whether we're going to have security in the way the military listeners think 0:48:38.472,0:48:42.416 about it, or are we going to have trusts sufficient to run the world economic system? 0:48:42.416,0:48:57.288 I think that this is the fundamental choice that this whole story brings to light. A lot of people talk about this as "should the NSA be allowed to spy or not?" 0:48:57.288,0:49:06.543 That's actually the wrong way to think about it. The way to think about it is should be build an electronic infrastructure / Internet in the information age, 0:49:06.543,0:49:14.305 where everyone is allowed to spy, or where nobody is. Do we choose surveillance or security, 0:49:14.305,0:49:23.509 where security is defined as not that the NSA isn't listening, but that nobody is listening. Because the NSA doesn't get the only ear. 0:49:23.509,0:49:35.296 It's the global financial industry, but it's everything else as well. And this is in the NSA's mission, the NSA has always had a dual mission: 0:49:35.296,0:49:45.303 throughout the Cold War, it's to protect US communications and eavesdrop on Warsaw Pact communications. 0:49:45.303,0:49:52.990 That dual mission made a lot of sense during the cold war. You eavesdrop on the Soviet stuff and you protect the American stuff. 0:49:52.990,0:50:06.587 That fails when everyone starts using the same stuff. When the entire world uses TCP/IP, and Cisco routers, and Microsoft Windows, suddenly... 0:50:06.587,0:50:11.799 --Well, not the entire world...[br]--Well, enough of the world, to a first approximation. 0:50:11.799,0:50:26.288 You now have a very real choice. You learn of a vulnerability against-- I'm making this up-- a Cisco router. You can use that vulnerability to 0:50:26.288,0:50:33.484 eavesdrop on the people you don't like, knowing full well that other people might discover that vulnerability and eavesdrop on you, or you can 0:50:33.484,0:50:41.796 close the vulnerability, reduce your ability to eavesdrop, and eliminate everyone else's ability to eavesdrop as well. 0:50:41.796,0:50:51.260 And maybe the financial industry is the tipping point for this, but I think we need to collectively recognize that it is in our 0:50:51.260,0:50:58.552 collective long-term interest to have actual security and not eavesdropping. 0:50:58.552,0:51:02.836 Does actual security imply anonymity?[br]--Yes. 0:51:02.836,0:51:11.835 And the distinction of anonymity has been pretty much their goal all the way along. Attribution is what they look for. 0:51:11.835,0:51:17.529 "Make it possible for us to attach an identity to every action."[br]--Yes, and this is the metadata debate. 0:51:17.529,0:51:28.171 When the first stories about Verizon and cellphone eavesdropping, one of the defenses was-- the President said this-- he said, 0:51:28.171,0:51:38.449 "Don't worry, it's all metadata. No one is listening to your conversations." I think this is an extremely... I don't know what word I want to use... 0:51:38.449,0:51:45.343 --Disingenuous.[br]--Yeah, and it is. Because metadata equals surveillance. 0:51:45.343,0:51:55.034 And it's easy to understand this. Imagine you hired a private detective to eavesdrop on somebody. That detective would put a bug in 0:51:55.034,0:52:03.613 their home, and their car, and their office, and you would get a report of their conversations. That's what the data is. If you ask that same 0:52:03.613,0:52:14.955 detective to surveil somebody, you'd get a different report: where he went, who he spoke to, what he purchased, what he read. That's all metadata. 0:52:14.955,0:52:25.009 When the President says, "Don't worry, it's just metadata" I hear "Don't worry, you're all just under surveillance 24/7." 0:52:25.009,0:52:34.834 Breaking anonymity is part of that, because it's one thing to know that this anonymous blog did these things. It's very different to 0:52:34.834,0:52:43.342 attached a name to it, or if you can't do that, continuity with other anonymous blobs, you attach a persistent pseudonym. 0:52:43.342,0:52:53.897 That's not just the goal of the NSA, that's the goal of Google. That's the goal of Facebook. When Google+ came up with a real names policy, 0:52:53.897,0:53:05.874 it was basically "we need to market to you better. We don't want anonymity on our system." When they're trying to tie your cellphone usage to your internet usage to 0:53:05.874,0:53:14.278 your real world usage, that's all about breaking anonymity. So it's for-profit and for-government. This is what's happening. 