
Mystery opening keynote - Eva Galperin

BSides TLV · 2019 · 30:50 · 151 views · Published 2019-11
Style: Keynote
About this talk
Mystery opening keynote - Eva Galperin BSidesTLV 2019 - Tel Aviv University - 24 June 2019
Transcript [en]

We have, I don't know if you guys remember, we have a tradition at BSides: we have a shot. Sometimes they do it after, we do it before, because it helps people deal with the stress, but it's not compulsory. If you don't like alcohol then we can give you other things, a special pink juice. Yes. Good morning everyone, let's get this party started. Thank you so much for coming out. My name is Eva Galperin, I'm the director of cybersecurity for the Electronic Frontier Foundation and also the head of EFF's Threat Lab, which concentrates on producing research that protects especially vulnerable populations all over the world. So I am here to talk to you about one such project that was non-consensually foisted upon me by the universe, about fighting spouseware and stalkerware.

So in order to properly understand the background of this horrible situation we must go back in time (it's very timely), with me, to what I call the Beforetime, or 2017. So way back in the Beforetime, in 2017, I had spent several years doing security research, specifically research on APTs targeting journalists and activists. Back in like 2010-2011 it was still news that there were APTs that were not Five Eyes, Russia, China or Israel. People were very excited to learn this. It was also news that these APTs were targeting journalists and activists, and so there was a lot of work to do. Unfortunately, at the end of 2017 I discovered that one of my research partners, with whom I had done many years of this research and published many papers, was a serial rapist. So, oops. And I was mad, a little bit, and I did what most people do when they get mad: I tweeted. And okay, really just me. So what happened was I'm sitting there and I'm reading an interview with one of his victims, and the interviewer, the journalist, asks his victim: what took you so long to come forward? It's been many years, this is a really horrific story, it sounds like a really bad guy, why didn't you say anything earlier? And she said: I didn't speak up because he was a hacker and I was scared. He threatened to compromise my devices. I didn't know what was safe, I didn't know what he would be able to do to me if I spoke up. And when I read this I was furious, and so I went to the Twitters and I tweeted: if you're a woman who has been sexually abused by a hacker who threatened to compromise your devices, contact me and I will make sure they are properly examined. So I thought that this was just sort of a random angry tweet and maybe I would hear from one or two people, it was really no big deal, I was just gonna, like, vent my spleen. No. No. So approximately ten thousand retweets and God knows how many emails later, I had a project on my hands, and that was no fun.

So I was getting somewhere between 0 and 12 contacts a day, mostly made up of people telling me about the worst thing that had ever happened to them. The victims were mostly women, the abusers were mostly men, but there were also cases of women abusing men, of abusive same-sex couples. I had one case in which a man came to me because his ex-boyfriend had outed him as gay to his extremely conservative Korean family. So there were all kinds of things that I saw over the course of my, let's go with involuntary, research. And it turns out, as with most research projects, that my original assumptions about what it was that people needed were wrong. Most people that came to me were not suffering from device compromise. Most people didn't need forensics. Sometimes it was a scam. I don't know how many of you are familiar with the emailed scam going around in which a stranger sends an email saying: I have installed a RAT on your machine and I have seen you masturbating and I have recorded this and I'm going to send it out to all of your contacts to your eternal shame. This is [ __ ]. It is a scam. Please don't send that person Bitcoin. And so I was contacted by a lot of people who had these things and just, like, couldn't tell whether or not this was legitimate. Most often what I saw was account compromise. Basically, if it had a login, it was compromised: email, Google Drive, Facebook, Twitter, Snapchat, Instagram, WhatsApp, Apple IDs, TikToks. I had to figure out what a TikTok was. I am an old person, we don't have these things. That's like Vine, only slightly longer. So I spent some time thinking that the problem was device compromise. The problem was not device compromise, it was almost always account compromise, and the good news is that we have advice for account compromise. Account compromise is reasonably well understood, and so if someone comes to you and says that they're concerned about account compromise, you tell them: change all your passwords, use a password manager, turn on the highest level of two-factor authentication that you're comfortable using. Now I know that I'm about to get a whole bunch of well-actuallys from the audience about how you should never use SMS 2FA and everybody should be carrying YubiKeys around at all times. Listen, I agree with you, I do, but I also believe very strongly in harm reduction. If I am talking to a group of people who are not comfortable using YubiKeys, or who can't spend 40 or 50 bucks on a YubiKey, or who can only, you know, sort of wrap their mind around SMS 2FA, it is better than nothing. And so following the harm reduction approach, you meet people where they are, not where you think that they should be, and certainly if they're not where you think they should be you don't tell them: well, you just don't deserve security, clearly your partner should be able to spy on you wherever you go and whatever you're doing.

