Mike Gerwitz

Activist for User Freedom

summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMike Gerwitz <mtg@gnu.org>2017-03-10 02:07:56 -0500
committerMike Gerwitz <mtg@gnu.org>2017-04-02 22:04:28 -0400
commit8dfc7cb0305f9da0ee26d5170820d9ae21239d3f (patch)
tree7120066b58ac4d061e4fa23b423d93bdf97ca986
parent5a1e0b7b78653c30aec6b824130b2493a90a6de5 (diff)
downloadsapsf-8dfc7cb0305f9da0ee26d5170820d9ae21239d3f.tar.gz
sapsf-8dfc7cb0305f9da0ee26d5170820d9ae21239d3f.tar.bz2
sapsf-8dfc7cb0305f9da0ee26d5170820d9ae21239d3f.zip
slides.org (Policy and Government): Nearly complete draft slides
Daunting. Hopefully I don't get rid of too much of this; it's a lot of history to be talking about.
-rw-r--r--slides.org231
1 files changed, 199 insertions, 32 deletions
diff --git a/slides.org b/slides.org
index 9f1fe9e..a66f7e1 100644
--- a/slides.org
+++ b/slides.org
@@ -16,6 +16,8 @@
#+BEGIN: columnview :hlines 3 :id global
| ITEM | DURATION | TODO | ENVIRONMENT |
|-----------------------------------------------+----------+---------+---------------|
+| * LaTeX Configuration | | | |
+|-----------------------------------------------+----------+---------+---------------|
| * Slides | 0:44 | LACKING | |
|-----------------------------------------------+----------+---------+---------------|
| ** Introduction / Opening | 00:00:30 | DRAFT | fullframe |
@@ -66,7 +68,7 @@
| **** ALPRs | 00:01 | LACKING | |
| **** Car Itself | 00:00:30 | LACKING | |
|-----------------------------------------------+----------+---------+---------------|
-| ** The Web [0/6] | 0:12 | LACKING | |
+| ** The Web [0/6] | 0:10 | LACKING | |
|-----------------------------------------------+----------+---------+---------------|
| *** Introduction [0/1] | | DRAFT | ignoreheading |
| **** Introduction | | DRAFT | fullframe |
@@ -81,18 +83,18 @@
| **** Trackers | 00:01 | LACKING | |
| **** Like Buttons | 00:01 | DRAFT | |
|-----------------------------------------------+----------+---------+---------------|
-| *** Fingerprinting [0/3] | 0:04 | LACKING | |
+| *** Fingerprinting [0/3] | 0:03 | LACKING | |
| **** Summary | | DRAFT | |
-| **** Alarmingly Effective | 00:03 | DEVOID | fullframe |
-| **** Browser Addons | 00:01 | DEVOID | |
+| **** Alarmingly Effective | 00:03 | LACKING | fullframe |
+| **** User Agent | | DRAFT | |
|-----------------------------------------------+----------+---------+---------------|
-| *** Anonymity [0/4] | 0:04 | LACKING | |
-| **** Summary | 00:01 | LACKING | fullframe |
-| ***** TODO Anonymity | | | |
-| ***** TODO Pseudonymity | | | |
+| *** Anonymity [0/4] | 0:04 | DRAFT | |
+| **** Summary | 00:01 | DRAFT | fullframe |
+| ***** Anonymity | | | |
+| ***** Pseudonymity | | | |
| **** IANAAE | | DRAFT | fullframe |
-| **** The Tor Network | 00:01 | DEVOID | |
-| **** TorBrowser, Tails, and Whonix | 00:02 | DEVOID | |
+| **** The Tor Network | 00:01 | DRAFT | |
+| **** TorBrowser, Tails, and Whonix | 00:02 | DRAFT | |
|-----------------------------------------------+----------+---------+---------------|
| ** Data Analytics [0/2] | 0:04 | LACKING | |
|-----------------------------------------------+----------+---------+---------------|
@@ -109,16 +111,23 @@
| *** Introduction [0/1] | 0:00 | DRAFT | ignoreheading |
| **** Introduction | 00:00:30 | DRAFT | fullframe |
|-----------------------------------------------+----------+---------+---------------|
-| *** Surveillance [0/4] | 0:06 | LACKING | |
-| **** History of NSA Surveillance | 00:02 | DEVOID | |
-| **** Verizon Metadata | 00:00:30 | DEVOID | |
-| **** Snowden | 00:01 | DEVOID | |
+| *** Surveillance [0/7] | 0:06 | LACKING | |
+| **** History of NSA Surveillance | 00:02 | DRAFT | |
+| **** Ron Wyden | | DRAFT | fullframe |
+| **** The Leak | | DRAFT | fullframe |
+| **** Verizon Metadata | 00:00:30 | DRAFT | |
+| **** PRISM | | DRAFT | |
