CG - What if Petraeus was a hacker? Email Privacy for the Rest of Us - Fak3r

all right we're ready cool thank you hey so um okay so what if betray us the hacker uh let's talk about email privacy for the rest of us uh I'm Phil CER better known online as Faker open source technologist um infos researcher and sometimes speaker and uh privacy and one thing I have plenty of time for this there any questions or comments feel free to interrup me so let's talk about M us is really no it's I'm sorry in the US it's a violation of the federal law to open anybody else's mou and also the the privacy of Correspondence in other countries is also protected um and then controlling people's mail is a is a civil rights

issue of course there's been times where governments are actually opening mail sometimes it's for criminal conspiracy but uh sometimes they just do it extra legally uh so what about you know a recent interview with W had some good comments mentions that back in the day when um computers weren't connected to have to actually you know mail a letter and when you did that you had you know legal guarantees and now we don't know those guarantees with email so we send as email uh is just publicly doable and totally open in the beginning they thought that the internet was going to kind of raise everybody up raise a average person up to be equal to the tyrants or big

governments controlling you think that Microsoft and Apple really missed an opportunity when they were building their web c or email clients they didn't include pgp if they would have done that emails would have been encrypted obviously more

private what about the laws States there's really no constitutional guarantee on email privacy you got the secret of Correspondence which is from the Fourth Amendment but it's limited with the reasonable expectation of privacy which is can be subjetive email is protected by the Electronic Communications Privacy Act from 1986 that's been criticized there's a an agency doesn't need J judicial review to get uh consumer data from service providers and to top it off after six months those messages email messages are not protected Communications anymore and they just become like a regular database record and that means that they only need a subpoena to be able to get a hold of your information of course we know email

providers scan email to present you with different ads if you're at work and send email of course that email could be property of the company and then uh government interests sometimes are screening things in the perceived interest of National Security other countries they have uh better privacy protection laws concerning email some are even u in the Constitution so uh the betray inent so what happened there so yeah David he was working at the CIA working with a biographer Paula she was writing a book about him and his work in Afghanistan leading our troops now they were both married to different people they started a relationship that was not appropriate and that included messages back and

forth uh Jill comes along Jill's friends with David and his wife start shooting him some emails Paula doesn't like this she thinks uh Jill's a threat so she starts hammering her with threatening emails and Jill's just not going to put up with that she got the FBI involved and everything pretty much fell apart after that so David's called to the White House he goes there and promptly resigns now we can look at how betrayus was caught again they used like a a shared Gmail account but instead of sending emails they just went in and and left messages in the drafts

folder from this FBI was able to get logs and they're able to connect the anonymous Gmail account with follow from there they add other things like guest records uh tracking Wi-Fi networks and then you know make sure that all match for travel history none of this required a Judicial approval or for commended search warrant so things like that guest records for motels IP logs these are all forms of uh information that the government can get and they also list information about other accounts that have logged in from this IP again the the target Thea generally won't know that they've been targeted unless there's criminal charges at a later point now the FBI went after this as a

Counter Intelligence investigation instead of the cyers shopping they could have had pretty much all that stuff even without a spa got national security letters uh secret tools basically just the require of a say so the FBI field office Chief Mark Rothenberg with the Epic says that it's not it's not unusual for things like this to happen the uh the chain of uh all this disclosures in computer centc cases just because it comes open-ended because there's so much detail out there and that's exactly what happened to pus he wasn't really the focus but they found out about him because of just him being related to it

so wh blower Edward Snowden he brought us prism and prism basically showed us how the big internet companies had uh some visibility from the NSA as far as uh getting data about their users we also learned that their graphic design skills are really terrible

s said that to become the Target by the I say you could be picked just because of your email or Facebook profile and in that case an analyst will get a updates about what happened what changed on the system that day and it even includes pcaps packet captures from the user's system so the targets machine really just belongs to the government at that point he also points out that the NSA wants to have it so where they can store at Le all the metadata in a lot of cases the metadata is going to be more important than the content because it allows you to point to the content you need and you can always go

