-
It's really awkward to talk directly into a camera. I spend most of my life trying to avoid surveillance, so...
-
I'm sorry to say I can't be with you in person, so we'll have to do with this video feed.
-
Basically, I guess if John has given a good intro, and I suspect that he has,
-
then you understand that the situation is a little precarious for me,
-
and returning to the U.S. at the moment for me due to my journalistic work with Der Speigel is a little difficult.
-
So I split my life into two basic parts.
-
One is that I work as a free software developer, and generally as a free software advocate, with the Tor project.
-
It's also the case that I work with Der Spiegel, and also as a freelance journalist with several other
-
publications, and lately I've spent my time doing research into the NSA's surveillance.
-
I've interviewed Edward Snowden, and I've published basically a bunch of information.
-
Stuff that previously we used to think was paranoid crazy-talk, and now we learned that the paranoid crazy-talkers
-
were not paranoid enough. So I guess for me the goal of this conversation, if we could call it that
-
when I'm just talking directly into a camera awkwardly, is that I wanted to say that the people that are writing free software
-
are actually writing the future. It's a little awkward to say that, but it's true.
-
As an example, I use a free software laptop. It's an X60
-
and this laptop is, as far as I can tell, about as free as you can get a laptop.
-
It has coreboot, it has Debian GNU/Linux, it is not using any binary blobs,
-
it is, to the best of my ability, liberated from proprietary software.
-
It's pretty good, but it's also many years old, and it's also the case that it's very difficult to
-
do forensics on a machine like this to know if it has been compromised.
-
It is the case, though, that I can do that at all because of free software.
-
It's possible to begin to build something secure with free software, where I can verify
-
and build things from source, where I can look at the source to see exactly what an attacker might try to do
-
with the programs that are running on my computer.
-
So the four freedoms here are incredibly important, especially for the work that I'm doing.
-
Now, given the difficulty of setting up this webstream, I think it's clear that I've done a pretty good
-
job of making sure there's no microphones. I removed the microphone from this laptop for example,
-
until I plugged another one in. I've done a pretty good job of that. But it turns out that
-
this is actually really hard for people who have never programmed in C,
-
or for people that do not really understand how to program their home computer
-
and beam themselves into the future. So, part of what I wanted to do was to inspire some people today to think about
-
what they can do to make this problem of mass surveillance, for example, something that
-
is different. That is, something where there isn't so much hopelessness.
-
It's a little strange, because I feel like, for many years, the free software community is the only one that has really cared about privacy.
-
The free software community builds decentralized or federated solutions and works really on
-
solving problems of the four freedoms, but how those four freedoms touch the rest of our lives.
-
And so, when I think about what's possible, I think the main problem right now is usability.
-
So, in this regard, to set up this stream, which is broadcasting over Tor, or if you connect to the Tor hidden service
-
which I've also set up, you can watch this video directly, without knowing my location.
-
That was so difficult to set up that it took me the better part of the day to actually accomplish that.
-
It's not that GStreamer is a bad piece of software, it's just that it's extremely complicated.
-
A simple user interface, for example, would have made a world of difference, such that people who are using other
-
video streaming solutions, such as proprietary solutions like the NSA PRISM partner Skype,
-
those people might choose something else. If this was integrated into Debian GNU/Linux,
-
and all you needed to do was download Tails or to install Debian, then it would be the case that you could very easily
-
convince people to do it securely, in a decentralized fashion. That's something that at the moment,
-
I think, is very far away. If it takes me the better part of the day, that means that it will take Glenn Greenwald an infinite amount of time.
-
It will probably never happen, actually, with all due respect to Glenn. When the software is so complicated, it turns out
-
that he'll choose something that's less complicated. And so usability is a fundamentally important way
-
that we can ensure that users will basically care about the four freedoms, because once everything
-
they do is working well in free software, why would they choose proprietary software?
-
Usually it is the case that they won't. In fact, there are many people who are Tails users, but they have to switch to
-
proprietary systems, they feel, for the usability of something like Skype.
-
So, I mean, why? What's going on that all of these things are necessary?
-
I suppose you've all heard the bad news.
-
And the bad news is that the Internet is under, essentially, total surveillance.
-
And what I mean by that is not, let's say, the traditional version of surveillance,
-
where you have a person, and the person is inspecting things, it's looking at things, it's taking notes.
-
Rather, the mass surveillance that is happening now is in the form of deep packet inspection.
-
Now, all around the world, there exists a series of systems that are run by the National Security Agency,
-
GCHQ, CSE, DSD, and other agencies. Those are just the ones we could call "friendly" agencies,
-
if you can call mass surveillance friendly, but you could say it's a kind of social concern, so let's say
-
that they're friendly. Then there's the rest of the world, and what's happening with those systems.
-
We don't know a lot about the rest of the world's systems, but thanks to the courage of Edward Snowden,
-
we do, for example, understand a great deal about the NSA's surveillance.
-
And one of the things that we understand is that it violates the Fourth Amendment.
-
At least on its face it seems clear that it is an unreasonable search and a seizure.
-
That is, it takes data from the Internet, sometimes through fiber optic splitters, things like Glimmerglass-related devices,
-
where they copy information from fiber optic lines onto another line. It then inspects the data,
-
that is, it has seized the data and then it, I believe, unreasonably searches through the data.
-
It does this looking for selectors. So, for example, if you happen to be Chancellor Merkel, that is the German Chancellor,
-
you would have had your phone number as one of those selectors, and anytime any flow of traffic passed by one of these
-
sensors—that is the turbine, turmoil, turbulence architecture of sensors—your data would be selected,
-
and that selection would ensure that your data flows that are associated with that would be recorded forever.