+| **** Snowden | 00:01 | DRAFT | |
| **** Tools | 00:02 | DEVOID | |
|-----------------------------------------------+----------+---------+---------------|
-| *** Crypto Wars [0/3] | 0:03 | LACKING | |
+| *** Crypto Wars [0/6] | 0:04 | LACKING | |
| **** Introduction | 00:00 | DRAFT | fullframe |
-| **** Bernstein v. United States | 00:01 | DEVOID | |
-| **** Makes Us Less Safe | 00:02 | DEVOID | |
+| **** Export-Grade Crypto | 00:01:30 | DRAFT | |
+| **** Bernstein v. United States | 00:01 | DRAFT | |
+| **** The First Crypto Wars | 00:01 | DRAFT | |
+| **** Re-repeats Itself | 00:00 | DRAFT | fullframe |
+| **** Modern Crypto Wars | | DRAFT | fullframe |
+| **** ``Going Dark'' | | DEVOID | |
|-----------------------------------------------+----------+---------+---------------|
| *** Espionage [0/1] | 0:01 | LACKING | |
| **** US Can't Keep Its Own Secrets | 00:01 | DEVOID | |
@@ -141,6 +150,8 @@
|-----------------------------------------------+----------+---------+---------------|
| ** Thank You | | | fullframe |
|-----------------------------------------------+----------+---------+---------------|
+| ** References | | | appendix |
+|-----------------------------------------------+----------+---------+---------------|
| * Exporting | | | |
|-----------------------------------------------+----------+---------+---------------|
| * Local Variables | | | |
@@ -1270,7 +1281,7 @@ TODO
#+END_COMMENT
-*** LACKING Crypto Wars [0/3]
+*** LACKING Crypto Wars [0/6]
**** DRAFT Introduction :B_fullframe:
:PROPERTIES:
:DURATION: 00:00
@@ -1278,7 +1289,7 @@ TODO
:END:
#+BEGIN_CENTER
-History repeats itself
+\Huge History repeats itself
#+END_CENTER
#+BEGIN_COMMENT
@@ -1290,34 +1301,189 @@ The Crypto wars.
#+END_COMMENT
-**** DEVOID Bernstein v. United States
+**** DRAFT Export-Grade Crypto
+:PROPERTIES:
+:DURATION: 00:01:30
+:END:
+
+- <1-> Cryptography classified as munitions (Arms Export Control Act; ITAR)
+- <1-> ``Export-grade'' cryptography
+- <2-> Lotus Notes
+ - <2-> 40-bit export-grade symmetric key
+ - <3-> Agreement with NSA: 64-bit export, but 24 of those bits a "workload
+ reduction factor" for the NSA
+- <4-> Phil Zimmerman: PGP (\geq 128 bits)
+ - <4-> Formal investigation by US government in 1993
+ - <4-> Published source code in a book, which could be OCR'd
+- <5-> Still suffer long-term effects today
+ (downgrade attacks, e.g. POODLE)\cite{poodle:paper}
+
+#+BEGIN_COMMENT
+Back in the 1990s,
+ cryptography was classified as munitions.
+
+If you wanted to export it to other countries,
+ you essentially had to make it crackable by the NSA.
+
+Lotus Notes is often used as an example of the negative effects of such
+ regulation.
+Interestingly, it was actually the first widely used software to use
+ public-key cryptography.
+Due to export restrictions,
+ the maximum symmetric key size they could support was 40 bits.
+This was easily crackable by the NSA,
+ but also feasible for other adversaries.
+They compromised with the NSA:
+ 64-bit keys, but 24 of those bits would be encrypted specially for the NSA
+ as a "workload reduction factor".
+So you had protection against most adversaries,
+ but not the US government.
+
+Then we have Phil Zimmerman, author of PGP.
+He didn't consult the NSA.
+Instead, he published the source code for PGP in a book with MIT Press,
+ and widely distributed it.
+If someone wanted to use PGP,
+ they could unbind the book, OCR the pages, and compile it with GCC.
+The US government opened a formal investigation into the case in 1993;
+ the charges were dropped years later.
+
+We are still observing the fallout from export-grade crypto today.
+They are called "downgrade attacks",
+ where a program such as a browser is tricked into using a weaker
+ cipher or keysize,
+ allowing an attacker to MitM the connection.
+POODLE is an example of this.
