Schrödinger's Kitten

Irreverent Science for Everyone

Tuesday 10 December 2013

London Cryptofestival, 2013

  • practical
  • policy
  • security
  • computing

It’s a Saturday and I’m heading to a conference. I’m late, because it’s a Saturday. But I’m going to sit in a lecture theatre in my free time because it’s London Cryptofestival.

Billed as ‘coming together [...] to reclaim our right to communicate and experiment on the internet’, this independent, DIY event is aimed at both the usual security-conscious techheads and non-experts just interested in the possibilities of, and threats to, privacy online. Given numerous recent revelations about the NSA and GCHQ’s work, as well as an increasing amount of our lives being documented online, I was up for that. I might even get to meet some people I could share my new PGP key with.[1]

Disclaimer: Although this was not a massive event, I couldn’t have gone to everything even if I had got up early enough in the morning. The following are highlights, useful things I found out about and unrepresentative personal thoughts.

If you have nothing to hide, what are you doing with your life?

First up, we saw a panel of speakers talking about general principles — appropriately enough. As we came in, Annie Machon (former MI5 agent who now works doing a variety of punditry) was recapping reasons for being concerned about data gathering, in the context of protests and physical action.

Surveillance records are kept indefinitely and may be referred to after the fact. As governments’ views on what constitutes legitimate dissent change, this can mean that you went to a protest and ended up as a ‘person of interest’ associated with extremist groups. Ms Machon cited the example of Occupy, which was described by organisers and participants as peaceful protest, but which the FBI subsequently defined as ‘domestic terrorism’. This means that anything that their surveillance brought up related to this could be used in the wide range of prosecution options available to the US under their terror legislation.

In the UK, infiltration of anti-fascist, animal rights, environmental and other protest groups also raises questions about how much protesting you can do before you become liable for criminal investigation. If you’re involved in any political movements at all, this blurry boundary may be worth some thought.

Ms Machon mentioned some tells for spotting infiltrators, such as their offering to do all the boring jobs, encouraging extreme behaviours, and wanting to keep their friends/partners/family out of their campaigning life. I think this method could be somewhat refined, as it also identifies the keen and those who want to have a private life (something much loved by many other security speakers).

Confidently, the ex-spy declared that ‘no-one would organise on Facebook these days’, which seems a bit optimistic to me. There are plenty of good reasons not to — excluding people who aren’t part of the gestalt, poor accessibility of records, and their capricious terms of service to name a few — but its ubiquity means it gets used for pretty much everything.

She concluded by talking about the dangers of self-censorship — knowing that officials may be reading you, you may not say what you think, and this can push public debate and opinion. Which is a point, but runs somewhat counter to the oft-uttered injunctions to not put on Facebook anything you wouldn’t be happy seeing in Times Square. I communicate so much online (social networks, self publishing, etc) that self-moderation is necessary to avoid things biting you. I guess you could say that if FB was more trustworthy, we could share more of our true feelings, but that still doesn’t allow for simply changing one’s mind, falling out of love with an idea/person/concept/abstract noun, or indeed for platforms like Twitter or blogs where the point is wide publication. The desirable extent of the digital self in space, time and opinion is a problem I think we have yet to crack.

This brief introduction pretty much reassured me about my reasons for going. I used to believe in ‘security by obscurity’ — a fiercely-held modesty that no one would bother investigating little old me. However, given that I am pro-animal rights, anti-climate change, anti-inequality and have occasionally gone on marches — and mention this in electronic format — I think I can, sadly, no longer rely on that.

Ms Machon said:

We do have something to hide, which is our lives and our privacy and our security.

Which is a very inspiring way to combat the ‘nothing to hide, nothing to fear’ dictum. Personally I'm quite boringly prosaic and I like to invoke the existence of bathroom doors to justify not showing what you're doing to everyone, even if it is not (yet) illegal.