-
So if you know about the Bluffdale, Utah complex, you'll know for example that
-
the NSA is building very large computation centers, not just for attacking cryptographic systems,
-
but also for recording data that they cannot currently attack, in hopes that when that encrypted data
-
is interesting to them, or when they have a cryptographic breakthrough, they'll be able to do something
-
with data that previously was just noise to them. So this tells us a couple things.
-
One of the things that it tells us is that we are in a lot of trouble.
-
There are proprietary software solutions which, according to some of the documents leaked by Edward Snowden
-
and published by Glenn Greenwald, there are proprietary software companies that are
-
what are called SIGINT enabled. That is to say that they believe that when they sell you a security product
-
that it's somehow not false advertising to have willingly broken the system.
-
So that's a really serious problem. It tells us, for example, that proprietary software definitely has backdoors.
-
Unfortunately Glenn did not release the name of that company, or the companies that are involved,
-
but it should be extremely obvious that, if you were to guess, you probably wouldn't guess incorrectly.
-
And if you were to guess, you would probably understand that it's not a free software product.
-
That is, if you look at free software, you can find the problems. If someone were to add a backdoor,
-
while it might not always be obvious if they're very sneaky about it, it is significantly more difficult
-
to add a backdoor to a free software project than it is to add one to a proprietary hardware or software device.
-
So, when we start to see that our security solutions are actually not security solutions overall,
-
one of the things we'll notice is that it's not just the NSA or GCHQ that will be exploiting these systems.
-
It's actually lots of different people. So for example, now that you guys know about the Dual EC DRBG backdoor,
-
there is a very good chance that someone in the audience is working on attacking it and breaking it.
-
And if you happen to have, for example, copies of traffic that were encrypted with that, as the seed for
-
the random number generator, you may be able to exploit it.
-
So this is ultimately a kind of security by obscurity, in hopes that by adding this backdoor, only the good guys,
-
allegedly, they will be the only ones to break it. In reality, it doesn't work that way.
-
So we have a sort of tension here between signals intelligence and communication security.
-
On the one hand, we have signals intelligence collecting as much data as we can
-
from those aforementioned deep packet inspection systems. And on the other side, we have
-
communications security tools which allegedly are protecting us, but it turns out some of them are SIGINT-enabled.
-
So what is there to be done about this? It seems quite clear to me that free software and free hardware,
-
that is free and open hardware, where things are freely specified, where it's possible for you to fab your own hardware
-
in a factory of your choosing, in a country of your choosing, with parts of your choosing,
-
where you can verify them, that is clearly the right direction to go.
-
Because it is not just, let's say, again, so-called legitimate authorities that are doing this.
-
It's probably a lot of other people as well. We just happen to know there is absolutely, for certain, one set of people
-
that are doing it. And so free software in particular has given, I would say, some leverage.
-
That is, it has allowed regular people to be able to communicate securely in a time of
-
complete and total mass surveillance. So, for example, things that work: cryptography does
-
actually work. If it is not signals intelligence-enabled, that is SIGINT-enabled,
-
it is the case that the mathematics behind DSA, RSA, Diffie–Hellman, those seem to not be broken when you
-
use appropriate key sizes. That's very good news, because in an age of mass surveillance,
-
the only thing that stops the surveillance is making the surveillance worthwhile. That is, if it's extremely
-
valuable for everyone to spy, they will spy. If it's a lot of noise, if the searching for selectors doesn't work,
-
it changes the game significantly. At the moment, not every single byte of data is recorded forever.
-
There is clearly some attempts to do that, and that is something that we need to cope with.
-
From a cryptographic perspective, we need to think about it, I think, on the hundred-year crypto timeline.
-
This is something that Zooko has been working on and I think is a really good idea.
-
But we have to imagine that all of the things we do are being recorded for all time, and with that, we need to react appropriately.
-
So if you, for example, work on a free software chat client, it should have off-the-record messaging built into it.
-
If, for example, you build a web browser, it should be compatible with the Tor network. It should not be
-
compatible, for example, with the proprietary Flash player first. Unfortunately, on balance, what we see
-
is that people are often more concerned with making things work with Flash than with allegedly
-
paranoic tools like the Tor project and all of its software, like the Tor network. This, I think, is
-
kind of sad, but I think that we can turn this around and change it, and we need to look at the crypto
-
that we actually use. So, for example, for a Jabber server, it should be using forward secret crypto.
-
So, if you have TLS, it should be used in a forward secret mode. Because it isn't just passive surveillance,
-
though that is a very core and serious thing, it's also active surveillance. The turbulence architecture that
-
I mentioned, I detailed a little bit in my reporting at the 30C3 and also in Der Spiegel at the end of last year.
-
And what we see is those selectors that I mentioned before, let's say your phone number or your email
-
address... I wish I could see the audience because I'd ask you to raise your hand, and say "how many
-
of you are sysadmins?" Obviously some of you are, someone raised their hand. So the NSA is probably
-
targetting you, if you're a system administrator for any system that is interesting.
-
And it is the case that if you were to have some credentials for an interesting network, and you are
-
being targeted, one of the ways that you will be targeted is that you will be targeted by an analyst who looks
-
for selectors. They look for your federated logins, they look for your centralized logins, they look for
-
all kinds of information, and it is the case that they program this, essentially, into a targeting system.
-
And that targeting system will automatically attack you. It will do man-in-the-middle attacks,
-
it will do man-on-the-side attacks. It appears that they have certificate authority resources so that
-
they can do man-in-the-middle attacks on SSL, which tells us that we really need to work on things like
-
TACK and SSL cert pinning, that's very important. If, for example, we notice though, crypto changes
-
the way the selector-based surveillance can even function. If, for example, you note that all of my traffic
-
right now is going through the Tor network, and in many cases people, three people at the moment, are connected
-
to the Tor hidden service for this video feed, there is no possibility for selector-based injection.