+#+END_COMMENT
+
+
+**** DRAFT Bernstein v. United States
:PROPERTIES:
:DURATION: 00:01
:END:
+- <1-> 1995: Bernstein v. US Department of Justice\cite{eff:bernstein:doj}
+ - <1-> Argued that restrictions violated First Amendment
+ - <2-> **Code Is Speech**
+- <1-> 1996: Bill Clinton Executive Order 13026 transferred to Commerce
+ Control List\cite{fedr:export-controls}
+- <1-> Department of Commerce relaxed rules in 2000\cite{doc:rev-export-reg}
-TODO
+#+BEGIN_COMMENT
+In order to publish information on encryption algorithms and the like,
+ you had to get permission from the government.
+
+In 1995, Daniel Bernstein---then a graduate student---wanted to publish the
+ source code and mathematical papers for his encryption algorithm
+ /Snuffle/.
+Like Zimmerman,
+ Bernstein thought export restrictions to be a violation of his First
+ Amendment rights.
+But instead of blatant defiance,
+ he decided to sue the US government.
+He was represented by the EFF.
+The Ninth Circuit Court of Appeals ruled in his favor.
+
+The following year, President Bill Clinton signed an executive order that
+ removed encryption from the munitions list,
+ and in 2000 the Department of Commerce relaxed export restrictions.
+
+You might have heard the term "code is speech".
+Bernstein v. United States case had wide-reaching consequences,
+ not just for cryptography.
+Source code is protected under the First Amendment.
+
+(See also Junger v. Daley.)
+#+END_COMMENT
+
+
+**** DRAFT The First Crypto Wars
+:PROPERTIES:
+:DURATION: 00:01
+:END:
+
+- <1-> These incidents part of the first Crypto Wars\cite{w:crypto-wars}
+- <2-> DES Originally 64-bit key; NSA wanted 48 bits; compromised at 56.
+- <2-> Two version of the browser: 128-bit "U.S. edition" and effective
+ 40-bit "international".
+- <3-> **Clipper Chip** was a hardware backdoor that employed a key escrow
+ system
+ - <3-> Complete failure
+ - <3-> Terribly insecure (property of key escrow in general)
+ - <3-> Opposite effect: spurred development of Nautilus and PGPfone
#+BEGIN_COMMENT
-...
-(Include export-grade crypto)
-(Code is speech)
+These incidents are classified into a period of time informally described as
+ the "Crypo Wars".
+
+There's a couple other good examples that I don't have time to get into:
+ The DES encryption algorithm, for example, was originally 64-bit;
+ the NSA wanted 48-bit, but compromised with 56.
+ Netscape had /two versions of their browser/: one with 128-bit SSL and the
+ other with 88 of those bits exposed to meet export regulations.
+This sounds insane today---because it is.
+
+But there's even more insanity.
+
+The Clipper Chip!
+It was the US government's attempt to backdoor communications with hardware.
+It used a key escrow system,
+ and the algorithm they devised---called Skipjack---was classified,
+ and so could not be reviewed by crypto experts at the time.
+Backlash was large.
+It failed miserably.
+Later cryptanalysis yielded scathing flaws,
+ as is generally the case with key escrow cryptosystems.
+It even had the opposite effect:
+ it spurred the development of encrypted communication programs like
+ Nautilus and PGPfone (the latter being proprietary).
+
+So,
+ why did I go into so much history in a talk meant to deal with today's
+ privacy and security threats?
#+END_COMMENT
-**** DEVOID Makes Us Less Safe
+**** DRAFT Re-repeats Itself :B_fullframe:
:PROPERTIES:
-:DURATION: 00:02
+:DURATION: 00:00
+:BEAMER_env: fullframe
:END:
-TODO
+#+BEGIN_CENTER
+\Huge History repeats itself
+#+END_CENTER
#+BEGIN_COMMENT
-Apple v. FBI
+Because history repeats itself.
-- Backdoors
-- Clipper chip
-- LOGJAM, etc from export-grade crypto
-- VEP
+Today's attempted legal/policy assault on privacy and security are enormous.
+We've already covered some.
+I don't have time to cover more than a small fraction of them.
+#+END_COMMENT
+
+
+**** DRAFT Modern Crypto Wars :B_fullframe:
+:PROPERTIES:
+:BEAMER_env: fullframe
+:END:
+
+#+BEGIN_CENTER
+\Huge ``Going Dark''
+#+END_CENTER
+
+
+#+BEGIN_COMMENT
+But the big phrase you hear today is "going dark".
+Government agencies are fearful of broadening use of encryption
+ because they can't read many of those communications.
+#+END_COMMENT
+
+
+**** DEVOID ``Going Dark''
+
+#+BEGIN_COMMENT
+Apple v. FBI
+VEP
#+END_COMMENT
@@ -1332,6 +1498,7 @@ TODO
#+BEGIN_COMMENT
- Office of Personnel Management
- DNC
+- VEP
#+END_COMMENT