0:53:14.278,0:53:24.257 So, what is the sum of the economic thinking that lies behind the idea that we change the economics? It is obviously expensive to follow people. 0:53:24.257,0:53:33.897 You gotta have a guy out there tailing people and she's gotta know how to not get seen. But getting 5 billion cellphone location records a day... that's much simpler. 0:53:33.897,0:53:44.276 Isn't it a permanent economic fact that the way we live in the digital universe, following individual people is expensive and following everybody is much cheaper? 0:53:44.276,0:53:54.508 --Only if following everybody is cheap. And that's true because we have designed the cellphone system such that this location data 0:53:54.508,0:54:01.139 is transmitted in the clear, and easy to eavesdrop on. We could design a cellphone system that doesn't have that property. 0:54:01.139,0:54:12.420 We've designed an Internet economic architecture where surveillance is the fundamental business model. We could decide not to 0:54:12.420,0:54:17.544 design it that way.[br]--Yes, but if you and I and everybody in this room who totally believes this goes and says 0:54:17.544,0:54:25.092 "we need to build an internet with anonymity built in from the beginning," it will be a complete political non-starter. 0:54:25.092,0:54:34.127 Because every policeman, every taxman, every other form of legitimate government agency on earth has now decided they can do a much better job 0:54:34.127,0:54:37.705 governing us without anonymity, and never going back. Isn't that right? 0:54:37.705,0:54:47.115 --So, I tend to be long-term optimistic. I think that we as a species tend to solve these problems. 0:54:47.115,0:54:57.858 It might take us a generation, or two. We might have some pretty horrible world wars while we're doing it, but you know, the quote that actually 0:54:57.858,0:55:07.342 lets me sleep at night is Martin Luther King Jr. who says "the arc of history is long but bends towards justice." We do manage to have more 0:55:07.342,0:55:19.450 freedom, and more liberty, and more rights, century by century. Not year by year. So I do think that long term, wherever that is, we will have licked this. 0:55:19.450,0:55:27.648 --OK, but Martin Luther King can say that because his view of justice isn't path-dependent. His view of justice is it's absolute and it's always there. 0:55:27.648,0:55:37.670 Technology, on the other hand, is path-dependent. When our friend Dan Geer at In-Q-Tel says that talk on tradeoffs 0:55:37.670,0:55:43.917 in cybersecurity that you and I both so admire, this is the last generation in which the human race gets a choice. 0:55:43.917,0:55:52.261 He's basically speaking to what you've just said. You said "if we have long enough we'll get this fixed" and he said "technology is path dependent 0:55:52.261,0:56:01.170 and once this is fastened on the human race it may not be unfastenable again, and we evolve forward from where we are in a dependent path." 0:56:01.170,0:56:10.454 So one of those lets me sleep and the other one keeps me awake, and between those two what you and I have to confront is our friends 0:56:10.454,0:56:17.966 out in the world who say "it's hopeless, there's nothing we can do," and "I'm not doing anything wrong, so why should I care?" 0:56:17.966,0:56:25.081 And those are the two arguments that we need to address. In the couple of minutes left to us before we open it up to all of these people, 0:56:25.081,0:56:29.504 what do you say to the people who say, "it's hopeless, there's nothing we can do"? 0:56:29.504,0:56:35.914 --I think there's a lot we can do. That's, I think, one of the most important morals from the Snowden documents, is that the NSA isn't 0:56:35.914,0:56:45.354 made of magic, that there not breaking cryptography anywhere near the extent that we kinda thought they were, that there are things we can do to make 0:56:45.354,0:56:53.041 ourselves much more secure. I mean, if you are the one person they want, they're going to get in. But again, that leverages the economics. 0:56:53.041,0:56:59.207 Now we're getting into tailing everybody individually. You've only got so many agents, you can only tail so many people. 0:56:59.207,0:57:08.860 If you eliminate the bulk, or make the bulk harder, or make us more able to hide in the noise, we are doing ourselves an enormous favor. 