NSA's Survaliance of the Internet

NSA’s survaliance of the internet

Can open-source help?

KLID presentation

May 21, 2015

Professionelle Keld Simonsen [email protected] Linux-Interessenter Can open-sourcei Danmark help? May 21, 2015 1/ 82 → Contents

1 Introduction

2 Tailored Access Operations

3 Data Collection

4 Analysis

5 Hacking (Malware)

6 Cryptography

7 Using the Data

8 Open-Source Possibilities

9 Conclusion

Can open-source help? May 21, 2015 2/ 82 Introduction → NSA

National Security Agency (NSA) ”The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in cryptology that encompasses both Signals Intelligence (SIGINT) and Information Assurance (IA) products and services, and enables Computer Network Operations (CNO) in order to gain a decision advantage for the Nation and our allies under all circumstances.”

Can open-source help? May 21, 2015 3/ 82 Introduction → 5 Eyes

The 5 Eyes alliance (FVEY)

UKUSA Agreement

• Great Britain • New Zeeland • Canada • Australia

Founded August 1941

Backbone STONEGHOST Intel Network

Can open-source help? May 21, 2015 4/ 82 Introduction → Partners

Partners as of 2013

Glenn Greenwald: No Place To Hide, May-2014.

Can open-source help? May 21, 2015 5/ 82 Introduction → Edward Snowden

Edward Snowden • Born: 21 June, 1983 • 2006: CIA System admin. • 2009: Dell Consultant at NSA • One of approx. 1000 NSA admins authorised to access almost all systems. • 2010: NSA allows USB sticks to be used in secure areas. • 2013: Charged with Theft of government property, unauthorized communication of national defense information, and ...

Can open-source help? May 21, 2015 6/ 82 Introduction → Publication

Edward Snowden (ES)

• ES stationed at the NSA’s Remote Operations Center facility in Hawaii. • Raytheon’s Sureview Insider Threat Management not installed due to “bandwidth issues” • Contacted Glenn Greenwald (GG), a journalist at The Guardian in late 2012 • Problems setting up GnuPG lead GG to abandon contact • Contacted Laura Poitras (LP) in January 2013 • May/June 2013: Travels to Hong Kong hands over documents to GG and LP • All distribution and analysis of documents by GG and LP

Can open-source help? May 21, 2015 7/ 82 Introduction → Other Leakers

At least 3 US intelligence community leakers

1 Edward Snowden

2 A person who is passing secrets to Jake Appelbaum, Laura Poitras and others in Germany: • Angela Merkel surveillance story • TAO catalog • X-KEYSCORE rules (Not in Snowden documents) Likely an NSA employee/contractor working in Germany, or someone from German intelligence

3 New leaker, with access to a different stream of information (National Counterterrorism Center), whom the Intercept calls "a source in the intelligence community."

Can open-source help? May 21, 2015 8/ 82 NSA’s survaliance of the internet Can open-source help?

Tailored Access Operations

Can open-source help? May 21, 2015 9/ 82 Tailored Access Operations → Tailored Access Operations

Tailored Access Operations (TAO) A cyber-warfare intelligence-gathering unit of the NSA • Active since at least 1998 • More than 1,000 engineers • I 2010 TAO undertook 279 operations against 258 targets in 89 countries • Responsible for a “toolbox” of attacks know as the ANT (Access Network Technology) catalogue • Slogan:"Getting the ungettable"

Can open-source help? May 21, 2015 10/ 82 Tailored Access Operations → ANT - Cottonmouth-I

Cottonmouth-I: Computer hidden in a USB cable with a radio transmitter

50 units for $1 million in 2008.

Can open-source help? May 21, 2015 11/ 82 Tailored Access Operations → For example Cottonmouth-III

Cottonmouth-III: Same idea, just in an RJ45 or USB port

50 units for $1.2 million in 2008.

Can open-source help? May 21, 2015 12/ 82 Tailored Access Operations → Monitors & Keyboard

Monitors $30 Keyboards $30

Can open-source help? May 21, 2015 13/ 82 Tailored Access Operations → ANT: Nightstand

Nightstand: Portable system which wirelessly attacks MS Windows systems from up to 8 miles.

