
well hello everyone um as you can see my usual um well you might not know that these are usual AV curses that follow me around but it's happened a few times where a laptop just does not do the AV it's supposed to do for no reason at all despite working perfectly well in every other environment than the actual environment that it's supposed to run in but hey it worked on my laptop um so going a bit about this uh who am I I am my um I am basically a cyber security information security person that does many things uh I'm intentionally vague about this for various reasons uh but on the side I do various things such as communities um
handle some ctfs do some um CTF challenges go to conferences such as this one and yeah I basically I'm an extremely silly person in general so what is this talk exactly about or rather what is this talk not about uh so you might have seen the word decentralization and you're like well this is going to be something analogous to maybe blockchain web 3 all that [ __ ] we've been hearing for the last three or four years and no um so just as a pref this there's uh no snake or vendor [ __ ] in this at all this is purely my own opinions they are worth exactly what they're worth to whomever they are worth to so if you
disagree that's fine we can talk about it over a beer I'm fine with this um there's nothing relating to Academia at all I might cite one or two papers on accident I'm not doing it on purpose but had the best graphics for the situation and uh yeah it's it's not this what is this talk about though um well actually it's old stuff about as old as the internet because our current understanding you know blockchain web 3 C cryptocurrencies all that stuff the things that we most commonly nowadays associate with uh decentralized services or at least if we've read a post or if we've read someone talk about it it's usually in reference to these types of
systems no many systems from way back in the day already made use of some form of decentralized architecture and although we won't be talking about it as in not as the core Focus we will still have to address it sadly because it's a matter of making certain that the words we use are the same ones on both sides of the presenter stage um you need to understand what I'm talking about and I need to be certain that you understand what I'm talking about so yeah yeah um and the end or goal of this conf uh this talk is really like given current trends what people are saying how it's being shipped to people we we can really ask the question
like is decentralization a good thing just in general a blanket statement if you know any kind of blanket statement in cyber security answer is always going to be invariably it depends so spoiler alert it depends but um moving on part one uh let's already like Nick the buzz in the egg or whatever we're going to remove the whole buzzword aspect of decentralization because it is a buzzword and everyone has a different meaning for it so it's a trendy topic that everyone from yourself myself uh someone's uncle some politician somewhere some CEO somewhere and a lot of experts uh some deservedly in quotes some deservedly without quotes have opinions on but it's currently a hotbed
of innovation and it's becoming a core theme in a lot of discussions not only in web 3 kind of oriented spaces but decentralization in for example the fediverse was a core topic of C3 Camp uh this year so the chaos computer club's uh camp in Germany which was fun um har the official definition I'm saying official in quotes because that's the one that you'll find on Wikipedia if you're actually looking for it uh is decentralizing the underlying infrastructure of the internet shifting away from centralized data storage and management and relying on newer protocols this says nothing these are words that are stringed together that mean everything and nothing at the same time and there is a bit of a semantic
hiccup for example if you have a big Corp let's just call big Corp that are a social media company and technically a social media company will have multiple servers all around the world to cater for availability uh to cater for just the chance that one of their servers goes down uh to cater latency to cater all of that jazz but since it's the same service being on multiple instances across the globe is it decentralized that's where the semantic hiccup comes in so my own kind of take on decentralization is purposefully fragmenting the internet into smaller pockets that are not controlled by mega corporations or governments but by organizations foundations or people or whatever combination of let's
say free people without the entire um weight of conglomerates and other money-driven institutions so I mentioned that uh decentralization was an old ass topic what it became a trending topic again but it's not really new like 1989 was the worldwide web if you look at this graphic hopefully it render big enough yeah all of these servers are in different places the information is accessible from most of the places that are routed to but the servers the physical information itself is located in multiple areas so the worldwide web technically is a decentralized store of information so it's not a new concept and so like I mentioned it was talked about really at the chaos computer uh
Camp because it's coming back and a lot of services we use nowadays or some of the ones we are taken to use more and more nowadays because other services are dying in a fiery pit of uh dumpster fire a radioactive dumpster fire um are also in that vein and we need to actually get back into it and understand what the challenges are and how everything is building up to a freer internet so in our everyday lives we we use a bunch of services for daily purposes right we um we want to do communications we use Signal we use WhatsApp we use uh Telegram we use the phone um if we're talking about like actual texting uh
