slides.org (Policy and Government): Nearly complete draft slides
Daunting. Hopefully I don't get rid of too much of this; it's a lot of history to be talking about.master
parent
5a1e0b7b78
commit
8dfc7cb030
231
slides.org
231
slides.org
|
@ -16,6 +16,8 @@
|
|||
#+BEGIN: columnview :hlines 3 :id global
|
||||
| ITEM | DURATION | TODO | ENVIRONMENT |
|
||||
|-----------------------------------------------+----------+---------+---------------|
|
||||
| * LaTeX Configuration | | | |
|
||||
|-----------------------------------------------+----------+---------+---------------|
|
||||
| * Slides | 0:44 | LACKING | |
|
||||
|-----------------------------------------------+----------+---------+---------------|
|
||||
| ** Introduction / Opening | 00:00:30 | DRAFT | fullframe |
|
||||
|
@ -66,7 +68,7 @@
|
|||
| **** ALPRs | 00:01 | LACKING | |
|
||||
| **** Car Itself | 00:00:30 | LACKING | |
|
||||
|-----------------------------------------------+----------+---------+---------------|
|
||||
| ** The Web [0/6] | 0:12 | LACKING | |
|
||||
| ** The Web [0/6] | 0:10 | LACKING | |
|
||||
|-----------------------------------------------+----------+---------+---------------|
|
||||
| *** Introduction [0/1] | | DRAFT | ignoreheading |
|
||||
| **** Introduction | | DRAFT | fullframe |
|
||||
|
@ -81,18 +83,18 @@
|
|||
| **** Trackers | 00:01 | LACKING | |
|
||||
| **** Like Buttons | 00:01 | DRAFT | |
|
||||
|-----------------------------------------------+----------+---------+---------------|
|
||||
| *** Fingerprinting [0/3] | 0:04 | LACKING | |
|
||||
| *** Fingerprinting [0/3] | 0:03 | LACKING | |
|
||||
| **** Summary | | DRAFT | |
|
||||
| **** Alarmingly Effective | 00:03 | DEVOID | fullframe |
|
||||
| **** Browser Addons | 00:01 | DEVOID | |
|
||||
| **** Alarmingly Effective | 00:03 | LACKING | fullframe |
|
||||
| **** User Agent | | DRAFT | |
|
||||
|-----------------------------------------------+----------+---------+---------------|
|
||||
| *** Anonymity [0/4] | 0:04 | LACKING | |
|
||||
| **** Summary | 00:01 | LACKING | fullframe |
|
||||
| ***** TODO Anonymity | | | |
|
||||
| ***** TODO Pseudonymity | | | |
|
||||
| *** Anonymity [0/4] | 0:04 | DRAFT | |
|
||||
| **** Summary | 00:01 | DRAFT | fullframe |
|
||||
| ***** Anonymity | | | |
|
||||
| ***** Pseudonymity | | | |
|
||||
| **** IANAAE | | DRAFT | fullframe |
|
||||
| **** The Tor Network | 00:01 | DEVOID | |
|
||||
| **** TorBrowser, Tails, and Whonix | 00:02 | DEVOID | |
|
||||
| **** The Tor Network | 00:01 | DRAFT | |
|
||||
| **** TorBrowser, Tails, and Whonix | 00:02 | DRAFT | |
|
||||
|-----------------------------------------------+----------+---------+---------------|
|
||||
| ** Data Analytics [0/2] | 0:04 | LACKING | |
|
||||
|-----------------------------------------------+----------+---------+---------------|
|
||||
|
@ -109,16 +111,23 @@
|
|||
| *** Introduction [0/1] | 0:00 | DRAFT | ignoreheading |
|
||||
| **** Introduction | 00:00:30 | DRAFT | fullframe |
|
||||
|-----------------------------------------------+----------+---------+---------------|
|
||||
| *** Surveillance [0/4] | 0:06 | LACKING | |
|
||||
| **** History of NSA Surveillance | 00:02 | DEVOID | |
|
||||
| **** Verizon Metadata | 00:00:30 | DEVOID | |
|
||||