-
That is, it's just TLS traffic, the network distinguisher is pretty close to normalized across
-
all Debian Tor users that are doing what I'm doing, which I admit, there's probably five of us in the world,
-
but, you know, that changes the fundamental trade-off. That is, doing the selector-based surveillance
-
will have less of a return than it previously did, or will require more targeting. And this is where anonymity comes into play.
-
If you have anonymity, it becomes significantly more difficult for someone to target you.
-
It's not impossible, of course, but it's... Well okay, maybe it's more than five people.
-
I've got a little lag here from the IRC channel, but apparently there are a few Debian users that route
-
their traffic over Tor in the audience, I hope? But if we see the anonymity benefit there, there's of course
-
a downside, you know? When you have these systems, they're laggy sometimes, they're not always really seamless to work together,
-
it takes a lot of specialized knowledge, again. And this returns me sort of to the key point, which is about usability.
-
So one of the things that I've seen when looking through documents for this research is that
-
usability and security is the worst nightmare of a signals intelligence agency. So for example,
-
Tech Secure and RedPhone, by Moxie Marlinspike, those pieces of software really make the life of
-
someone doing these kinds of attacks hell. At the very least, it means that they have to take what was once a passive thing,
-
where they could silently record data on everyone, and they can essentially now no longer do that.
-
They have to either attack his systems, which they probably will at some point, if they haven't already,
-
or they have to attack each end user's system. So this means that once we start to deploy this widely,
-
for everyone, it changes the balance, where mass surveillance becomes less and less economically useful for these attackers.
-
And that's important, because again, even if you think the NSA is sent from heaven, if you believe in heaven,
-
you have to understand that they're not the only people out there, doing these kinds of things.
-
So every time, for example, an American businessman or -woman goes traveling somewhere,
-
that person is effectively targeted for signals intelligence collection. Now sometimes it's not always
-
targeted in the literal selector sense, but they're using systems that are SIGINT-enabled.
-
Now whether or not the phone companies know is an interesting discussion. Most of them do. Most of them
-
go along willingly, but the key thing is that, on balance, when you travel abroad, you basically are
-
subject to the whims of all the countries where you are traveling, obviously.
-
Those whims may be significantly more harsh, they may have different economic interests,
-
they almost certainly have different political and legal and economic interests than what you might like.
-
If you're a free software developer, and you're not an American citizen, for example, you are a target, almost certainly.
-
If you are a system administrator, you are a target, almost certainly.
-
And it doesn't even matter if you're an American citizen, really, though there is a slight distinction about that.
-
I think that in the near future, we'll learn that that distinction is largely bogus.
-
Sorry for the bad news, but... I guess it's sort of important to tie these things together.
-
So, free software and free hardware, they can potentially bring some solutions into play, but it's
-
not exactly clear how we get there. So for example, if you're a system administrator, you probably have a SIM card in your phone.
-
This SIM card is, without a doubt, a piece of proprietary software and proprietary hardware
-
that then plugs into another piece of proprietary hardware, almost always, and that runs proprietary software.
-
And those are actually described, some of those cell phone systems are actually described as master and slave systems,
-
where the master CPU is in fact the proprietary one and it enslaves the free software CPU, which is often Android, which is not always
-
free to begin with. But if we were to say that in an ideal world you had the most free cell phone,
-
you'll probably still have a baseband, which is proprietary software, with a SIM card that is proprietary software and proprietary hardware.
-
So as you're doing your job, even if you have all free software for your laptop, for example, you have this
-
unfortunate conundrum where, to do the basic work that you need to do, you are completely surrounded
-
by proprietary hardware and proprietary software. Now, the NSA has toolkits that they can deploy
-
into those SIM cards, and into the basebands, not just as a matter of exploitation but actually in some cases by design.
-
Some SIM cards, for example, allow you to add an app to the SIM card without even having
-
a cryptographic key or even exploiting the device, just sending a well-formed message will actually do this.
-
Carson Noll, without realizing it, rediscovered this and he showed this at the CCC.
-
It's almost identical to things that we showed in the Der Spiegel reporting from last year that I discussed at the 30C3.
-
I gave a talk there that was called "To Protect and Infect, Part 2," and I don't want to rehash too much
-
of that talk, but I would really encourage all of you to watch it, because I basically talk about the technical details.
-
And the technical details are important, because in a democracy, for us to be able to understand what it is
-
that we're consenting to, we need to have some concept of what it is we're talking about.
-
Unfortunately the laws are not so great, and from what I can tell, some people have even called
-
for my prosecution as a result of showing and discussing these things.
-
Now, that went through very careful editorial control at Der Spiegel, so I don't feel too threatened by it,
-
but it's an important point that people don't want you to understand how the machines that control you and
-
surveil you work. They don't want you to be able to change the way that those things work,
-
because it is about power. It's about controlling you, it's about controlling your machines, and it's about
-
ensuring that those people stay in control over you and your devices, should they wish it.
-
So, in a democracy I think it's fundamentally important for us to understand how the machines work,
-
to understand how the power works, to understand what the dynamics are, to make sure that these
-
devices, for example, how they're being subverted, that we understand it.
-
For example, when we understand that exploitation often leads to hoarding of bugs, that means we understand
-
that people are letting us stay in a vulnerable state so as to be able to exploit us.
-
But many people may find those bugs and exploit us, so it is not nearly a simple thing where we say
-
we cede some of our autonomy so that people will be able to do their job. You know, the local policeman needs
-
to do their job, cooperate with them, for example. Because it is every local policeman on the planet.
-
It is every intelligence officer on the planet, with enough of a budget or the technical know-how,
-
who will be able to exploit those things. So on balance, it seems very clear that we want to build secure systems
-
and not make that trade-off, because we can never actually ensure that the people who are doing this
-
are acting in our best interest, are democratically in a position of authority that is legitimate,
-
if, you know, you bear with me here and we say there is some authority that is legitimate...