Can open-source help? May 21, 2015 14/ 82 Tailored Access Operations → ANT: Other Products

Other ANT Selected Products • DROPOUTJEEP: Attack software for Apple iPhone. Modular design which allows reading/writing files, SMS, contacts, voicemail, geolocation, and microphone/camera monitoring etc. C&C and data ex-filtration possible via SMS, data or voice. All communication hidden and encrypted. • IRATEMONK: Malware aimed at HDD firmware, compatible with: Maxtor, Samsung, Seagate, og Western Digital drives. • CANDYGRAM: A $40,000 suitcase which simulates a GSM base-station. • GINSU: Technology which exploits the PCI bus in a computer. Allows for reinstall of malware on system restart. • DEITYBOUNCE: Technology which installs arbitrary software on Dell PowerEdge servers via there BIOS. • FEEDTROUGH: Attack software for Juniper Networks firewalls with similar capabilities. • HEADWATER: Same idea for Huawei routers. • JETPLOW: Same idea for Cisco PIX and ASA firewalls.

Can open-source help? May 21, 2015 15/ 82 NSA’s survaliance of the internet Can open-source help?

Data Collection

Can open-source help? May 21, 2015 16/ 82 Data Collection → Collect it all

Can open-source help? May 21, 2015 17/ 82 Data Collection → TURBULENCE

TURBULENCE: Goal to collect “the vast majority of worldwide communications”

• Project started in 2005, to collect data world-wide • Denotes a family of mass-surveillance programs • Provides input to a range of analysis tools

Can open-source help? May 21, 2015 18/ 82 Data Collection → Collect it all

The worlds data

Can open-source help? May 21, 2015 19/ 82 Data Collection → Collect it all

NSA Bases Worldwide

Can open-source help? May 21, 2015 20/ 82 Data Collection → MYSTIC

MYSTIC: Telephone call interception program • Started in 2012 • Collects all of a test country’s telephone calls • Targets call content by means of speech-to-text software • Those calls are stored in a database codenamed NUCLEON, and can be retrieved at a later date using a tool codenamed RETRO. • Calls collected number in the billions (30 day cache). • Expanded to a least one more test country in 2013

Can open-source help? May 21, 2015 21/ 82 Data Collection → Undersea cables

OAKSTAR, STORMBREW, BLARNEY & FAIRVIEW: Monitor Undersea cables

Can open-source help? May 21, 2015 22/ 82 Data Collection → Undersea cables

USS Jimmy Carter (SSN-23)

Can open-source help? May 21, 2015 23/ 82 Data Collection → Undersea cables

GlimmerGlass

Can open-source help? May 21, 2015 24/ 82 Data Collection → PRISM

PRISM: Largest Source of Raw Intelligence

Extract information from the servers of nine major American internet companies • Microsoft • Yahoo • Google • Facebook • PalTalk • AOL • Skype • YouTube • Apple

Can open-source help? May 21, 2015 25/ 82 Data Collection → PRISM

Can open-source help? May 21, 2015 26/ 82 NSA’s survaliance of the internet Can open-source help?

Analysis

Can open-source help? May 21, 2015 27/ 82 Analysis → What is collected

What is collected?

• Online purchases/auctions • Internet searches • Credit/debit card transactions • Websites visited • Financial information SWIFT • Emails sent/received • Legal documents • Social media activity (Facebook, • Travel documents Twitter, etc) • Health records • Blogging activity including posts read, written, commented (Patent) • IP television shows watched/recorded • Videos watched and/or uploaded online • Commuter toll records • Photos viewed and/or uploaded • Electronic bus/subway passes online • Facial recognition data from • Mobile phone GPS-location data surveillance cameras • Mobile phone apps downloaded • Educational records • Phone call records (Patent) • Arrest records • Driver license information • Text messages sent and received

• Skype video calls

Can open-source help? May 21, 2015 28/ 82 Analysis → Analysis

The analysis hierarchy

Can open-source help? May 21, 2015 29/ 82 Analysis → XKeyScore

XKeyScore

Can open-source help? May 21, 2015 30/ 82 Analysis → XKeyScore

XKeyScore

Can open-source help? May 21, 2015 31/ 82 Analysis → XKeyScore

XKeyScore

Can open-source help? May 21, 2015 32/ 82 Analysis → TRAFFICTHIEF

TRAFFICTHIEF: Long term metadata storage

Data: Imagine you hired a detective to eavesdrop on someone. He might plant a bug in their ofﬁce. He might tap their phone. He might open their mail. The result would be the details of that person’s communications.