there's a bunch of other services that exist um but the more commonly used ones are in their iMessage as well but that's a bit more proprietary uh social media you have your meta Facebook uh Twitter Instagram Tik Tok all that bollocks uh video streaming you YouTube Netflix Prime uh no Amazon why I say Prime whatever um and then for blogging so if if you want to talk about blogging nowadays where do you find blogs half of the time half of the blog post are on medium fair enough they have an infrastructure that works they have a way that is easily access accessible for people to post information onto the internet and attribute it to them um
however a bunch of people have also taken to LinkedIn for blogging which is like okay fair enough you do you um but if you look at the entire providers the list of companies that are behind this you could potentially call this uh Fang m gedon there are a bunch of companies in that sphere which are tied back to like a few companies so the entirety of the services we use daily can be tied back to a few companies maybe slightly less because as you know cyber security enthusiasts or professionals we use many more services example for threat intelligence for all that but the core ones we use in our day-to-day lives can sometimes be traced to this but but
these don't exist in a vacuum right there's many other platforms for all these use cases we want to talk about communications well Matrix for example is one of them uh the Signal protocol not Signal protocol as implemented by Signal but the Signal protocol is open source you can implement it yourself you can take a library that uses it whatever uh XMPP also works um IRC well the previous ones were mostly all encrypted end-to-end encryption IRC is definitely not um social media for example you have Mastodon you have Pleroma you have Pixelfed you have all those services that exist for social media Pixelfed is something that is more analogous to Instagram why not it exists uh video
streaming PeerTube Plex Plex is proprietary but you can still host your own um libraries and you don't get ads if you know you're watching someone's else's Plex unless you're something's been [ __ ] up in the last I don't know X time since I've used Plex um so are these things as glorious or omnipresent uh do do you hear about them in your everyday life no do they have all your favorite people on them also no but they are symptoms of a freer internet I'm saying symptoms because they're not necessarily the cause there are however derivations of what people can build if they're confronted with the question how can we take this away our
social media our video streaming our everything from big corporations and hosted among people communities so if we look higher than just the services themselves the freedom of choice itself might seem vaguely bleaker how how many small domain registrars do you know I see some person some people smiling there because they all know what I'm going to mention at some point but um yeah how many small hosting providers do you know how many cloud infrastructure providers do you know like you think cloud infrastructure provider and you have like the big names you have a uh Google Cloud you have AWS you have everyone and you're like there are only so many names that come to mind so we we seem doomed entirely
doomed to basically have big corporations handle some part of our freer lives on the Internet or are we doomed that's the question there's also options so if we talk about domain registrars well there's smaller registrars uh gla's one uh there's other ones it doesn't take that well it does take a lot of effort to set one up a bigger your effort to maintain it but and our selection of TLDs might be smaller by a significant margin but they do exist hosting providers as well a lot of people well first of all you can start by self hosting you don't don't not everything needs to be a DigitalOcean droplet come on and you can also just rely on smaller
local providers a fully static HTML page does not need to be hosted on AWS you can host it on a Raspberry Pi for [ __ ] sake and cloud infrastructure providers yeah you can find some of course ad senses against you because big companies are paying big money to keep themselves at the top of the list but they do exist uh they might not have as much availability it'll be one rack somewhere in [ __ ] all the middle of England but it exists and that's that's kind of the fun thing of course if you're doing this for business you might have another issue which is just you know legal SLAs all those fun questions
of compliance people wanting to shoot themselves in the audience apparently but that's that's fine but to summarize uh decentralization is more of a Rebrand new topic than a really new topic of discussion it's existed since well the internet since even before uh the telephone Network at the time was decentralized in a way you couldn't make a call from X to Y International without going through a few hubs because and so decentralization is possible to an extent and with a non- negligible amount of sacrifices in terms of availability in terms of where you can get the information in terms of latency in terms of all of that on most of the supply chain which is good now I I did say we'd have to
address a topic which I don't like at all but you hear decentralization you think those words cryptocurrencies blockchain Etc yeah we have to open that parenthesis I'm sorry that I apologize in the some cryptocurrencies take control of finance from big banks or protects people from retribution because they can make payments which can't be traced back to them uh allows people to escape forced poverty or gives people dis gives disenfranchised people an opportunity and unequivocally dis [ __ ] just there there's one case of cryptocurrencies which I won't mention but being useful for a good thing and that's about it and a lot of people know what it is and I'm not going to elaborate but finance was really never