refetch it once you have the metadata to to guide you to yesterday we learned about X key store so generally it's a it's a system they use that allows them to uh put all the data together index it and then the front end to actually search it they'll keep things like email addresses name phone number browser language in 2012 they had uh one month of collecting data and they got 41 billion individual records over 30 and it actually contained email text in the database but it was just such a high volume of stuff they could at all so they only stored most of it for 3 Days the metadata they could store for longer for 30 days but something was

really interesting they could pull it aside transfer to another database and store it for up to five

years he also points out that there's the five eyes um UK Australia New Zealand Canada and they go far beyond what the NSA does we already know that the Bri Taps into fiber optic cables and they grab everything there's a rolling buffer so they just don't miss a a bit just keeps going BR Schneider points out that uh NSA collected emails and data on activity of Americans and foreigners and that the NSA collected it under you know certain legal pretense but then when that went away they searched around and and got another pretense meanwhile web providers really leave the open for this kind of surveillance you log into web mail you have https so you're secure but that's

only good you know from your connection to the servers it's not it doesn't mean anything once your email leaves that server there's a study looking at different uh servers and how they used if they used TLS for the SMTP transfer Google is actually the the best one so the point is you know people don't think about that so the risks of the server to server unencrypted emails just a big

deal it also kind of lend Credence to the idea that maybe these companies uh the big internet companies are kind of telling the truth maybe they're not working with the NSA as much or more than they're legally required to you know maybe the government doesn't care because they can just grab it as it comes over the line unct it and just worth mentioning that Obama let this go on for two years during his administration of course this was all started up by Bush in 2001 but they're still going to go after Snowden so good luck and now for the NSA for their part there's been a number of different uh Revelations before leaks they collect did metadata on

Americans Bill Binny brought it up once and um a recent report by the Inspector General actually confirmed some of the things vny actually brought brought ahead and again bul emails of us persons they were they analyze meditated with the United States persons or people that they believe to be in the United States so all the stuff when they said well we're targeting people but it's very selected and not including Americans a little less than true for and again that it's just metadata argument but met data can tell you a lot you know who was the email from or to IP access which can you know give up their location MIT media lab has a program

called a merger you can log in you give it access to your Gmail and what it does is it goes through and grabs all the Gmail metadata and then it makes a visualization about it shows all sort of different ction and it's just it's amazing the way it does it it uh you'll just end up with like groups of people and you'll say hey I work with all those people or hey there's my my relatives and then there connections that you just wouldn't have thought about like why is this person connected to this person like you can click on it and figure out why think to expain that meditate is just such an emotional issue because it

it deals with uh people's interactions with other people also interesting if your data is encrypted um NSA might want to look at that a little closer so the point is they can keep SSL encrypted or encrypted data because they they assume it has some sort of secret meaning so default by NSA is if they're not sure about anything they can just keep it later if they find anything potentially criminal uh they can use that even if that's not why they originally collected it the default the communications unprotected which is the opposite of how it's supposed to be in the Constitution so's website some senators were complaining about some of the bullet points basically mentioning that

uh NSA is protecting Americans privacy and all this stuff so they wanted them to make some changes on it and said and just pulled the page so we don't really know the what were on that page that the Senators thought were so misleading because a lot of it's classified but you're able to go to archive.org and find some of it and the second bullet point is really the the one us the government cannot Target any us persons anywhere in the world under this Authority nor Target a person outside of the USA so it seems pretty pretty cut and dry there but with each new disclosure it comes clear that you know the government's been doing this and

concealing this for a while and tarting innocent Americans so thanks to whistleblowers like Thomas Drake William byy and Kirk Reby as well as Snowden the public can actually have this uh have this conversation and debate now I think that's kind of what should have happened after 911 these three whistleblowers got together and had a a talk a few weeks ago and it's on USA today for some reason but it's really interesting it's worth your time and we really should be having this conversation because we're paying for it multip way

now n say is building a new data center in Utah this is a really big project at the ribbon cutting uh the main point they're trying to get across was that it would be 100% committed to protecting the civil liberties and privacy rights of the American people this was a couple of months before Snowden so it's probably an easier sell it's over a million square feet price bag over a billion dollars it's assumed to take up over $40 million worth of power and um again Keith Alexander the said that it was to strengthen and protected Nation cyber security and the the facility has its own private police force and of course generators did going for another three