Metadata: Imagine you hired that same detective to surveil that person. The result would be details of what he did: where he went, who he talked to, what he looked at, what he purchased – how he spent his day. Metadata = Surveillance

Can open-source help? May 21, 2015 33/ 82 NSA’s survaliance of the internet Can open-source help?

Hacking (Malware)

Can open-source help? May 21, 2015 34/ 82 Hacking (Malware) → Implants

Implants: NSA term for spyware/malware • CAPTIVATEDAUDIENCE take over a targeted computer’s microphone and record conversations taking place near the device • GUMFISH covertly take over a computer’s webcam and snap photographs • FOGGYBOTTOM records logs of Internet browsing histories and collects login details and passwords used to access websites and email accounts. • GROK is used to log keystrokes. • SALVAGERABBIT exﬁltrates data from removable ﬂash drives that connect to an infected computer.

Can open-source help? May 21, 2015 35/ 82 Hacking (Malware) → TURBINE

TURBINE • Designed to make deploying malware by reducing overseeing implant functions. • The system would “relieve the user from needing to know/care about the details” “One of the greatest challenges for active SIGINT/attack is scale,” explains the top-secret presentation from 2009. “Human ‘drivers’ limit ability for large-scale exploitation (humans tend to operate within their own environment, not taking into account the bigger picture).”

Can open-source help? May 21, 2015 36/ 82 Hacking (Malware) → TURBINE)

Can open-source help? May 21, 2015 37/ 82 Hacking (Malware) → TURBINE)

Can open-source help? May 21, 2015 38/ 82 Hacking (Malware) → QUANTUM

QUANTUM: Family of systems to install spyware by means of the quantum insert network. (Basically METASPLOIT with a budget)

Can open-source help? May 21, 2015 39/ 82 Hacking (Malware) → QUANTUM-INSERT (1/5)

Can open-source help? May 21, 2015 40/ 82 Hacking (Malware) → QUANTUM-INSERT (2/5)

Can open-source help? May 21, 2015 41/ 82 Hacking (Malware) → QUANTUM-INSERT (3/5)

Can open-source help? May 21, 2015 42/ 82 Hacking (Malware) → QUANTUM-INSERT (4/5)

Can open-source help? May 21, 2015 43/ 82 Hacking (Malware) → QUANTUM-INSERT (5/5)

Can open-source help? May 21, 2015 44/ 82 Hacking (Malware) → QUANTUM-X

”Many Ways to Quantum”

Can open-source help? May 21, 2015 45/ 82 NSA’s survaliance of the internet Can open-source help?

Cryptography

Can open-source help? May 21, 2015 46/ 82 Cryptography → Formally

Cryptography Encryption can mathematically be described as a function:

E : M∗ ×K→M ∗

so that m0 = E(m, k) is the cipher text, which is created from the clear text m using the key k.

Decryption Decryption can mathematically be described as a function:

D : M∗ ×K→M ∗

so that m = D(m0, k 0) is the clear text, derived from the cipher text m0 using the key k 0.

Can open-source help? May 21, 2015 47/ 82 Note It is far from certain that modern cryptography systems meet all of these requirements

Cryptography → Good cryptography

Kerckhoff’s Principles (1883) • The code should be practically (but not necessarily mathematically) impossible to break. • The encryption function does not need to be secret - the enemy may well know the algorithm, just not the key. • It should be possible to create/modify keys and exchange keys without writing anything down. • Must be useful for telegraphy or similar. • Should be portable and usable by a single person. • Should be as user-friendly as possible in the circumstances, i.e. must be able to is used by an ordinary person.

Can open-source help? May 21, 2015 48/ 82 Cryptography → Good cryptography

Note It is far from certain that modern cryptography systems meet all of these requirements

Can open-source help? May 21, 2015 48/ 82 This is an example of a single alphabet (monoalphabetic) code (The full text is coded with the same ordering of the alphabet)

Cryptography → Substitution

Cyclic permutation

The Caesar System With key n, replace each character in the clear text with the character n places further down the alphabet. If the end of the alphabet is reached, loop round.

Can open-source help? May 21, 2015 49/ 82 Cryptography → Substitution

Cyclic permutation

The Caesar System With key n, replace each character in the clear text with the character n places further down the alphabet. If the end of the alphabet is reached, loop round.

