
All right, so for our next speaker we have Wendy Knox Everette. Wendy is a software developer who burned out and went to law school, where she completed a concentration in national security law and interned with the FTC, FCC, and some other three-letter agencies, which I'm told were none of the fun ones. After law school she completed a fellowship in privacy and information security at ZwillGen. She currently lives in Seattle, where she is a senior security advisor at Leviathan Security Group. Please welcome Wendy Knox Everette.

Well, you guys can hear me. So as we just said, I am an attorney. I'm not actually a practicing attorney these days. In my past life, however, I did handle a law
enforcement request for companies, and ZwillGen was actually Apple's attorneys, one of them, during the Apple versus FBI fight, which is something we're going to talk a lot about here. So none of this is legal advice. I'm not your lawyer. I know other InfoSec attorneys who do practice; I'm happy to point you their way if you have any serious legal needs. But I'm always happy to chat about this stuff.

So we're gonna talk about a little bit of history first. Crypto Wars 1.0 really was in the 90s, with the Clipper Chip and Bernstein versus US. I threw Apple versus FBI in here also because I want to talk about the history of it, but I would kind of
say it like there was a 90s crypto war and there's the current one, what we have right now.

So the Clipper Chip. Oh, and I do not have my speaker notes. One second. Actually, no, we'll do this without speaker notes. Don't mind me. All right, so the Clipper Chip had this thing called LEAF. It was a physical chip that would basically do encryption for you, and basically federal agencies would hold keys to it. There was this whole system where two different agencies had to go in and put the key in to be able to unlock it. The NSA went out to security researchers, like, hey, will you guys help us verify the security of this thing?
And Matt Blaze, who was at Bell Labs at the time, got ahold of one of these systems, and he realized that they were doing a checksum on it. And I don't have my speaker notes so I can't get the actual number; it was something like 16,000 bits or something. It was some high number but not ridiculously high. And he figured out it would take him about 42 minutes to essentially fuzz a number that would pass the checksum but would not be valid. And so the system would take an encrypted message with this and go, oh, you correctly encrypted a message, and our agencies will be able to later decrypt this if we need to get the escrowed access to it, but
oops, no, they weren't really. And so essentially it foiled the point of using the system. So he published this paper that you can find on his website today, "Protocol Failure in the Escrowed Encryption Standard." I have a sources slide at the end of this that has a link to this, so I'll release my slides later and you can... it's basically a screen full of URLs you can go to teach yourself about this stuff. But that was one of the first failures of backdoored encryption, and people talk a lot today about, like, well, how is this any different from the Clipper Chip?

Another part of the first round of the crypto wars was the Bernstein versus US cases. There's three
cases here because, like, it went up to the circuit and there's an en banc of it, not en banc, which is a bunch of, like, legal, essentially process wrangling. It doesn't really have that much impact on the fundamental part. What was happening was Bernstein was a professor and he had an encryption algorithm, and he wanted to publish the software code that implemented this encryption algorithm and publish a paper about it. And at the time, if you had encryption that was stronger than, like, toy, like Caesar ciphers or something, you had to go register under a set of regulations called the ITAR regulations, which do still exist, and they regulate things like gun sights, tanks, F-35s, whatever. If
you're going to export arms, you have to register as an arms dealer. It's a super complicated body of law. Brendan and I went to a two-day CLE, which is like attorney education, on this in Seattle this past year; like, we barely skimmed the surface of it. And going alongside ITAR there's a concept called the EAR, which is a slightly less onerous set of regulations overseen by Department of Commerce, the Bureau of Industry and Security, BIS, which are the people that did the whole Wassenaar restricting vulnerability stuff in 2015. Anyway, Bernstein filed this case saying, like, hey, I just want to publish my software, I don't want to have to go register as an arms dealer in order to
release the software code. And the EFF took the case, and it came out the courts decided essentially, like, yes, software is expressive, this is protected by the First Amendment, we're going to move most instances of software out from under ITAR into EAR, which is much easier. And there's been some recent updates since 2016 to make it a little even easier to publish encryption software. So that was kind of the first round, in the 90s, of the crypto wars.

