There is no security without privacy - Craig Cunningham

BSides Las Vegas · 30:35 · Published 2016-08
About this talk
There is no security without privacy - Craig Cunningham, Speaker (Christopher Payne, Mentor). Proving Ground, BSidesLV 2016, Tuscany Hotel, Aug 03, 2016.

Transcript (en)

Are you having fun? Yeah? Are you hearing us here in the back? Testing, testing. All right, let's get some audience participation. Everybody on the right, you're Aussies: Aussie, Aussie, Aussie! Everybody on the left: Kiwi, kiwi! Come on, you're New Zealanders, you're supposed to put the Aussies to shame. All right, just want to make sure you're awake.

My talk's about security. That's my real name, Craig Cunningham. I'm just an IT generalist. I've been around this area for a long time. I programmed a Motorola 68000, assembly language, COBOL in high school; that gives you an idea how old I am. I'm unfortunately not a security ninja, and some of you might have come to see a security ninja, but I know the fundamentals pretty well. In other words, if I need to get something done, I can generally find the tool and get the work done.

So when I originally made this talk I said, well, I'm going to talk about how to protect yourself. And then I said, well, I have a 25-minute slot, that's not going to work. And so I worked on it, I worked on it, and I finally realized nothing I could tell you from a technical standpoint could fully protect you. But from a legal standpoint, from a moral-argument standpoint, maybe we can reframe the argument so we don't have to protect ourselves so much. And that's what my talk is. I hope that I can prove that to you.

All right, so the government comes out and they talk to you and they say, hey, do you need to give up a little of your privacy for security? It's a zero-sum game. You know, that's the claim. They also claim, you know, the government's here to help you. That's the classic thing: you know you're in trouble when someone says, oh, we're here to help you, we're the police. You're like, oh [ __ ], I know things have gone sideways now. So my comment related to this is this right here: everything above that line is absolute [ __ ]. In other words, security can't exist without privacy, because privacy is part of security.

If you take any low-level cert, you know, Security+, the first thing they do is introduce you to the CIA triangle, and they say, hey, it's confidentiality, integrity, availability. When you take my privacy away, you destroy confidentiality. When you put malware on my systems and destroy my process integrity, you destroy that, the I. Availability: I'm willing to bet there's a chance that if the fiber splitters in the AT&T room dropped out, they'd tell AT&T, you need to stop this circuit for a while until we can install some new cards, because we need to monitor everything. In other words, availability can be impacted by people trying to spy on you.

All right, so if you're a wise rabbit, one of the things you do is you turn Bluetooth off, you turn location services off. I saw a guy yesterday in a talk and he said, I have seven laptops with me and a Raspberry Pi. He said, I wipe one completely after each day and I download only the data to, like, some kind of SIM card, to his Raspberry Pi. It's like, as long as they don't find the Raspberry Pi, I think I'm good. And I was like, man, that's extreme, you know, like, I'm not screwing around with that guy. I mean, I own a Blackphone too, and I'm not near that guy. All right, so is the rabbit wise? That's the question.

Well, the wolf thinks so. The fox, sorry. So there are predators out there, you know, whether they be government people abusing their power, whether they be nation states, hackers. They want to steal your information, you know, they want to use your PC. Krebs on Security does these things, you know, the value of a hacked PC, the value of a hacked email account. This predator is out there and you should know it.

I saw something on television last night and it changed my thought on this talk right here. It was about the Saint Valentine's Day Massacre, and what that was is they went in dressed as police officers to all these gang members, and they got them to line up against the wall, and then they killed them all. Well, would those guys have lined up against the wall if the competing gang had come in? Hell no. They were taught you have to respond this way to the government, and when the government accosts you and tells you to give up all your weapons and stand against the wall, you do so, because otherwise it's going to be more trouble for you. Well, in that case they all end up dead because they made no effort to protect themselves. They were under the assumption, like in V for Vendetta, you know, the Fingermen pull her aside, you know, she has no power, they have total power.

Therefore they tend to abuse it. All right, so let's say I am the rabbit and I start using some anonymization tools to protect my data from being captured. Well, I get on a special list: this guy uses Tor, this guy uses VPN, he encrypts data. In 2013 I traveled across the Canadian border and I looked up all the restrictions that might relate to me. Well, one of them said, on the US side of customs, if you have any encrypted data, the US government has the right to make a copy of it and keep it forever. I think they modified that to five years recently, but forever. Their philosophy was, if you've encrypted it, it's suspicious and we should keep a copy of it. Because it's private to me doesn't mean it should be suspicious to my government.

But we've got lots of government programs. BULLRUN, that's all about making sure that we have back doors, we have a way into your system. Once we have an awareness system, we gather all data possible. XKeyscore, you know, Snowden talks about XKeyscore. He says, look, I can look up anything, I just put in your email address, put in your IP address, something about you, and I can gather all the information about you. That was what Clapper was talking about when he talked about, if I go upstream I will violate your privacy rights. He doesn't say there's anything wrong with collecting it; he uses a different term, we'll get to that in a minute.

And this is the goat seeing you. That's the only goatse reference you get in this talk, sorry, but the goat's seeing you. All right, so they had Egotistical Giraffe and Egotistical Goat. That's basically saying, if you're using Tor you're not safe, we're going to go after you, and if you're so egotistical to think that that's going to protect your privacy, you're dumb, you've made a mistake. All right, so if that doesn't work, we can install malware that will exist in your system no matter what you do. Stuxnet, firmware virus.

Seagate, Western Digital, all these companies have been affected. So this is IRATEMONK. I'm not really familiar with this term very much, but I do know that I've seen a piece of firmware virus. I don't know what it was, I don't know if it's Flame, Stuxnet, but I was working in an industrial environment. We had a machine that had odd behavior. We wiped it completely, still had the odd behavior. We set up another machine just like it, put it back in place, no odd behavior. Set that one up in a test lab with test equipment on it, same odd behavior. I said, hey boss, this is really cool, like, we've got something very interesting here, I think we have a BIOS virus, let's investigate. He's a pragmatic guy. He said, pull some chips off that board, throw it in the melt barrel and get back to work. You know, we as normal citizens do not have the resources to compete with this level of attack, so we need our laws and our philosophical debates to protect us from this.

So why have I said I'm so distrustful of the government? One of the reasons is right here. The Supreme Court justice had a case where two women were abused in their own home. They had called the police, the police had come by, they'd never come into the home, they never, like, knocked on the door and actually got a response, and they sued. And the Supreme Court says the police do not have a responsibility to you; they have a responsibility to society. So the NSA, the CIA, all the three-letter acronyms are defining security for you: we will defend your general security rights as we define those words, and currently they're defining them in a lot of secret rooms behind locked doors.

I mentioned, you know, on the way here, how many people did this on the way here? A decent number. You know, is this the free, the boss? You're a free citizen? I don't think so. It's the same position as, hey, line up against the wall and get shot in the Saint Valentine's Massacre. You're submitting yourself. You're saying, hey, I'm completely submissive, I have nothing in my pockets, inspect me. If I tell you that I believe that privacy, confidentiality, is part of security, then my security has been lost at this moment, just passing through the airport. But they're doing this to protect me. When they do actual pen testing, they evaluate the effectiveness of TSA, and it doesn't usually go very well. 47% of Americans hacked in the last three years, you know, victims of some kind of breach. We're not doing very well on this.

False choices. So I was teaching a class really recently. I teach some certification classes, I teach CISSP, and I had an NSA guy in my class, and I'm a little bit of a privacy advocate and he's a little bit of not a privacy advocate, and so we had some heated discussions. And one day he asked me this stupid question, and I kind of really resented it at the time, but now I'm glad he asked me, so I give it to you in this talk. He said, would you rather the US spy on everyone on the planet, or no one? And I said, well, if you're going to put me in shitty situation number one or shitty situation number two, I prefer the one that costs no resources. And he didn't ask me any more questions or make any other arguments during that session in class. In other words, he thought he'd backed me into the corner, because he has learned to define the conversation before we enter the conversation.

Clapper recently was accused of saying some incorrect things in court, I mean to Congress, which he did, and he said, well, it was a loaded question. It was like saying, when are you going to quit beating your wife? Well, they do that. The government does that to us all the time. They called encryption a munition so that all the laws relating to encryption would relate to that. They threw Phil Zimmermann in jail because he wouldn't give them the back door when he wrote PGP. They said, give us the back door, give us the back door key, and he said, there is none. And they couldn't fathom that. In other words, they're like, no one writes encryption without giving themselves the back door. He's like, no, really, there's no back door. They said, well, you will put out an update and you will put a back door in the update, and he said no, and they said, we have this really comfy prison cell, why don't you sit in it for a while and see if you change your mind. This is the US government. What we have done.

I believe that privacy is part of security. The UN agrees with me. The metadata argument comes up all the time: oh, we're not listening to your conversations, we might have them, but we're mainly concerned about your metadata.

All right, this is a kind of heavy eye-test slide, I admit, but even when psychologists are talking about what you need as a human being, they start off with your physical needs. I do like the fact that they include sex: food, water, shelter and sex. I mean, if they threw alcohol up in there, you know, I'd be great. All right, and then they say your security needs: needs for control over your own environment, order, a safe place, financial security. All right, people check your bank records. They invalidate your passwords. They invalidate SSL, TLS. Physical safety: they know where I am at all times. That data is loose; AT&T's got it, Verizon's got it. When you go on your phone and it says, you know, you're here, how does it figure that out? Well, Google has a list of every Wi-Fi they've ever picked up, and so if they're picking up three Wi-Fis at these faint strengths, they geolocate you off those three Wi-Fis. They know exactly where you are, and we're giving that data out. Now the government claims if you gave that data to a third party, pretty much they have a right to it, you gave it away, so, you know, you shouldn't. I'd say no, I have a relationship with Google, I am getting some services from them.

They are monetizing me in the ways that I understand, or vaguely understand. That is at least a relationship. For you to come as a third party and say we deserve the right to all that data is, again, my second slide: [ __ ].

All right, so then we get to the third level: friendship, enemies, family. Can you have any of these things without privacy? How many families you know spill all their garbage on the front lawn? Okay, okay, a couple of you. I know, I've seen a couple of those daytime TV shows. But most of us want intimacy, we want tightness, we want friendship. We want our friends to know more about us than anyone else knows. We want to feel comfortable that if I make an inside joke, my friend gets it and no one else does, because I have shared time with that person.

All right, so we move up the chain. Let's say, if we haven't recognized that our friendship, intimacy, family is messed up: self-esteem, personal worth, social recognition, accomplishments. Well, the government says, well, we need to know all about that too. Well, what are you saying? Social recognition: you're a member of BSides? Oh, EFF? Those are some sketchy organizations, you know, we need to put you on a special list. Most of us don't make it, probably, to this level for the most part, I admit. If you make it, if you look up here, it says once you get to that level you don't care too much about the opinion of others. Maybe that would make us friendlier, just people spying on our privacy. I'm probably somewhere in here, and figuring that I need my alcohol from up there.

All right, so back in the 1700s, 1800s, Bentham here, he designed a prison. People say a panopticon, or panopticism, and they're saying the whole design of this prison is that one guard would stand up here behind, like, mirrored glass or something. In other words, no one would know when he or she was looking out, and all the prisoners would be here. So every prisoner would have to say, I may not be being watched, but I could be being watched right now, therefore I will alter, you know, what I do. That was the whole idea of this. He said, a new mode of obtaining power of mind over mind, in a quantity hitherto without example. He is claiming this is a better idea to manipulate people's minds than has ever been around before. Well, this was a prison. This was for milling, grinding people down mentally, and we are asked to accept that the NSA will take all our data and watch us at all times.

Well, this right here, A Short Review of the Declaration. Most of you probably already knew this, if you read Glenn Greenwald's book, stuff like this. But you might not know about this: the same guy who designed this prison, when we had the US Declaration of Independence, he wrote a short review mocking it, mocking the view of our style of government, that we could have a democracy, that we could be separate from them, that we thought normal people, you know, had a reasonable say. In other words, this is a guy who was so against our way of life. You know, he was an elite; elites should be able to do what they want with the serfs.

All right, Heisenberg's principle. Most of what you realize, or think of, that being: if you watch something, you change it.

Technically it's the uncertainty principle. I figured someone might scream at me if I didn't point that out. But we say if we look at a system, we change it. Quantum cryptography works this way: if I pass data from Alice to Bob and anyone intercepts it, evil Eve even looks at those photons, we can tell. So we can tell if someone looked at something. We are using this principle to guard ourselves with the type of quantum computing that we know we have now. If the NSA has got something fancier, you know, don't tell me, because I don't want to be black-bagged.

All right, Feynman. Feynman said, hey, no, this is not so true, and Feynman was a genius in my opinion. All right, he said nature doesn't give a damn whether you're looking or not. Well, I assure you there's been many studies that I cannot cover in this 25 minutes, but I can assure you that most of us act differently when we're being watched. If we're being recorded, we act a lot differently.

All right, cost of security. All right, some of you see this and they say, all right, I can understand the First Amendment: right to speech, right to associate. In other words, if I'm tracking everyone you associate with, I'm looking at the metadata of what cell phone was in that bar when Greg was in there, you know, what cell phone was in that bar when Craig was in there. Oh, they were in there together once per month. What other cell phones? We think they're nefarious characters. All right, Second Amendment, how's that related? We currently have the right to guns, or at least some people believe so. Well, the Supreme Court has ruled that there can't be a registry of that. In other words, they cannot demand to register those things. Well, if you have all information, you violate the Second.

What's the Third Amendment? Anyone know? Not very much talked about anymore. It said we can't put a soldier in your house. Well, they weren't so concerned about feeding the soldier; they were concerned about that soldier having some administrative control, or violating their privacy at all times. If I want to control my subjects, I put soldiers in all their homes who watch what they do and report in. Well, what the hell's malware on my router? It's a soldier in my home. Who's paying the electricity to run him? I am. Who's paying the air conditioning to cool that? I am. They're putting someone watching me in my home.

If we're going to fight for privacy, we can't only fight on the Fourth Amendment that says we should be secure in our papers and our homes and ourselves. We have to use every amendment we have, because they're going to use every secret ruling they have. The Ninth Amendment. The Ninth Amendment says there are inalienable rights that are not defined in the Constitution. In other words, we are not wise enough men, at that time they were all men, to put in everything we should enumerate that is an inalienable right. There are certain things that we just can't list here, but that does not mean that they should not be protected. So I would say privacy might insert very well right there in the Ninth Amendment; we should have been assured some level of privacy.

All right, 14th Amendment, due process. There are lots of cases right now that are coming up in courts. Rand Paul was talking about one recently: the DEA was getting all these tips and they were busting people off these tips.

But when it went to court, they would make up some other story about where they got the news. So the defense lawyer now has a false story to glom onto and make his defense or her defense, and so they're living off a fallacy. So when that person goes to prison, are we surprised they didn't have all the information about the court? Due process is being just junk thrown out.

All right, the 21st, one of my favorites: we can drink booze. When prohibition came about, Einstein said it's such a shame that we're shutting down all the speaking houses. Why? Because booze was important. Everyone sat around, they drank booze, they chatted, they did their political debates there. That's where they talked. Well, what are we doing now? We talk on the internet, and we're shutting it down. We're saying if you search on these terms you might be suspected of something; if you're in these chat rooms with these particular people you might be suspected of something. So I think the 21st Amendment comes around. In other words, it's the exact kind of thing where Einstein said, if we restrict where people meet and where people chat, we will suffer as a society.

Toxic data. If you haven't already read it, you should read Bruce Schneier's article about the toxicity of data. For decades we've been saying, hey, hard drives are cheaper, let's save everything.

We'll use data mining to figure out cool, you know, highly relational rare events that will teach us stuff. Well, IBM Watson did that. It taught us a way to use viruses to cure cancer, very rare, but obvious things to a computer, not obvious to us. But we haven't learned that having data can cost us money. If you get sued and you've got 10 years' worth of emails, you will pay a lawyer hundreds of dollars an hour to go through all those emails. Maybe it's better to say, well, after five years we just get rid of emails. It doesn't mean you're any more guilty; it just means that there's a level at which keeping that data is wrong.

So I mentioned foreign here. Let's say a new dictator comes about in whatever country, and that dictator is trying to cozy up to the United States, the United States is trying to cozy up to them, get oil rights or uranium rights or whatever, and they say, hey, there's some people we don't like in our country, and we know you have data about them, please give us this data. The NSA can't say they don't have it; it's obvious they're collecting data on about everyone. I would rather our government be able to say we don't keep that kind of data. Otherwise we're going to have to bend to that tyrant and give them that information if we want to cooperate in that country.

All right, so basically this was our Bill of Rights, but we're allowing courts to override it. What are we allowing? We're allowing surveillance. We're assuming we are surveilled and that we can do nothing about that. I would like every one of you to make some small attempt over the next day, the next week, the next year, to resist assuming surveillance is going to happen and it's okay. Or else we'll end up with this, and then eventually you'll say, well, that's okay, we're safe, they promised us if we let them have all this data we'd be secure.

Well, this is the phrase I want to coin today. If it's already been used by someone, I apologize. It's the Hindenburg principle. It's when you know that you're safe and good, everything's going great, and one day something sets your ass on fire. You assume that the government is keeping you safe; you've assumed that surveillance will never negatively affect you. The Hindenburg principle.

All right, so the next argument that always comes up is, if I don't have anything to hide, I don't need to worry about government surveillance. I have not found the rock-solid argument for this. I found many good arguments against it, but I haven't found the rock-solid one. I thought this guy did a really good job, Terry Adams. He's saying the way our state was developed, everything in government was supposed to be public and everything in your lives was supposed to be private. We even have these terms, public meetings, private meetings. Well, now what is the government telling us? They're telling us this should be the opposite. How many decades in the future will it be before you get someone appointed to the Supreme Court and they wear a mask like a SWAT team member? I don't want to see that. I'm not saying that's coming; I'm just saying that's an extreme example to get you to think about what we need to resist. You can actually look up who's on the FISA court; you just can't look up much else about the FISA court.

All right, everybody's got something to hide. This is a very famous statement by probably a very corrupt man, because you couldn't really become a head honcho at that time without being a very corrupt man, in with the system. But the importance of this statement about the six lines is not that he had the intelligence to find something bad; it's that he knew the courts were corrupt enough that if he accused you of something bad you'd be found guilty of it. This is, sorry, this is a combination of the system, not necessarily a single person.

All right, Supreme Court justice. I'm running out of time here, so I'm going to rush this a little bit. Basically, this same article, Brian, they referenced a federal law about the size of lobster tails. They said, do you know that you could be arrested for having a lobster tail under a certain size? So it doesn't matter whether you bought it in a supermarket, whether it was served to you in a restaurant, whether you found it alive or dead, whether you killed it in self-defense, my favorite part, but you could be accused of a federal crime. This is a Supreme Court justice of the United States warning us that the law is too damn confusing.

All right, when the Wall came down, there were potentially up to, like, 500,000, about the top number, of informants in East Germany.

And they said, we have all this data from all these informants, what do we do with it? And a lot of people said, let's open up the data and just let everyone know everything. And they were like, should the data be open or closed? And I thought this guy said something kind of funny and I wanted to share it with you guys: there's only two innocent groups, the newborn and the alcoholic, and I'm working on that. But they just decided to keep those files closed, because they thought it would be a travesty, there would be reprisals, there would be problems, there would be people who cheated on their wives, and all this information would hit their society at once and it would potentially destroy their society.

Big brother, big data. I found this through an article about Snowden, but the guys from Yale should really get credit for this. They said basically every time Moore's law helps us double our power, our computing power gets cheaper, our civil rights will be violated. And so every time, we need to reevaluate what controls we have in place to make sure that our civil rights are not being violated by that increase in technology.

All right, so getting to the opaque. Anonymous attempts to be very opaque, forces that might help us, but we can't control what else is opaque. Almost opaque is supplies of court.

I am not suicidal, just for the reference, just so anyone knows. I like to put that out there. I mentioned in another talk I went to this week, I said, hey, if you went around talking like Thomas Jefferson, they'd lock you up. You'd definitely get on a list. Well, this is the stamp from his statement, but this is the full statement, and that's on the memorial. I mean, this is not something that I didn't verify that he said. They're trying to prevent tyranny. What do we have? We have tyranny. We have the ability for the government to come in, put malware wherever the hell they want, and watch you. Here's the soldier in my house.

All right. If you haven't read this book, it's an interesting book. It's an old book, so it's not up on technology, but it's an interesting book, and in the end they convicted this guy of stealing electricity. Years and years ago, when hackers got busted for breaking into banks and they couldn't find them guilty on any of the laws current, they would bust them for stealing electricity. I think if they can do that, then I should be able to bust the feds for putting malware on a system.

All right, here's our group: Clapper, Keith, and, uh, they're... I refer to this as Engrish, because they tend to define words differently than we do. They have the word collection, which means: whatever we keep, we didn't really collect; only when we read it did we collect it. That's their terminology. The government is allowing themselves to redefine our language so they can do whatever the hell they want. They can justify it in their court if we let them re-engineer the English language. Maybe we should have a law that says whenever something's justified with a new interpretation that doesn't match Webster's, it has to be announced.

All right, Senator Feinstein finds out the CIA's hacking into their area, and all she wants is an apology. I stole this from Lisa Lorenzin because it was so damn good. This is what we need to say when they do this.

All right, it looks like I have no time left. So, what to stop doing: don't run any scripting. Don't buy into the cloud if these companies aren't going to guarantee you some security. Don't use IPv6 unless you understand IPv6; if you don't know whether you're using it, then you are, go turn it off. Don't let DNS leak. You know, use good VPNs, ask your VPN providers. Use encryption. Steve Gibson, you know: encrypt things before they go to the internet. Check out your fingerprints, go to EFF; this will tell you how unique your browser is in the world. At one time mine was one in nine million. That's pretty unique, you know.

All right, what can you do? Hold this: encryption. Lock down your firmware. Make sure your vendors are signing your firmware, to where at least they have to be compromised for your firmware to be replaced. Shout out: I want everyone to move to HTTPS. Berners-Lee actually says no, let's raise the entire bar of HTTP to be secure rather than just doing HTTPS. Either one is good for me. What to avoid: anything new the government throws out there. You know, should we have a right to take DNA, take tattoos, take pictures of people who have not been convicted and put them in national databases, and then later look and say, well, we got someone guilty of a crime and they look kind of like this?

Let's bring that person in. They weren't guilty when they first got arrested, and now they're considered possibly guilty. Real change: we're only going to do that by things that really matter, not the technology itself. Going to our leaders, educating them, reversing the Patriot Act as best we can. Bailment. Bailment means I own data about me; if you have it, you can only use it in ways that I opt in to. Quit spying on the whole world and pissing everyone off; we'll have less terrorists that way. And everyone, please smile, because you're probably on someone's camera, and it'll make you seem a little less threatening.

Shout out: Paige, actually someone might be here from this, BSides for letting me talk, Chris Payne for being my mentor, EFF. I encourage all of you to join, give money. By the way, will you go ahead and pass out those? I bought you guys all some raffle tickets so the money would go to BSides, EFF. Just pass those out any way you want, take one. All right, thanks to Lisa Lorenzin, she gave some great talks. Moxie, I've actually never met, but I like his work. Bruce Schneier. Chris, Zoz: if you haven't watched Zoz's video on Don't [ __ ] Up, you absolutely should. This runs on metadata, so it's something we should be concerned about. Thank you for letting me speak.

Thank you, Craig. Thank you so much.

It looks like I'm out of time, so I'll take any questions you have, back in the corner, away from everyone.
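The "check out your fingerprints, go to EFF" advice near the end of the talk refers to EFF's browser-uniqueness test, which reports how identifying a browser's attributes are. The block below is an added example, not code from the talk and not EFF's own implementation: it shows the arithmetic behind a "one in N" figure, using the surprisal-in-bits approach that EFF's Panopticlick study popularised, and goes a little beyond the talk by also computing per-attribute entropy and by contrasting the naive "add up the bits" estimate with the true anonymity-set measurement. `POPULATION`, the attribute names and every attribute value are constructed sample data, not real measurements; the speaker's "one in nine million" is converted to bits at the end.

```javascript
// Added example (not from the talk, not EFF's code): how identifying a
// browser fingerprint is, measured as surprisal in bits against a
// population of observed browsers. POPULATION is CONSTRUCTED sample data.

const ATTRIBUTES = ["ua", "tz", "screen", "fonts"];

// Constructed population of 12 observed browsers (hypothetical values).
// Index 10 is identical to the first three browsers except for a rare
// font set, which is enough to make it unique in this population.
const POPULATION = [
  { ua: "Chrome/Win",    tz: "UTC-8", screen: "1920x1080", fonts: "common" },
  { ua: "Chrome/Win",    tz: "UTC-8", screen: "1920x1080", fonts: "common" },
  { ua: "Chrome/Win",    tz: "UTC-8", screen: "1920x1080", fonts: "common" },
  { ua: "Chrome/Win",    tz: "UTC-5", screen: "1920x1080", fonts: "common" },
  { ua: "Chrome/Win",    tz: "UTC-5", screen: "1366x768",  fonts: "common" },
  { ua: "Firefox/Linux", tz: "UTC-8", screen: "1920x1080", fonts: "common" },
  { ua: "Firefox/Linux", tz: "UTC+1", screen: "1920x1080", fonts: "common" },
  { ua: "Safari/Mac",    tz: "UTC-8", screen: "2560x1600", fonts: "mac" },
  { ua: "Safari/Mac",    tz: "UTC-8", screen: "2560x1600", fonts: "mac" },
  { ua: "Safari/Mac",    tz: "UTC-5", screen: "2560x1600", fonts: "mac" },
  { ua: "Chrome/Win",    tz: "UTC-8", screen: "1920x1080", fonts: "rare-dev-fonts" },
  { ua: "Firefox/Linux", tz: "UTC-8", screen: "1366x768",  fonts: "common" },
];

// Key a fingerprint by its full attribute tuple.
function tupleKey(fp) {
  return ATTRIBUTES.map((a) => fp[a]).join("|");
}

// How many browsers in the population share one attribute value.
function countValue(population, attr, value) {
  return population.filter((fp) => fp[attr] === value).length;
}

// Surprisal of one attribute value in bits: -log2(P(value)).
function attributeSurprisal(population, attr, value) {
  const n = countValue(population, attr, value);
  if (n === 0) throw new Error(`unseen value ${value} for ${attr}`);
  return -Math.log2(n / population.length);
}

// Shannon entropy of one attribute across the population: the average
// number of bits that attribute reveals, the figure Panopticlick reported.
function attributeEntropy(population, attr) {
  const counts = new Map();
  for (const fp of population) counts.set(fp[attr], (counts.get(fp[attr]) ?? 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / population.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Anonymity set: browsers whose whole fingerprint matches this one.
function anonymitySetSize(population, fp) {
  const key = tupleKey(fp);
  return population.filter((other) => tupleKey(other) === key).length;
}

// Surprisal of the whole fingerprint; cannot exceed log2(population size).
function fingerprintSurprisal(population, fp) {
  return -Math.log2(anonymitySetSize(population, fp) / population.length);
}

// Naive estimate that adds per-attribute surprisals as if the attributes
// were independent. Attributes are correlated in practice (OS implies
// fonts and screen), so this overstates the real figure.
function naiveSummedSurprisal(population, fp) {
  return ATTRIBUTES.reduce((sum, a) => sum + attributeSurprisal(population, a, fp[a]), 0);
}

// Conversions between "one in N" and bits of identifying information.
function oneInToBits(n) { return Math.log2(n); }
function bitsToOneIn(bits) { return 2 ** bits; }

// Summary for one fingerprint.
function report(population, fp) {
  return {
    anonymitySet: anonymitySetSize(population, fp),
    bits: fingerprintSurprisal(population, fp),
    oneIn: bitsToOneIn(fingerprintSurprisal(population, fp)),
    naiveBits: naiveSummedSurprisal(population, fp),
    perAttribute: Object.fromEntries(
      ATTRIBUTES.map((a) => [a, attributeSurprisal(population, a, fp[a])])),
  };
}

console.log("common browser:", report(POPULATION, POPULATION[0]));
console.log("rare-font browser:", report(POPULATION, POPULATION[10]));
console.log("entropy of fonts attribute (bits):", attributeEntropy(POPULATION, "fonts"));
console.log("'one in nine million' is", oneInToBits(9_000_000).toFixed(2), "bits");
```

Run with `node`. The point the numbers make: the first browser shares its full tuple with two others, so it reveals only 2 bits and sits in an anonymity set of 3, while the browser at index 10 differs in a single attribute and is fully unique (log2(12) bits). The naive sum of per-attribute bits for that browser is larger than the true figure, which is the general lesson: only the measurement against the whole tuple tells you your real anonymity set, which is why a single low-entropy change (installing an unusual font) can move a browser from "common" to "one in N".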