centralized was it like you think money money isn't centralized first of all money isn't real nowadays uh there's no real not every single pound you have is leveraged against by an amount of a physical whatever in a vault somewhere that just doesn't exist anymore plenty of payment system exist whether official or unofficial uh you can have country level instant banking in Switzerland we have TWINT the Netherlands have those systems exist iDEAL whatever um but those systems exist and allow people from the same country to transact without actually being entirely tethered to their bank okay if you want to talk about something that's slightly less official and wildly more illegal hawala does anyone know what hawala is
show hands one 2 3 4 yeah a honor based uh system where people at one end put in money and people at the other end of the word world have money delivered to them I'm oversimplifying it grossly for the purposes it's a ledger system based on honor for off the record transactions doesn't seem like it work it works surprisingly well and banks can't really operate alone like for two people that are on two different banks to have like money from A to B there needs to be relationships at least from A to B or from A to C C to B there it doesn't just exist in a vacuum and so when you think about it
it's more of a worldwide postal system for money just oversimplifying grossly but that's kind of what it is and so cryptocurrency only has value if real money is basically backing that value so concept we off it banks are still involved if you want to take money out an ATM you can't just put your Bitcoin card in and expect it to work unless someone that I haven't found out has made an entire financial processor based entirely on the concept of Bitcoin straight to dollars but still at the end of that day it's another currency coming out so yeah um other claims that I'm going to address much more quickly protection from retribution uh it's the literal opposite of
anonymity uh that I it's a signed immutable transaction statement how more less anonymous can you get um allows people to escape forced poverty or gives disenfranchised people opportunities One does not simply acquire cryptocurrency or no value or one can acquire a small amount and wait for it to rise but if through the magical opium of whatever that's just not effective and also like everyone's like everyone is able to mine right well no because if you have more money you can buy more rigs to mine more and get richer quicker and everyone else is then disenfranchised the same amount except more because the entire power they use to mine well they still have to pay their
utilities at the end of the day so yeah so a TV series called Almost Human back in whenever 2000s Bas uh no 2015 I believe it was I did one series based entirely upon a dystopia of like future world with a bunch of androids and all that jazz they had adopted Bitcoin as their transaction system with like sticks you could poke and like currency would magically transact still a dystopia people are still poor like I I don't know this reality is just whatever so uh for example if you if you've looked at the news in the last two days and this is the last I'm going to mention about anything about cryptocurrency yeah so Binance is giving
over all their books to the Fed so this is going to be fun not for anyone in that world but I do expect a lot of arrests to be fun and based on a bunch of things anyhow uh part two uh going deeper into like this entire scheme the fediverse is a beautiful system um it's a collection as fediverse.to the main reference for everything is collection of community-owned ad-free decentralized and privacy centric social networks is that the actual definition of it well I disagree despite it being like one of the main sources citing this it's like it stretches what a social network actually consists of uh video streaming is YouTube a
social network technically you can post and interact and post content but are you really going there to have a conversation with someone no picture hosting uh are you going to have a conversation with someone same same question journaling same question digital libraries Etc same question but all those things exist on the fediverse just it's part of the entire scheme so if we want to go deeper Matrix and Matrix protocol for example you can choose to host or not a server you can just take an official server you can go on someone else's server fine Matrix protocol is open source it's reasonably well documented um and the in encryption around it has been audited publicly the findings have been released
the comments on those findings have been released all of that is viewable by yourself and myself okay you might not have expected this email at a base level it's just information being sent between systems hosted in various places okay if you're hosting your own email server which most people will tell you don't which all speak the same language vaguely protocols being protocols and we could encrypt it end to end but like uh okay a show of hands has anyone here actually used PGP or S/MIME in last month okay that's actually vaguely half of the room which is surprising but otherwise the the messages are just being sent of course enveloped in the entire TLS Etc scheme but the