0:57:08.860,0:57:14.631 And if we give the tools to the dissidents around the world who are hiding from much worse regimes than we have, 0:57:14.631,0:57:21.325 to do this, we are doing an enormous amount of good for the world. There are things we can do. It is no where near hopeless, and I think 0:57:21.325,0:57:33.907 we learned this again and again and again. And, the other half is "Why? I don't have anything to hide." The people who are speaking best to this 0:57:33.907,0:57:44.996 are the psychologists, who look at what it is like to live under constant gaze, or under the threat of-- that if you believe that you could 0:57:44.996,0:57:55.249 be watched at any moment, what does that do to you as a person? And what we learn is, it makes you different. It makes you more conformist. 0:57:55.249,0:58:10.575 It makes you less willing to think new thoughts or try new ideas. It stagnates society. It makes us all worse. Society improves because people dare to 0:58:10.575,0:58:20.521 think the unthinkable and then after 20 or 30 years everyone says, "well you know, that was kind of a good idea." It takes a while, but it has to start 0:58:20.521,0:58:31.630 with doing something that you don't want anyone else to know. So, it hurts us big and small. It hurts us in the big because society stagnates, 0:58:31.630,0:58:42.615 and it hurts us in the small because we are diminished as individuals, because we cannot fully be individuals. We have to be a member of the group. 0:58:42.615,0:58:52.597 I mean, there's phenomenal writings, philosophical and psychological, that really look at how this works. It's a hard argument to make. 0:58:52.597,0:59:05.934 The arguments on the other side are quite simple: "terrorists will kill your children." That's it. That argument pushes four very core buttons that will 0:59:05.934,0:59:16.548 make you scared. So I could spend an hour saying, "well this doesn't protect you from terrorism." That argument is happening at a higher intellectual 0:59:16.548,0:59:35.608 level than your fear. I'm going to lose that argument. So, the forces of surveillance are strong. This is an extremely difficult fight and I'm always amazed 0:59:35.608,0:59:48.117 at the resilience of our species to overcome intractable problems, to overcome futility. It amazes me again and again, and I'm not willing to 0:59:48.117,0:59:57.219 count us out. It is possible that we've reached some theoretical limits here, and I could actually draw out that argument, that's, you know, some Darwinian-level 0:59:57.219,1:00:08.378 limit in our species, that technology just makes bad things happen and we have no choice here. My guess is not, but it's going to require a lot of 1:00:08.378,1:00:18.367 changing. I mean, the war has to end-- that's a phrase you used when we were talking earlier. If terrorists-- if General Alexander could get 1:00:18.367,1:00:28.289 in front of Congress and say, "if I had these powers I could have stopped 9/11," and no one looks to him and says, "you didn't stop Boston." And that was 1:00:28.289,1:00:39.633 one guy on a terrorist watch list, and the other guy with a sloppy Facebook trail. What are you talking about? We need that level of response. 1:00:39.633,1:00:43.202 But I'm still bullish on us. 1:00:43.202,1:00:52.153 --So, if I don't ask you someone else is going to ask you, I might as well save the time: what do you trust these days? 1:00:52.153,1:01:05.124 --So, I actually wrote an essay about that in The Guardian, and what do I trust? I trust OTR, I trust Tails, I trust GPG, 1:01:05.124,1:01:19.170 I trust-- oh, what's the file encrypter-- Truecrypt, which I consider the best of three bad alternatives. I do a few other things, there's a file erasure program, 1:01:19.170,1:01:29.338 that I think they're all pretty good. But basically, I have an airgap computer I use for things I don't want on the Internet. And again, all these things we can 1:01:29.338,1:01:38.202 pick apart, but I'm just trying to make it harder. [br]--We don't have to pick you apart, because other people will do that for us. 1:01:38.202,1:01:47.500 --If the NSA wanted me, I think they're in. If the FBI-- could the FBI get a warrant against my computer? Probably. 1:01:47.500,1:01:59.059 They haven't broken down my door yet.[br]--[audience] That you know of...[br]--That I know of, right. But what am I going to do? 1:01:59.059,1:02:09.565 I am not a nation state, I cannot protect my computer. My house is not tamper shielded, and it will never be tamper shielded. I will never have my computers 1:02:09.565,1:02:20.440 in a secret level [unintelligible] safe. I will never have guards, no one's home right now and I don't come home for a couple of hours. So it is quite easy 1:02:20.440,1:02:29.867 to grab an image of my hard drive. It is trivial to put temporary receiver around, or grab my keystrokes when I type in my password. If you are 1:02:29.867,1:02:42.961 targeted, there's pretty much nothing you can do with that level. So, at some point you have to just say, "that's the way the world works" and you can't do anything. 