This is an example of a single alphabet (monoalphabetic) code (The full text is coded with the same ordering of the alphabet)

Can open-source help? May 21, 2015 49/ 82 Cryptography → Caesars code

Caesars code Cyclic permutation where n = 3

Alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ Coding: DEFGHIJKLMNOPQRSTUVWXYZABC Clear text: THIS IS MY SECRET TEXT Cipher text: WKLV LV PB VHFUHW WHAW

Can open-source help? May 21, 2015 50/ 82 Cryptography → Cryptanalysis 1

Frequency analysis Single substitution alphabet digits can be analyzed by calculating frequencies of characters in a cipher text and compare with the frequencies of characters in typical text of the putative language.

The frequency of characters in an English text and in a classic cipher text.

Can open-source help? May 21, 2015 51/ 82 Cryptography → Cryptanalysis 2

Frequency analysis can also be applied to groups of characters to get better results.

Distribution of 2 character pairs in general English text.

Can open-source help? May 21, 2015 52/ 82 A One-Time Pad is typically implemented using a XOR (eXclusive OR) function: ⊕ : {0, 1} × {0, 1} → {0, 1} INPUT OUTPUT 000 011 101 110 The key to a One-Time Pad is corresponding to the length of the message which is encrypted. The key is randomly selected, that is, given any number of digits, n, from the key one can not guess the next number, n + 1. Key 01011000 01100101 10100000 01110001 01010101 01111001

Cryptography → One-Time Pads

A One-Time Pad is a symmetric cryptography system which emph completely eliminates redundancy in the cipher text.

Can open-source help? May 21, 2015 53/ 82 INPUT OUTPUT 000 011 101 110 The key to a One-Time Pad is corresponding to the length of the message which is encrypted. The key is randomly selected, that is, given any number of digits, n, from the key one can not guess the next number, n + 1. Key 01011000 01100101 10100000 01110001 01010101 01111001

Cryptography → One-Time Pads

A One-Time Pad is a symmetric cryptography system which emph completely eliminates redundancy in the cipher text.

A One-Time Pad is typically implemented using a XOR (eXclusive OR) function: ⊕ : {0, 1} × {0, 1} → {0, 1}

Can open-source help? May 21, 2015 53/ 82 The key to a One-Time Pad is corresponding to the length of the message which is encrypted. The key is randomly selected, that is, given any number of digits, n, from the key one can not guess the next number, n + 1. Key 01011000 01100101 10100000 01110001 01010101 01111001

Cryptography → One-Time Pads

A One-Time Pad is a symmetric cryptography system which emph completely eliminates redundancy in the cipher text.

A One-Time Pad is typically implemented using a XOR (eXclusive OR) function: ⊕ : {0, 1} × {0, 1} → {0, 1} INPUT OUTPUT 000 011 101 110

Can open-source help? May 21, 2015 53/ 82 Key 01011000 01100101 10100000 01110001 01010101 01111001

Cryptography → One-Time Pads

A One-Time Pad is a symmetric cryptography system which emph completely eliminates redundancy in the cipher text.

A One-Time Pad is typically implemented using a XOR (eXclusive OR) function: ⊕ : {0, 1} × {0, 1} → {0, 1} INPUT OUTPUT 000 011 101 110 The key to a One-Time Pad is corresponding to the length of the message which is encrypted. The key is randomly selected, that is, given any number of digits, n, from the key one can not guess the next number, n + 1.

Can open-source help? May 21, 2015 53/ 82 Cryptography → One-Time Pads

A One-Time Pad is a symmetric cryptography system which emph completely eliminates redundancy in the cipher text.

Can open-source help? May 21, 2015 53/ 82 Key 01011000 01100101 10100000 01110001 01010101 01111001 ⊕

Cipher text 00001011 0010000 11100011 00110011 00010000 00101101 Key 01011000 01100101 10100000 01110001 01010101 01111001 ⊕

Clear text 01010011 01000101 01000011 01010010 01000101 01010100 Text SECRET

Notice 1: The cipher text gives an attacker no information about the clear text. At most one the maximum length of a message is revealed. Problem: The key to a One-Time Pad is just as large as the data to be transmitted.