| **** Snowden | 00:01 | DEVOID | |
|
||||
| *** Surveillance [0/7] | 0:06 | LACKING | |
|
||||
| **** History of NSA Surveillance | 00:02 | DRAFT | |
|
||||
| **** Ron Wyden | | DRAFT | fullframe |
|
||||
| **** The Leak | | DRAFT | fullframe |
|
||||
| **** Verizon Metadata | 00:00:30 | DRAFT | |
|
||||
| **** PRISM | | DRAFT | |
|
||||
| **** Snowden | 00:01 | DRAFT | |
|
||||
| **** Tools | 00:02 | DEVOID | |
|
||||
|-----------------------------------------------+----------+---------+---------------|
|
||||
| *** Crypto Wars [0/3] | 0:03 | LACKING | |
|
||||
| *** Crypto Wars [0/6] | 0:04 | LACKING | |
|
||||
| **** Introduction | 00:00 | DRAFT | fullframe |
|
||||
| **** Bernstein v. United States | 00:01 | DEVOID | |
|
||||
| **** Makes Us Less Safe | 00:02 | DEVOID | |
|
||||
| **** Export-Grade Crypto | 00:01:30 | DRAFT | |
|
||||
| **** Bernstein v. United States | 00:01 | DRAFT | |
|
||||
| **** The First Crypto Wars | 00:01 | DRAFT | |
|
||||
| **** Re-repeats Itself | 00:00 | DRAFT | fullframe |
|
||||
| **** Modern Crypto Wars | | DRAFT | fullframe |
|
||||
| **** ``Going Dark'' | | DEVOID | |
|
||||
|-----------------------------------------------+----------+---------+---------------|
|
||||
| *** Espionage [0/1] | 0:01 | LACKING | |
|
||||
| **** US Can't Keep Its Own Secrets | 00:01 | DEVOID | |
|
||||
|
@ -141,6 +150,8 @@
|
|||
|-----------------------------------------------+----------+---------+---------------|
|
||||
| ** Thank You | | | fullframe |
|
||||
|-----------------------------------------------+----------+---------+---------------|
|
||||
| ** References | | | appendix |
|
||||
|-----------------------------------------------+----------+---------+---------------|
|
||||
| * Exporting | | | |
|
||||
|-----------------------------------------------+----------+---------+---------------|
|
||||
| * Local Variables | | | |
|
||||
|
@ -1270,7 +1281,7 @@ TODO
|
|||
#+END_COMMENT
|
||||
|
||||
|
||||
*** LACKING Crypto Wars [0/3]
|
||||
*** LACKING Crypto Wars [0/6]
|
||||
**** DRAFT Introduction :B_fullframe:
|
||||
:PROPERTIES:
|
||||
:DURATION: 00:00
|
||||
|
@ -1278,7 +1289,7 @@ TODO
|
|||
:END:
|
||||
|
||||
#+BEGIN_CENTER
|
||||
History repeats itself
|
||||
\Huge History repeats itself
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_COMMENT
|
||||
|
@ -1290,34 +1301,189 @@ The Crypto wars.
|
|||
#+END_COMMENT
|
||||
|
||||
|
||||
**** DEVOID Bernstein v. United States
|
||||
**** DRAFT Export-Grade Crypto
|
||||
:PROPERTIES:
|
||||
:DURATION: 00:01:30
|
||||
:END:
|
||||
|
||||
- <1-> Cryptography classified as munitions (Arms Export Control Act; ITAR)
|
||||
- <1-> ``Export-grade'' cryptography
|
||||
- <2-> Lotus Notes
|
||||
- <2-> 40-bit export-grade symmetric key
|
||||
- <3-> Agreement with NSA: 64-bit export, but 24 of those bits a "workload
|
||||
reduction factor" for the NSA
|
||||
- <4-> Phil Zimmerman: PGP (\geq 128 bits)
|
||||
- <4-> Formal investigation by US government in 1993
|
||||
- <4-> Published source code in a book, which could be OCR'd
|
||||
- <5-> Still suffer long-term effects today
|
||||
(downgrade attacks, e.g. POODLE)\cite{poodle:paper}
|
||||
|
||||
#+BEGIN_COMMENT
|
||||
Back in the 1990s,
|
||||
cryptography was classified as munitions.
