slides.org (Policy and Government): Nearly complete draft slides
Daunting. Hopefully I don't get rid of too much of this; it's a lot of history to be talking about.
master
parent
5a1e0b7b78
commit
8dfc7cb030
231
slides.org
|
@ -16,6 +16,8 @@
|
||||||
#+BEGIN: columnview :hlines 3 :id global
|
#+BEGIN: columnview :hlines 3 :id global
|
||||||
| ITEM | DURATION | TODO | ENVIRONMENT |
|
| ITEM | DURATION | TODO | ENVIRONMENT |
|
||||||
|-----------------------------------------------+----------+---------+---------------|
|
|-----------------------------------------------+----------+---------+---------------|
|
||||||
|
| * LaTeX Configuration | | | |
|
||||||
|
|-----------------------------------------------+----------+---------+---------------|
|
||||||
| * Slides | 0:44 | LACKING | |
|
| * Slides | 0:44 | LACKING | |
|
||||||
|-----------------------------------------------+----------+---------+---------------|
|
|-----------------------------------------------+----------+---------+---------------|
|
||||||
| ** Introduction / Opening | 00:00:30 | DRAFT | fullframe |
|
| ** Introduction / Opening | 00:00:30 | DRAFT | fullframe |
|
||||||
|
@ -66,7 +68,7 @@
|
||||||
| **** ALPRs | 00:01 | LACKING | |
|
| **** ALPRs | 00:01 | LACKING | |
|
||||||
| **** Car Itself | 00:00:30 | LACKING | |
|
| **** Car Itself | 00:00:30 | LACKING | |
|
||||||
|-----------------------------------------------+----------+---------+---------------|
|
|-----------------------------------------------+----------+---------+---------------|
|
||||||
| ** The Web [0/6] | 0:12 | LACKING | |
|
| ** The Web [0/6] | 0:10 | LACKING | |
|
||||||
|-----------------------------------------------+----------+---------+---------------|
|
|-----------------------------------------------+----------+---------+---------------|
|
||||||
| *** Introduction [0/1] | | DRAFT | ignoreheading |
|
| *** Introduction [0/1] | | DRAFT | ignoreheading |
|
||||||
| **** Introduction | | DRAFT | fullframe |
|
| **** Introduction | | DRAFT | fullframe |
|
||||||
|
@ -81,18 +83,18 @@
|
||||||
| **** Trackers | 00:01 | LACKING | |
|
| **** Trackers | 00:01 | LACKING | |
|
||||||
| **** Like Buttons | 00:01 | DRAFT | |
|
| **** Like Buttons | 00:01 | DRAFT | |
|
||||||
|-----------------------------------------------+----------+---------+---------------|
|
|-----------------------------------------------+----------+---------+---------------|
|
||||||
| *** Fingerprinting [0/3] | 0:04 | LACKING | |
|
| *** Fingerprinting [0/3] | 0:03 | LACKING | |
|
||||||
| **** Summary | | DRAFT | |
|
| **** Summary | | DRAFT | |
|
||||||
| **** Alarmingly Effective | 00:03 | DEVOID | fullframe |
|
| **** Alarmingly Effective | 00:03 | LACKING | fullframe |
|
||||||
| **** Browser Addons | 00:01 | DEVOID | |
|
| **** User Agent | | DRAFT | |
|
||||||
|-----------------------------------------------+----------+---------+---------------|
|
|-----------------------------------------------+----------+---------+---------------|
|
||||||
| *** Anonymity [0/4] | 0:04 | LACKING | |
|
| *** Anonymity [0/4] | 0:04 | DRAFT | |
|
||||||
| **** Summary | 00:01 | LACKING | fullframe |
|
| **** Summary | 00:01 | DRAFT | fullframe |
|
||||||
| ***** TODO Anonymity | | | |
|
| ***** Anonymity | | | |
|
||||||
| ***** TODO Pseudonymity | | | |
|
| ***** Pseudonymity | | | |
|
||||||
| **** IANAAE | | DRAFT | fullframe |
|
| **** IANAAE | | DRAFT | fullframe |
|
||||||
| **** The Tor Network | 00:01 | DEVOID | |
|
| **** The Tor Network | 00:01 | DRAFT | |
|
||||||
| **** TorBrowser, Tails, and Whonix | 00:02 | DEVOID | |
|
| **** TorBrowser, Tails, and Whonix | 00:02 | DRAFT | |
|
||||||
|-----------------------------------------------+----------+---------+---------------|
|
|-----------------------------------------------+----------+---------+---------------|
|
||||||
| ** Data Analytics [0/2] | 0:04 | LACKING | |
|
| ** Data Analytics [0/2] | 0:04 | LACKING | |
|
||||||
|-----------------------------------------------+----------+---------+---------------|
|
|-----------------------------------------------+----------+---------+---------------|
|
||||||
|
@ -109,16 +111,23 @@
|
||||||
| *** Introduction [0/1] | 0:00 | DRAFT | ignoreheading |
|
| *** Introduction [0/1] | 0:00 | DRAFT | ignoreheading |
|
||||||
| **** Introduction | 00:00:30 | DRAFT | fullframe |
|
| **** Introduction | 00:00:30 | DRAFT | fullframe |
|
||||||
|-----------------------------------------------+----------+---------+---------------|
|
|-----------------------------------------------+----------+---------+---------------|
|
||||||
| *** Surveillance [0/4] | 0:06 | LACKING | |
|
| *** Surveillance [0/7] | 0:06 | LACKING | |
|
||||||
| **** History of NSA Surveillance | 00:02 | DEVOID | |
|
| **** History of NSA Surveillance | 00:02 | DRAFT | |
|
||||||
| **** Verizon Metadata | 00:00:30 | DEVOID | |
|
| **** Ron Wyden | | DRAFT | fullframe |
|
||||||
| **** Snowden | 00:01 | DEVOID | |
|
| **** The Leak | | DRAFT | fullframe |
|
||||||
|
| **** Verizon Metadata | 00:00:30 | DRAFT | |
|
||||||
|
| **** PRISM | | DRAFT | |
|
||||||
|
| **** Snowden | 00:01 | DRAFT | |
|
||||||
| **** Tools | 00:02 | DEVOID | |
|
| **** Tools | 00:02 | DEVOID | |
|
||||||
|-----------------------------------------------+----------+---------+---------------|
|
|-----------------------------------------------+----------+---------+---------------|
|
||||||
| *** Crypto Wars [0/3] | 0:03 | LACKING | |
|
| *** Crypto Wars [0/6] | 0:04 | LACKING | |
|
||||||
| **** Introduction | 00:00 | DRAFT | fullframe |
|
| **** Introduction | 00:00 | DRAFT | fullframe |
|
||||||
| **** Bernstein v. United States | 00:01 | DEVOID | |
|
| **** Export-Grade Crypto | 00:01:30 | DRAFT | |
|
||||||
| **** Makes Us Less Safe | 00:02 | DEVOID | |
|
| **** Bernstein v. United States | 00:01 | DRAFT | |
|
||||||
|
| **** The First Crypto Wars | 00:01 | DRAFT | |
|
||||||
|
| **** Re-repeats Itself | 00:00 | DRAFT | fullframe |
|
||||||
|
| **** Modern Crypto Wars | | DRAFT | fullframe |
|
||||||
|
| **** ``Going Dark'' | | DEVOID | |
|
||||||
|-----------------------------------------------+----------+---------+---------------|
|
|-----------------------------------------------+----------+---------+---------------|
|
||||||
| *** Espionage [0/1] | 0:01 | LACKING | |
|
| *** Espionage [0/1] | 0:01 | LACKING | |
|
||||||
| **** US Can't Keep Its Own Secrets | 00:01 | DEVOID | |
|
| **** US Can't Keep Its Own Secrets | 00:01 | DEVOID | |
|
||||||
|
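Review bot: The Surveillance row goes from [0/4] to [0/7] but its total stays at 0:06, because the three added slides (Ron Wyden, The Leak, PRISM) have an empty DURATION; Modern Crypto Wars and ``Going Dark'' in the Crypto Wars block are blank in the same way. Give each of them a :DURATION:, even 00:00 as the Introduction and Re-repeats Itself title slides do, so the section totals and the 0:44 shown for Slides account for the added material.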
@ -141,6 +150,8 @@
|
||||||
|-----------------------------------------------+----------+---------+---------------|
|
|-----------------------------------------------+----------+---------+---------------|
|
||||||
| ** Thank You | | | fullframe |
|
| ** Thank You | | | fullframe |
|
||||||
|-----------------------------------------------+----------+---------+---------------|
|
|-----------------------------------------------+----------+---------+---------------|
|
||||||
|
| ** References | | | appendix |
|
||||||
|
|-----------------------------------------------+----------+---------+---------------|
|
||||||
| * Exporting | | | |
|
| * Exporting | | | |
|
||||||
|-----------------------------------------------+----------+---------+---------------|
|
|-----------------------------------------------+----------+---------+---------------|
|
||||||
| * Local Variables | | | |
|
| * Local Variables | | | |
|
||||||
|
@ -1270,7 +1281,7 @@ TODO
|
||||||
#+END_COMMENT
|
#+END_COMMENT
|
||||||
|
|
||||||
|
|
||||||
*** LACKING Crypto Wars [0/3]
|
*** LACKING Crypto Wars [0/6]
|
||||||
**** DRAFT Introduction :B_fullframe:
|
**** DRAFT Introduction :B_fullframe:
|
||||||
:PROPERTIES:
|
:PROPERTIES:
|
||||||
:DURATION: 00:00
|
:DURATION: 00:00
|
||||||
|
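Review bot: The statistics cookie on the Crypto Wars heading is set to [0/6], but after this patch the section has seven subheadings with TODO keywords (Introduction, Export-Grade Crypto, Bernstein v. United States, The First Crypto Wars, Re-repeats Itself, Modern Crypto Wars, ``Going Dark''). Refresh the cookie so it reads [0/7], matching how the Surveillance cookie counts its seven entries.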
@ -1278,7 +1289,7 @@ TODO
|
||||||
:END:
|
:END:
|
||||||
|
|
||||||
#+BEGIN_CENTER
|
#+BEGIN_CENTER
|
||||||
History repeats itself
|
\Huge History repeats itself
|
||||||
#+END_CENTER
|
#+END_CENTER
|
||||||
|
|
||||||
#+BEGIN_COMMENT
|
#+BEGIN_COMMENT
|
||||||
|
@ -1290,34 +1301,189 @@ The Crypto wars.
|
||||||
#+END_COMMENT
|
#+END_COMMENT
|
||||||
|
|
||||||
|
|
||||||
**** DEVOID Bernstein v. United States
|
**** DRAFT Export-Grade Crypto
|
||||||
|
:PROPERTIES:
|
||||||
|
:DURATION: 00:01:30
|
||||||
|
:END:
|
||||||
|
|
||||||
|
- <1-> Cryptography classified as munitions (Arms Export Control Act; ITAR)
|
||||||
|
- <1-> ``Export-grade'' cryptography
|
||||||
|
- <2-> Lotus Notes
|
||||||
|
- <2-> 40-bit export-grade symmetric key
|
||||||
|
- <3-> Agreement with NSA: 64-bit export, but 24 of those bits a "workload
|
||||||
|
reduction factor" for the NSA
|
||||||
|
- <4-> Phil Zimmerman: PGP (\geq 128 bits)
|
||||||
|
- <4-> Formal investigation by US government in 1993
|
||||||
|
- <4-> Published source code in a book, which could be OCR'd
|
||||||
|
- <5-> Still suffer long-term effects today
|
||||||
|
(downgrade attacks, e.g. POODLE)\cite{poodle:paper}
|
||||||
|
|
||||||
|
#+BEGIN_COMMENT
|
||||||
|
Back in the 1990s,
|
||||||
|
cryptography was classified as munitions.
|
||||||
|
|
||||||
|
If you wanted to export it to other countries,
|
||||||
|
you essentially had to make it crackable by the NSA.
|
||||||
|
|
||||||
|
Lotus Notes is often used as an example of the negative effects of such
|
||||||
|
regulation.
|
||||||
|
Interestingly, it was actually the first widely used software to use
|
||||||
|
public-key cryptography.
|
||||||
|
Due to export restrictions,
|
||||||
|
the maximum symmetric key size they could support was 40 bits.
|
||||||
|
This was easily crackable by the NSA,
|
||||||
|
but also feasible for other adversaries.
|
||||||
|
They compromised with the NSA:
|
||||||
|
64-bit keys, but 24 of those bits would be encrypted specially for the NSA
|
||||||
|
as a "workload reduction factor".
|
||||||
|
So you had protection against most adversaries,
|
||||||
|
but not the US government.
|
||||||
|
|
||||||
|
Then we have Phil Zimmerman, author of PGP.
|
||||||
|
He didn't consult the NSA.
|
||||||
|
Instead, he published the source code for PGP in a book with MIT Press,
|
||||||
|
and widely distributed it.
|
||||||
|
If someone wanted to use PGP,
|
||||||
|
they could unbind the book, OCR the pages, and compile it with GCC.
|
||||||
|
The US government opened a formal investigation into the case in 1993;
|
||||||
|
the charges were dropped years later.
|
||||||
|
|
||||||
|
We are still observing the fallout from export-grade crypto today.
|
||||||
|
They are called "downgrade attacks",
|
||||||
|
where a program such as a browser is tricked into using a weaker
|
||||||
|
cipher or keysize,
|
||||||
|
allowing an attacker to MitM the connection.
|
||||||
|
POODLE is an example of this.
|
||||||
|
#+END_COMMENT
|
||||||
|
|
||||||
|
|
||||||
|
**** DRAFT Bernstein v. United States
|
||||||
|
:PROPERTIES:
|
||||||
|
:DURATION: 00:01
|
||||||
|
:END:
|
||||||
|
- <1-> 1995: Bernstein v. US Department of Justice\cite{eff:bernstein:doj}
|
||||||
|
- <1-> Argued that restrictions violated First Amendment
|
||||||
|
- <2-> **Code Is Speech**
|
||||||
|
- <1-> 1996: Bill Clinton Executive Order 13026 transferred to Commerce
|
||||||
|
Control List\cite{fedr:export-controls}
|
||||||
|
- <1-> Department of Commerce relaxed rules in 2000\cite{doc:rev-export-reg}
|
||||||
|
|
||||||
|
#+BEGIN_COMMENT
|
||||||
|
In order to publish information on encryption algorithms and the like,
|
||||||
|
you had to get permission from the government.
|
||||||
|
|
||||||
|
In 1995, Daniel Bernstein---then a graduate student---wanted to publish the
|
||||||
|
source code and mathematical papers for his encryption algorithm
|
||||||
|
/Snuffle/.
|
||||||
|
Like Zimmerman,
|
||||||
|
Bernstein thought export restrictions to be a violation of his First
|
||||||
|
Amendment rights.
|
||||||
|
But instead of blatant defiance,
|
||||||
|
he decided to sue the US government.
|
||||||
|
He was represented by the EFF.
|
||||||
|
The Ninth Circuit Court of Appeals ruled in his favor.
|
||||||
|
|
||||||
|
The following year, President Bill Clinton signed an executive order that
|
||||||
|
removed encryption from the munitions list,
|
||||||
|
and in 2000 the Department of Commerce relaxed export restrictions.
|
||||||
|
|
||||||
|
You might have heard the term "code is speech".
|
||||||
|
Bernstein v. United States case had wide-reaching consequences,
|
||||||
|
not just for cryptography.
|
||||||
|
Source code is protected under the First Amendment.
|
||||||
|
|
||||||
|
(See also Junger v. Daley.)
|
||||||
|
#+END_COMMENT
|
||||||
|
|
||||||
|
|
||||||
|
**** DRAFT The First Crypto Wars
|
||||||
:PROPERTIES:
|
:PROPERTIES:
|
||||||
:DURATION: 00:01
|
:DURATION: 00:01
|
||||||
:END:
|
:END:
|
||||||
|
|
||||||
TODO
|
- <1-> These incidents part of the first Crypto Wars\cite{w:crypto-wars}
|
||||||
|
- <2-> DES Originally 64-bit key; NSA wanted 48 bits; compromised at 56.
|
||||||
|
- <2-> Two version of the browser: 128-bit "U.S. edition" and effective
|
||||||
|
40-bit "international".
|
||||||
|
- <3-> **Clipper Chip** was a hardware backdoor that employed a key escrow
|
||||||
|
system
|
||||||
|
- <3-> Complete failure
|
||||||
|
- <3-> Terribly insecure (property of key escrow in general)
|
||||||
|
- <3-> Opposite effect: spurred development of Nautilus and PGPfone
|
||||||
|
|
||||||
#+BEGIN_COMMENT
|
#+BEGIN_COMMENT
|
||||||
...
|
These incidents are classified into a period of time informally described as
|
||||||
(Include export-grade crypto)
|
the "Crypo Wars".
|
||||||
(Code is speech)
|
|
||||||
|
There's a couple other good examples that I don't have time to get into:
|
||||||
|
The DES encryption algorithm, for example, was originally 64-bit;
|
||||||
|
the NSA wanted 48-bit, but compromised with 56.
|
||||||
|
Netscape had /two versions of their browser/: one with 128-bit SSL and the
|
||||||
|
other with 88 of those bits exposed to meet export regulations.
|
||||||
|
This sounds insane today---because it is.
|
||||||
|
|
||||||
|
But there's even more insanity.
|
||||||
|
|
||||||
|
The Clipper Chip!
|
||||||
|
It was the US government's attempt to backdoor communications with hardware.
|
||||||
|
It used a key escrow system,
|
||||||
|
and the algorithm they devised---called Skipjack---was classified,
|
||||||
|
and so could not be reviewed by crypto experts at the time.
|
||||||
|
Backlash was large.
|
||||||
|
It failed miserably.
|
||||||
|
Later cryptanalysis yielded scathing flaws,
|
||||||
|
as is generally the case with key escrow cryptosystems.
|
||||||
|
It even had the opposite effect:
|
||||||
|
it spurred the development of encrypted communication programs like
|
||||||
|
Nautilus and PGPfone (the latter being proprietary).
|
||||||
|
|
||||||
|
So,
|
||||||
|
why did I go into so much history in a talk meant to deal with today's
|
||||||
|
privacy and security threats?
|
||||||
#+END_COMMENT
|
#+END_COMMENT
|
||||||
|
|
||||||
|
|
||||||
**** DEVOID Makes Us Less Safe
|
**** DRAFT Re-repeats Itself :B_fullframe:
|
||||||
:PROPERTIES:
|
:PROPERTIES:
|
||||||
:DURATION: 00:02
|
:DURATION: 00:00
|
||||||
|
:BEAMER_env: fullframe
|
||||||
:END:
|
:END:
|
||||||
|
|
||||||
TODO
|
#+BEGIN_CENTER
|
||||||
|
\Huge History repeats itself
|
||||||
|
#+END_CENTER
|
||||||
|
|
||||||
|
#+BEGIN_COMMENT
|
||||||
|
Because history repeats itself.
|
||||||
|
|
||||||
|
Today's attempted legal/policy assault on privacy and security are enormous.
|
||||||
|
We've already covered some.
|
||||||
|
I don't have time to cover more than a small fraction of them.
|
||||||
|
#+END_COMMENT
|
||||||
|
|
||||||
|
|
||||||
|
**** DRAFT Modern Crypto Wars :B_fullframe:
|
||||||
|
:PROPERTIES:
|
||||||
|
:BEAMER_env: fullframe
|
||||||
|
:END:
|
||||||
|
|
||||||
|
#+BEGIN_CENTER
|
||||||
|
\Huge ``Going Dark''
|
||||||
|
#+END_CENTER
|
||||||
|
|
||||||
|
|
||||||
|
#+BEGIN_COMMENT
|
||||||
|
But the big phrase you hear today is "going dark".
|
||||||
|
Government agencies are fearful of broadening use of encryption
|
||||||
|
because they can't read many of those communications.
|
||||||
|
#+END_COMMENT
|
||||||
|
|
||||||
|
|
||||||
|
**** DEVOID ``Going Dark''
|
||||||
|
|
||||||
#+BEGIN_COMMENT
|
#+BEGIN_COMMENT
|
||||||
Apple v. FBI
|
Apple v. FBI
|
||||||
|
VEP
|
||||||
- Backdoors
|
|
||||||
- Clipper chip
|
|
||||||
- LOGJAM, etc from export-grade crypto
|
|
||||||
- VEP
|
|
||||||
#+END_COMMENT
|
#+END_COMMENT
|
||||||
|
|
||||||
|
|
||||||
|
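Review bot: In the new Export-Grade Crypto slide, the last bullet and the closing speaker notes give POODLE as the example of export-grade fallout, while the one attack this file explicitly tied to export-grade crypto, the "- LOGJAM, etc from export-grade crypto" bullet in the ``Going Dark'' notes, is deleted further down in this same hunk. Either carry the LOGJAM reference up to this slide or reword the bullet so POODLE is introduced as a downgrade attack in general. In the Bernstein notes, "The following year" comes right after the Ninth Circuit sentence, whereas the bullets date the case to 1995 and the executive order to 1996, so state the year outright; the 1996 bullet also never says what was transferred to the Commerce Control List, which the notes do ("removed encryption from the munitions list"). Smaller points: "**Code Is Speech**" and "**Clipper Chip**" use doubled asterisks where Org bold takes single ones, "Two version of the browser" should read "Two versions" and could name Netscape as the notes do, and "Crypo Wars" in the notes is misspelled.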
@ -1332,6 +1498,7 @@ TODO
|
||||||
#+BEGIN_COMMENT
|
#+BEGIN_COMMENT
|
||||||
- Office of Personnel Management
|
- Office of Personnel Management
|
||||||
- DNC
|
- DNC
|
||||||
|
- VEP
|
||||||
#+END_COMMENT
|
#+END_COMMENT
|
||||||
|
|
||||||
|
|
||||||
|
|
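Review bot: "VEP" is added to this notes list beside Office of Personnel Management and DNC, and the same patch also adds "VEP" to the ``Going Dark'' notes next to Apple v. FBI. Decide which slide owns the topic so it is not covered twice, and spell the abbreviation out on first use so the outline is readable without context.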