So the bad news is that sometimes it really is a RAT. A very small fraction of the cases that I looked at involved actual RATs, but they were also the most disturbing. They were usually the ones that were linked to long-term harassment, to physical threats, to physical violence, to kidnapping, and all kinds of really disturbing abuse, including, weirdly, financial abuse. And it turns out also the RATs were usually not on devices that hackers had threatened to compromise, because it turns out the hackers are lazy, and hackers are also usually kind of cowardly, and so often what they would do is they would threaten to compromise the device in order to maintain a certain amount of control without actually having to install a RAT. But in the cases where a RAT was installed, usually you didn't see that kind of threat, because the hacker didn't want to tip his victim off and wants to maintain access, so you don't see that particular type of control there. And one thing to note is that abusers lie about their capabilities all the time. It helps keep the victims feeling confused and powerless when they don't know the shape and the limits of the abuser's surveillance.

So here I am, looking like Brie Larson, hair flowing in the wind, and I had so many emails and so many messages every day from people telling me the worst thing that had ever happened to them, and I just plodded through it like I was the universe's helpdesk and started to help one person at a time. Now this is not efficient. This is the hero model. I get to feel very good about myself because every day there's somebody who tells me something terrible, I tell them how to fix it, they tell me, you know, oh, you're a superhero, you're a saint, you're Brie Larson. Wired writes up an article about me, Fast Company writes up an article about me, I look out into the distance like a thought leader, very dramatically lit. But the hero model is [ __ ]. Being a hero is very satisfying but it doesn't scale. And so I spent some time thinking about what I could do that would help more than the people that knew to contact me directly, and more than one at a time, because helping one person at a time is extremely satisfying but a really good way to end up burnt out and not do, I don't know, the rest of my job.

So I engaged in some thought leadership. So I have advice for people with compromised accounts, but the worst abuses that I'm seeing are the result of compromised devices, mostly Android phones running spouseware and stalkerware. They were giving away people's locations, the contents of their emails, their text messages, their WhatsApp messages, photos, Snapchats, Insta, their web browsing, searches. The contents of a phone are really revealing. Searching somebody's phone is the next best thing to having access to the contents of their mind. This is one of the reasons why APTs find compromising phones so great for intel, and this is also the reason why abusers think that compromising the phones of their former partners, or of their victims, will get them so much.

So this leads us to the next question, which is: so how do I know it's spouseware? The good news is that it's much easier to find spouseware than it is to find a state actor's malware. You can just go to Google and search for it. I am, as I've pointed out before, extremely lazy, and so I was excited to discover that I could just search for this stuff and pull down sample after sample after sample. So this is the results of a search for "how do I spy on my girlfriend's phone". It's pretty straightforward, you just click on all the links, download a bunch of packages. So again, how do I know it's spouseware? Like, they will tell you. This is from Cocospy's advertising copy: "Access to Cocospy gives you the lead on how to spy on your wife with ease. You don't have to worry about where she goes, who she talks to, or the websites that she visits," or have an actual conversation with her about your relationship. And just in case you didn't think that was creepy enough, oh, don't worry, the creepiness goes up to 11. So this is a screenshot from Mobile Spy: "Mobile Spy's spy app for personal: catch cheating spouses." This is a lengthy paragraph about how common cheating is in relationships and why cheating is very bad, and this is a photo of a man who is beating his female partner, and there is blood on her face. Now let's be clear: in this photo, Cocospy is on the side of the abuser. They want you to be that guy doing that to this woman, and they're selling you a product in order to help make that happen.