information is still readable from the servers on which it is so yeah um we mentioned Mastodon aoma key others Pleroma as well ActivityPub uh just exists it's seamless is communication between instances say is because well these diagrams are very nice but they sometimes don't account for issues um it allows for easy bridge building there's no algorithm to generate engagement which is good and bad the networks are smaller but they're also more interactive uh Veilid unveiled at DEF CON fully decentralized no trust hierarchy at all multimodal system of like you have a core you have many applications that can be built on this every node pitches in beautiful I I actually ran a few nodes a
few times just for fun it it works um I just want to see it work better and you have many projects that you could do uh just host having web ring just that's funny uh ASN peering also funny uh writing a bridge for systems also funny writing an app also funny rolling your own crypto don't but also funny so uh kind of halfway through it did tell me I did have the full 45 minutes at the beginning because of the whole issues and we're 25 minutes in so I'm yeah this isn't really a niche concept any longer entities like the European Commission have established and maintain an active presence on the European Commission uh
on the fediverse sorry many industry peers have established presences there it's fun to interact with real people that aren't basing everything based on engagement and this is an enjoyable concept but now we can kind of move on to the motivations why would one want to do this well there's a bunch of legislative strands which are let's say worrisome there's the Online Safety Bill in the UK which if you've read any kind of um you know communication about that is not genial France has a new law which is basically the Online Safety Bill but French uh the EU has eIDAS uh 2.0 which is itself uh why wouldn't you have trusted by default root certificates
that you you whatever um EU also has the chat control bill which is basically the Online Safety Bill but European and actually worse um you have a bunch of worrisome phrasing uh so you have multiple things that can be simultaneously true children are at risk at on the internet yes that that is true breaking encryption does not make anyone safer you can't just put a back door and assume that only good people can use the back door that's not how encryption works that's not how math works but yeah so the NCA is a National Crime Agency posting oh yeah um uh we will no longer be able to keep children safe on the platform [ __ ] you just
seriously [ __ ] the NCA I hope no one's from the NCA here but this is entirely [ __ ] entirely but moving away from the rage Fest for 5 minutes yes our corporate overlords are spying on us Android phones have bloatware a bunch of it uh Play Store and services more things that track exactly what app you're using at what time and for what tracking analytics across the wo Windows does the exact same thing with bloatware and the Microsoft store and all the other Telemetry services that exist the Apple ecosystem it's just the entire ecosystem I'm just not even going to go into it and so you could just make the choice and go like oh yeah I just want to go on
CalyxOS or whatever other non- googlefi W you want and yeah you could but also you're losing certain conveniences that you might want but hey privacy is a human right maybe not legally everywhere like it's not written in the law certainly isn't in the UK but it should be and a corporation government should not know anything about well first of all our sex lives for example just the most easy example I could give to just disincentivize people from the government knowing what they do know our purchases our watch history our habits or shopping list or letters to Santa [ __ ] it why just end to end encrypt that any one condition to privacy is
just that math is used as intended and math is not broken you design a system to be broken by using math that leads to it being broken not just one person can abuse this and anything that isn't encrypted is sure to be abused TW Engineers were admitting to reading DMs Facebook Messenger only uh implemented E2EE like days ago like okay but certainly there's legitimate targets for legislation right you have bulletproof hosting services forums which have hate crimes or hate speech hosted on them uh forums with documents uh which with which target children just in a documented fashion platforms known to host APS all that jazz those are those are terrible places that yes should be the target of
legislation however we shouldn't target how these people are conversing but the actual people conversing then you can just say these people are doing X Y and Z and we should criminalize that not the platform that is hosting them for example or depending if it's the platform that is done for this then yes but whatever that then becomes illegal whatever and there's a gray area because of course there's a gray area services like Library Genesis Sci-Hub are considered illegal in some areas in France you can't even access them just P will tell you no it doesn't exist but there uses less unfair if you consider that first of all people don't actually make money off of like the
publications they do they they get paid in engagement and or views or whatever and most of the time they actually have to pay journals to be posted some books don't exist anymore just don't exist except a digital version somewhere on um a out there and so if you think what even is ownership right so I I saw a post the other day someone couldn't find Battlestar Galactica so not that old of a series right on any of the streaming services they had we're losing certain aspects of culture which you can only find in various places on the internet nowadays PlayStation most recently like a week ago announced that they were saying that all discovery shows that day