-
I know it's a free software crowd, so I like to think that some of you there apt-get install anarchism
-
from time to time. But it's very important to understand that that balance is something which is not
-
a part of the discussion, and a big part of ensuring that it's not a part of the discussion is to try to hide the details.
-
And so for me, I think it's very important to bring out the details. It's very important to show that they use
-
continuous wave generators bounced against reflectors that they've installed after stealing your mail.
-
Do we want to live in a world where these people steal our mail? And where they take our laptops
-
when we buy them online and add devices to them? I don't want to live in that world.
-
I like to think that people that work on free software not only don't want to live in that world, they are actively
-
working to ensure that everyone on the planet can choose to live in a different world.
-
To get back to the point, things like the Milkymist, Novena, coreboot, these are on a spectrum of free
-
hardware to, as we go down the line, free software-enabled proprietary hardware.
-
Now, I use an X60 with coreboot and I removed almost all of the hardware I don't need.
-
I try, for example, to get rid of anything that would need a binary blob. I think I've done that.
-
This laptop, I think, only has one binary blob left, and that's in the embedded controller for the keyboard.
-
I sometimes use an external keyboard that doesn't have that, although obviously that keyboard has some
-
binary firmware device inside of it. Hopefully not remotely flashable. As far as I can tell, that's the case.
-
Systems like the Novena, made by Bunnie, I think, are the future. That is, he has built almost entirely,
-
as much as is possible at the moment, an open hardware device based on an ARM CPU, where you can fab this
-
device, where you can very easily, if you are a hardware person, modify it, and you can fab this
-
changed device. So that, I think, is critical. There's still a proprietary CPU, but there's a trade-off to be
-
made here. So in this case, the Freescale CPU that he included is pretty fast, it's a quad-core CPU, and it
-
has a hardware random number generator. Who knows if it's SIGINT-enabled, hopefully not.
-
If we see this, we see that it is significantly better than, for example, the ThinkPad that's sitting in front
-
of me where we don't know the designer, we don't know their intentions, we don't know for example if
-
the Intel microcode, if it can be updated remotely by someone who has the key that isn't Intel.
-
Probably, would be my guess, if they understand the format, if they can add backdoors, which, if they understand
-
the way the microcode works and they have the key, then of course they can do all of those things.
-
So there are some architectural changes in the Novena which I think are pretty spectacular for that.
-
If we go all the way, I see something like the Milkymist, which for a time I used instead of as a video mixer
-
but as a machine for running screen and irssi. And it actually is a FPGA device where the CPU itself is
-
free software. Unfortunately the tools for synthesizing the FPGA, those are not free. We lack free software tools
-
for those things, as well. And we really, really, really need free software tools for all of these things,
-
and we need free hardware platforms to build on top of. Without that, it's very difficult for us to secure our systems.
-
I think that it's critical to do that. And there are some people that are doing that.
-
So lekernel, the guy who's working on the Milkymist, and some of these other free hardware devices,
-
I think he really needs support, and I think it would be great, because his devices are the kinds of devices
-
where you can do forensics on it, but you can also prevent adversarial forensics.
-
That is, you can program your device to self-destruct, but you can also check to see if someone has changed
-
the bootloader, if someone has changed the VHDL output, you can actually verify these things.
-
Novena is much the same. I've been working on making Debian GNU/Linux run really well on it.
-
I actually have a Novena here in front of me, with the little helpful Intel sticker, but that's just as a joke,
-
because there's no intel inside with free hardware and free software, if we do our jobs correctly.
-
So, I'd like to think that this is a good start, but the only thing that makes this useful is, of course, the free software on top of it.
-
So in this sense, I think that Debian GNU/Linux is very important. I think lots of things, like Trisquel, for example,
-
are very important. And we need to work on making those systems usable. I think the GNOME project
-
has done a very excellent job with that. There are a few things about it that drive me crazy, but mostly
-
just because I've been using computers long enough to have bad habits, so I think that that's a sort of humbling experience.
-
The Tails operating system, which is a derivative of Debian, is set up in such a way that you don't
-
need to understand anything about anonymity, you don't need to understand anything about security and privacy.
-
It comes with a chat client that has off-the-record messaging by default. Everything is configured
-
to work over Tor by default. This is great. This helps us with this paradigm shift of privacy by policy to privacy by design.
-
Now, there are a couple of problems that still exist. Even if you have Tails, even if you find it usable,
-
which it isn't, in my opinion... It's much more usable than all of these things were before Tails, but it's
-
a progression. If we take a step and we go further and further down the line, one of the things we'll note
-
is that there isn't an easy wizard for setting up, for example, a chat account that just works.
-
Where you can just easily send a message. Where it's not hard. As an example, I installed Jitsi on this laptop,
-
and at the bottom of the screen you see "surveillance_target@jit.si". You can, of course,
-
ask me questions via OTR if you want here, and if you'd like to, you'll note that it is, of course,
-
using OTR, it is also using SSL/TLS... well, it's TLS 1.0, I think, to connect there.
-
You'll note that it's essentially... it's like an email address. That is pretty good, and I think we may have
-
to sit with that for a while, while we work on coming up with different naming systems.
-
Zooko's triangle, if you haven't heard of it, I would recommend you look it up on the Wikipedia,
-
it's definitely the case that we have some hard problems to try to tackle.
-
Skype, for example, is really easy for people to use, and they do use it because they have probably purchased
-
every webcam in the world, and then they've made it work with every piece of software and hardware
-
combination that they could get their hands on. And they also solved the problem of making it as simple
-
as adding, for example, one username and password, and then forever just keeping that identifier.
-
And then you just have to simply say, "Hey, I'm Alice at, I'm Bob at" and it's really easy to use.