|
||||
|
||||
If you wanted to export it to other countries,
|
||||
you essentially had to make it crackable by the NSA.
|
||||
|
||||
Lotus Notes is often used as an example of the negative effects of such
|
||||
regulation.
|
||||
Interestingly, it was actually the first widely used software to use
|
||||
public-key cryptography.
|
||||
Due to export restrictions,
|
||||
the maximum symmetric key size they could support was 40 bits.
|
||||
This was easily crackable by the NSA,
|
||||
but also feasible for other adversaries.
|
||||
They compromised with the NSA:
|
||||
64-bit keys, but 24 of those bits would be encrypted specially for the NSA
|
||||
as a "workload reduction factor".
|
||||
So you had protection against most adversaries,
|
||||
but not the US government.
|
||||
|
||||
Then we have Phil Zimmerman, author of PGP.
|
||||
He didn't consult the NSA.
|
||||
Instead, he published the source code for PGP in a book with MIT Press,
|
||||
and widely distributed it.
|
||||
If someone wanted to use PGP,
|
||||
they could unbind the book, OCR the pages, and compile it with GCC.
|
||||
The US government opened a formal investigation into the case in 1993;
|
||||
the charges were dropped years later.
|
||||
|
||||
We are still observing the fallout from export-grade crypto today.
|
||||
They are called "downgrade attacks",
|
||||
where a program such as a browser is tricked into using a weaker
|
||||
cipher or keysize,
|
||||
allowing an attacker to MitM the connection.
|
||||
POODLE is an example of this.
|
||||
#+END_COMMENT
|
||||
|
||||
|
||||
**** DRAFT Bernstein v. United States
|
||||
:PROPERTIES:
|
||||
:DURATION: 00:01
|
||||
:END:
|
||||
- <1-> 1995: Bernstein v. US Department of Justice\cite{eff:bernstein:doj}
|
||||
- <1-> Argued that restrictions violated First Amendment
|
||||
- <2-> **Code Is Speech**
|
||||
- <1-> 1996: Bill Clinton Executive Order 13026 transferred to Commerce
|
||||
Control List\cite{fedr:export-controls}
|
||||
- <1-> Department of Commerce relaxed rules in 2000\cite{doc:rev-export-reg}
|
||||
|
||||
#+BEGIN_COMMENT
|
||||
In order to publish information on encryption algorithms and the like,
|
||||
you had to get permission from the government.
|
||||
|
||||
In 1995, Daniel Bernstein---then a graduate student---wanted to publish the
|
||||
source code and mathematical papers for his encryption algorithm
|
||||
/Snuffle/.
|
||||
Like Zimmerman,
|
||||
Bernstein thought export restrictions to be a violation of his First
|
||||
Amendment rights.
|
||||
But instead of blatant defiance,
|
||||
he decided to sue the US government.
|
||||
He was represented by the EFF.
|
||||
The Ninth Circuit Court of Appeals ruled in his favor.
|
||||
|
||||
The following year, President Bill Clinton signed an executive order that
|
||||
removed encryption from the munitions list,
|
||||
and in 2000 the Department of Commerce relaxed export restrictions.
|
||||
|
||||
You might have heard the term "code is speech".
|
||||
Bernstein v. United States case had wide-reaching consequences,
|
||||
not just for cryptography.
|
||||
Source code is protected under the First Amendment.
|
||||
|
||||
(See also Junger v. Daley.)
|
||||
#+END_COMMENT
|
||||
|
||||
|
||||
**** DRAFT The First Crypto Wars
|
||||
:PROPERTIES:
|
||||
:DURATION: 00:01
|
||||
:END:
|
||||
|
||||
TODO
|
||||
- <1-> These incidents part of the first Crypto Wars\cite{w:crypto-wars}
|
||||
- <2-> DES Originally 64-bit key; NSA wanted 48 bits; compromised at 56.
