mikegerwitz
/
sapsf
1
0
Fork 0
Code Releases Activity

slides.org (Policy and Government): Nearly complete draft slides 

Daunting.

Hopefully I don't get rid of too much of this; it's a lot of history to be
talking about.
master
Mike Gerwitz 2017-03-10 02:07:56 -05:00
parent 5a1e0b7b78
commit 8dfc7cb030
1 changed files with 199 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

231
slides.org
View File

@ -16,6 +16,8 @@
#+BEGIN: columnview :hlines 3 :id global
| ITEM | DURATION | TODO | ENVIRONMENT |
|-----------------------------------------------+----------+---------+---------------|
| * LaTeX Configuration | | | |
|-----------------------------------------------+----------+---------+---------------|
| * Slides | 0:44 | LACKING | |
|-----------------------------------------------+----------+---------+---------------|
| ** Introduction / Opening | 00:00:30 | DRAFT | fullframe |
@ -66,7 +68,7 @@
| **** ALPRs | 00:01 | LACKING | |
| **** Car Itself | 00:00:30 | LACKING | |
|-----------------------------------------------+----------+---------+---------------|
| ** The Web [0/6] | 0:12 | LACKING | |
| ** The Web [0/6] | 0:10 | LACKING | |
|-----------------------------------------------+----------+---------+---------------|
| *** Introduction [0/1] | | DRAFT | ignoreheading |
| **** Introduction | | DRAFT | fullframe |
@ -81,18 +83,18 @@
| **** Trackers | 00:01 | LACKING | |
| **** Like Buttons | 00:01 | DRAFT | |
|-----------------------------------------------+----------+---------+---------------|
| *** Fingerprinting [0/3] | 0:04 | LACKING | |
| *** Fingerprinting [0/3] | 0:03 | LACKING | |
| **** Summary | | DRAFT | |
| **** Alarmingly Effective | 00:03 | DEVOID | fullframe |
| **** Browser Addons | 00:01 | DEVOID | |
| **** Alarmingly Effective | 00:03 | LACKING | fullframe |
| **** User Agent | | DRAFT | |
|-----------------------------------------------+----------+---------+---------------|
| *** Anonymity [0/4] | 0:04 | LACKING | |
| **** Summary | 00:01 | LACKING | fullframe |
| ***** TODO Anonymity | | | |
| ***** TODO Pseudonymity | | | |
| *** Anonymity [0/4] | 0:04 | DRAFT | |
| **** Summary | 00:01 | DRAFT | fullframe |
| ***** Anonymity | | | |
| ***** Pseudonymity | | | |
| **** IANAAE | | DRAFT | fullframe |
| **** The Tor Network | 00:01 | DEVOID | |
| **** TorBrowser, Tails, and Whonix | 00:02 | DEVOID | |
| **** The Tor Network | 00:01 | DRAFT | |
| **** TorBrowser, Tails, and Whonix | 00:02 | DRAFT | |
|-----------------------------------------------+----------+---------+---------------|
| ** Data Analytics [0/2] | 0:04 | LACKING | |
|-----------------------------------------------+----------+---------+---------------|
@ -109,16 +111,23 @@
| *** Introduction [0/1] | 0:00 | DRAFT | ignoreheading |
| **** Introduction | 00:00:30 | DRAFT | fullframe |
|-----------------------------------------------+----------+---------+---------------|
| *** Surveillance [0/4] | 0:06 | LACKING | |
| **** History of NSA Surveillance | 00:02 | DEVOID | |
| **** Verizon Metadata | 00:00:30 | DEVOID | |
| **** Snowden | 00:01 | DEVOID | |
| *** Surveillance [0/7] | 0:06 | LACKING | |
| **** History of NSA Surveillance | 00:02 | DRAFT | |
| **** Ron Wyden | | DRAFT | fullframe |
| **** The Leak | | DRAFT | fullframe |
| **** Verizon Metadata | 00:00:30 | DRAFT | |
| **** PRISM | | DRAFT | |
| **** Snowden | 00:01 | DRAFT | |
| **** Tools | 00:02 | DEVOID | |
|-----------------------------------------------+----------+---------+---------------|
| *** Crypto Wars [0/3] | 0:03 | LACKING | |
| *** Crypto Wars [0/6] | 0:04 | LACKING | |
| **** Introduction | 00:00 | DRAFT | fullframe |
| **** Bernstein v. United States | 00:01 | DEVOID | |
| **** Makes Us Less Safe | 00:02 | DEVOID | |