-
For example, if Jitsi had a setup wizard, where it automatically generated your OTR keys and it
-
automatically did everything that needed to be done and it added you to their server, but it also allowed
-
you to configure a secondary server, that would be fantastic. It would mean that you could just download
-
Jitsi and it would work. If it forced OTR, even better. Those kinds of things are really simple changes
-
that really would make a world of difference. And since Jitsi works on other platforms other than pure
-
free software platforms, it can even be used as a kind of gateway crypto system.
-
So, I think that kind of stuff becomes very important, because once you have something like Tails
-
and you have something like Jitsi and you put them together, you still have that last step.
-
And that last step is a hard one. But we're really close. In looking through and understanding some of
-
the things that I've been looking at and studying with regard to the technology, and I said this before,
-
usability and security are absolutely critical. But I also mentioned before the active attackers.
-
So one of the issues that we see is that these active attackers are actually pretty good, right?
-
So if you have a longterm cryptographic key but you don't use it correctly, that is, you encrypt all your
-
traffic in a non-forward secret way, you have a pretty serious problem, which is that these people will
-
break into the computer and actually take the key so that they can decrypt traffic, or to impersonate you.
-
So we do need to come up with some notions about, for example, ratcheting.
-
So Tech Secure, which Moxie Marlinspike has been working on for many years now, it has this notion
-
of forward secrecy as well as future secrecy. I think that we need to think about some of the stuff that he's
-
been working on to make this kind of system usable. Adam Langley, who is probably, I would say, one of the
-
great living cypherpunks right now, he has written a system called Pond. I've worked a little bit on the key
-
agreement system PANDA, where we dynamically meet by using a shared secret.
-
That kind of a system is really important. It changes the game from "you're totally surveilled, but maybe
-
you have PGP email if you're lucky," or "you're totally surveilled, but maybe you have OTR if you've had
-
a proper chat client for it." And basically it switches it, so everything goes over Tor, everything goes to a server,
-
that server only sees a delayed set of messages. That kind of system is really a significantly different way of
-
doing communications, and it's not so different from email in some ways. But it's different in the ways that
-
are really important. So that, however, is completely useless without a usable interface,
-
without having it be deployed, without teaching people things. So as an example, when you teach
-
a journalist something—one of the things that I've found is almost impossible to do is to teach journalists—
-
but if you teach journalists something, you want to teach them one or two things that you absolutely
-
impress on them that they must do. So for example, verifying an OTR fingerprint is one of the things
-
that I impress on every journalist that I work with. And that's actually my litmus test.
-
If they cannot use Tor and OTR and Jabber together, I don't work with them, because they can't maintain
-
confidentiality, authenticity, any kind of integrity in a digital sense. And that, for me, is important.
-
But it's also the case that I spend a lot of time teaching people how to build Tails disks, or building
-
Tails disks for them, or getting a special laptop and then setting that up for them and then adding Tails to
-
that system, or a Debian GNU/Linux setup. And it would be nice if it was as simple as "just use Trisquel."
-
If it was as simple as "buy a laptop from this vendor and it's all free software enabled."
-
Now there are some vendors that do it, and the problem of interdiction, which I mentioned before,
-
where they steal mail and change things, that's a serious problem. So we really need to make sure
-
that these things are available in regular stores where regular people go. That makes targeting, again, much harder.
-
I have a couple of other things before I start to take questions, but I think that the real key stuff that
-
we need to consider is that we need verifiability. So for example, reproducible builds, things like Gitian,
-
which is what we're doing for the Tor browser, that's very critical because anytime you build software for
-
anyone, you are a target. Especially if the person you build software for is themselves a target.
-
So, for example, we can imagine that with this three- or two-hop-out idea of targeting, we know that it's possible
-
for someone to target a sysadmin because the sysadmin is interesting, but it follows that if the
-
sysadmin is really good, and a lot of people in the free software community are really good with securing
-
their systems, those people will be targeted by targeting their operating system vendor.
-
So, for example, we know that Debian has been compromised in the past. We have to make it so that
-
compromising Debian is not only detected, but that it doesn't make sense to do that.
-
So if, for example, you were to think about this from the Gitian perspective, if we have anonymized
-
builders that are regularly building packages and reporting those results, it will allow us to see if
-
someone has changed a package on the server, it'll allow us to tell if that piece of software has been tampered with.
-
We need to have a kind of binary verification process which, at the moment, we don't really have a
-
binary verification process. Some people use proprietary software like IDA Pro to reverse engineer
-
this, some people try to disassemble or decompile the software to see if it matches what they thought,
-
but that's usually a hand process. We need to automate some of those things, and we need to
-
do it in a way where people are able to report back to the community anything that they see, basically in
-
real time, that is problematic. So for the Tor browser, I actually have a machine that builds with Gitian,
-
and if it ever builds a hash that doesn't match what I would expect, then it alerts me.
-
And it alerts me in a way such that it just looks like any other person downloading the source code,
-
so it's harder to target, and it is the case that it verifies signatures where I've verified the keys in person.
-
So I think that's pretty good, I think it works relatively well, but that doesn't scale.
-
And right now, it's a one-off. So we really, really need to consider this as a reality.
-
We need that also for devices. For example, if I buy a hardware device and the NSA adds something to it,
-
what has happened? Right? Well, usually, they've won. That's a really serious problem.
-
And it's not just the NSA, it's anybody who can steal mail, and especially at scale. Right?
-
Computers go through customs. Free software might not always go through customs, but computers do.
-
And that's where the state's advantage is often used against people in a way that they don't understand
-
and certainly wouldn't consent to. And so we need to have a way, really, and this sounds kind of outlandish,
-
but let's go for outlandish. We need a way to be able to X-ray our hardware and compare it with
-
a known good state. And with no binary blobs, it becomes a little bit possible. A little more possible for
-
us to make sure that the systems we're carrying around are not just bugs for an oppressor.