So that brings us to this guy, Jean-Pierre Lesueur. There's actually not a big difference between sort of free, easily available RATs and stalkerware or spouseware. So Jean-Pierre Lesueur was a hacker who went by the name of DarkCoderSc, and he made DarkComet RAT, which you may or may not be familiar with. It was cheap, it was easy, it was ubiquitous, and I spent many years tracking the use of DarkComet by a group of pro-Assad Syrian hackers who were using it to target opponents of the Assad government. Now when Jean-Pierre Lesueur read these reports and his work became synonymous with tracking Syrian activists, he shut the project down, and one of the things that he said was, essentially: listen, when I built this thing I thought guys were just going to use it to spy on their girlfriends. It didn't occur to me that it was going to be used by, you know, murderous hackers in order to send, you know, innocent dissidents to torture camps, and so what I'm going to be doing is I'm going to be shutting this project down. What is implied here is that guys spying on their girlfriends using this RAT is perfectly fine, and that is really the notion that we need to change. That is really the most important thing. Interestingly enough, the Wired coverage of Jean-Pierre Lesueur's decision to shut down DarkComet was hilariously sympathetic. The title of the column, the story that Wired wrote about it, was "How the Boy Next Door Accidentally Built a Syrian Spy Tool". Sure, he accidentally built a Syrian spy tool, but he deliberately built spouseware and stalkerware. He's not the boy next door, he's not a good guy. If you see this guy, tell him I'm looking for him.

So again, how do you know it's spouseware? How do you know the software that you're looking at is not just some sort of innocent keep-track-of-your-kids, keep-track-of-everybody-in-your-family-so-that-you-know-whether-or-not-your-partner-is-going-to-be-late-for-dinner kind of situation? And the key here is deception. Spouseware and stalkerware is designed to run invisibly on the victim's device, and so if the program runs invisibly you can't give consent, even if in order to install the program you need to have the username and password. And up until recently most of the companies that I talked to, including most AV and security companies, would tell me that if you have the login credentials, you have legitimate access to the device. And my reply to them was: I have some news for you about how abuse works. It was extremely common to see abusers convince their victims to hand over their login credentials. In fact, this sort of behavior was routine, and that's why we really need to rethink our definition of this stuff.

So I did a little research. I went and downloaded all of the most common spouseware and stalkerware, again very easy because all you have to do is search for it on the Internet. Then I ran the packages through VirusTotal, almost immediately, I think just same-day checking, and I discovered that the pickup was very low. These are my results from, I think, back in April, right here. I think this is a result for TheTruthSpy showing that only seven out of sixty AV products were accurately recognizing this product as malicious. Here is another one where we were seeing 10 out of 61. Again, not very good. And what this means is that even if you had TheTruthSpy on your phone, maliciously installed by an abusive partner, and you had AV on your phone, it still wouldn't pick it up, so that's useless.

So back in April I managed to convince Kaspersky to start taking stalkerware and spouseware more seriously, and what they did was they added this sort of capability to their product. If you download the Kaspersky mobile AV now, if they run into any of the stalkerware or spouseware, you will get this message right here, a privacy alert letting you know that this stuff is malicious and bad and offering to remove it. Now, it does not remove it automatically. One of the reasons for this is the way that abuse works. It turns out that there are situations in which alerting your abuser to knowing that you are being watched, or taking steps to thwart them, can sometimes lead them to escalate to greater violence, and I really want to leave it up to the target, the victim, the survivor, to decide what their appetite for risk is, instead of making decisions for them. Because if there's one thing that I have learned over the course of this project it is that every assumption I made about who was the victim, about what they needed, about what needed to be done and about what was helpful turned out to be wrong. So the more power that you give them to make their own decisions, the better. Additionally, Lookout put out a blog post saying, essentially: oh, we have always done this, we have always taken spouseware and stalkerware very seriously, and you can download Lookout and it will find all of this stuff for you. Yay. So two down, sixty-something to go. So there's still some work to do, but it is my understanding that the AV industry has really started to pay attention and they are looking at adding this sort of capability to their products, which is really cool, because now I will be able to tell people: just download antivirus and you will know whether or not there's spouseware or stalkerware on your device.

So again, what can antivirus do? Antivirus can start detecting spouseware and stalkerware, label it as malicious, and stay on top of it. There are also a few things that Google can do. Google could do a better job of policing the Google Play Store. Right now spouseware and stalkerware in the manner that I describe it, stuff which is designed to run invisibly to the user on your device, is not allowed under the Google Play Store's policies, but sometimes this stuff sneaks in anyway, so Google should really stay on top of it. You may also ask yourself: what can developers do? One of the things that developers can do, no matter what product they're building, is make it easier to rule out a RAT and pin down actual account compromise, and you could do this by having one page or tab where the user can see all of the accounts that have access to the data and which data they have access to. You can have one page or tab that allows users to see devices and IP addresses that have recently logged into their account. And of course support 2FA, again preferably something stronger than SMS. I would really, really like to see the normalization of not just 2FA but the strongest level of 2FA that you can really convince users to accept.