days if they ever need if they ever need that supplier say appear to be probably the most sophisticated super computer and maybe the largest collection of data on the planet they think that it might hold as many with 1.25 million 4 terab drives which comes out to about five zaby and five zaby equal over a trillion gigabytes going to be run some crate computers and the XC 330 which is partially funded by uh by dark develop it they're hoping to get speeds of 100 ped flops which is 1,000 trillion calculations a second or three times faster than the world's current fastest computer now Bruce schneer had a comment also and just he brings up well these

are just rough estimates and this really shouldn't be the focus the focus should be the government is on a secrecy binge I did some research came up with this this shows a number of of documents classified each year so see 2010 it's quite a lot more and I just remember being excited about Obama with the the promises of a more transparent government so looking at the numbers now they're they're definitely they're classifying five times more of the documents than not

classified say that they really classify things not because they need to be secret but because it'd be embarrassing to the government and that the government's putting their own self-interest ahead of alls so I think pracy and anonity is a right so if you want to Shield yourself if you're standing up for something you believe in or if you just don't want to share if you just want to be private and the eff came out to say right protection to the fors are critical for internet and also the free exchange of ideas on the internet has driven largely in part by the ability of users to actually communicate anonymously and the Supreme Court has continuously repeated that the right to

Anonymous free speech is protected by the First Amendment and then it's a shield from the tyranny of the majority and again points out the bill of the reasons for the B of rights in the First Amendment so propos ideas and tools so with all this going on of course we're seeing more focus on uh some privacy tools encryption of course and making it more easy for the user to use something as simple as like crypto chat crypto Communications just something big like Silent Circle and Silent Circle sells it is global and crypto Communications but uh they might have something they're run by Phil Zimmerman who cre of PHP or pgp pretty good privacy and they have a s of projects um

encrypted emailed video chat encrypted phone calls and text messaging start mail is coming up pretty soon and they're advertising is the world's most private email and they might have a shot too because it's uh it's it's run by iqu which is a really private search engine yeah they want an alternative to dat collecting services like G and Y and a suite of completely open web products imagine that the culture of the free is to have deating effects on our privacy but also our economy so the question will come down to if people actually want to pay for email since they're used to getting it for free for so long but they need to realize it's it's a matter of paying

with your wallet or with your data the founder of the Pirate Bay to have NSA proof messenger app as well he mentions that in this day and age we can do we can't do without encryption but he takes it beyond that he says it's important to look at who runs the infrastructure how do you know their intentions and also what kind of rules their jurisdiction has as far as what they have to

do and also kim.com for Mega wants to have spy proof messaging so he wants to start with messaging and then privacy his apps but also encrypted mail servers for everybody uh recently at& applied for uh a patent to do self-destructing email so that point that conventional email is not right for sending private info but this app has a client application side that would you know destroy the email on their sipping computer regardless if they read it or not depending how you have it set it's like I don't know how that would work but there's privacy focused organizations rise up to really good one they provide online communication tools for people that are trying to affect social

change and they think by controlling their own secure means of communication going forward is really the way I found another group this one out of Italy with similar goals they want be able to choose free rather than commercial Communications and they want to get people's awareness that they need to protect their privacy and escape the Looting that's going on with their data now really good overview website called private prison break has all sorts of tools you can use online for encrypted Communications or just other more private ways of communicating purpose privacy tools so the New Yorker is using strong box strong box is a more secure private way for sources to get data to to the

Publishers you can only connect through the tour Network and they don't collect any information on the the users browser or anything now strong boox is based on dead drop and dead drop was the last project of uh Aaron Schwarz so how it works is it the source is given a code name and they able to use that that to have a relationship between them and their name their code name and themselves again without tracing it back to a name or an email this way they can have a two-way conversation with the journalist they can actually post questions and receive email back basically by going in checking that code in for for messages of course online there's tons

of resources for improvement Snowden points out that encryption works and it's one of the few things we can really rely on sites like eff they self surveillance self-defense site walking through what's going on online and and better ways you can protect yourself just a few months ago freedom of the press Foundation had an article on how to protect your privacy in the age ofsa surveillance and it's it's quite extensive again lots of tools just lots of ideas so you know what's going on when you're online rise up has a really good primer talking about Concepts and uh different things you need to think about then this one's fun is is crypto party people are in crypto parties