Then we come to 2015. There's the San Bernardino shooting in November 2015. The gunman and his wife had what law enforcement thought were messages back and forth to each other using iMessage on the phone,
and it turns out that the FBI got a hold of this phone, and there were also iCloud backups, and they couldn't get access to the phone. There were actually some goof-ups with, like, if they had 24 hours they could have, and they missed it. So basically the FBI goes to a judge and is like, hey, we want to get a warrant to search this phone, but even though we have the warrant we can't get access to it because of the way Apple encrypts the software. So in February 2016 a magistrate judge basically issued an order to Apple saying, you need to go help FBI serve this warrant; this warrant was lawfully issued; you need to assist
them with getting access to this content. And Apple is like, whoa, like, you want us to write software to break our own encryption? Like, that software is really important. When your iMessages are encrypted end to end, that's protecting you from having your messages sniffed by, like, someone else on your Wi-Fi network. And, like, if we do this once, this is going to be very dangerous. So Apple pushed back on it. ZwillGen was one of the law firms that assisted with doing that. And Apple actually published out to the public a letter on their website, which is pretty uncommon for them to do, explaining, like, hey, we're not the bad
guys here. Like, we are not just saying, no, FBI, like, we love criminals. We're trying to explain to you that this is an extremely dangerous thing to do. We can't just break the encryption or build this one custom piece of software for you and that's it, we're gonna lock it up, right, and pretend we never saw it again. That is not gonna happen. I, and I said, we probably could actually write this software, but then it's going to exist, and how are we going to protect who's going to use it in the future?

So part of what you need to know to be able to understand sort of what's move with the sort of equities and whatever and happen
in this area is that there's the Fourth Amendment and there's a bunch of statutes in this area. So I'm gonna try to teach you guys crim pro in about five minutes. This is actually a two-semester class in law school and it's super complicated. I had to learn a lot of this once I was out of law school, so let's see how this goes.

So we start with the Fourth Amendment. It creates the expectation, a reasonable expectation, of privacy. Most pure Fourth Amendment law is case law: things like the Carpenter case that was before the Supreme Court recently, and Riley, talking about could police officers search your cellphone when they pull you over and arrest you.
There's also statutes that govern this area. Wiretap law is extremely precise about what kinds of crimes you can use wiretaps to investigate. This is actually the area I have the most experience with; I used to serve wiretap and PRTT processes for internet companies, and it's very complicated sort of stuff. So the Electronic Communications Privacy Act is sort of an umbrella over this, and it also contains the Stored Communications Act. This law was written in 1986, so you can guess about how well it works with our modern, like, cloud world or whatever. Like, in 1986 we did not have webmail. It assumes some concept equivalent to Hotmail of, like, email that's been on the server for 30 days, like, you don't need a
warrant for it anymore, which is not actually how we do it anymore, but technically the statute still says this. There's also this thing that we call a network investigative warrant. These changed recently, about two years ago, with a change to Rule 41 of the Federal Rules of Criminal Procedure, which is a super gained way of saying that DOJ and FBI used essentially a procedure change to be able to do many more of these. And a lot of times what these are, these are put on child porn websites to try to get the IP addresses behind people using Tor browsers or so forth. So I actually have an example of one for you, which is not
one of these Tor browser exploits. It was talking about trying to get access to an email account of someone doing basically phishing, like, they got in between, some business email compromise sort of stuff. It's a little bit older. So you can see here we're talking about that we're searching for evidence of a crime and we're targeting a target email. They basically had an exploit they're trying to use to get access to this guy's email, figure out where he actually was. We didn't have, I think, an IP address at this point in time. The information that they wanted to get was the IP address, and they wanted the user agent string so they could figure out if it's, like, a
mobile phone or a laptop or something on the other end. And as with every warrant, you need probable cause that a crime has happened, and so this is the probable cause. They're talking about, hey, there's this wire transfer fraud, it's basically a business email compromise, and this is why we would like this.

So, cool, government has all these ways to request data using lawful access, except tech changes a lot. Like I mentioned, the SCA was created in the 1980s; tons has changed since then. So the All Writs Act was originally created in 1786. It's really old. This is basically one of the first Criminal Procedure style statutes created, except it's not actually usually used in Criminal
Procedure. It is generally used to basically make the courts able to function, so things like, we're going to issue a writ to be able to handle a will or an estate or something in a certain way, or used in a real estate case or something. It's basically the court tells someone, you need to go do something in order for this case to progress or this investigation to go. Not very commonly used. Most states actually also have their own equivalent of it. It's considered sort of part of the enabling legislation for our modern judicial system.

In the 1970s there was actually a case not too dissimilar to Apple versus FBI, where the FBI wanted to go get access to
some phone records in order to investigate something; I think this might have been, like, horse betting or something. So in the 1970s the phone system was changing. It used to be that for a wiretap it literally was, like, putting alligator clips on the wires, like, in the central closet. It's not like that anymore. It's all software. When I would process this stuff I was basically doing SQL queries, essentially through a web GUI, to later return stuff. So the network had essentially changed in the 70s, and the police come to New York Telephone, like, hey, we have this wiretap order, please do it for us. And New York Telephone is like, we can't put alligator clips on our wires anymore, it
doesn't work that way, sorry. And so the case went... they went and got an All Writs Act order requiring New York Telephone to comply, and the court actually said, yes, this has been something we've always been able to do. New York Telephone, you changed your network, but just because you changed your network doesn't mean that you no longer have to, like, help out these investigations. And so we say unreasonable burdens can't be imposed, but we don't think this is actually an unreasonable burden because you've identified a couple ways that, like, you could go in and assist with this.