-
They're not just systems to be used against us. Now, I know that that's a tall order, but the GNU project itself
-
is a tall order. And so we need to move towards free systems: free hardware and free software systems for freedom.
-
Because really, it would be very difficult to maintain freedom and liberty in the future,
-
and even, I think, to keep our democracies in a world of mass surveillance. Especially if all of our devices
-
are the thing that is oppressing us, or that are acting as an oppressor.
-
In the past it was the case that you had a neighbor, and the neighbor maybe received some benefits.
-
Now the changes are different. Now people report on each other as a matter of, you know, fun.
-
For society. With Facebook, for example. Well, what happens when the Philip K. Dick nightmare is not
-
just worrying about every person spying on you, but what if it becomes every thing that's spying on you?
-
Part of the way that I deal with this is I literally remove the physical microphones from my computers,
-
because I know that it is almost impossible to secure machines such that a really powerful, well-funded
-
adversary could enable them again. So that is not really something that scales.
-
But we can think about it when we build free software laptops, we should make sure that there is an LED
-
that if the microphone is powered up, the LED is on. Just the same way with a camera, but not as badly-designed
-
as most cameras. I guess probably now, we should probably take some questions, given the timing.
-
Is there anybody that wants to ask a question? If so, we're in #libreplanet on OFTC, because OFTC allows
-
me to use Tor to connect to their IRC network, which I'm very thankful for.
-
I would be happy to take some questions, and I know that some of you have contacted me on Jabber.
-
So you can of course, you can of course ask me questions. The first question says, "What is, in your opinion,
-
the most important technology for journalists to learn?" You know, it depends on what kind of journalist.
-
I tend to think that the key technology for people to understand is not a specific technology,
-
but rather the philosophy of free software. I mean, Richard Stallman, who is one of the most brilliant people to have ever lived,
-
really hit the nail on the head when he talks about free software not as a matter of cost but as a matter of freedom.
-
And I think that when people understand that power dynamic, when they understand the tradeoffs they're really making,
-
they'll change the pieces of software that they use. And hopefully, by the time they make that choice,
-
that software will be usable, so that when you use Jitsi, for example, it does not allow non-OTR conversations.
-
Or when you make a video call, it doesn't allow the user, basically, to make an unencrypted stream
-
without jumping through hoops. By default it is secure. By default is privacy by design.
-
And so, if people are going to learn one specific tool, I feel like we're sort of failing.
-
I think, as Schneier is often quoted as saying, privacy and security is a process, not a product.
-
Maybe he only said that about security, but let's modify it a little bit. Right? Liberty is also a process,
-
it's not a product. So journalists need to learn about the world around them, but that's for every person as well.
-
And so when we want every person to have this, we need to make sure that the devices and the software that we use
-
actually enable that by default. The next question is, "How useful is a SHA-256 sum
-
for checking software binary zip integrity checking?" My feeling is that hash functions are not going to be the weakest point.
-
But if you would like, you can take the approach that Debian takes. When you upload a package, it has MD5, SHA-1, and SHA-256,
-
and then you do a GnuPG signature over that. Now I use, because of the fact that I'm certain there are
-
people that are trying to attack my systems, I use this, which is unfortunately not completely free. But it is a GnuPG smart card.
-
And that GnuPG smart card, I also don't leave it plugged into my system very often, and I usually use it on an offline machine
-
so someone has to break into my house to be able to even begin to mount an attack on the smart card.
-
But that, I think, is really the way to go about it. It's not just about hashing, it's also about ensuring that you compose
-
those hashes into a system that makes some kind of sense. But again, in this case with Debian,
-
when you hash the files and you upload them, the binaries I built on my system are the ones that Debian gives out to users.
-
Is that really what we want? I think that's a bad idea. What if my system has been compromised, right?
-
We don't want that binary going out. And there's some work on changing that. But if we think about it just in terms of hash functions,
-
I think we'll rarely find the hash function is the issue. Obviously there are some things, like MD5, that are just hopelessly broken,
-
so we should be moving towards things that are not hopelessly broken, but it's difficult, because a lot of our standardization agencies,
-
they're not very good at their job, in my opinion. Right? When NIST collaborates with the NSA willingly or unwillingly,
-
wittingly or unwittingly, I think we have a problem. So we should look for diversity in this, and not just choose one thing,
-
but choose a few things that make it significantly harder for someone to attack any single thing.
-
And as far as average users being able to verify software, I think this is a really tough problem.
-
Basically, the real issue is a bootstrapping problem. We need to make sure that operating systems have some notion
-
about actual integrity of packages. And that's a really difficult problem to solve because many people start with a
-
proprietary software platform, like Microsoft Windows or Mac OSX, and those platforms, they do not respect peoples' liberty.
-
And naturally, they don't want to help you to move to a new platform that respects your liberty.
-
So, in a free software world though, we should be able to have packages that do have verifiability in the operating system,
-
as well as in the packages. That is, that are signed, that are hashed properly, that have some notion of the web of trust,
-
or something that replaces it, plus a user interface that makes sense. And that's a really difficult one.
-
Snowden calls it the "Greenwald test". And I think that that's a good test, actually. As someone who actually
-
asked Glenn to use a bash shell on Tails and showed him how to use a bunch of command line tools,
-
allow me to elucidate how important that test is. Jesus Christ, that is a serious test. It's really, really, really hard to get
-
Glenn to use those tools securely. But it shouldn't be. In fact, every time that a user can't figure something out,
-
we should say to ourselves that we have failed. Not seriously, but we should say to ourselves that we have failed,
-
and we should try to succeed where we have failed before.
-
I have another question here: "What are the bare minimum fundamentals we should teach the general public
-
when advocating privacy?" Well, I tend to think that the bare fundamental is that we're not talking about privacy, actually.