Cryptography → One-Time Pad Example

Clear text SECRET Data 01010011 01000101 01000011 01010010 01000101 01010100

Can open-source help? May 21, 2015 54/ 82 Key 01011000 01100101 10100000 01110001 01010101 01111001 ⊕

Clear text 01010011 01000101 01000011 01010010 01000101 01010100 Text SECRET

Cryptography → One-Time Pad Example

Clear text SECRET Data 01010011 01000101 01000011 01010010 01000101 01010100 Key 01011000 01100101 10100000 01110001 01010101 01111001 ⊕

Cipher text 00001011 0010000 11100011 00110011 00010000 00101101

Can open-source help? May 21, 2015 54/ 82 Notice 1: The cipher text gives an attacker no information about the clear text. At most one the maximum length of a message is revealed. Problem: The key to a One-Time Pad is just as large as the data to be transmitted.

Cryptography → One-Time Pad Example

Clear text SECRET Data 01010011 01000101 01000011 01010010 01000101 01010100 Key 01011000 01100101 10100000 01110001 01010101 01111001 ⊕

Cipher text 00001011 0010000 11100011 00110011 00010000 00101101 Key 01011000 01100101 10100000 01110001 01010101 01111001 ⊕

Clear text 01010011 01000101 01000011 01010010 01000101 01010100 Text SECRET

Can open-source help? May 21, 2015 54/ 82 Problem: The key to a One-Time Pad is just as large as the data to be transmitted.

Cryptography → One-Time Pad Example

Clear text SECRET Data 01010011 01000101 01000011 01010010 01000101 01010100 Key 01011000 01100101 10100000 01110001 01010101 01111001 ⊕

Cipher text 00001011 0010000 11100011 00110011 00010000 00101101 Key 01011000 01100101 10100000 01110001 01010101 01111001 ⊕

Clear text 01010011 01000101 01000011 01010010 01000101 01010100 Text SECRET

Notice 1: The cipher text gives an attacker no information about the clear text. At most one the maximum length of a message is revealed.

Can open-source help? May 21, 2015 54/ 82 The key to a One-Time Pad is just as large as the data to be transmitted.

Cryptography → One-Time Pad Example

Clear text SECRET Data 01010011 01000101 01000011 01010010 01000101 01010100 Key 01011000 01100101 10100000 01110001 01010101 01111001 ⊕

Cipher text 00001011 0010000 11100011 00110011 00010000 00101101 Key 01011000 01100101 10100000 01110001 01010101 01111001 ⊕

Clear text 01010011 01000101 01000011 01010010 01000101 01010100 Text SECRET

Notice 1: The cipher text gives an attacker no information about the clear text. At most one the maximum length of a message is revealed. Problem:

Can open-source help? May 21, 2015 54/ 82 Cryptography → One-Time Pad Example

Clear text SECRET Data 01010011 01000101 01000011 01010010 01000101 01010100 Key 01011000 01100101 10100000 01110001 01010101 01111001 ⊕

Cipher text 00001011 0010000 11100011 00110011 00010000 00101101 Key 01011000 01100101 10100000 01110001 01010101 01111001 ⊕

Clear text 01010011 01000101 01000011 01010010 01000101 01010100 Text SECRET

Can open-source help? May 21, 2015 54/ 82 Cryptography → Confusion and diffusion

Confusion and diffusion: Often introduced by repeated use of a Feistel network. Convenient to use, since decryption uses the same Feistel network in reverse order.

Left Block Li Right Block Ri Key ki

⊕ f (Ri , ki )

Li+1 =Ri Ri+1 =Li ⊕ f (Ri , ki )

Where: f is a combination of substitutions and swaps of bits, parameterized by the part key.

Can open-source help? May 21, 2015 55/ 82 Cryptography → Confusion and diffusion

Confusion and diffusion: Often introduced by repeated use of a Feistel network. Convenient to use, since decryption uses the same Feistel network in reverse order.

Left Block Li Right Block Ri 00011101 Key ki 11010101 11000101

⊕ f (Ri , ki )

Li+1 =Ri Ri+1 =Li ⊕ f (Ri , ki ) 11010101 01100000 Where: f is a combination of substitutions and swaps of bits, parameterized by the part key.