1:02:42.961,1:02:52.025 But you can protect yourself against bulk surveillance, and that's largely what I'm trying to do. When I go in and out of the country right now, 1:02:52.025,1:02:58.681 my securities don't happen on your laptop. So when my laptop gets-- and it's interesting, I spend a lot of time now when I'm flying into the US erasing 1:02:58.681,1:03:07.465 all my free space, deleting data, encrypting archives, and all sort of things. You spend a few hours doing it, you go through the US border and nothing happens, 1:03:07.465,1:03:17.131 and you know, you're pissed off. I went through all this trouble, and you can't seize my laptop? What the hell are you guys doing? And I just know after 1:03:17.131,1:03:23.905 four or five times, "I don't have to do this, they're not going to take my stuff..." and then they're going to take it. And security is a lot like that. 1:03:23.905,1:03:32.664 There's an essay I should write, on how hard it is to get opsec right. There's a nice story-- well there's a couple of stories-- 1:03:32.664,1:03:44.315 there's a story of General Petraeus, and how his secret conversations were eavesdropped on. And also, the guy who was running Silk Road. And there's 1:03:44.315,1:03:58.760 also a third one I'd use, from the Chinese hackers that Mandiant found. You have to be perfect, that if you make a mistake sometime in the past 10 years, 1:03:58.760,1:04:10.312 your security has been compromised. And because there's never feedback, you never know. I can tell you that one time-- and I shouldn't say this-- 1:04:10.312,1:04:19.972 I spent a lot of time encrypting this archive, I had it encrypted, I zipped it, I encrypted it, I decrypted it, and encrypted it again just make sure I had it right 1:04:19.972,1:04:29.331 because if you get it wrong the key doesn't work and you're screwed. I do this, and I throw the zips in the trash, I delete the trash, I erase the trash, 1:04:29.331,1:04:41.767 I go through the border, I come in, I open my computer, and I forgot to erase the originals... You never get any feedback as you do this. 1:04:41.767,1:04:52.295 You never know if you did it right. And it's easy to make a mistake, because security is always-- you never want to do security, it's always in the way. 1:04:52.295,1:05:03.840 "Oh, I have to remember when I use OTR to do the authentication step." It's not what I want to do, I want to talk to the guy. I have to remember-- 1:05:03.840,1:05:12.275 and I'll do this: I'll close my laptop, boot it down, put in my USB stick, open up Tails, get it all ready and then "Oh, damn, the email address I wanted is on 1:05:12.275,1:05:24.472 the memory." I gotta close it all down, open it up again. It's always in the way. It's very easy to make a mistake. And the way the balance goes, if you make 1:05:24.472,1:05:33.043 a mistake, you're done. This makes it very hard. I'm not helping, am I? 1:05:33.043,1:05:41.173 --I felt very good, I was thinking to myself I need to design an exploit platform that gives positive reinforcement back to you for doing the 1:05:41.173,1:05:46.699 wrong thing, and pretty soon we'll have you trained to do the wrong thing--[br]--And if it gets a cool codename, you're in. 1:05:46.699,1:05:56.251 --Absolutely. So, I think it's time we let some other people ask some questions. 1:05:56.251,1:06:04.746 --[audience] Bruce, thanks very much. I wanted to ask one question that's about the opposite side of bulk analysis, and that is about natural language 1:06:04.746,1:06:12.152 processing. What is your assessment of the state of it, and how much of a threat or problem do you think it really is? Because I've seen some of what's 1:06:12.152,1:06:17.887 going into it, and I wasn't particularly impressed, frankly.[br]--Well, we don't know. There are a large number of 1:06:17.887,1:06:24.929 patents the NSA has in this area, so there's stuff in the public. My guess is they're extraordinarily good. This is something they've been working on 1:06:24.929,1:06:33.598 since computers were invented, because this is not a new problem. Especially when you are dealing with radio, where you had to transcribe. It was 1:06:33.598,1:06:43.747 the only thing you could do, that the recording just couldn't keep up. So my guess is they are very good at natural language processing, 1:06:43.747,1:06:56.179 and natural language translation. I would expect that most everything gets very quickly turned into text, that there's easy ways to annotate little 1:06:56.179,1:07:07.684 bits of voice, stuff you don't know that might need a person. And that voice printing is extremely advanced as well. Again, nothing is published in 1:07:07.684,1:07:15.671 this, and I don't know if it will be. But I would expect this is an area they have devoted considerable resources on for a decade. 