So we now have this law called CALEA. This was passed about 1994, if I remember correctly. That is the Communications
Assistance for Law Enforcement Act, if I remember. This is really fun doing this with no speaker notes. It specifically says that telecom companies need to build their systems in a way such that they can help serve warrants and wiretaps and so forth. Like, you can go design your system however you want, but you need to be able to help law enforcement when they come to you with a valid process. But 1994 is the start of the internet, where the web, VoIP, is just starting to be a thing and so forth, and so they went in and explicitly excluded internet services. It says, like, this does not apply to internet services. 1994 clearly is a little different than what
we have now, but they kind of had an idea of what stuff was, what we were getting. Yeah, so we say it's a fuzzy applicability to internet service companies. The FBI will try to totally tell you that, like, no, this should apply to, you know, WhatsApp or something, like, that's a messaging service. There are every so often pushes to update CALEA to make it clearer that it applies to internet service companies, but at the moment, you know, it doesn't technically. And people try to go back to New York Telephone. If you go look at the things that the government filed in the Apple versus FBI case, they're like, we already have a case using the All Writs Act
saying that you must go assist with law enforcement investigation. And the reply to that is, yes, that case at that time said you had to, and then Congress acted and implemented CALEA, and Congress specifically exempted internet service providers from it, so therefore that holding should no longer apply. But it's never actually been overruled or anything. You can do very fun statutory interpretation sort of lawyer nerd fights with this stuff.

So anyway, as I mentioned, the All Writs Act was the process that was used for Apple versus FBI. So what was the outcome? So we had an order from a judge in California. At around the same time Judge Orenstein, a magistrate judge in Brooklyn, had a similar case before
him, where the FBI, I believe it was the FBI still, was asking for assistance with unlocking a cell phone that was used by a drug dealer. And Orenstein wrote this big long opinion saying basically, like, this is requiring Apple to break their security, and it's really important these days; we have data breaches, we have cybercrime and whatever; this is going too far. Like, we can't ask Apple to break everybody's security just so we can get some information for this one case. And there was going to be this big hearing. There were a bunch more filings. There was gonna be a big hearing on it, and, like, the day before, the FBI filed a thing saying, no, we need, like, just a
couple more days, everybody. Gosh, what happened? Who knew? And they came back about a week later and said, well, we were able to get into this, the San Bernardino phone, essentially using a software vulnerability, which essentially negated the case. Like, it was no longer a controversy anymore whether they could access it or not. So this is actually still fairly unsettled. There is no clear ruling saying definitively that software companies do or do not actually need to write custom code in order to assist law enforcement.

And this is very much not the last that we've heard of this. They're still seeking assistance with breaking into stuff. MS-13, essentially. I believe this was also... well, actually, no, I
don't remember what sort of device it was, but it's a Facebook Messenger case. It was essentially leaked that they were trying to require Facebook to go in and write a version, or write some software, to crack the encryption used for this. Facebook refused; they're like, we would basically have to rewrite all of Messenger's app code, it's gonna get exploited by people. That's the same thing: this is unsafe. ACLU filed a process, or filed in this case, asking for essentially the government's request and Facebook's response and everything to be released. This was November 2018. I just talked to a friend who works at ACLU two days ago and I was like, hey, I'm researching for this talk and I can't
find anything for November 2018, like, what's up? He's like, yeah, the court is sitting on it, we don't know. There's been no update in this case. Nobody actually knows what happened here. Did Facebook really do this? We don't think they did, but it's unclear.

Also, you may have seen this article in the New York Times recently. Here's the fun thing with doing digital civil liberties work: there are really horrible, horrible people out there doing extremely horrible things. Like, child porn is a huge problem. And DOJ is starting to shift tactics now. Instead of being like, oh, we need this stuff because of terrorism, which is what they're trying to a standard, you know, now they're going, well, we need to be able to
get into Facebook Messenger and everything because child porn is a huge problem. Which absolutely it is; this is not in dispute. The question is how do we balance our response to this. Can we have these messaging systems that we can detect child porn with and yet still not have them used for censorship, not break all of our digital security? It's sort of a balancing act here. We also have things like Australia, which is requiring people to go in, and they can essentially tell Australian citizens, you work for a company, I need you to go implement a backdoor or share private encryption keys, and you can't tell your employer.