Can open-source help? May 21, 2015 55/ 82 Cryptography → DES

Digital Encryption Standard (DES) [1979]

Can open-source help? May 21, 2015 56/ 82 e = E(m, PKb) m = D(e, SKB)

A B

0 0 0 0 m = D(e , SKA) e = E(m , PKA)

Note: Ideally it will not be possible, from the transmitted information to calculate the inverse function E−1. (E is a Trapdoor one-way function)

Cryptography → Asymetric Crypto: Public Keys

Asymetric Crypto (Public Key Crypto-systems) System A System B

Secret key: SKA Secret key: SKB Public key: PKA Public key: PKB Each system knows the others public key and uses it for encryption of messages sent to the other party. (Conﬁdentiality)

Can open-source help? May 21, 2015 57/ 82 Cryptography → Asymetric Crypto: Public Keys

Asymetric Crypto (Public Key Crypto-systems) System A System B

Secret key: SKA Secret key: SKB Public key: PKA Public key: PKB Each system knows the others public key and uses it for encryption of messages sent to the other party. (Conﬁdentiality)

e = E(m, PKb) m = D(e, SKB)

A B

0 0 0 0 m = D(e , SKA) e = E(m , PKA)

Note: Ideally it will not be possible, from the transmitted information to calculate the inverse function E−1. (E is a Trapdoor one-way function)

Can open-source help? May 21, 2015 57/ 82 Cryptography → Asymmetric vs Symmetric Crypto

Asymmetric vs Symmetric Crypto

Applications: • SKCS: Encryption of large amounts of data • PKCS: Encryption of small amounts of data, in particular SKCS keys, and for digital signatures.

Key size: For equivalent security, RSA requires much larger keys than DES or AES. Number of Keys: For N users, SKCS requires one key for each pair of users. PKCS requires N key-sets (public and private). Speed: SKCS much faster than PKCS.

Can open-source help? May 21, 2015 58/ 82 Cryptography → NSA & Cryptography 1

NSA Cryptography Breaking Capabilities: • Largely unknown • NSA spends $11 billion annually on their “Consolidated Cryptologic Program” • NSA is largest single employer of mathematicians worldwide • Extensive quantum computer research

However • “Trust the math” • Most attacks aimed at endpoints

Can open-source help? May 21, 2015 59/ 82 Cryptography → NSA & Cryptography 2

Known Broken • Dual-EC DRBG generator • RC4 Stream chiper • RSA 1024 with PKCS1 (Possibly)

Probably Safe • RSA 2048+ (Asymmetric) • AES (Symmetric) Considered very secure, but ...

Can open-source help? May 21, 2015 60/ 82 Cryptography → Undermining Cryptography

Cryptography is a “Threat”

Can open-source help? May 21, 2015 61/ 82 Cryptography → Undermining Cryptography

Undermining Crypto

Can open-source help? May 21, 2015 62/ 82 NSA’s survaliance of the internet Can open-source help?

Using the Data

Can open-source help? May 21, 2015 63/ 82 Using the Data → Done Attacks

Drone Attacks

Can open-source help? May 21, 2015 64/ 82 Using the Data → Social Manipulation

Social manipulation NSA/GCHQ are attempting to control, infiltrate, manipulate, and warp online discourse, and in doing so, are compromising the integrity of the internet itself. • GATEWAY: the "ability to artificially increase traffic to a website". • CLEAN SWEEP which "masquerade[s] Facebook wall posts for individuals or entire countries". • SCRAPHEAP CHALLENGE for "perfect spoofing of emails from BlackBerry targets". • UNDERPASS to "change outcome of online polls". • SPRING BISHOP to find "private photos of targets on Facebook".

Can open-source help? May 21, 2015 65/ 82 Using the Data → Tactics

Social manipulation Techniques (against individuals or organisations): • To inject all sorts of false material onto the internet in order to destroy the reputation of its targets; and • To use social sciences and other techniques to manipulate online discourse and activism to generate outcomes it considers desirable. • “false ﬂag operations” (posting material to the internet and falsely attributing it to someone else) • Fake victim blog posts (pretending to be a victim of the individual whose reputation they want to destroy) • posting “negative information” on various forums.

Can open-source help? May 21, 2015 66/ 82 NSA’s survaliance of the internet Can open-source help?

Open-Source Possibilities

Can open-source help? May 21, 2015 67/ 82 Open-Source Possibilities → Open Source

Open Source Generally, open source refers to a computer program in which the source code is available to the general public for use and/or modiﬁcation from its original design.