| **** Export-Grade Crypto | 00:01:30 | DRAFT | |
| **** Bernstein v. United States | 00:01 | DRAFT | |
| **** The First Crypto Wars | 00:01 | DRAFT | |
| **** Re-repeats Itself | 00:00 | DRAFT | fullframe |
| **** Modern Crypto Wars | | DRAFT | fullframe |
| **** ``Going Dark'' | | DEVOID | |
|-----------------------------------------------+----------+---------+---------------|
| *** Espionage [0/1] | 0:01 | LACKING | |
| **** US Can't Keep Its Own Secrets | 00:01 | DEVOID | |
@ -141,6 +150,8 @@
|-----------------------------------------------+----------+---------+---------------|
| ** Thank You | | | fullframe |
|-----------------------------------------------+----------+---------+---------------|
| ** References | | | appendix |
|-----------------------------------------------+----------+---------+---------------|
| * Exporting | | | |
|-----------------------------------------------+----------+---------+---------------|
| * Local Variables | | | |
@ -1270,7 +1281,7 @@ TODO
#+END_COMMENT
*** LACKING Crypto Wars [0/3]
*** LACKING Crypto Wars [0/6]
**** DRAFT Introduction :B_fullframe:
:PROPERTIES:
:DURATION: 00:00
@ -1278,7 +1289,7 @@ TODO
:END:
#+BEGIN_CENTER
History repeats itself
\Huge History repeats itself
#+END_CENTER
#+BEGIN_COMMENT
@ -1290,34 +1301,189 @@ The Crypto wars.
#+END_COMMENT
**** DEVOID Bernstein v. United States
**** DRAFT Export-Grade Crypto
:PROPERTIES:
:DURATION: 00:01:30
:END:
- <1-> Cryptography classified as munitions (Arms Export Control Act; ITAR)
- <1-> ``Export-grade'' cryptography
- <2-> Lotus Notes
- <2-> 40-bit export-grade symmetric key
- <3-> Agreement with NSA: 64-bit export, but 24 of those bits a "workload
reduction factor" for the NSA
- <4-> Phil Zimmerman: PGP (\geq 128 bits)
- <4-> Formal investigation by US government in 1993
- <4-> Published source code in a book, which could be OCR'd
- <5-> Still suffer long-term effects today
(downgrade attacks, e.g. POODLE)\cite{poodle:paper}
#+BEGIN_COMMENT
Back in the 1990s,
cryptography was classified as munitions.
If you wanted to export it to other countries,
you essentially had to make it crackable by the NSA.
Lotus Notes is often used as an example of the negative effects of such
regulation.
Interestingly, it was actually the first widely used software to use
public-key cryptography.
Due to export restrictions,
the maximum symmetric key size they could support was 40 bits.
This was easily crackable by the NSA,
but also feasible for other adversaries.
They compromised with the NSA:
64-bit keys, but 24 of those bits would be encrypted specially for the NSA
as a "workload reduction factor".
So you had protection against most adversaries,
but not the US government.
Then we have Phil Zimmerman, author of PGP.
He didn't consult the NSA.
Instead, he published the source code for PGP in a book with MIT Press,
and widely distributed it.
If someone wanted to use PGP,
they could unbind the book, OCR the pages, and compile it with GCC.
The US government opened a formal investigation into the case in 1993;
the charges were dropped years later.
We are still observing the fallout from export-grade crypto today.
They are called "downgrade attacks",
where a program such as a browser is tricked into using a weaker
cipher or keysize,
allowing an attacker to MitM the connection.
POODLE is an example of this.
#+END_COMMENT
**** DRAFT Bernstein v. United States
:PROPERTIES:
:DURATION: 00:01
:END:
- <1-> 1995: Bernstein v. US Department of Justice\cite{eff:bernstein:doj}
- <1-> Argued that restrictions violated First Amendment
- <2-> **Code Is Speech**
- <1-> 1996: Bill Clinton Executive Order 13026 transferred to Commerce
Control List\cite{fedr:export-controls}
- <1-> Department of Commerce relaxed rules in 2000\cite{doc:rev-export-reg}