Which leads us to the next question: what can governments do? So I'm a little skeptical of authority, governments. I know that this is going to come as a terrible surprise to everybody in this room. And so when faced with a problem, frequently people say "there ought to be a law", and when I hear "there ought to be a law" I become very suspicious. So let's start by looking at the laws that already exist. The following is a US legal analysis, because I have a floor of angry US-barred attack lawyers in my office and I do not have a floor of angry Israeli-barred lawyers. This is a sort of project for anybody who is listening to this talk: if you are an attorney, an analysis of the laws that these programs are breaking in your country would be extremely welcome. Recently Citizen Lab put out their own legal analysis of the laws which are being broken in Canada by these companies, so there's room for everybody. Let a thousand angry lawyers bloom and write analyses.

So, US law, and we will go through this fairly quickly because I imagine US law is not terribly interesting to you. There are some federal laws that are being broken, including the Federal Wiretap Act, the Stored Communications Act and the Computer Fraud and Abuse Act. I am extremely hesitant to use the Computer Fraud and Abuse Act, because frequently the Computer Fraud and Abuse Act is the law under which most hackers are prosecuted and it's extremely broad, but there are definitely cases in the use of spyware and stalkerware where it's not a broad reading of the law to go after them. So the Federal Wiretap Act prohibits the manufacture, distribution, possession and advertising of certain intercepting devices. It's not limited to the developers of spyware. The FWA's prohibitions are quite broad, generally covering the devices that are primarily useful for the purpose of surreptitious interception, not just illegal surreptitious interception, and as a result, even the surreptitious monitoring of children, which may be legal, advertising it may still be illegal. And as you can see, we've had the government go after a company called StealthGenie for this very reason, and they were violating the FWA, the Federal Wiretap Act. You can also call in the FTC, the Federal Trade Commission. In 2012 the FTC charged DesignerWare LLC, a company that provided spyware to rent-to-own computer owners, and entered into a consent decree with the company, agreeing not to collect data from computers without giving clear and prominent notice and obtaining affirmative consent. We also have state laws. So one of the most annoying things about US law is that we have federal laws and then we have state laws, and we have 50 states with 50 different laws for greater confusion. And almost every state, I believe, has its own wiretapping statute. Some of the states have what we call two-party consent wiretapping laws, which is to say that in states such as California and Maryland you cannot record a conversation which is happening between two people without the consent of both people, which makes spyware and stalkerware that records your conversations de facto illegal, because the person who has the stuff installed on their phone was not able to consent, they don't know it's on there, but also the person that they're talking to is not able to consent, because they're not able to ask them for consent. There's also the Consumer Protection Against Computer Spyware Act, an awkwardly named California law that is specifically designed for the purpose of going after spyware. So again, the tools exist. This is not a situation where we need new laws. What we need is for the Department of Justice and for state attorneys general to start enforcing the laws that already exist, and we need to see greater analysis all over the world of the laws that are being broken in other countries, because the Internet is global, and spouseware and stalkerware and abuse are global, and it's not just limited to the United States. So the more lawyers that I can throw at this problem, the better.

And finally, I just want to remind everybody that I didn't invent the terms stalkerware or spouseware. I don't do this work in a vacuum. It is only possible for me to do this work because so many people did research before me. That includes the journalists at Motherboard, who have a series called "When Spies Come Home", who did a lot of the research that my work is based on. Thomas Brewster at Forbes did a lot of this work. Chris Cox has done an enormous amount of work. Harlo Holmes, who works for the Freedom of the Press Foundation, has been doing a lot of the sort of one-on-one hero work that I was talking about earlier, helping women individually, and without them I would have essentially had to reinvent the wheel. I'd also like to give a shout-out to Citizen Lab for their Canadian analysis of the laws that are already being broken. I think that stuff is extremely important. And I would like to give a shout-out to Dave Maass and Cooper Quintin, who are my co-workers at EFF's Threat Lab, who supported me all through my research. And last of all, I want to give a shout-out to you guys, because somebody has to build on this research. Somebody's gonna have to do the legal analysis. Somebody's gonna have to go and make the cases at the AV companies. Somebody's gonna have to show up when somebody makes a new product and say: well, let's talk about the domestic abuse case. And what I'm hoping is that it's going to be you. Thank you very much. [Applause]