You can use several Open Source tools to protect yourself: • Pretty Good Privacy (PGP) • Mailvelope • Off-the-Record Messaging (OTR) • Tails

Can open-source help? May 21, 2015 68/ 82 Open-Source Possibilities → Open Source

WHY?

Can open-source help? May 21, 2015 69/ 82 Open-Source Possibilities → Pretty Good Privacy (PGP)

Pretty Good Privacy (PGP) • Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. • PGP is often used for signing, encrypting, and decrypting texts, e-mails, ﬁles, directories, and whole disk partitions and to increase the security of e-mail communications. • It was created by Phil Zimmermann in 1991. • PGP and similar software follow the OpenPGP standard (RFC 4880) for encrypting and decrypting data.

Download: GnuPG

Can open-source help? May 21, 2015 70/ 82 Open-Source Possibilities → Mailvelope

Mailvelope • Mailvelope is an easy-to-use web-browser extension which brings OpenPGP encryption to webmail services such as Gmail, Yahoo and others. • Focus on usability • It’s based on OpenPGP.js • Mailvelope’s development started in March 2012 and has been available in the Chrome Web Store since August 2012. • Mailvelope stores the keys in the local storage of the browser and only there.

Download: Mailvelope

Can open-source help? May 21, 2015 71/ 82 Open-Source Possibilities → Open Source

Mailvelope

Can open-source help? May 21, 2015 72/ 82 Open-Source Possibilities → Pretty Good Privacy (PGP)

Why?

Can open-source help? May 21, 2015 73/ 82 Open-Source Possibilities → Off-the-Record Messaging (OTR)

Jabber: Off-the-Record Messaging (OTR) • OTR is a cryptographic protocol that provides encryption for instant messaging conversations. • OTR uses a combination of AES symmetric-key algorithm with 128 bits key length, the Difﬁe–Hellman key exchange with 1536 bits group size, and the SHA-1 hash function. • OTR provides authentication, encryption, forward secrecy and malleable encryption. • The motivation for the protocol was to provide deniable authentication for the conversation participants while keeping conversations conﬁdential.

Download: Jabber

Can open-source help? May 21, 2015 74/ 82 Open-Source Possibilities → Off-the-Record Messaging (OTR)

Jabber-OTR

Can open-source help? May 21, 2015 75/ 82 Open-Source Possibilities → Off-the-Record Messaging (OTR)

Why?

At the NSA

Can open-source help? May 21, 2015 76/ 82 Open-Source Possibilities → Tails

Tails • Tails or The Amnesic Incognito Live System is a security-focused Debian-based Linux distribution aimed at preserving privacy and anonymity. • All its outgoing connections are forced to go through Tor, and direct (non-anonymous) connections are blocked. • The system is designed to be booted as a live DVD or live USB, and will leave no trace (digital footprint) on the machine unless explicitly told to do so. • The Tor Project has provided most of the ﬁnancial support for its development. • Laura Poitras, Glenn Greenwald, and Barton Gellman have each said that Tails was an important tool they used in their work with Edward Snowden. Download: TAILS

Can open-source help? May 21, 2015 77/ 82 NSA’s survaliance of the internet Can open-source help?

Conclusion

Can open-source help? May 21, 2015 78/ 82 Conclusion → Many more programs

Many more programs

Can open-source help? May 21, 2015 79/ 82 Conclusion → How did we get here?

A series of changes has bought us to this point • technology development • A lack of legislation • Social polarisation (e.g. threat of terrorism) • Increased living standards in many western worlds have meant a lack of activism on privacy issues compared to for example the 60s and 70s

Can open-source help? May 21, 2015 80/ 82 Conclusion → Who cares anyway?

Who cares anyway? Well.... • Fact is few people do • Pew Research has a new survey on Americans’ privacy habits in a post-Snowden world. • 34% of those who are aware of the surveillance programs (30% of all adults) have taken at least one step to hide or shield their information from the government. • The remaining of those who are even aware of the programs have not acted! • Why this passivity (even among people who know about it)? • “Not a threat to me” attitude • A belief it is worth sacriﬁcing some freedoms to stay safe from terrorists etc. • A lack of understanding (or interest in) what this lack of privacy really means

Can open-source help? May 21, 2015 81/ 82 Conclusion → The End

THE END Questions

Can open-source help? May 21, 2015 82/ 82