#+BEGIN_COMMENT
In order to publish information on encryption algorithms and the like,
you had to get permission from the government.
In 1995, Daniel Bernstein---then a graduate student---wanted to publish the
source code and mathematical papers for his encryption algorithm
/Snuffle/.
Like Zimmerman,
Bernstein thought export restrictions to be a violation of his First
Amendment rights.
But instead of blatant defiance,
he decided to sue the US government.
He was represented by the EFF.
The Ninth Circuit Court of Appeals ruled in his favor.
The following year, President Bill Clinton signed an executive order that
removed encryption from the munitions list,
and in 2000 the Department of Commerce relaxed export restrictions.
You might have heard the term "code is speech".
Bernstein v. United States case had wide-reaching consequences,
not just for cryptography.
Source code is protected under the First Amendment.
(See also Junger v. Daley.)
#+END_COMMENT
**** DRAFT The First Crypto Wars
:PROPERTIES:
:DURATION: 00:01
:END:
TODO
- <1-> These incidents part of the first Crypto Wars\cite{w:crypto-wars}
- <2-> DES Originally 64-bit key; NSA wanted 48 bits; compromised at 56.
- <2-> Two version of the browser: 128-bit "U.S. edition" and effective
40-bit "international".
- <3-> **Clipper Chip** was a hardware backdoor that employed a key escrow
system
- <3-> Complete failure
- <3-> Terribly insecure (property of key escrow in general)
- <3-> Opposite effect: spurred development of Nautilus and PGPfone
#+BEGIN_COMMENT
...
(Include export-grade crypto)
(Code is speech)
These incidents are classified into a period of time informally described as
the "Crypo Wars".
There's a couple other good examples that I don't have time to get into:
The DES encryption algorithm, for example, was originally 64-bit;
the NSA wanted 48-bit, but compromised with 56.
Netscape had /two versions of their browser/: one with 128-bit SSL and the
other with 88 of those bits exposed to meet export regulations.
This sounds insane today---because it is.
But there's even more insanity.
The Clipper Chip!
It was the US government's attempt to backdoor communications with hardware.
It used a key escrow system,
and the algorithm they devised---called Skipjack---was classified,
and so could not be reviewed by crypto experts at the time.
Backlash was large.
It failed miserably.
Later cryptanalysis yielded scathing flaws,
as is generally the case with key escrow cryptosystems.
It even had the opposite effect:
it spurred the development of encrypted communication programs like
Nautilus and PGPfone (the latter being proprietary).
So,
why did I go into so much history in a talk meant to deal with today's
privacy and security threats?
#+END_COMMENT
**** DEVOID Makes Us Less Safe
**** DRAFT Re-repeats Itself :B_fullframe:
:PROPERTIES:
:DURATION: 00:02
:DURATION: 00:00
:BEAMER_env: fullframe
:END:
TODO
#+BEGIN_CENTER
\Huge History repeats itself
#+END_CENTER
#+BEGIN_COMMENT
Because history repeats itself.
Today's attempted legal/policy assault on privacy and security are enormous.
We've already covered some.
I don't have time to cover more than a small fraction of them.
#+END_COMMENT
**** DRAFT Modern Crypto Wars :B_fullframe:
:PROPERTIES:
:BEAMER_env: fullframe
:END:
#+BEGIN_CENTER
\Huge ``Going Dark''
#+END_CENTER
#+BEGIN_COMMENT
But the big phrase you hear today is "going dark".
Government agencies are fearful of broadening use of encryption
because they can't read many of those communications.
#+END_COMMENT
**** DEVOID ``Going Dark''
#+BEGIN_COMMENT
Apple v. FBI
- Backdoors
- Clipper chip
- LOGJAM, etc from export-grade crypto
- VEP
VEP
#+END_COMMENT
@ -1332,6 +1498,7 @@ TODO
#+BEGIN_COMMENT
- Office of Personnel Management
- DNC
- VEP
#+END_COMMENT