Security

Summarized using AI

No Secrets Allowed

Steve Klabnik • November 28, 2013 • Earth

In the talk "No Secrets Allowed: You, Me, and the NSA Makes Three," delivered by Steve Klabnik at GoGaRuCo 2013, the speaker explores critical issues surrounding privacy, security, and governmental surveillance in the digital age.

The presentation is broken into three main sections:

1. Current Reality: Klabnik emphasizes the pervasive nature of surveillance, particularly focusing on the revelations about the NSA's capabilities and practices. He shares insights into the extent of government spying, the role of technologies like fiber optic splitters, and the historical context provided by programs such as COINTELPRO, which targeted civil rights activists and various dissenting groups.

  1. Tools for Privacy: Klabnik highlights various tools to enhance personal security online, focusing on:

    • Tor: A network for anonymizing web traffic, which works by routing data through multiple servers to obscure the user's IP address. However, he notes that it does not protect against all forms of surveillance, especially if users log into identifiable accounts.
    • GPG (GNU Privacy Guard): A tool for encrypting messages to maintain privacy. Klabnik explains how GPG utilizes public and private key pairs but also mentions challenges related to key authenticity and usability hurdles faced by average users.
  2. Future Directions: The speaker encourages the audience to prioritize security and privacy in their daily lives, stressing that in a world where collecting data is prevalent, individuals must adopt practices that protect their communication and personal information.

Through his talk, Klabnik aims to raise awareness of the significant implications of digital privacy breaches and inspire proactive measures in enhancing personal and communal data security.

No Secrets Allowed
Steve Klabnik • November 28, 2013 • Earth

If there's anything that recent events have shown us, it's that what we thought was secret actually isn't. So what to do? Even if you're not a dissident, many of our applications need some form of private communications. And why aren't RubyGems signed, anyway? In this talk, Steve will discuss some of the basic tools, theory, and techniques that you can use to help keep secrets secret.

Help us caption & translate this video!

