Privacy is an Illusion and you’re all losers! - Cryptocow - Infosecurity 2013
Transcript
- 1. privacy is an illusion and you’re all losers, or how 1984 was a manual for our panopticon society! By Cain Ransbottyn - @ransbottyn
- 2. End of privacy • The 9/11 attacks invigorated the concept of terrorist threats • Post-9/11 there was a strong and understandable argument to prioritise security
- 3. End of civil liberties • New word: “asymmetrical threats” • Actually means: “please give up your civil liberties”; in 2001, 55% of US citizens were in favour; in 2011 only 40% (and declining) • The Patriot Act changed the world for good
- 4. So, terrorism huh ? • systematic use of violent terror as a means of coercion • violent acts which are intended to create fear (terror) • perpetrated for a religious, political, or ideological goal • deliberately target or disregard the safety of noncombatants (civilians)
- 5. Global terrorist threat map Data of 2010. Seems legit.
- 6. Year-on-year doubling of the surveillance budget since the Patriot Act. Except for 2013, when there was a dark budget of US$52.6B
- 7. Fear. Uncertainty. Doubt. • Instilling fear is a premise for coercion. But for whom? • Mass media works as a catalyst to bring fear into the homes of citizens. • We are all very shitty at threat and risk assessments. Pigs or sharks? 23,589 / 40. Or terrorist attacks? 13,200 (* 2010 facts and figures worldwide)
- 8. Are we really capable of understanding the real threat level ? Please demonstrate you can spot a rhetorical question when you see one
- 9. The convenience of circular logic • Gov’t: We’re using surveillance so we can prevent terrorist attacks You: I don’t see any terrorist threat or attack Gov’t: Awesome stuff, hey ? • Him: I’m using this repellent to scare away elephants. You: But I don’t see any elephants. Him: Awesome stuff, hey ?
- 10. quis custodiet ipsos custodes ?
- 11. Total Information Awareness • The 2002 - 2003 program that began a data mining project, following the warrantless surveillance decision in 2002
- 12. PRISM, XKeyScore, Tempora! Thank you Microsoft, Facebook, Yahoo!, Google, Paltalk, YouTube, AOL, Apple, Skype • Snowden leaks: the post-2007 surveillance industry is much worse than anyone could have imagined
- 13. The rise of private intelligence agencies • The welcome gift of “social networks” • The thankful adoption rate of smart phones • The cloud as the ultimate data gathering extension to governments • The phone operators remain a loyal friend • The overt investment strategy of In-Q-Tel
- 14. The In-Q-Tel investment firm • Founded in 1999 as a not-for-profit venture capital firm • So… if you are not looking to make a profit, what are you looking for then? • Investments in data mining, call recording, surveillance, crypto, biotech, … • E.g. the 2007 AT&T - Narus STA 6400 backdoor = product of an In-Q-Tel-funded company • Many (many) participations worldwide (also in Belgium)
- 15. Social networks as a private intelligence agency • Perfect front offices • Facebook as the first global private intelligence agency • Otherwise hard-to-obtain intel is shared voluntarily by everyone (e.g. hobbies, etc.) • US$12.7M investment by James Breyer (Accel), former colleague of Gilman Louie (CEO of In-Q-Tel)
- 16. Smart-phones as the ultimate tracking device • A device you carry with you 24/7. With a GPS on board. • Android has remote install/uninstall hooks in its OS (so has iOS) • OTA vulnerabilities allow remote installs of byte patches (e.g. the BlackBerry incident in the UAE) • Apple incident (“the bug that stored your whereabouts”) • Any idea how many address books are stored on iCloud? :p
- 17. Smart-phones as the ultimate tracking device Wi-Fi based positioning has become very accurate and quickly deployed mainstream
- 18. Cloud providers as the perfect honeypot • There is no company that is so invasive as Google • Records voice calls (Voice), analyses e-mail (GMail), knows who you talk to and where you are (Android), has all your documents (Drive) and soon will see through your eyes (Glass) • Robert David Steele (CIA) disclosed Google takes money from US Intel. community. • In-Q-Tel and Google invest in mutual companies (mutual interest)
- 19. Cloud providers as the perfect honeypot • Not only Google. The latest OS X Mavericks actually asked me to… store my Keychain in the cloud *sigh* • While Apple claims iMessage cannot be intercepted, we know it is possible because Apple is the MITM and neither end-to-end crypto nor certificate pinning is used.
- 20. The loyal friend, the phone operator • Needs to be CALEA and ETSI compliant. Yeah right :-) • Operators are both targets of surveillance stakeholders (e.g. Belgacom/BICS hack by GCHQ) and providers of surveillance tactics (taps, OTA installs, silent SMS, etc.) • Does KPN really trust NICE (Israel) and does Belgacom really trust Huawei (China) ? • Truth of the matter is: you cannot trust your operator…
- 21. Privacy is for losers If you think you have privacy, you really are a loser
- 22. #dta If a government needs to understand its enemy, and we are the ones being surveilled, then who exactly is the enemy?
- 23. Conspiracy theory?! Whistleblowers have shown that reality is far worse
- 24. So now what ?
- 25. Change your attitude. Wake the f*ck up…
- 26. Reclaim ownership of your data. Demand transparency of every service you use.
- 27. Encryption is your friend
- 28. Encryption today is built for security professionals and engineers. Not for your mom or dad.
- 29. Security and crypto engineers don’t understand UI and UX
- 30. Android and iOS planned. Microsoft Mobile perhaps.
- 31. Requirements • Must provide strong crypto • Must be open source (GitHub) • Must be beautiful and easy to use; we actually don’t want the user to be confronted with complex crypto issues • Provide deniability • Provide alerting mechanisms that alert the user when something is wrong • Even when your device is confiscated, it should be able to withstand forensic investigation
- 32. How it’s built • Using Tor as the transport layer for P2P routing and to provide anonymity (no exit nodes used). • Obfuscated as HTTPS traffic to prevent gov’t filtering. • Using OTR v3.1 to ensure perfect forward secrecy and end-to-end crypto. • Capable of detecting A5/GSM tactical surveillance attacks. • Extremely effective anti-forensic mechanisms and triggers
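The forward-secrecy property that slide 32 attributes to OTR, and the confiscated-device requirement from slide 31, as an added, self-contained illustration (not Cryptocow code, not the OTR reference implementation). Each party encrypts with a Diffie-Hellman key derived from its current ephemeral private key and the peer's latest public key, ships its next public key inside the message, and wipes the private key that protected the message before it even leaves. Assumptions: RFC 3526 group 14 as the DH group (OTR's group), an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC standing in for OTR's AES-CTR, and no identity-key signatures (OTR authenticates the first ephemeral keys with a long-term key; that step is omitted). `run_demo()` records an exchange, then hands an investigator Alice's current private key and the full wire log; `static_key_leak()` shows the same cipher without rotation for contrast.

```python
"""Forward secrecy, OTR-style: a fresh DH key per message, the old key wiped.

Constructed demonstration. Assumed: RFC 3526 group 14, HMAC-SHA256 in counter
mode as a toy cipher, no long-term-key authentication of the ephemeral keys.
"""
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit MODP prime, generator 2 (transcribed from the RFC).
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2


def dh_keypair():
    x = 1 + secrets.randbelow(2 ** 320)      # 320-bit exponent, as OTR uses in this group
    return x, pow(G, x, P)


def derive_keys(shared):
    """Split the DH result into an encryption key and a MAC key."""
    secret = shared.to_bytes(256, "big")
    enc = hmac.new(secret, b"demo enc", hashlib.sha256).digest()
    mac = hmac.new(secret, b"demo mac", hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(enc_key, mac_key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(enc_key, mac_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None                          # wrong key or tampered message: no plaintext
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


class Party:
    """One chat endpoint: holds only its current ephemeral key and the peer's latest."""

    def __init__(self):
        self.priv, self.pub = dh_keypair()
        self.peer_pub = None

    def send(self, plaintext):
        shared = pow(self.peer_pub, self.priv, P)
        blob = seal(*derive_keys(shared), plaintext)
        # Ratchet: the private key that protected this message is replaced (wiped)
        # before the message leaves; the next public key rides along with it.
        self.priv, self.pub = dh_keypair()
        return self.pub, blob

    def receive(self, message):
        next_peer_pub, blob = message
        shared = pow(self.peer_pub, self.priv, P)   # sender paired its old priv with our pub
        plaintext = unseal(*derive_keys(shared), blob)
        self.peer_pub = next_peer_pub                # adopt the sender's next key
        return plaintext


def run_demo():
    """Two messages, then Alice's device is seized: current key + full wire log."""
    alice, bob = Party(), Party()
    alice.peer_pub, bob.peer_pub = bob.pub, alice.pub   # initial key exchange, observed by the tap
    bob_initial_pub = bob.pub
    wire = []                                            # what an operator tap records

    m1 = alice.send(b"meet at the usual place")
    wire.append(m1)
    bob_got = bob.receive(m1)
    m2 = bob.send(b"ok, 21:00")
    wire.append(m2)
    alice_got = alice.receive(m2)

    # Forensic attempt on message 1 with the only private key left on the device.
    seized_priv = alice.priv
    forensic = unseal(*derive_keys(pow(bob_initial_pub, seized_priv, P)), wire[0][1])
    return {"bob_got": bob_got, "alice_got": alice_got, "forensic": forensic}


def static_key_leak():
    """Contrast: same cipher, DH key never rotated. The seized key opens the past."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    blob = seal(*derive_keys(pow(b_pub, a_priv, P)), b"meet at the usual place")
    return unseal(*derive_keys(pow(b_pub, a_priv, P)), blob)   # a_priv still on the device


if __name__ == "__main__":
    print(run_demo())
    print(static_key_leak())
```

The point the slide makes with "perfect forward secrecy" is exactly the `forensic` result: with the per-message key gone, the seized device and a complete wire capture together yield nothing for earlier messages, whereas the static-key variant gives the investigator every past message from one key. Two things the toy omits that a real client needs: authenticating the first ephemeral keys (otherwise the "MITM operator" from slide 20 simply substitutes its own), and actually zeroing memory and storage rather than relying on a Python reassignment.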
- 33. How it’s used
- 34. Who’s using it • Journalists • Freedom Fighters • Whistleblowers • Lawyers and security professionals • …
- 35. Why use it? • To protect your human right to privacy • To protect your human right to freedom of speech • Because your communication needs to remain confidential • Because excessive surveillance is a threat to modern democracy
- 36. Privacy might be for losers, but that doesn’t mean it’s OK to give up your human rights…