around the world basically they get together informally and uh just teach each other how to use crypto to off the mess off the Record messaging a crypto party started by Asher wolf who if you don't follow on Twitter she's just got tons of information there's an article at anate proof your email it's pretty interesting but he basically walking through setting up and running a Linux mail server with information how to have everything encrypted and and secure as you go along so but I think the main email considerations are you need to think about the connection from between you and your email service so htps and then like we talked about earlier service of the connections between you and email

service and other email Services if you want to he the content of your mail of course you can use PTP anma plugin for Thunderbird that allows you to use pgp R and then the the storage of manal dis encryption or offshore hosting so let's talk about that sh your email

offshore in European countries Asia elsewhere generally offer a lot stronger email privacy some have secrecy of Correspondence that's really cool because it equates email with letters so that not only protects the content but also the metadata logs of where Ms was sent from again there's constitutional guarantees European Convention of Human Rights and I like this last one the right to respect for private and family life I'll show our email account is not going to be free the fees are pretty reasonable and again you're not paying for it with your private data one of the companies had this ad which I thought was pretty op so I found a bunch of different companies I want to look at

and check out their offerings for more private email it down to four that I really wanted to focus on now they all kind of have the similar these these things are similar across all of them you know that personal data collected has to come from the consent of theer and if they're going to use that for something else they need to get consent for that personal data can't be stored longer than required and must be confidential of course they don't sell or pass on any information unless required by law and they all feature some version of the open pgp and digital signatures so Shinju is the first one I looked at they're basically hush mail's

official partner in Malaysia so Hushmail is a really pretty popular private email but um it's located in the US so they have to give up well they have given up stuff in the past if it's in Malaysia it's going to be a different story so they use the hush mail encryption toolkit and have other tools like the Hushmail messenger for instant secure in messenging chat file storage and sharing with other Hushmail users they remove your IP address from outgoing emails so it's the headers then they use a Microsoft Exchange I don't know why they do that in there uh mute mail they're basing the Bahamas but um all emails transfer SSL of course and through their their

servers they have non-standard smpp ports for people behind firewalls they don't keep any records or IP addresses over you know people that have received emails and they kind they don't log anything related to the client's activity so even if they were asked to give up something they don't know uh TR light's another one they based out of the nether ones uh there systems are real time encrypted including the email IP is never never visible and Communications of course encrypted pgp support up to 4096 they have a virtual keyboard you can use they claim no logs kept but also you don't need Java or JavaScript you want to use email to and from account holders is

automatically encrypted so it's like an end to end encryption they offer offshore SSH privacy tunnels and then something else they have uh privacy payments that a lot more choices so a lot more uh private options that we really don't have most of the time Community wise they blog and post articles about privacy and inity and uh the lists are public key on their site so Neo mailbox they think uh Switzerland's respect for privacy is the best place to host email IP anonymization where they basically scrub IP and other geographical location information from your from your email again they have alternative ports for sppp as well they keep email traffic logs for seven days but user's IP is

scrubbed before that's even saved and they have Anonymous surfing and those detail or deleted every 10 minutes they have two Factor off so you can get a hardware token they run open BSD kept up to with latest security patches they do Hardware acceler H and they don't require any identical information when you get an account of course if you use a credit card that's going to mess that up but they also offer different ways of paying including digital gold currencies so to sign for an account with them you don't have to give them any personal data keep that so those are really the ones I looked at if you're going to look at them I

recommend uh again figuring out maybe a a more less traditional way to pay than

before so I mean we know a lot more now we know what we're up against we know that privacy doesn't come pre-installed it's something we have to configure and use ourselves so we really need to just talk about demand it know that it's it's something that we want and express that but we're going to have to do some of the work ourselves as well so I hope this is giving you some some ideas on how you can better protect yourself online especially with email please feel free to contact me uh follow me on Twitter at Faker the slides available soon and uh I want to thank besides for to speak Edward for getting the ball rolling e they do and S SPS

creates which is the company that I work for that sends me on trips to come and talk to people like you so thanks for [Applause] listening any questions

yeah no no that's something I've done with my own side too i' like I've got s from start.com but actually gone through and set the different cyers so I get a you know the best rating that they they show that it's the best way to set it

up for