|
||||
- <2-> Two version of the browser: 128-bit "U.S. edition" and effective
|
||||
40-bit "international".
|
||||
- <3-> **Clipper Chip** was a hardware backdoor that employed a key escrow
|
||||
system
|
||||
- <3-> Complete failure
|
||||
- <3-> Terribly insecure (property of key escrow in general)
|
||||
- <3-> Opposite effect: spurred development of Nautilus and PGPfone
|
||||
|
||||
#+BEGIN_COMMENT
|
||||
...
|
||||
(Include export-grade crypto)
|
||||
(Code is speech)
|
||||
These incidents are classified into a period of time informally described as
|
||||
the "Crypo Wars".
|
||||
|
||||
There's a couple other good examples that I don't have time to get into:
|
||||
The DES encryption algorithm, for example, was originally 64-bit;
|
||||
the NSA wanted 48-bit, but compromised with 56.
|
||||
Netscape had /two versions of their browser/: one with 128-bit SSL and the
|
||||
other with 88 of those bits exposed to meet export regulations.
|
||||
This sounds insane today---because it is.
|
||||
|
||||
But there's even more insanity.
|
||||
|
||||
The Clipper Chip!
|
||||
It was the US government's attempt to backdoor communications with hardware.
|
||||
It used a key escrow system,
|
||||
and the algorithm they devised---called Skipjack---was classified,
|
||||
and so could not be reviewed by crypto experts at the time.
|
||||
Backlash was large.
|
||||
It failed miserably.
|
||||
Later cryptanalysis yielded scathing flaws,
|
||||
as is generally the case with key escrow cryptosystems.
|
||||
It even had the opposite effect:
|
||||
it spurred the development of encrypted communication programs like
|
||||
Nautilus and PGPfone (the latter being proprietary).
|
||||
|
||||
So,
|
||||
why did I go into so much history in a talk meant to deal with today's
|
||||
privacy and security threats?
|
||||
#+END_COMMENT
|
||||
|
||||
|
||||
**** DEVOID Makes Us Less Safe
|
||||
**** DRAFT Re-repeats Itself :B_fullframe:
|
||||
:PROPERTIES:
|
||||
:DURATION: 00:02
|
||||
:DURATION: 00:00
|
||||
:BEAMER_env: fullframe
|
||||
:END:
|
||||
|
||||
TODO
|
||||
#+BEGIN_CENTER
|
||||
\Huge History repeats itself
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_COMMENT
|
||||
Because history repeats itself.
|
||||
|
||||
Today's attempted legal/policy assault on privacy and security are enormous.
|
||||
We've already covered some.
|
||||
I don't have time to cover more than a small fraction of them.
|
||||
#+END_COMMENT
|
||||
|
||||
|
||||
**** DRAFT Modern Crypto Wars :B_fullframe:
|
||||
:PROPERTIES:
|
||||
:BEAMER_env: fullframe
|
||||
:END:
|
||||
|
||||
#+BEGIN_CENTER
|
||||
\Huge ``Going Dark''
|
||||
#+END_CENTER
|
||||
|
||||
|
||||
#+BEGIN_COMMENT
|
||||
But the big phrase you hear today is "going dark".
|
||||
Government agencies are fearful of broadening use of encryption
|
||||
because they can't read many of those communications.
|
||||
#+END_COMMENT
|
||||
|
||||
|
||||
**** DEVOID ``Going Dark''
|
||||
|
||||
#+BEGIN_COMMENT
|
||||
Apple v. FBI
|
||||
|
||||
- Backdoors
|
||||
- Clipper chip
|
||||
- LOGJAM, etc from export-grade crypto
|
||||
- VEP
|
||||
VEP
|
||||
#+END_COMMENT
|
||||
|
||||
|
||||
|
@ -1332,6 +1498,7 @@ TODO
|
|||
#+BEGIN_COMMENT
|
||||
- Office of Personnel Management
|
||||
- DNC
|
||||
- VEP
|
||||
#+END_COMMENT
|
||||
|
||||
|
||||
|
|
Loading…
Reference in New Issue