1:07:15.671,1:07:19.180 -- [audience] Are they better than Facebook, do you think, or Google?[br]-- They would have to be. They've been doing this 1:07:19.180,1:07:26.848 for decades, and with way more budget. And again, it's going to be a one-way function. Anything that Google and Facebook can do is going to come out 1:07:26.848,1:07:35.772 of the academic community, and they're going to know about it. It's like cryptography: you have this-- information only flows in one direction, from the 1:07:35.772,1:07:44.974 academic community to the NSA. It never flows the other way. So the NSA can get the best of the world, plus what they have. They spend a lot of money 1:07:44.974,1:07:50.836 on linguists. 1:07:50.836,1:07:59.744 -- [audience] I want to get your opinion about these third party companies that are creating these commercial off-the-shelf products in order 1:07:59.744,1:08:13.623 to spy and target people. I read this document "For Their Eyes Only: The Commercialization of Digital Spying" and at some point you posted something like 1:08:13.623,1:08:18.326 that on your blog, so I want to get your opinion on these companies, not only NSA but now these other people. 1:08:18.326,1:08:34.584 -- Right, I mean one problem-- I guess it is a problem-- a lot of government capabilities have corporate analogs. So we talk a lot 1:08:34.584,1:08:41.079 about surveillance, there's government surveillance and then there's corporate surveillance, and all these tools are being built for corporate surveillance, 1:08:41.079,1:08:50.972 some of it for legitimate reasons, some of it for reasons we may not like, and then this is also being used by governments. 1:08:50.972,1:08:59.710 You know, propaganda tools-- we're seeing companies like Blue Coat and Sophos. These are commercial products being sold in 1:08:59.710,1:09:08.821 corporations that are also being sold to Syria to identify and arrest dissidents. A lot of these technologies are dual use, and I don't 1:09:08.821,1:09:19.451 think we can address one issue without also addressing the other. We cannot just say "governments can't do this and corporations can." 1:09:19.451,1:09:31.043 The tools lend themselves to abuse. And there's talk about putting a lot of these tools back under export control. Over the past month I've been seeing 1:09:31.043,1:09:40.195 more discussion about that. I'm not sure that it's possible anymore. It's a very different world than the 90s, when you actually could have export controls 1:09:40.195,1:09:47.420 on cryptography, because everything was mailed around. It wasn't just downloaded. The connected international world is much harder. You end 1:09:47.420,1:10:00.553 up putting national barriers like the Great Firewall of China, which works well but is also pretty porous. These are certainly important to talk about, 1:10:00.553,1:10:09.008 the corporate analogs to these government tools.[br]--I can't speak about the Snowden documents which Bruce has seen, and we're not ready at SFLC 1:10:09.008,1:10:18.348 to make any publications yet, but I can tell you for sure that there are national governments that have outsourced the process of penetrating 1:10:18.348,1:10:28.321 and listening to computer networks to commercial organizations whose contract work mixes government and commercial spying, but whose primary 1:10:28.321,1:10:34.727 bread and butter in this and other countries around the world is the conduct of governmental spying.[br]--I think it's dangerous for us because 1:10:34.727,1:10:42.911 now you have an industry that is going to lobby. Just like you have a private prison industry lobbying for more draconian laws, you're going to have 1:10:42.911,1:10:47.382 a private surveillance industry lobbying for more surveillance, because more surveillance means more sales. 1:10:47.382,1:11:03.533 --Well, wealthy database-making companies can be counted on doing that anyway, I should think. 