-
We're talking about autonomy, we're talking about dignity, and we're talking about our liberty.
-
Privacy is merely one of the manifestations of this. So, for example, when people say that they don't have anything to hide,
-
it's not about hiding things. It's about having a private sphere in which to think about things before you reveal what you have decided.
-
Where you don't have to reveal the process by which you make a decision. But also, where you get to choose.
-
It's not that, for example, I have nothing to hide underneath this great Cyberpeace t-shirt,
-
but it should be me that actually chooses if I should take it off. And so, for example, right now since I understand
-
there are sixty people watching this webstream, I'm going to keep it on. And that is, when we talk about privacy,
-
in a sense when we say that privacy is dead, what we're hearing is our modern generation saying that liberty is dead.
-
And I don't like that. So I refuse to say that privacy is dead when people really mean liberty.
-
And I think it is important that we reject that notion, and we should talk about how we should have a right to autonomy,
-
we should have a right to express solidarity, we should have the ability to be able to, in the case of free software and free hardware,
-
have devices that actually empower us and that we understand how they work. And we should be able to be secure, end-to-end secure.
-
So, I've got a couple other ones. Oh, wow, joeyh! One of my favorite Debian developers of all time, that's incredible.
-
I feel honored that you're asking me a question. "Should Debian work towards integrating Tor more?"
-
Yes. So I'm a new Debian developer, it took me ten years, because I'm slow at becoming a Debian developer.
-
But I'm error@debian.org, and I'm super happy to help anybody to be able to integrate Tor and anonymity software
-
by default into Debian. As an example, I have a transparent Tor network that I use to be able to ensure that I can
-
install Debian on new machines without my Internet service provider being targeted by the NSA or other people.
-
I also run a Tor mirror on the Tor hidden service, as well, and a Debian mirror on the Tor hidden service as well,
-
so that I can install packages on these systems without having to worry about basically being attacked.
-
Even if a Debian developer FTP Master's key is compromised. So that a targeted attack is significantly harder.
-
As you can imagine, that's not very usable for regular people, and as you can also imagine, it probably doesn't work very well.
-
So yeah, we should make it so that a Debian user can say, "help! I'm a target of surveillance, and I'd like to be
-
able to use free software without being tampered with." And that would be great if we could make Debian,
-
if we could make Debian more friendly to that. Because basically we, for a long time, have lived in a world of privilege,
-
where we thought we were exempt from the power dynamics of the world. And I think one of the things we will learn,
-
especially with Debian, is that that isn't the case. And the more international a team is, the more the legal authorities
-
of intelligence agencies suggest that they are fair targets. So, that also extends to the users. So I'd love to make that happen.
-
And, yeah, wow. It's incredible to be able to talk to you guys here. Probably the only group of people that really can make these changes, right?
-
I mean, there are other free software people around the world other than the ones in this room, but it's really critical to understand the role
-
that you guys play. And that all of us play, together.
-
I have a couple of other questions here. Helican asks, "Do you think the time is right for a free hardware FreedomBox
-
with Tor built in, and do you have any news on the FreedomBox front?" Well, I was very depressed about some of the discussions
-
around FreedomBox for a while, where I felt like people were taking anonymity as a sort of, like a luxury good.
-
And they felt like we didn't need Tor, or something like that. Now, obviously, I work on Tor and I'm paid to work on Tor,
-
so I feel like it's a conflict of interest for me to say this, but yeah, I think we of course need to do that.
-
At the same time, the reason that I work on Tor is because I really believe it. I think Tor has probably saved my life a couple of times
-
every month for the last several years, from military dictatorships to other places where I've traveled.
-
So I think it's critical to make that possible. So as an example, this device I held up here, this Novena board,
-
well, as you can tell, the basic idea is to have a device that is free hardware and free software that, you know, gives you
-
exactly what you've just asked for. And that's in fact what I have. That device, when I plug it in, it sets up a wireless network
-
that transparently routes people through Tor, and it also sets up a Tor relay so that it will relay traffic for the rest of the network.
-
And it's entirely powered by free software with no proprietary software at all. I think that that is, yeah,
-
I think that's a good thing to do, and that's what I've been spending my time doing lately. If you want to help with that, it would be great.
-
And if we can get the FreedomBox to adopt the Novena board, I think that that is great. I think we should try to raise
-
a million dollars for Bunnie so that we have a free hardware solution, or open hardware solution, that actually is usable,
-
that's fast, that doesn't support a company that doesn't care about our liberty, but instead supports a developer
-
who really does care about our liberty and about our freedom.
-
The next question from Malapart is, "Is .onion today what SSL was in the mid-90s?"
-
I really hope not for a whole bunch of reasons. So the next question... ah. So someone in the audience wants me to elucidate
-
on the link between anarchism and free software ideology and goals. I think that it's important
-
to not focus too much on that, in particular because I think that sometimes talking about anarchist philosophy alienates people,
-
because they think that anarchism is the same as complete chaos, or synonymous with violence.
-
And so I'd like to sidestep that and say if you apt-get install anarchism, literally, that's the Debian package,
-
you can read about the philosophical texts of anarchism. But the basic idea of anarchism is about mutual aid,
-
it's about solidarity, it's about respect for human rights, it's about the same things that the free software movement are about.
-
But there's a lot of propaganda out there about the notion of democracy, in fact, in the form of anarchy.
-
And that's unfortunate, actually. And I think we can change that. One of the ways that we can change that
-
is to actually have propaganda of the deed. In this case, making free software and free software available
-
to everyone means that people understand the fundamental tenets of anarchist philosophy
-
in their everyday life, and they don't have to learn about the philosophy too much
-
to be enabled by it. And if they want to, they can learn about it. I think that's a very powerful way
-
to make that happen, because it's very easy, for example, to talk about it philosophically,
-
but until you have a tangible thing, it's not really clear. That is, when we didn't have an anonymity network,
-
and people said, "Well, do you really need anonymity?" you would make a different choice than
-
if you have an anonymity network and it will be taken away from you if someone says "do you need anonymity?"