So DOJ on October 4th in DC
held what they called a lawful access summit. There's a video for it up; I have a link to it at the end of this. And Barr basically gave this talk saying, you know, there's criminals out there, criminals are using all these digital tools that we do, while we shouldn't hesitate to use cyber criminals shouldn't be generally that eviscerates society's ability to defend itself. And he's talking about, like, oh, we think the tech companies are telling people that they can make themselves invisible to law enforcement, which is very much not true. You can always get metadata. These companies do a ton of work with serving warrants and wiretaps and whatever when they can. A warrant is not a, essentially, magic, like,
give me the contents of this. A warrant is a right to go search for something, and you may or may not find it. So he talks about how there are Fourth Amendment balancing tests, which is absolutely true. There are very much Fourth Amendment balancing tests. If you go in and read the Riley and the Carpenter cases, we talk about how we do have essentially the need to track down criminals in our society balanced against people's expectations of privacy. But that doesn't necessarily work in the world of math, where encryption implies, like, you can't really balance broken encryption. It's either backdoored or it's not. If there is a backdoor, it's extremely hard to have this only be kept
in a way where the government can access it and not hackers, blackhat hackers. Essentially, backdooring an encryption algorithm is intentionally weakening it. Matt Blaze, who was the first person who broke the Clipper Chip stuff, is basically, he's like, oh my gosh, this is always key escrow. They say it's not key escrow, they say nerd harder, nerds, and then it's key escrow. And, well, the problem with that is how would we protect the escrowed keys? Like, forget about just the algorithm. Also, like, so say, like, the FBI and the NSA each has half a key; like, how do they protect it? How does local law enforcement get access to it? They don't have a lot of clear
that they can articulate using this. And also, how does this even work with the global internet? One of the problems is we can mandate US companies use, or, like, basically create, these backdoored systems, but, like, I can connect to the internet from anywhere. Like, could I not just go to, like, Luxembourg and download, like, a Luxembourg version of Signal and use that? And one of the things too is people have been using software vulnerabilities ostensibly as, like, a pressure valve release; like, that's how the FBI got into the Apple iPhone. This is really dangerous. It creates a lot of bad sort of incentives for the government to find vulnerabilities and not share them, which they're probably
doing already. Like, this is the whole thing with, like, does the NSA sit on a pot of exploits or not. And it's not really as good of a safety valve as we've been relying on. The other thing with the global internet is how do we say that only the US government can use this? You know, China is going to immediately be like, hey, we need access to that. And China does actually; most of the messaging systems used within China, China expects to have access to it. And people also say, oh, well, can't we just compel people, require them to hand over their decryption keys? So, A, if you haven't actually arrested the person yet, that's not gonna work so well, and
also the Fifth Amendment provides a lot of protections here. You can refuse to provide an encryption key, usually, if it's going to give access to something that will incriminate you. There is the foregone conclusion; there's very iffy applicability to biometric unlocks and so forth. So it's not as great of a solution as people might think.

So essentially that's the state of the world. I have a lot of very small URLs for you here if you're interested in this sort of stuff. It starts mostly with history and goes down. The FBI Domestic Investigations and Operations Guide and the US Attorney's Manual on electronic surveillance are both fascinating if you have any interest in this area, the
digital civil liberties sort of stuff. I super recommend you pull them down and look at them; they're pretty cool. So I don't know if I have any time for questions. Okay, so if you have any questions, we have a mic here, I think, if you want to come to the mic and ask.
Thank you for keeping this on. So I'm curious how the GDPR has been influencing our privacy and security laws here in the US, and if you can speak to that at all, if there's been any... do you think that that's helpful or...

So the GDPR has certainly influenced US companies, and it's definitely influenced the recent California CCPA. So one of the big things that it does that has an impact in this area is it kind of incentivizes companies not to hold on to that much data. They mostly do anyway, but it is sort of a push in that direction. So I'd say that's probably the biggest thing. I do also, I get very
snarky about the tensions between privacy and security. So if you were primarily interested in introspection, like, you want to see everything going over your network, you want full access to people's email accounts and whatever, and privacy, you know, like, it's almost a 180 interest in that. Like, the interests are sometimes aligned but not always. So I'm not sure that privacy, like, regulation is really going to help in this area. And people are very concerned about asking for CALEA updates right now because it's assumed that it will just require backdoors for internet services, and then we have the security problems with that.

Any other questions? Well, thank you everybody. [Applause]