1:11:03.533,1:11:12.847 -- [audience] Here's a real paranoid question for you. An important strategy in all espionage is the spread of disinformation. Is it possible with the spread 1:11:12.847,1:11:22.415 of the Snowden documents, or other types of leaks, that there is some tiny bit of disinformation there to make the community represented here trust 1:11:22.415,1:11:31.916 some type of technology that is actually vulnerable?[br]--So that is actually the less paranoid version of that argument. The more paranoid one is 1:11:31.916,1:11:42.354 that Snowden is a government plant and that is all disinformation. You do hear that. I believe that is not true. I believe that Snowden is a legitimate 1:11:42.354,1:11:53.556 whistle blower, that he has legitimate whistle blowing documents that he-- I guess, legitimately-- that he fair and square stole from the NSA and 1:11:53.556,1:12:06.859 went to China with, and that this is real, that this is not government disinformation. It would-- nah, it doesn't even pass the smell test. I do not 1:12:06.859,1:12:17.402 believe so.[br]--It looks like we should hand the mic down.[br]--Just throw it at them. 1:12:17.402,1:12:21.979 --If we owned it we would do that.[br]--What could possibly go wrong with that?[br]--[audience] Hi. I had a question about 1:12:21.979,1:12:32.585 the relationship between corporate and government surveillance. So, you were saying that one thing we could do to defend against the surveillance of 1:12:32.585,1:12:39.972 the mobile phone network is the location information could all be encrypted. But, the mobile phone companies actually need to know which 1:12:39.972,1:12:47.982 cell tower to send your signal to. So the mobile phone companies are going to know. They're in a position where they can't help but collude. 1:12:47.982,1:12:55.453 Do you have a vision for what a mobile phone-- what people here would consider to be a functional mobile phone network-- would look like that the government couldn't actually spy on? 1:12:55.453,1:13:06.760 --So I don't actually know. My guess is that it is possible, that you could have a distributed system that would hide location data from the central 1:13:06.760,1:13:17.956 nodes. And some of it is just leveraging small distribution. I think we were all much more secure when there were 100,000 ISPs than when there 1:13:17.956,1:13:29.392 were 100. That level of distribution-- again, the economics. We could force the NSA or the FBI to go after all of these companies rather than 1:13:29.392,1:13:39.992 just a few. So my guess is that there is a cell architecture that doesn't require centralized [unintelligible]. And just like in file sharing, 1:13:39.992,1:13:48.594 the original file sharing systems had a centralized network that knew who had what file. Those were gone after by the music industry, and then the 1:13:48.594,1:13:56.430 follow on systems were distributed. They were peer-to-peer. They didn't have that centralized command-and-control. We know how to do 1:13:56.430,1:14:03.817 this. The question is making it fast, making it scale. I'm not saying this is easy, but if we want to, yes, I think we can. 1:14:03.817,1:14:08.468 --[audience] Do you know anyone who is working on that?[br]--Not a soul. 1:14:08.468,1:14:15.733 --[audience] Hey, thanks guys. I've got two quick ones, maybe one for Eben and one for Bruce. One is, is it worth it to encrypt in a big corporate 1:14:15.733,1:14:28.353 cloud, like Amazon or Rackspace, using their encryption. And two, what are your thoughts on Sibel Edmonds and Russ Tice and Cyptome, who were 1:14:28.353,9:59:59.000 just in a debate with Greenwald on Twitter.[br]--I didn't follow the debate.[br]--Nor I. Tell us about it. 9:59:59.000,9:59:59.000 --[audience] Well, basically, Sibel Edmunds was the FBI's [unintelligible] translator pre 9/11. She's wondering, "Where are all the documents? 9:59:59.000,9:59:59.000 Why are only 1% out, and what's going on with Paypal and Omidyar, and that" 9:59:59.000,9:59:59.000 --I think it turns out that starting a new media empire is harder than you think. That's my guess. It's just things are happening slower than maybe people 9:59:59.000,9:59:59.000 would like. You know, releasing documents is hard. There are legitimate secrets in there that you don't want released. There are, there really are. 9:59:59.000,9:59:59.000 And it's good that the process is happening slowly and methodically, that a Wikileaks-style data dump would not be fun for anybody. So, that's good. 9:59:59.000,9:59:59.000 And there's a lot there, and it's slow to look at, and all of these stories do end up with a negotiation with the government. 