http://amara.org/v/FG7x/

GoGaRuCo 2013

00:00:20.080 Now, on to our penultimate talk. It's my second favorite word.
00:00:27.359 Our speaker, Steve Klabnik, is someone who's been programming for 20 years, since long before he ever had to shave.
00:00:34.160 He still doesn't have to shave, to be honest. He's been doing Ruby for six years and is one of the most dedicated open source supporters I know.
00:00:41.840 Steve suffers for your good; he is a Rails committer, though not a Rails core member. Today, I asked Steve to deliver a talk that would be a little different for you.
00:00:48.559 I don't know how much code he's going to show you; probably none. But he will talk to you about some issues that I believe we all care about. Thank you, Steve.
00:01:23.920 Hi everybody, I'm Steve. I will let you know that my amazing ThinkPad X1 Carbon worked on this projector on the first try, so Linux is good!
00:01:30.479 I took a lot of crap for switching away from Mac, so anyway, this talk is called "No Secrets Allowed: You, Me, and the NSA Makes Three."
00:01:36.400 Basically, I want to share some insights about security and privacy and how these issues have affected all of us.
00:01:42.640 And more importantly, why they affect us all. I know a lot of people think, "Steve, you're the resident crazy person who cares about security stuff."
00:01:48.000 You're the oddball who's using Linux because you don't want to use proprietary software. So, please explain all the stuff I need to know about these issues.
00:01:59.840 I decided that this would be a good candidate for a talk to shake it up a little, and also so I could later point people to the URL instead of having to explain everything all the time.
00:02:12.160 So let's discuss this. There are basically three parts to this talk. The first one is what is the current state of reality. A lot of people don't appreciate what reality is at the moment.
00:02:23.599 Then we'll discuss the tools we have in this reality and how they allow us to shape the current situation. Finally, what do we do from here? Where do we go? How should we think about these problems?
00:02:35.599 And what should we do with the stuff we learned? Those are the three parts of the talk.
00:02:41.519 First of all, let's have a reality check. This privacy issue has been in the news a lot lately.
00:02:47.280 I will specifically address the NSA issues that have been coming out due to recent events over the last year.
00:02:53.920 As someone who has cared a little bit about privacy, I admit I haven’t always prioritized it. I’ve used Macs for a long time, and while I don’t think they are inherently insecure, I’ve often traded security for convenience.
00:03:06.080 This is not a talk about how I know everything on this topic while you all don't. I only started paying attention when these recent scandals occurred.
00:03:12.080 But as someone who is generally privacy-focused and a little anti-NASA, FBI, CIA, I find it frustrating that for years people have said things like, "The government can read your stuff on the Internet." And people dismissed it by saying, "Yeah, whatever, you're nuts."
00:03:30.319 Then leaks come out proving that the government has been reading everything on the Internet, and suddenly everyone says, "Oh, that's old news; it's been happening forever." It's exasperating! While it’s frustrating, they are actually right.
00:03:48.400 I want to start by sharing some history about what our government has done in your name and mine. Apologies to friends not from the U.S. I’m going to lump everyone together, as that’s what we tend to do here in the U.S.
00:04:10.319 I mention this because some South American friends have actually appreciated that I say 'the States' instead of 'America' since they, too, are Americans.
00:04:15.680 So in this first wave of history, I want to share a chunk of Google Maps. This line here is where we currently are, and according to Google Maps, it’s about a 17-minute walk to what’s essentially the corner of Second and Folsom.
00:04:34.639 This is a building that, for a long time, nobody thought that much of, but that has since become somewhat terrifying. Brutalism is a style that stands out, right? This building has no windows, and people just come in and out.
00:04:49.760 Inside this building, there’s a room, I believe it’s 641A, where a technician was working. One day, he walked in and thought, "Huh, this is strange; what's this doing here?"
00:04:56.320 What he found turned out to be classified, and he was subsequently sued after coming out about it, leading to a huge court case where all of this information came to light.
00:05:05.760 What was installed there was something called a fiber optic splitter. Essentially, this technology does not mean that half of the data goes one way and half goes another.
00:05:19.600 This is about copying; it sends a full copy of the data to one place while still sending another full copy to the intended recipient.
00:05:30.720 Many people know that SOMA has become important for internet companies as a connection point. It’s questionable at best to think about someone potentially spying and keeping a copy of all data flowing through this area.
00:05:41.039 This was occurring back in 2001, and though many people freaked out over this incident, eventually, apathy set in. This is just one prominent incident, but there’s a history of terrible things happening, particularly in the 70s, relating to something called COINTELPRO.
00:06:01.039 COINTELPRO is an abbreviation for Counter Intelligence Program, and it was a series of shady behaviors conducted by the FBI and CIA under the guise of national security.
00:06:13.440 The terrible things included monitoring, infiltrating, and disrupting groups that the FBI considered subversive. This included any communists, socialists, and people involved in the Civil Rights Movement.
00:06:27.599 People fighting for racial equality, those in the National Lawyers Guild working with dissidents, and various independent political groups were surveilled by the government.
00:06:44.640 Even Albert Einstein, who was a staunch socialist, was monitored. It’s disturbing to think of the kind of intimidation tactics used; for example, they even mailed a letter to Dr. Martin Luther King, encouraging him to kill himself.
00:07:01.040 Most of the information about these surveillance practices eventually came out because of FOIA laws. Out of interest, the resources of COINTELPRO were utilized 85% against people advocating for equality.
00:07:10.160 Only a mere 15% were used to monitor white supremacy groups like the KKK. It’s quite a shocking statistic and reflects the systemic injustices present.
00:07:26.480 A notable example is Eleanor Roosevelt; as the first First Lady, once the NSA was formed, they compiled a 3000-page document on her due to her involvement in the Civil Rights Movement. Frank Sinatra also had an extensive file, largely due to his frequent travel.
00:07:45.040 Similarly, Marilyn Monroe had one, and John Lennon found himself in the radar as well, where they tried to see if they could deport him. The Beatles, as a group, also had a separate dossier.
00:08:01.760 These files show extensive documentation of surveillance conducted against individuals who were merely advocating for social justice or challenging the status quo. Most notably, Barry Goldwater was also subject to spying, making the social climate of that time highly suspicious.
00:08:18.080 One other casualty of the paranoia was Dr. Seuss, who was investigated amidst concerns he might be a communist. This is merely a small example of the digital and historical surveillance that has faced activists.