Spies are gonna spy; by the numbers

Smári McCarthy, information activist and techie, talked about what techies need to do to achieve a freer internet. He rattled through a lot of telling numbers:

(quick reminder: a billion has 9 zeroes)

Most people use centralised, commercial services online. This makes it easy to physically tap or monitor communications and to legally compel the services to hand over evidence. Even when not under external pressure, these services use the vast amount of data they handle to improve what they do, necessarily examining what you’re sending to do it. That final use enables everything from allowing enough space for heavy users to save attachments and providing evidence to advertisers of what they are buying to developing spam filters. I don’t find all those things necessarily evil, but YMMV.

Smári wants to move people off those megaliths onto decentralised services, created and maintained by the open source community. These would enable features such as encryption, hopefully be less susceptible to backdoors due to the transparency of the project, and spread transaction records around making it more tiresome for intelligence officers to collect this information.

(Smári himself is currently working on Mailpile, which will ‘take email back’ by providing encrypted storage and sending of emails in a hopefully user-friendly way. Full disclosure: I have donated to it.)

However, he acknowledges that a lot of current free, open source software just isn’t good enough to tempt users away from the high-quality user experience provided by the big guys. This is his challenge to the festival code monkeys, and perhaps more importantly the user interface designers: build things that people can and want to use.

This is one thing I was really pleased to see at the event: an understanding that if regular joes aren’t doing something, they probably have their reasons. If you want people to change you need to explain why in a compelling way and make it as easy as possible to do so, and if you can’t make things accessible to non-experts that’s your failure, not them being stupid.

He wrapped up with the estimated cost to monitor everyone on the Internet: found by dividing the budgets of the information agencies by the number of people to be surveilled. He makes this to be 13 cents per person per day. I don’t know what assumption he’s making as to which budget should be included and at what granularity, but here are some figures with sources on funding:

  • US National Security Agency: $10.8 billion
  • US National Reconnaissance Office: $10.3 billion (Source: The Black Budget, released in the Snowden leaks, as published in the Washington Post)
  • UK Single Intelligence Account (which funds UK security and intelligence services): £1.9 billion (Source: MI5 website)

This puts the cost at 2.3 cents/day (discrepancies probably due to how one counts the budgets and number of people to be watched), but the order of magnitude is the important thing here. Smári suggests pricing the surveillance agencies out of the market. If the cost of surveilling everyone could be pushed into the tens of thousands of dollars, they would be unable to conduct the operations they currently do. Spies are going to spy; you can only control the degree to which they do.

Decrypt/Encrypt It Yourself

Parallel to the talks on the big picture of why security is needed ran sessions on how to do it. My major take home from this is that proper security is extremely difficult and needs a different life to mine (or some clever people to make it work better, see Smári’s injunction above).

Operating System Security

Best practice security would mean not browsing on machines you do e-banking on; not mixing work and personal emails; generally, segregating everything. This is because you can easily pick up malware from low-security activities (downloading, browsing) which can then infect your high-security stuff. Unfortunately, this sage advice doesn’t work for people who don’t have several computers. Of whom I am one.

A suggestion for what to do comes from QubesOS, developed by Invisible Things Lab. This is a free, open-source operating system that segregates different programmes and tasks into a number of Virtual Machines (VMs) — ‘computers in bottles’ that can’t communicate except under pretty locked down conditions. Each VM can run a different operating system within it; even the despised Windows (which I still use, because editors are really into their proprietary formats and I’m really into getting paid money). There are a lot more details on how this works on the Qubes OS site, but I think a comment from the dude talking about the services is quite telling:

Warning: best practice security comes with a learning curve.

There were also some questions in the session about the hardware required, where 2gig of RAM was mentioned as ‘usable’, but 8gig as ‘desirable’. That is quite a difference.

Smart phone security

If you have a smart phone you basically carry in your pocket a small computer containing a list of the people you talk to, when you talk to them, where you go, what you look at on the internet or with your camera, and any files you generate. Said computer passes on a lot of this to the programmes it runs, the companies that own them, and any governments who care to look into it.