out on their platform due to licensing agreements would no longer be available to customers that had paid for them with no intentions of reimbursing nothing what the hell so if we just take a hypothetical because these are things that have already been established SoundCloud were to poof out of existence from one day to the other how much would be lost right 250 million tracks the contributions or data generated by 76 million users and the hobby of 175 million listeners that's not nice if you needed more motivation big networks currently are just serving you ads and making money off of them you're you're literally cattle for that I'm sorry uh hyper every move trying to monetize that analysis centrally analo
of all your visits across all the things where they're deployed Google analytics being everywhere and you know them being them pushing Trends on the consumer so like everything that has to do with AI inch ification being whatever the names of the other AI check BS exist it's like I'm not even going to go into home assistance like please moving on can we be too decentralized is there such a thing every single open source thing that has their Wiki on a Discord server or their downloads on a on Discord server why there's several limitations to this right I need to join a public sometimes with no code of conduct unknown place I need to find the
resource and link to the resource is now ephemeral right because the CDN is they implemented new like rotation for their uh CDN of links all right IPFS worldwide content delivery system yay why not makes use of blockchain unless y has proven effective in cases of anti-censorship uh all those Sci-Hub LibGen and other bits that I mentioned earlier academic media access but you don't need to to host your blog like that's silly right I hope everyone can agree on this Mastodon is hard allegedly it's not the easiest thing ever to get used to right there's risk of administrators losing faith it's harder to find the entire information you're looking for to scrape that information there's also bad people
everywhere just like with every other service and power and capability some consequences such as whatever happened with bad space which I I encourage you to read up on because I'm trying to skim a bit so that's my corner of the fediverse it's not M mine but it's the one I reside on tech.lgbt there's a bunch of places around it it's very nice but it's also like there's a lot of space there there's a lot of things there's a lot of people and everything needs administrators and mod do we need to rely on accounts of very nice people not exactly but any like independent business has these same limitations question is how do we make
it easier for them because most of these people are not paid for this right yeah and a something verse is a place with N plus1 Things right there's new and extensible protocols allow systems to talk to one another that are required uh we also need Bridges between systems because every time someone builds up a system you need to communicate with that system and this of course brings forward the um XKCD so I Remix this one with uh uh fediverse platforms because it just holds true all the time yes uh the xkcd script font is available on the internet you can download it and use it commercial free and uh yeah so not every geek with
a Commodore 64 can hack into NASA people have heard that sentence before if you listen to uh nerdcore but some form of literacy technical literacy is required you need a lot of disciplines together network engineering all that jazz systems administration and people are required people that aren't necessarily in there are not too involved to stay fair and equitable to people and mistakes will happen like anyone remember BGP incident for Facebook a few years ago yeah and yeah legislation as well who has control R viewership of your data what is the service's jurisdiction how can you get content taken down what is the service's SLA all those are very legitimate questions so coming to the end because
this is a cyber security conference um yeah part where cyber security is actually in this talk we lost a lot so Twitter no longer exists as an ecosystem a one-stop shop for information threat intelligence just dried up means of engagement if you can pay for engagement just does not work anymore uh you need to seek out people to find them uh and monetizing engagement means that people will lie on the internet for money and it gives you a lot of vulner things so um Mastodon had uh CVE for domain spoofing uh one of them for translation features allowing injection uh Matrix had inline SVG embedded scripts Veilid even had one recently for uh DoSing due to decompression size
checks it exists it's a sizable learning curve a lot of systems familiar familiarize ourselves with jurisdictions and data protection are important considerations everything we requires more effort and we're behind everyone's behind on the curve on this everyone including myself and everyone probably in this room unless someone had already heard about all these issues maybe a few yeah so uh just one small thing before I end the part where you take back control hosting your old content the world needs more silly little blogs you can do it from scratch but you you don't need to do it from scratch but you can control the information displayed how you moneti how you track people and that is a good thing skipping
over that build your own crypto learn where to fail but don't put in prod seriously uh so that was me trying to do that and I never put in prod obviously um and now to conclude the world is your oyster for all of this is decentralization a good thing it depends I told you depends on who is at the source who has access what was it built for how can you trust them most importantly and abuse is not the ra of a lot of these things but they will be abused so to conclude it is a good thing we just need to use it more and use it correctly any you here's my socials I'll be available
for questions outside because people are shaming me out yes no that's me done