9:59:59.000,9:59:59.000 And this is the way journalism works. I didn't know this, but I got to meet it, that the reporters say, "We're releasing this story. Do you have 9:59:59.000,9:59:59.000 anything that-- basically, do you mind?" And if the government says "Yes, don't release anything," of course no one is going to listen. But if they say 9:59:59.000,9:59:59.000 "Look, this particular sentence, if you do this it will disrupt--," and there's a level of trust here, between the reporters and the government, and you know 9:59:59.000,9:59:59.000 names are redacted, operational details are redacted. If the NSA is spying on North Korea and the Taliban we're not going to hear about it 9:59:59.000,9:59:59.000 because that would be a good thing. So, there is this long process, and figuring out what our stories and legitimate interest is also a long process. So, 9:59:59.000,9:59:59.000 this does take a long time. There's a lot of stuff.[br]--[audience] People are also making a lot of money, though. That's kind of what's being conjectured. 9:59:59.000,9:59:59.000 --You know-- the people who are doing it, are they? Is anyone reading this stuff except us?[br]--[audience] Isn't Greenwald-- 9:59:59.000,9:59:59.000 --Greenwald does have a book deal, but there's way easier ways to make a living than living in exile. None of these people are making lots of money. 9:59:59.000,9:59:59.000 Laura Poitras-- anybody think of Bart Gellman for the Washington Post, and Ashkan Soltani who's working with him, this is not a huge profit center. 9:59:59.000,9:59:59.000 You would do way, way better calling up the Russian embassy and saying, "how much would you give me for the lot?" 9:59:59.000,9:59:59.000 --[audience] I wanted to push back a little bit harder on that. You drew a dichotomy between, on the one hand, surveillance, and on the other hand, 9:59:59.000,9:59:59.000 security. And you've said that we have to choose among them, and among them you choose security. When you say there are legitimate secrets and 9:59:59.000,9:59:59.000 there are operational details, those operational details are things that we would need in order to defend against this stuff. 9:59:59.000,9:59:59.000 And if I have, for instance, a friend who is working on anti-censorship software, or on secrecy software, why would you not give my friend a copy of these 9:59:59.000,9:59:59.000 documents so that my friend can actually make his or her software work? 9:59:59.000,9:59:59.000 --So, the hope is that the documents your friend gets are enough, that what's eliminated is the name and the phone number of the guy who wrote the 9:59:59.000,9:59:59.000 documents. Or, what's eliminated-- you'll see this in some of the documents-- they'll give a list of places we're eavesdropping on, and the IP addresses 9:59:59.000,9:59:59.000 will be blacked out. So, my hope is, when I wrote the Tor story I wanted to give enough detail so that the people who design Tor, the people who are working 9:59:59.000,9:59:59.000 on internet backbone security, had enough to figure out what the NSA is doing and to defend themselves. I didn't need to tell them-- and again, I'm making 9:59:59.000,9:59:59.000 this up-- that FOXACID was implemented successfully against, you know, these guys in Yemen. Because that is not useful to the fixers. I tried very hard-- 9:59:59.000,9:59:59.000 and I think the Washington Post did as well, I'm very happy with their level of detail-- that it is enough for us to know what the vulnerabilities are, what the 9:59:59.000,9:59:59.000 capabilities are, how they're being used, the extent they're being used, and to give us the information we need that, if we chose to, to fix them. 9:59:59.000,9:59:59.000 Yes, I think this is-- in some ways it would be neat to say "here it all is," but it's just not going to happen. It just isn't. If it does, it will be a mistake, 9:59:59.000,9:59:59.000 like the Wikileaks. It will be some confluence of bad things that shouldn't have happened. 9:59:59.000,9:59:59.000 --It's a little like ordinary vulnerability disclosure, isn't it Dave? I mean, you might as well want to tell people how to fix the problem without explaining which 9:59:59.000,9:59:59.000 bank is vulnerable, right?[br]--[audience] Well, if at a certain point if the problems are not getting fixed-- and it seems like on a political 9:59:59.000,9:59:59.000 level the problems are not getting fixed, because this is the other piece of it-- our ability to advocate for ourselves as citizens about what policies we 9:59:59.000,9:59:59.000 do and do not want. The vulnerability is not being fixed, and at a certain point you do go public and say, "this is the vulnerability." 