-
and you say no. So when you say yes, and it's there, and it's tangible, it changes it.
-
And the same is true for anarchist philosophy, and the same is true, I think, for free software and free hardware.
-
And especially when these things work together, they actually help us to build autonomous communities,
-
they help us to build secure systems across hostile networks. I think that that's very powerful,
-
and I think that the way to get people to care about that is actually to show them that.
-
People care a lot more about connecting now that it's easy to do. It wouldn't have been a relevant question
-
thirty years ago in the way that it is a relevant question now. So the freedom to connect,
-
the freedom of free hardware and free software, these tie fundamentally into anarchist goals.
-
I'd really encourage people to look up the works of Emma Goldman, for example.
-
I think she's one of the greatest feminists to have ever lived, though most people don't know who she is.
-
And if you looked at the Wikipedia page, for a time there was no mention of her on "Important feminists of the twentieth century",
-
I think is the page I was looking at. I think that is a bit of a shame, but I also think that that's, you know,
-
an easy thing to reconcile with reality if people go and they look it up and they study about it.
-
So hopefully people will install that Debian package and otherwise learn about that if they are interested in it,
-
but really, I think, getting people to have the values that are embodied in that is just as important if not more important.
-
The next question is "What about those countries that are completely blocking projects like Tor?
-
What should we do to help people in those countries?" I tend to think not in terms of charity,
-
or helping people, but rather in terms of solidarity. So, the Tor project, for example,
-
is not having a war with China, right? China often does not respect its citizens' autonomy,
-
and blocks its access to the Tor network. One thing that would be helpful would be to
-
make it so that, by default, a lot of applications use Tor so that the so-called collateral damage,
-
though I'm loathe to use that term, becomes higher and higher, becomes more difficult.
-
And also, such that people start to use what are called pluggable transports, like the obfuscated proxy obfs3.
-
The proxy actually, right now, is not blocked in China. It becomes a sort of cat and mouse game,
-
but it may be the case that as we build more difficult-to-classify protocols, as applications understand
-
that sometimes the Internet does not respect your autonomy and wants to tamper with it,
-
that will be something that will change the dynamic about how that blocking and that arms race works.
-
We have another project, ooni.torproject.org, that's the Open Observatory of Network Interference,
-
or we used to call it Open Open Net. That is a free software tool that we've been working on
-
for several years now, to be able to look at censorship and surveillance. You know,
-
censorship is a second-order effect of surveillance, so this tool, while at the moment not the most usable tool,
-
it actually allows you to diagnose, understand, and share the data. So one thing that can really make a big difference
-
in these topics is to actually share the data. Right? Once we start to study and understand these things,
-
especially the techniques of censorship and surveillance, it allows us to change not only how the networks work,
-
but how societies work around those networks. So, I think studying that can be useful.
-
If you want to be a Google Summer of Code, I know that's kind of ironic, but if you want to be a
-
Google Summer of Code student to work on one of these projects with the Tor project,
-
I think we still have another day to apply for that, though I'm not totally sure about that deadline.
-
If you just want to come hack on free software with us at the Tor project, we have a bunch of projects that are like that.
-
Some other questions. It looks like... Yes, the Novena router does not have AMT, that's right,
-
so it does not have a built-in backdoor, which is, I think, nice. At least not one that we know about.
-
Any other questions here? Ah, I see, there's like twenty. Alright.
-
"Could you please elaborate on the idea or concept that it is required a critical mass of privacy-minded users
-
to create enough obfuscation for making discovery schemes like Tor network node spying to be unlikely?"
-
I don't think we're going to make it unlikely for spying to take place. What we need to do is change
-
the economic balance, and that may allow us to move into a world where mass surveillance of our intentional communications
-
are much too expensive to do for everyone. And this is important, because if you have a phone,
-
and you make a phone call, people think of surveillance and conceptualize surveillance as surveilling your call,
-
but there's all the unintentional data that you leave behind. All the towers you visit, and so on.
-
That stuff is also, unfortunately, a huge target of mass surveillance. So even if everyone's using
-
something like RedPhone, we still have these little spy devices in our pockets.
-
Even if it's free software enabled, the networks themselves are harmful to privacy.
-
That said, we do need a lot of people using this stuff, because the more people that are using it,
-
the more likely it is that it will stick around. If it's just people like Edward Snowden, Julian Assange,
-
Glenn Greenwald, Laura Poitras, or myself using it, yeah, I mean, that's a problem.
-
Not only do we stick out on the network, we have, well, basically it makes it much easier to target,
-
and it also makes it possible for people to try to ban that technology, whether that's by DPI or by legal methods.
-
That is a really serious problem. Okay, I think that we should wrap up here soon, it sounds like.
-
If there are any other questions, I will take them, but otherwise I think I'm going to end the stream.
-
If you'd like to hack on free software with us, and anonymity-related stuff, I'd be happy to talk with you.
-
I will never use this Jabber address again, so that your social graph is not tainted by mine.
-
If anybody wants to send me an email, you can send a mail to jacob@torproject.org,
-
or if you'd like to, for example, chat with me on IRC, I'm ioerror in #libreplanet for now.
-
Thank you so much for the honor and privilege of speaking with you, I'm really sorry that I cannot
-
set foot in my own country right now, to be able to speak with you in person. But thanks to
-
free software, I am able to speak with you. So, thank you so much for making that possible,
-
especially to all of the free software developers in the room that actually made that possible.
-
Thank you, very much for your time, and I hope to meet some of you again, someday, in real life.
-
And remember: if not, it was murder.