00:08:35.840 The Church Committee, which met in the 70s, revealed shocking details about the CIA. They uncovered that a quarter of a million letters were opened and photographed at the post office between 1953 and 1973.
00:09:06.560 There were lists cataloging individuals who would be rounded up during a national emergency—26,000 people! Think about that for a moment; it raises profound moral questions about surveillance and security.
00:09:32.800 These examples are just snippets of history painting a dismal picture of government oversight. I understand the collection of the current events information can be complex. If you're unfamiliar, search for the 2013 Mass Surveillance Disclosures on Wikipedia.
00:10:01.760 The leaked information is crucial in understanding the extent of surveillance that has taken place. I hesitate to label it merely as 'the Snowden stuff,' as it’s less about the leaker and more about the implications of what was disclosed.
00:10:18.560 There are several key points I want you to take away. First, any byte that leaves your computer unencrypted is basically public. For instance, logging into your webmail without SSL makes you vulnerable.
00:10:41.760 Second, the phrase 'I have nothing to hide' signifies that one may be under-informed on this issue. Privacy and security affect all of us, regardless of whether we think they do.
00:11:03.200 And lastly, cell phones can be seen as spy devices. Many wonder why I still use an iPhone when I care about privacy. My first answer is personal preference, but the truth is, both Android and iPhones have vulnerabilities.
00:11:16.480 Smartphones are structured in a way that they continuously ping the closest tower to use cellular networks, including location data. This makes them insecure by design, as evidence shows that governments can get access to your microphone.
00:11:28.480 There are many instances of the government using these methods to gather intelligence, which are often revealed during court cases. To sum it up, if it leaves your computer unencrypted, someone can intercept it, and your phone is a constant surveillance device.
00:11:54.080 Now let’s talk a little about metadata—the data about data. Metadata is potentially more dangerous than plain content.
00:12:00.880 In the context of HTTP, this includes headers, which provide insight into where a request is going. It’s similar with phones; the call logs reveal whom you're contacting.
00:12:19.600 What you’re saying isn’t always as significant as who you are contacting and when. That context could reveal more than we think, and it can affect innocent people based on appearances.
00:12:38.080 Governments argue that metadata surveillance isn’t dangerous while suggesting it’s crucial for counter-terrorism efforts. This contradiction is unsettling and needs addressing within the public sphere.
00:12:53.440 An example of the power of metadata can be gathered from some leaked documents, which depicted a program analyzing who interacts with whom, determining who to target for significant actions.
00:13:07.440 We see how innocent individuals can be placed under a spotlight of suspicion merely from metadata patterns—those who correlate with ‘shady’ individuals can get caught in the crosshairs, regardless of their actual activities.
00:13:30.560 Further, there have been troubling stories of familial trust dissolving under the harsh spotlight of data analysis, such as a father discovering his daughter’s pregnancy due to Target ads.
00:13:43.840 In another case, Facebook might know about a user’s sexual orientation before they do, based solely on metadata. These insights into someone's life can have dire ramifications, particularly for individuals in unsupportive environments.
00:14:01.760 As we move forward, I will share two tools we can use. The first one is Tor. For those interested in navigating these issues, Tor can be a useful asset.
00:14:14.080 I will mention that no tool is perfect, and each comes with a set of drawbacks alongside benefits.
00:14:24.000 Tor works through a process where you can connect securely through a network of volunteer-operated servers, masking your original IP address and enhancing your anonymity online.
00:14:44.560 Here’s how it works: your Tor client first retrieves the list of Tor nodes and then forms an encrypted connection through at least three relays. This design ensures that no single point of the network knows both the sender and recipient.
00:15:05.040 While Tor protects against metadata logging, if you log into your Facebook account while using it, you would still have vulnerabilities related to account access.
00:15:19.600 Another important thing to keep in mind is that Tor doesn't protect you from surveillance in the sense that government agencies can analyze traffic patterns and may identify users.
00:15:33.760 The second tool that I want to discuss is GPG, which stands for GNU Privacy Guard. GPG allows users to create encrypted messages or files to maintain privacy.
00:15:54.880 In order to understand GPG, you need to grasp the distinction between public and symmetric key encryption.
00:16:07.040 GPG functions based on a public and a private key pair. So, if you want to send a recipient a secure message, you encrypt your message using their public key.
00:16:29.840 They are then the only one who can decrypt the message with their private key. This allows for secure communication across the internet.
00:16:44.000 It’s also possible to sign your messages using your private key, proving that the message indeed came from you.
00:16:57.440 The downside is that trusting that the public key you obtain corresponds to the actual person can be a challenge, because people can create fake keys.
00:17:11.040 Establishing a web of trust through key-signing events, where mutual acquaintances validate each other's keys, can help combat this issue.
00:17:25.760 Some people have been talking about running key-signing parties at conferences, which would allow the community to establish trust.
00:17:38.080 Ultimately, GPG is powerful if utilized correctly, but the effectiveness relies on widespread use among your contacts.
00:17:55.520 It's essential that the people you wish to communicate with also adopt these practices for meaningful secure conversations.
00:18:07.680 Thus, even if everyone starts sending encrypted emails that are not perfect, it helps everyone involved and reduces the stigma surrounding secure communication.
00:18:26.080 Speaking of that, we need to acknowledge the UX and UI issues prevalent in many security applications.
00:18:41.600 If I ever wanted to generate a new GPG key, the command-line interface can be daunting—even asking technical users complex pathways to establish keys.
00:18:54.720 It’s a tedious process and proves challenging for normal users, requiring someone to take charge of helping.
00:19:06.560 Not to mention the better options available; the Tor browser bundle simplifies the Tor experience for average users, allowing you to surf the web privately with a click of a button.
00:19:27.680 But we still need to focus on the products we build and the subsequent privacy implications. If we simply continue building massive data-collecting platforms, it's no surprise the government will use those systems against us.
00:19:44.320 So in closing, we need to prioritize understanding and implementing security and privacy in our daily lives. Thank you very much for your time!
Explore all talks recorded at GoGaRuCo 2013
+10