You cannot hide:

  • Your location
  • and who you communicate with

without violating the whole idea of a phone (although I wonder if a Tor-like phone routing system might be possible?).

Your phone is also, probably, hijackable.

Commercial companies make software that will open up your smartphone to gather forensic evidence (for military and intelligence uses, also used by police):

  • The Gamma Group — offer software that, once inserted into a smartphone or computer via a Trojan, can ‘listen in to Skype talks, chats and encrypted emails, turn on a computer’s microphone or webcam remotely, [...] and gain access to encrypted files on a hard drive.’ (Source: Reporters Without Borders)
  • Cellebrite can copy the entire memory of the phone to obtain “intact and deleted passwords, installed applications, geo tags, location information, media files such as photos and videos taken by the user, GPS fixes, emails, chats and more” (Source: Cellebrite website)
  • Micro Systemation XRY can recover data, decrypt partitions, recover deleted files. Interestingly their site is a lot more coy about what they do.

This is big business. I searched ‘phone surveillance’ to try and locate a good news source on the NSA phone surveillance story, and found a lot of people offering this sort of service, with various degrees of effort to seem legitimate and presumably allow themselves to sleep at night.

Bottom line: if you are a ‘person of interest’ — to criminals, governments, suspicious romantic partners — your phone is pretty much toast if anyone who is interested in you gets hold of it. There are multiple companies offering products that can uncover anything you have on it, and even if they don’t have it physically, malware can reveal what you’re doing.

However, if you want to make it slightly more difficult for intruders (for cost reasons given above, or just out of sheer awkwardness):

  • Encrypt all the things. VOIP (voice over IP), text messages, the stored contents of your phone.
  • Deny apps the information they want — does a comedy bird-throwing game really need your location? Tell it to stuff it.

Services that offer these things:

  • XPrivacy restricts the categories of data an application can access, by feeding it fake or no data.
  • RedPhone by Whisper Systems offers you end-to-end voice call encryption. Free, open source, for Android.
  • TextSecure, again by Whisper Systems, offers over-the-air text message encryption (AKA, they're sent encrypted). Free, open source, for Android — but you do lose some characters off the already scant 140.

However, the problem with encrypted communications is you need everyone you want to communicate with securely to play along. This is proving comedically difficult for me, even with the very technical friends I have. Even the dude who writes cryptographic protocols[2] had to be reminded to set up GPG. My friend sent an encrypted email to his cryptography lecturer when in uni, and got a return email asking for plaintext because he couldn't be bothered. Persuading my drinking buddies to encrypt their text messages is going to be interesting.

Final thought:

There are many reasons to be concerned about privacy, and while governments and companies will spin it as ‘the innocent have nothing to fear’, it seems that having a conscience is becoming a risky business these days. As they move the boundaries of legitimate dissent, it would be smart to move with them. Even people with squeaky clean lives, that in even the most dystopian future would hold not a shade of misconduct, might dislike the idea of being surveilled by default, and wonder where else the law might go.

The current tech level is somewhat there: mathematical crypto is strong, open source solutions for platforms real people (sorry geeks) use exist. I see key challenges as the hardware backdoors (not mentioned at the sessions I was in but I went to a lecture by Adi Shamir once and am thoroughly scared), but mainly social takeup.

There are some changes in tech needed (better user interfaces, less fussy software, easier to install) but the main problem will be to get people to want to do it, find it easy enough to do and learn to think about security by default. The usefulness of the protocol scales with the number of people using it; much like the hated social networks really.

I eventually joined Facebook as I was missing out on parties: perhaps communicating rave locations or locking pictures of cats with PGP encryption is the way forward...

1. PGP KeyID: 0x394490BF; Hash: 2C2A CA28 3761 7D46 541A AE00 50D9 F1FA 3944 90BF. I’m on the Global Directory as Scary Boots.

2. BLISS: I may write more on this later!

Content: Scary Boots — Design: Canis Lupus