9:59:59.000,9:59:59.000 --Well, I think Mr. Snowden has done that, and the likelihood that politics won't fix this is probably 1.0, no matter how many documents are disclosed. 9:59:59.000,9:59:59.000 --Sad, but true.[br]--I don't think politics is going to do it all by itself no matter what happens, precisely because I don't 9:59:59.000,9:59:59.000 think it's really going to turn out that the politics hinges on the technical details. It hinges on, it seems to me, where Bruce says it hinges on, where people 9:59:59.000,9:59:59.000 are going to buy arguments that they should be afraid. And we don't know how mad democracy is about that yet. Thanks to Mr. Snowden we're about 9:59:59.000,9:59:59.000 to find out. 9:59:59.000,9:59:59.000 --[audience] Just want to test a slightly more technical question. So you mentioned, basically, that open source systems are better in this case 9:59:59.000,9:59:59.000 because we can look at them and see that there's not backdoor, and what immediately comes to mind to me is the underhanded C coding contest, or the 9:59:59.000,9:59:59.000 Trusting Trust attack. These things that, you can hide backdoors in systems that people are looking at. Give me ideas on how to defend against 9:59:59.000,9:59:59.000 that sort of thing, make systems more audit-able, etc.[br]--So, you can but it's harder. The reason I like open source and free software and non-corporate, is less 9:59:59.000,9:59:59.000 because you can look at it, and more because it is harder for someone to slip someone in, because someone is looking at it. And yes, there's an 9:59:59.000,9:59:59.000 Obfuscated C Contest, and if you showed up in the Unix kernel with C code that looked like it came from the Obfuscated C Contest, you'd be sent back 9:59:59.000,9:59:59.000 and be told to make it look more clear.[br]--[audience] Well, have you looked at OpenSSL recently? 9:59:59.000,9:59:59.000 --I have not. Fair enough. I'm just trying to leverage the economics here, I want to make it harder, I want to increase the risk. Something that comes up 9:59:59.000,9:59:59.000 again and again in the NSA documents is that they are amazingly risk-averse. They don't like risk. They don't want to take risks. They really take very safe 9:59:59.000,9:59:59.000 paths. And if you increase the risk, you're going tip it to a point where they're not going to try, because the risk is dangerous. And I think that's-- this is 9:59:59.000,9:59:59.000 something that, without any legislation or any technical fixes, will change because of this summer, all these stories. And as amazing as it is, 9:59:59.000,9:59:59.000 the NSA has all sorts of contingencies for all sorts of things, never had a contingency for "all of our documents get released to the public." 9:59:59.000,9:59:59.000 It took them, what, two, three months to get a PR firm with enough clearance to talk to. Now they have a blog, and a Twitter feed, and they respond quickly. 9:59:59.000,9:59:59.000 But it took them a long time. So, when they were making decisions like, "should we eavesdrop on Belgium," they had all these benefits, costs, and 9:59:59.000,9:59:59.000 risks, but the world finding out-- they never thought that was a possibility. Well that is now over. I think that, basically, every NSA operation from now on 9:59:59.000,9:59:59.000 is going to be the big red letters underneath the "should be do it or not?" is "This is going to become public in three to five years." 9:59:59.000,9:59:59.000 With high probability. "Are we OK with doing it?" And I think some things are just not going to happen, because the blowback has been real. 9:59:59.000,9:59:59.000 --[audience] So you don't think that a Trusting Trust attack, a compiler--[br]--It could, but you know that's not an easy attack. 9:59:59.000,9:59:59.000 --[audience] And if it was discovered...[br]--And if it's discovered, "Wow." Suddenly it's really bad. This has rocked the agency. This is not 9:59:59.000,9:59:59.000 something they thought of. [br]--But if I could just ask a technical question back, did I hear you say that it would be a really good idea 9:59:59.000,9:59:59.000 if OpenSSL were rewritten to be clearer, and more modular, and easier for people to handle--[br]--[audience] Absolutely, if you could rewrite the 9:59:59.000,9:59:59.000 whole thing in Python, that would be--[br]--I don't think we should necessarily expect it to get rewritten in Python. And I'm personally 9:59:59.000,9:59:59.000 not sorry about that. But I'll hold out for rewriting it all in Perl if that'll make you feel better.