>> All right. Thanks a lot. Yes, so I didn't know that disobedience was going to be the theme when I submitted this talk, so I guess I didn't fuck it up. Because this... >> Hazing. This is not my first talk, you know. Oh, I thought you were going to make me drink or something. Are you going to get anything for that? In the Penn and Teller, yeah. Sure, if it gets me some booze. All right. Disobedience is what makes hackers who we are. Using things in ways that were never intended or allowed. Sometimes to show there's a better way to do things you need to break some rules, and a big way is violating unjust laws. Civil disobedience. And I was partly inspired to give this talk because some of the biggest practitioners of criminal disobedience in this country today are the secret police, unrepentant career criminals like Michael Hayden, who presided over the Bush warrantless wiretapping, and James Clapper, who lied to Congress repeatedly -- they disregard and weasel around the law when it's convenient for them to do so. They are telling us that the end justifies the means, so we can play that game too. We have a duty for civil disobedience where the law is plainly wrong, and turning the United States into a surveillance state in the name of fighting terrorism, which as a public health problem rivals the bubonic plague in this country, is worse than criminal, it's stupid. So we can't let the surveillance state stop us from doing what's correct. Remember back to the crypto wars, DeCSS: to protect big media from hackers playing their legally purchased DVDs on their Linux laptops, DVD decryption code was illegal. That's a perfect example of a law that's worse than criminal, it's stupid, because it only hurts people legitimately using media. Of course, hackers have a duty to put a stick up the ass of the people responsible for these laws. Making illegal T-shirts, making illegal ties, illegal games of Minesweeper. [Laughter.]
Now, of course there are more or less trivial injustices to be disobedient to. On the low end, breaking some bullshit EULA, to using technology to resist truly tyrannical and oppressive regimes out there, which people are out on the ground doing right now. Mortaring the man, there is an app for that. The point is, using technology to push boundaries is what people who come to this conference are supposed to do. And on the other side of this, which I will return to in a little bit, is that actually you have no idea whether what you are doing is legal or illegal in many cases. None other than the Congressional Research Service has stated they don't know the precise number of federal laws in effect in a region at a given time. So not even a good lawyer knows off the top of her head whether or not her client is doing something illegal. Then take into account that laws in this country and others are interpreted by historical precedent. Now, it also matters when you are accused of doing something. Forget deliberate disobedience -- people break the law all the time without knowing it, so you have got to be careful. Here is one of my favorite DEF CON examples. This slide is only just an illustration, an example of being disobedient but good. DEF CON is full of them. I think we can mostly agree, breaking into people's bank accounts that are not your own is illegal. One of my favorite DEF CON moments was meeting the guy who hacked into the Nigerian scammers' back-end database, got their bank account info and got a little old lady's money back from them. I think this photo, by the way, should say goatse lovers. Missed opportunity. Leaking things is also another disobedient act currently en vogue and, I think, helpful to society. A lot of what's been leaked lately comes down to control of the internet. People with a lot more money and power than those of us who are in this room are trying to lock it down. Disobedience is a part of that resistance to power and control.
A locked-down internet, one without the freedom to share information regardless of one's wealth or power, or regardless of what that information is, is a fucked up internet. And so, we should refuse to be obedient to that. If you are going to deliberately disobey, of course, there's just one rule, and anyone who has been to Hacker Jeopardy knows what it is, so I want a shout out on the count of three. One, two, three. Thank you. The other reason I was inspired to give this talk is because I have been obsessively reading every Snowden leak that has come out this past year. And okay, that's fine for me, I can feel smug. But I wanted to contribute some of my insights on that and give back to the community, and start this -- be involved in the discussion here on that. So, this talk is for everyone who hasn't had the free time to go through all of those leaks and really pore over all of this stuff. If everyone in this room knows everything that I'm going to say I will be really happy, but that's probably not the case. Especially... People don't seem to be thinking about this stuff, because people who should know better keep fucking it up. Remember this, the good old days, back when the internet hadn't yet transitioned to cat-based humor. Nowadays everyone on the internet knows you like ASCII goatse. [Laughter.] Google even suggests it. I'm sorry, it's not a DEF CON talk without a goatse. But seriously, the good old days were not even that good. I'm not even really old school. We were packet sniffing in the 90s. It's been a quarter century of realizing that the trust assumptions that underlay the early internet were completely wrong, and that attitude change, as slow as it's been, has been a good thing. You shouldn't listen to anyone who is like, back in the day it was better. It wasn't that good, but it's definitely worse now, because now the business model of the entire internet is stockpiling, monitoring and tracking your shit. And the real game changer is the storage.
This is the Bluffdale, Utah NSA data center. Your shit out there is not just vulnerable temporarily when it's being transmitted, but it's stored to be mined later. Keith Alexander, when he came here to DEF CON 20, he pissed me the fuck off, because he came here and said "oh, you guys are so smart, right? Come and work for me," but he thinks that we're so smart that putting on jeans and a T-shirt is enough to convince us that yeah, you are a good guy, even though your agency is preventing people like us from becoming who we are, preventing the next generation of hackers. Think about if someone walked around in our community with a tape recorder, shoving it in your face all the time, recording everything you said. You would find it hard to accept that person as part of the community. You would probably stop talking to that person entirely, but that's what's happening. We have to remember that's what's happening even though we can't see it in our faces. Collect it all, exploit it all, et cetera. We have always assumed and expected they were doing some of this, but thanks to our friend Snowden we now know they were doing what we long expected and more. You've got to remember the government doublespeak here, eh? When they say, we don't do this, that means, we get our foreign partners to do this and then they give it to us. When they say we don't collect that under this program, it means yes, we collect it under a different program. So it's not just one particular TLA. So now there's a million ways to fuck it up, right. Not just in the moment but going back in time. So if anything you do makes you a person of interest, they can go back and find other interesting stuff to pin on you. Whether it's a parallel construction so they don't have to admit how they know this stuff, or other reasons. Most of this is not the fault of technology. Think about problems with technology; it has problems.
We find bugs all the time, but the number of bugs is dwarfed by the number of errors that exist between the chair and the keyboard. So people say they've got nothing to hide. You've heard this a million times before. Everyone's got plenty to hide, right? They are the source of many of those problems. Everyone has always had something to hide, now or in the past. If people had nothing to hide, a lot more people would post status messages to facialbook that say "just jerking off." For all the people in the audience, if you are feeling smug because you already do that -- [laughter.] You are morally consistent, but I would say you are lacking in long-term planning skills. So people who are trained to do sketchy shit and not fuck it up, including organized crime and the feds, two groups between which there is not an insignificant overlap, you will hear terms like tradecraft and OPSEC. Tradecraft means techniques and methods, and I'm going to throw up a few things from our friends the CIA. I will make fun of them later, but they spend a lot of time thinking about ways they cannot fuck it up. The best way to go when looking at CIA analysis, by the way, is operations. Operations is where they fuck it up. Analysis is where they spend a lot of time thinking about this stuff. One thing, if you go to the CIA tradecraft manual, where this is from, you can download and read it. There's a big thing about evaluating biases in analysis. This stuff is also really useful for operations. I will just go through a couple of these. Perceptual biases: seeing what we want to see only. I think you can think of some CIA examples about that. Biases in terms of evaluating evidence: consistency, small samples are more consistent, but they contain less information. Only relying on available models when estimating probability, and problems with causality -- for example, attributing events to the fixed background context. Sunni good, Shiites bad, for example, something like that.
All of these things transfer over to when we analyze our own operations when we're doing something bad. There are also a number of activities that you can do to counteract biases. This is where the interesting stuff happens; this is just a quick selection that has a good crossover from analysis to operations. Checking key assumptions, at the beginning of the project or when a project changes. Checking the quality of information. Doing contrarian techniques like devil's advocacy. High impact, low probability, and what if, how that happened. And then of course things we're familiar with from pen testing: red team analysis, opposing force and adversary analysis. Doing these on your operations and looking at where they're applicable. The other side of that is OPSEC. People say that a lot in this community; it stands for operational security. It basically means preventing leakage of information which could lead to discovery or advantage by the other side. This World War II image sums it up. Incidentally, on the topic of being old school, I showed this picture to someone under the age of 25 and they said, why is Gandhi the enemy? [Laughter.] I can't wait until all education comes from Wikipedia or IMDb. The government uses your tax dollars to produce literature to help you with OPSEC, so you need to check this stuff out. You need to understand what information is relevant. Likely threats and vulnerabilities. Risk assessment and applying countermeasures. And the point of this poster, it's tough to see the text but you can look at it on the DEF CON DVD, is that OPSEC doesn't end with the operation itself. It covers all of your initial explanation and exploration and everything afterwards. What you really want to get into your mindset is, you don't even know you are going to do it, and then you forget about it afterwards. OPSEC is a 24/7 job. So here, my variant of the seven deadly sins. The seven deadly fuckups. What makes you a candidate for getting busted?
Overconfidence, thinking they'll never find me, I am using an anonymization tool. So depending on a single tool is a point of failure. Excessive trust. In surveillance states, for example in East Germany, 1 out of 66 individuals was a government informant. What do you think that ratio is like in the hacking community? Emmanuel Goldstein estimates one in five. Probably that's the high bound, but talk to Chelsea Manning, for example. I bet she's regretting the trust model in the community. Conviction that your guilt is minor and no one is going to care. Oh, no one's going to care what I'm doing, I'm just defacing a website, for example. It's all going in your permanent record. Guilt by association. Visiting the wrong chat room, coming to the wrong conference, being associated with the wrong people. Like the real estate people say, location, location, location. Exposing where you are coming from is always likely to fuck you up. It can expose you to many things besides just reverse exploitation, which the government has been doing. Of course, sending anything in the clear, not just personally identifying information but browser fingerprints, unique device IDs, locations you are at or might be at in the future. Keeping too much documentation about what's going on. People who are really fighting the state and doing serious business know about this. This is a quote from a Ukrainian separatist: Home computers and personal cell phones should never be used for operational purposes. Identifying documents should never be carried. Details of military operations should never be discussed on phones or in front of family members. You may even need to do things that you don't like to do, like abstaining from alcohol. Like sins, you are going to commit one of these; you are going to fuck one of these up. Use your tradecraft analysis to figure out how you can recover from making mistakes. One of the things you can use to stop fucking things up is tools.
But tools can also help you fuck it up. A computer is a tool that helps you fuck things up a billion times faster than you could do by yourself. They increase confidence. The sin of overconfidence. That is the likelihood of fucking it up. Using a tool badly or stupidly can be worse than not using it at all. This is one of my favorite tool injury pictures, or tool hazard pictures, because this is from the water jet cutter. It puts out a stream of compressed water at 15,000 PSI -- it breaks the sound barrier, it cuts through steel, and everyone who walks in the room is like, what would happen if I stuck my hand in that thing? So here's the first tool. VPNs. You're going to use an insecure network. Two questions when it comes to tools: should I use it, and how should I use it? What do you get from a VPN? You get some traffic encryption, but only between you and the VPN itself, not necessarily from the VPN to the remote location. You may get some location obfuscation to the remote server. They may not know exactly where you are. Maybe you get some request concealment from the ISP, between you and the VPN, not afterwards. So it really depends on where the listener is located. It's a single-hop proxy. So anyone who is watching both ends, like a state agency, can do traffic correlation very, very easily. It also shifts the trust model over to the VPN provider, a provider you probably have a financial relationship with. That could be traceable, depending on how you are paying for it. So think about those things. VPN providers really vary on what they promise. Many of them say they don't keep logs. You should know their logging policy, but that doesn't tell you the whole story, especially if they're located in the United States, because they can start logging any time they want to -- for example when they receive a national security letter, which they have to refuse to tell you, by law, that they have received.
So just because they don't log now doesn't mean they won't in the future if you become interesting. VPN clients vary on how well they hook you up. They can leak information, depending on the client. I've seen this myself. If you plan on hiding behind a VPN, then you better see where the client left you exposed. Connect to the VPN. Run Wireshark or a packet sniffer on another computer and see what's coming out of the computer you're going to use for operations. Is everything going through the VPN or not? If this small amount of effort is too much for you, then internet scofflaw is probably not the job for you. You should work for the government instead. Here is a simple test for the lazy. Open up an SSH connection and fire up your VPN and see if it drops. If it stays open, then stuff is still being leaked. Existing connections are allowed to go through, and all kinds of things could be falling out with your real IP. A lot of VPN clients are also shitty for mobile use. Every time you put your computer to sleep or move around, the tunnel goes down and you have to reconnect. When that happens, every freaking app on your computer phones home and tries to immediately reconnect before the VPN reconnects, and exposes your IP. Mail clients. Browsers with open tabs just like to reload them. Browsers that are doing all kinds of JavaScript in the background, that are communicating. All your shit is exposed. If this applies to you, make sure all this stuff is shut down before you close the VPN. Even if it's as simple as doing a killall -STOP, I know that's impossible to read but that's what it says, thinking about everything that could possibly phone home and stopping it before you close the VPN is a good habit to get into. Of course, habits are fragile, you will eventually fuck it up, so try to automate that process. Another thing on that subject: randomize your MAC address.
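The sniffer check described above, as an added example that is not part of the original talk: run a packet capture beside the host while the tunnel is up, then flag every outbound packet that is not addressed to the VPN server. The capture lines, addresses and the VPN endpoint 203.0.113.5:1194 are constructed sample data, and the tcpdump line layout assumed by the regex is the default `tcpdump -n` text format.

```python
"""Find traffic escaping a VPN tunnel in a tcpdump-style capture.

Added example, not from the talk. Every packet the host sends that is not
addressed to the VPN server left the machine in the clear: DNS lookups,
mail clients reconnecting, SSH sessions that predate the tunnel, and so on.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample data: what a sniffer on a second machine might see.
HOST_IP = "192.168.1.10"
VPN_SERVER_IP = "203.0.113.5"
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.1.10.51234 > 203.0.113.5.1194: UDP, length 128
12:00:01.000500 IP 192.168.1.10.51234 > 203.0.113.5.1194: UDP, length 96
12:00:01.200000 IP 192.168.1.10.40001 > 8.8.8.8.53: 1234+ A? example.com. (29)
12:00:01.400000 IP 192.168.1.10.55002 > 198.51.100.20.993: Flags [P.], seq 1:30, ack 1, length 29
12:00:01.500000 IP 198.51.100.20.993 > 192.168.1.10.55002: Flags [.], ack 30, length 0
12:00:01.600000 IP 192.168.1.10.55003 > 198.51.100.77.22: Flags [P.], seq 1:50, ack 1, length 49
12:00:01.700000 IP 192.168.1.10.51234 > 203.0.113.5.1194: UDP, length 160
"""

# "<time> IP <src>.<sport> > <dst>.<dport>: <rest>" as printed by tcpdump -n
PACKET_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Names for ports worth calling out in the report (assumed common services).
PORT_NAMES = {22: "SSH", 53: "DNS", 443: "HTTPS", 993: "IMAPS", 1194: "OpenVPN"}


@dataclass(frozen=True)
class Leak:
    proto: str
    dst_ip: str
    dst_port: int
    packets: int

    @property
    def service(self) -> str:
        return PORT_NAMES.get(self.dst_port, "port %d" % self.dst_port)


def parse_outbound(capture, host_ip):
    """Yield (proto, dst_ip, dst_port) for each packet the host sent."""
    for line in capture.splitlines():
        m = PACKET_RE.match(line)
        if not m or m.group("src") != host_ip:
            continue  # inbound, non-IP, or a line we cannot parse
        # tcpdump prints TCP segments with "Flags [...]"; DNS and plain
        # datagrams have no such prefix, so treat those as UDP.
        proto = "tcp" if m.group("rest").startswith("Flags [") else "udp"
        yield proto, m.group("dst"), int(m.group("dport"))


def find_leaks(capture, host_ip, vpn_server_ip):
    """Outbound flows that bypassed the tunnel, one Leak per (proto, dst, port)."""
    counts = Counter(
        flow for flow in parse_outbound(capture, host_ip) if flow[1] != vpn_server_ip
    )
    leaks = (Leak(p, ip, port, n) for (p, ip, port), n in counts.items())
    return sorted(
        leaks, key=lambda l: (tuple(int(o) for o in l.dst_ip.split(".")), l.dst_port)
    )


def tunnel_share(capture, host_ip, vpn_server_ip):
    """Fraction of the host's outbound packets that went to the VPN server."""
    flows = list(parse_outbound(capture, host_ip))
    if not flows:
        return 0.0
    tunneled = sum(1 for _, dst, _ in flows if dst == vpn_server_ip)
    return tunneled / len(flows)


if __name__ == "__main__":
    print("share of outbound packets inside the tunnel: %.0f%%"
          % (100 * tunnel_share(SAMPLE_CAPTURE, HOST_IP, VPN_SERVER_IP)))
    for leak in find_leaks(SAMPLE_CAPTURE, HOST_IP, VPN_SERVER_IP):
        print("LEAK %s %s:%d (%s) %d packet(s)"
              % (leak.proto, leak.dst_ip, leak.dst_port, leak.service, leak.packets))
```

A clean result is an empty leak list and a tunnel share of 100%; the sample shows the three cases the talk warns about, a DNS query, a mail client and an SSH session that was open before the tunnel came up.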
It's already been exposed that the Canadian government was probably illegally tracking people using airport WiFi from their MAC addresses, so they could see where people were moving around in various airports. So I like to randomize my MAC address as often as is not too inconvenient. So, should you use a VPN? What kind of a list does it get you on? VPNs have their uses and flaws, so if you are going up against the big guys and they are on both sides of the VPN, traffic correlation is trivial. Simply using a VPN makes you look interesting. This is from the XKeyscore manual in 2008. Got to also remember with XKeyscore, this is not a real-time traffic processor. This is a database miner. It is a set of filters for stored data. People often say to me, you should be on a list. Well, I use a VPN when I travel especially, so I'm definitely on some sort of list. This is from Pacific SIGDEV in March 2011; it also mentions ingesting and storing VPN data, and once again identifying VPN use and finding out ways to get into those networks. It mentions a program called Birdwatch; we know nothing more about this. But clearly some sort of data mining program that could perhaps be put to use collecting VPN key exchanges for later cryptanalysis. By the way, this is also from Pacific SIGDEV. I am really pleased to see in this presentation we got a category of our own, right next to terrorists, criminal groups and foreign intelligence agencies, so we're in the big time. Here's another NSA slide, Black Pearl, a survey database from the taps on the undersea fiber-optic cables, presumably providing high-level communication of things such as communications having a foreign endpoint, because technically they're only allowed to look at things with a foreign endpoint. They can collect everything, but it only counts as domestic data collection if they look at it. This is that legal weaseling. So once again, using VPNs is something that can attract attention.
This was reported as a tool for specifically targeting private networks, but that doesn't seem to be the case. So if using a VPN puts you on a radar -- is that a reason not to use it? I don't think so. Because you might as well make things more difficult for them, but perhaps in certain cases you should be aware of it when you do your tradecraft analysis. Here's another about intercepting and decrypting VPN traffic, this is the Hammerstein slide, referring to doing a man-in-the-middle attack on VPN traffic via a compromised network router with implants inserted. So these refer to selected decrypted content. So the good news is, going to all this trouble probably means it's not all vulnerable. But at least some of it, no doubt, refers to crypto attacks on PPTP VPNs. Known compromised since about 2012. Moxie Marlinspike and David Hulton's DEF CON 20 presentation -- and release of CloudCracker for PPTP. So a VPN is probably still worthwhile, but you have got to make sure it's up to date. Don't just rely on that one thing. One thing you can do if you are truly paranoid is hop VPNs every few minutes. Some providers offer this service within a single provider. Again, you are depending on one provider. Now you are generating really interesting traffic for the NSA, but against some listeners you have decorrelation noise in there. Good for research, like searches and port scans. Just don't fuck it up believing this one-hop proxy is going to be a magical all-in-one solution. And remember it leaves a financial trail, and that can connect to your real identity unless you are paying anonymously. So let's go multi-hop. Don't fuck it up when you use Tor. Hopefully everyone here knows what Tor is, and the main way you fuck it up when you use Tor, which is thinking that Tor encrypts your traffic by default. It doesn't. Tor is for anonymization, not for encryption. The layers of encryption are just to protect the routing within the onion. It's not to protect your base traffic.
You need to encrypt as well. Tor is very, very important. There's been talk recently about, is Tor broken, or is Tor a honeypot developed by spooks because they have federal funding? I don't think either of those are true, but we're going to talk about some of that now, because I think it's really important that we do. Tor is the main way dissidents get out and communicate out of oppressive regimes. It's how researchers can look up suspicious information about themselves without being targeted. It's the way ordinary people can search and communicate without being tracked and monitored. And it's how all of you do a search after DEF CON for catastrophic liver damage without raising your insurance premiums. So it pisses me off when people say that Tor is only for illegal acts. Don't fuck up Tor by only using it when you are doing sketchy shit. Pump a whole lot of your normal traffic through it. Even if you are completely squeaky clean and you are not doing anything wrong, still use Tor, because that helps out everyone else. Also, the nature of Tor is for anonymity, so it's tough to tell people that you are using Tor for good. If you can, if you have a use you can talk about, get it out there. Hashtag, tweet something like Tor for good. The Tor devs will appreciate it. Let's talk about people who should know better who have fucked it up using Tor. We all remember this. Sabu. LulzSec and AntiSec. 4chan and Anons, trolling the web for SQL injection vulnerabilities, DDoSing websites, dumping user account databases and taking down high-profile things that will really get them in trouble, like the CIA's website. They were coordinating in IRC channels accessed by Tor. The feds discovered that, monitored the channels, waited for someone to fuck it up. Sabu committed the sin of packet origin, logs in just once without using Tor. Gets owned immediately, and immediately, a few seconds later, gets turned into a snitch, because what's he going to do, right?
He's facing decades of federal imprisonment. So even though he'd been doxed months prior, at that point it's confirmed, he goes snitch. So that's not the interesting part. The interesting part is what happened to Jeremy Hammond. He gets identified from information in recorded chat logs with Sabu. The feds log the packet metadata from his wi-fi access point; they get a chat register, a regular pen register trap and trace order. Standard wiretapping, right? They match the MAC address of his computer to packets going to a Tor entry node, correlate the times of Tor access, his Tor access on his wi-fi access point, to his presence, his ID in the IRC channel. So a traffic correlation attack, but not of the normal kind we think of when we talk about Tor. So there's no compromise necessary of Tor to acquire the circumstantial evidence that eventually put Jeremy Hammond away. The moral of that story is, don't fail unsafe with Tor. That is the Sabu moral. Practice hygiene. If it's going to matter that you are doing this, then don't even have two browsers open, right, in case you accidentally type something in that's not in Tor Browser. Make sure everything, even your DNS, goes through Tor. Use a separate machine that's proven to only connect through Tor; it's a very good idea. Or if you want to firewall it, use a firewall like pfSense to make sure that all the traffic through your network goes through Tor, then check what you are exposing, go to something like IPcheck.info and make sure that things are not being exposed. And of course don't only use Tor for operations. Don't provide the correlation of Tor usage with doing bad things. And of course OPSEC is 24/7. This is a chat on Reddit with Sabu after he was a snitch, saying keep your OPSEC up 24/7. Friends will try and take you down, you know, if they have to. Never a truer word spoken by a fed snitch at that time. Another one we've all heard about. Harvard student. A bomb threat gets called in to Harvard during exams.
Takes a matter of hours before the perp is uncovered as a student freaking out about exams. Used Tor to connect to Guerrilla Mail, which adds an originating IP header. So, a lot of OPSEC fails in this case. Mainly the folly of only using privacy tools when you are up to no good. Privacy should be had for breakfast, lunch and dinner. Privacy is like bacon. It makes everything better. So here's how he fucked it up. Harvard's network requires you to register your MAC address. Another reason why MIT is better than Harvard, because we don't do that. But Harvard requires registration tied to MAC address, and they log the outgoing traffic. These things provided multiple potential vectors for this guy to fuck it up. Again, no compromise of Tor necessary, and this is kind of a microcosm, at one university, of pervasive surveillance and pervasive correlation, because there's lots of ways that those two things put together could fuck it up for him. For example, investigators could look at who went and downloaded the Tor Browser Bundle right before the bomb threat got called in. Or look at everyone who connected to a known Tor entry node at that time, or who accessed the Tor directory servers. So when I think about this, I think about what we've already got in this country for a model of pervasive surveillance that everyone's familiar with, and that's the credit agencies, right? And we do a kind of OPSEC with the credit agencies. We get credit before we expect to need it, to build up a rep, right. Use privacy before you need it. We don't cancel credit cards even when we don't need them anymore, because they just sit there keeping on building up our reputation, so don't stop using the privacy tools when you finish doing something bad. So just like with the credit agency, Tor usage can put you on a list. But you've got a good reason for being on that list. So, there's a lot of ways this guy could have not fucked it up.
For a start, he should have done, as we said in our tradecraft, key assumptions and high impact, low probability analysis, being prepared for that inevitable interview with the cops as a Tor user. Or he could have used a bridge relay to connect to Tor. More on this later; we know the NSA has been tracking bridge relays too. He could have been prepared for traffic analysis on his entry point, so if he had gone off campus and used a Starbucks or a burner cell phone with a data plan, then he probably wouldn't have got busted. People do swattings and bomb threats all the time and there aren't really resources to track it down. You just have to make it hard. And of course he could have used a mail service that didn't IP identify and expose his Tor exit node. What do we know about how vulnerable ordinary Tor users are to state surveillance? What we do know is Tor was troublesome enough for NSA and GCHQ that they had at least two anti-Tor symposia, REMATION I and II, most recently REMATION II in 2012. So probably there isn't a straightforward backdoor. That's good news, that they had to have a conference on it. We do know that using Tor is obvious. Tor is designed to make Tor users look alike, not to make Tor users look like non-Tor users. So fingerprinting is already done for you. We know that attacking Tor seems to have been challenging enough in 2012 that they went for the browser instead, delivering a native exploit to the version of Firefox used in the Tor Browser Bundle. I think that's a good sign too. This is from the famous Tor Stinks presentation, which I am sure you have also seen, so this is going to be quick. We have an admission that de-anonymizing all Tor users all the time is not able to be done, so de-anonymizing is possible but not trivial. So you have to practice your COMSEC inside of your Tor sessions. Of course they're doing traffic correlation attacks; it doesn't seem to be on a big scale, though.
And staining of Tor users, either by storing cookies or by using QUANTUM man-on-the-side attacks to force the browser to give up identifying cookies like Yahoo and Google cookies. This is one reason why using the Tor Browser is good, because it doesn't store those cookies. And also QUANTUM methods to deliver exploits to the computer, like the Firefox asset program. You can look that up. I won't talk about it. So some of that certainly should give you pause about how safe Tor is as a single solution. Don't ever use single solutions. The good news for regular Tor usage is that it makes things harder. This is the third document released at the same time. The system, as far as low latency and anonymity goes, is still the king. Similarly, a lot of counter-Tor efforts go into client-side exploitation, so Tails gets a positive review from the secret police. Adds severe computer exploitation misery to the equation. So what does all of this tell me? Tor does put you on the radar, and it entails making these people's lives harder. That is a risk trade-off you need to think about. So how I think about it is, using it puts you on a list, a big list, and if your disobedient acts would put you on a much smaller list, the list of people warranting serious attention, then it's probably worth being on that big list as well. The more people who are on that big list, the better it is. Also, security of your whole system is still more important in the big picture than any one single element. To put it another way, there doesn't seem to be a critical flaw in Tor that makes all of these other attacks unnecessary. But if your life, or your freedom, depends on it, don't ever trust one single element. This includes Tor and lots of other tools in your communications chain. Do your tradecraft. One example I like to use, I like how it says on Cryptocat's website, you should never trust your life or your freedom to software. I think that's slightly overstating the problem, right?
We trust our lives to software pretty much every day, every time we get in a car or an airplane. But when you get in the car you also put on your seat belt. It's like the old Islamic proverb: Trust in Allah, but tie up your camel. Here's more good news. The big list and the small list: this is the recently leaked filter rules. I know this is totally unreadable, but basically these ones show the security agencies are hell-bent on making that big list as big as possible. Anyone who connects to the Tor directory service, or the Tor website, gets put on that big list. In terms of the state admission, they're the secret police. This is great. This is akin to looking for a needle in a haystack by piling on more hay. Great work. This is really good. It's upsetting that they're targeting everyone that uses Tor, especially in the worse than criminal, it's stupid way, but no more so than the blanket surveillance we're talking about. It's just reinforcing that we need more people using these services. This part is worse. I mentioned collecting the addresses of bridge relays by mining them out of emails people send when they get a bridge relay. I think this is a really scummy thing to do, and it's worth being aware that they're doing it. So the Harvard student may not have been caught using a bridge relay. Maybe, maybe not. We don't know why. We don't know, because we don't know how much information gets shared between these three-letter agencies, but be careful out there. Finally, in terms of really loading up on the hay, Tails and Tor are advocated by extremists on extremist forums. That is a comment from the XKeyscore rules. So congratulations. We're all extreme. Have a Red Bull. Silk Roaders and Dread Pirate Roberts. We all know the story. Silk Road operates as a Tor hidden service. Over two years before someone gets busted. Not a bad effort, in spite of some metrics.
We know that the feds made hundreds of drug purchases through Silk Road, slowly and carefully building the case; they let it operate probably for longer than they had to, to make sure they could get a bust. This is standard organized crime stuff. They busted the Dread Pirate Roberts at the same time they imaged and seized the Silk Road server. So what fucked it up? We know there were numerous OPSEC fails by the Dread Pirate Roberts: Stack Exchange posts, forum posts from the same account including his real email, ordering fake IDs with his face on them, lots of things that were likely to fuck it up for him. But we don't know how the server was de-anonymized. That is the 180,000 Bitcoin question. How did that happen? We don't know the answer. But here are some options. The Dread Pirate Roberts was already identified and monitored. Somehow, he pulls a Sabu: he logged in without Tor one time to fix a server, for example. Not out of the realm of possibility. The hosting company could have been identified by commercial means like payment tracing, and all the servers at that hosting company imaged, like what happened with Freedom Hosting. They could have served an exploit to the Silk Road server, owned it and had it de-anonymize itself. That's what they did to the Freedom Hosting customers. Or they could have performed a large-scale, time-intensive hidden service de-anonymization attack. We don't know the answers, but let's talk about the only one that involves an attack on Tor directly. Hidden services: what you need to know about them is that they are at a huge disadvantage in terms of correlation attacks, because the attacker can prompt them to generate traffic. They are basically two Tor circuits connected around a point. Anyone that connects to Tor long-term, to the same thing, is vulnerable to these kinds of things, especially the hostile relays, because the network's not that big, so sooner or later you are going to go through a malicious node.
Not such a problem for a typical user, but if you are maintaining a long-term repeat business like a worldwide drug supply company then it's dangerous. I don't have time to go into details, but this is a paper released recently by Biryukov et al. about de-anonymizing hidden services. They were able to have a hidden service and map the popularity of a number of hidden services, including Silk Road, in two days, so this is mapping onion addresses and the usage of them. Two days, and less than a hundred dollars, and they see two instances. They were also able to confirm that a particular Tor node acted as a guard node for the hidden service, for the de-anonymization of that hidden service, with 90% probability in 8 months for 11,000 U.S. dollars. Well within the realm of possibility for state actors. This relied on a bug that has since been fixed. A Black Hat talk this week that was cancelled relied on a different bug, also since fixed. They were able to stain Tor traffic for hidden services. This was very irresponsible of them, because that stain is now preserved in all of the traffic that's being collected by state surveillance agencies. So if Tor's crypto is broken at a later date those people could potentially be de-anonymized. The good news about it is this stuff leaves traces. This shows a spike in the number of guard nodes when Biryukov and others were doing this, so it can be noticed. So that's the good news: we can find these bugs and fix them. But be aware that yes, there are potential attacks on Tor, but not against everyone all the time, we think. About hidden services the state actors don't have much to say that's not in that paper. It's the same kind of thing. Harvesting hidden service addresses to see what's out there, and then using cloud instances of Tor relays. Presumably keeping up with what's being done in the open source community, but no reports of noticing these attacks on a continuous basis.
And let's remember from the JTRIG wiki, conveniently released I think the day or the day before DEF CON flags were due so they could put them in here: spooks use Tor too, quite a lot. So these were either the British GCHQ people, using Tor for all kinds of things. So even though they almost certainly commit the sin of overconfidence, among others, they have a sense of surety that their activity is not going to be de-anonymized all the time. For what that is worth. Also on the subject of whatever that's worth: personally, even though trust isn't transitive and it doesn't help anyone in this room, I know the Tor developers personally, some of them, and I trust them not to run a government honeypot and not to make backdoors for the spooks, for whatever that's worth. So the key element to this whole thing is not the de-anonymization of the service, the Silk Road service, which is possible; the key element is being tied to the identity of the operator of that service. It's theoretically possible for the server to be completely identified and imaged, because it's a bi-directional Tor circuit, without Dread Pirate Roberts being busted. So if he had practiced COMSEC properly he might not have been caught, so the moral of the story is: don't run a massive online drug sales place if you don't have a plan for when that thing gets infiltrated. There is a meta-lesson to all that too. Maintaining anonymity with a large organization over a long period of time is really, really hard. You have got to do everything perfectly, and not everyone starts out intending to be an international cyber criminal mastermind, so they don't take precautions ahead of time. So decide in advance where things might go. Do that tradecraft analysis. Let's move to phones. What does that little Benedict Arnold in your pocket do to give you away? Well, so much freaking stuff. The metadata of all your calls and location information, given straight to all federal agencies by the phone companies.
Also locations from the data and photos you take. They leak your contact lists, offer lists of the Wi-Fi networks you've accessed to anyone who is listening in that area, unique identifiers such as IMEIs, UEIDs and so on, preference cookies from browsers and so on, sometimes the contents of your searches if you do them in the clear. The older devices have weak crypto, especially the ones with a mixed version base, especially Android. Web browsers on these tiny little devices have little RAM and cache, so they're constantly reloading freaking tabs as fast as they can, so everything you've done recently gets re-exposed when you move to a different network. Auto-connect: the WiFi Pineapple's best friend. Hello, AT&T Wi-Fi. Hello, Xfinity WiFi, I remember you. Apps, of course, leaking all kinds of shit. It all adds up to a unique identifier of you and a pattern of your life, and the agencies monitor this kind of stuff constantly, especially looking for concurrent presence and the on/off patterns of your phones. I'm kind of famous for not carrying a cell phone, because I don't like publicly associating myself with criminal organizations, by which I mean of course the phone companies. But there is one time of year I carry a phone: it is this little seven-year-old Nokia feature phone, and it must look great in the metadata store, because every time this phone is used it's constantly surrounded by thousands of notorious hackers. But for the secret police, smartphones are the best gift they could ever get. It's like Christmas, Hanukkah, and Steak and Blowjob Day all rolled up into one big spy orgasm. Their perfect scenario is just a very simple thing: a simple photo share that happens millions of times a day; they get everything I just mentioned and more. They know this, and yet even the spy agencies manage to fuck it up. Here we go with the CIA. February 2003, rendition of Egyptian cleric Abu Omar from Italy.
The police were able to reconstruct a minute-by-minute rundown of that abduction from the cell phone records. 25 CIA employees and one United States Air Force lieutenant colonel were named and charged by the Italian authorities for pulling this guy off of the street, illegally abducting him and spiriting him out of the country. They did this because the phones were geolocated near the abduction at the time. They found the numbers had called one another and even family members in the U.S. They never removed their phone batteries. They geolocated the phones to the hotels at night and checked the phones against registration records; many used their own names, and some made sure their hotel stays were registered to their frequent flyer numbers so they got the miles. So if you are going to use a burner phone under this kind of capacity to massively correlate every phone that's in use all the time, then you need to know what to do to not fuck it up. In fact, if you are carrying a personal tracker device, AKA a cell phone, you've probably already fucked it up. Here's what you have got to do to use a burner phone. Agencies specifically look at traffic to identify burners, looking at things like length of time from activation to when they go away and are never used again. Patterns of use. Trying to identify burner cycling, if they get used again. Fingerprinting of phones. EFF is suing the NSA about this right now. They log signal strengths at cell towers to get your location every time the phone is turned on and used, as a record, and the number used to activate the phone or SIM is also recorded. And also the purchases. They'll go back to security video in the Walmart where you got it from. So here's what you want to do if you want to use a burner phone securely. Purchase them a long time in advance, before the operation. Register them far away from the operation's area. Use false information when you register them. Go with dumb or feature phones instead of smartphones.
Remove the battery when you aren't using it. Fill the phone with fake contacts. Use each one as little as possible, and switch phones when you switch locations and leave the phone at that location so you don't fuck it up. Call unrelated numbers so there's a different pattern of network per phone, and remember the purpose for each phone, and finally destroy it when you are finished. Or you can do what McAfee does, which is tape it to the bottom of a long-distance 18-wheeler and let it go for a ride. I'm not saying that's the best thing to do, because eventually someone will find it and do forensics on it, but think about that. Don't ever: turn a phone on in a location that you can be placed at; allow your phone to be on at the same time as, or placed with, another phone that you own; call the same non-burner phone from multiple burners; or store any real contacts on that phone. Matching entry and exit points: we know specifically that they look for that, so don't match the last use and first use of phones. Overlap it. Don't tie them to online services that can bridge that metadata, for example Gmail accounts. Think what you would do to red team a massive database of location, time, call destination and call link metadata. Anonymity is hard. If you can't go to the trouble to not fuck it up, then evaluate whether the risk you are taking is worth it. Messaging. After all of these years, email still fucking sucks. Fighting spam aids tracking, because that's why they insert sender IPs and other information into the headers. After all these years of the Wall of Sheep... let's give it up for the Wall of Sheep, because they're awesome. After all these years of the Wall of Sheep, webmail services are still going to HTTP and not forcing HTTPS. So the more accurate sheep-related analogy is this: a sheep filled with goddamn worms. Mail services, even if they implement SSL, have weak server-side storage. Remember the GCHQ slide with that infamous smiley face.
They may not encrypt on their internal networks. Email is still fundamentally broken, because even if you use PGP or S/MIME the metadata is still not encrypted, and the metadata can still fuck you up. This is a huge one. People keep their email. It's logged insecurely on the client side, either in browser caches and so on where it can be exposed, or people just having bad retention habits and saving all their email. Like someone famously said, "It doesn't matter that I don't use Gmail, because Google has my mail because all my friends do." Remember that. Google is part of the problem. They never delete their mail, that thing. Instant messaging is not much better. Remember the psycho ex principle: never say anything, never put anything in a message packet that a psycho ex could use credibly against you later. Assume everything is being saved forever, especially by the NSA if it's encrypted. Their retention rules allow them to keep it forever if it's encrypted. We all like to make fun of security by obscurity. But sometimes that's all we have. These are the code talkers in World War II, a classy example of security by obscurity that worked. At its best, it's fully deniable. It's arguably the safest communication, because no one even knows it's a communication. But if you are going to use it, security by obscurity, make sure you don't fuck it up. Here's another CIA example. General Petraeus, picking on these guys going all the way to the top: he's having an affair with his biographer. They write messages in draft emails and don't send them; they just delete them when they're read. Multiple people have access to the account. In spy terminology, that's really casting email as a dead drop instead of a transit mechanism. Now, I would never begrudge anyone a booty call, but if you are going to fuck, don't fuck it up. They used the exact technique developed by people the CIA was already monitoring. Quote unquote, al-Qaeda people in the Middle East somewhere.
Using multiple accesses to a single email address from different locations: that's exactly what pervasive surveillance was designed to expose. Anyone in the room, if given the database and told "write me some interesting queries", one of the first things you would do is say: give me all the accesses to the email accounts that are impossible journeys, that are at times you could physically not make that location transit. Secondly, don't rely on things getting deleted. If Google knows about it, it's no longer safe. It's cheaper to keep things than delete them these days. So be judicious about your insecurity. Understand your insecure channels. It's okay to use them, but manage them. Do your quality information check and your what-if analysis. You should understand by now in this talk that Petraeus could have covered his tracks even if it looked plain for all to see that two people were having an affair, as long as it couldn't be tied back to him. This happens millions of times a day; hiding in the noise. So here are some common services. Commercial webmail is all fucked. I advise people to run their own mail server. At least when the feds are interested you will know about it. Metadata is still a bitch though; it gives it all away. This is an image of the mail that Lee Harvey Oswald sent to the Kremlin. That's what metadata is. Hopefully Dark Mail will do something about this. I didn't go to that talk; I'm going to watch it later. Hopefully it was good. Skype. Definitely compromised. No question. This is an enabling document referring to backdoors and commercial service providers. By 2013, full access to a major internet peer-to-peer voice and text communication system. What do you suppose that is? Too speculative?
NSA briefing notes by the director of German intelligence on the potential landmines, a carefully parsed statement saying that the official line is that Skype is owned by tailored access at the endpoints, meaning compromising one or more of the communicating parties' computers. Not in transit, but a clear implication from the language that they've done a deal with Skype they didn't want to tell the Germans about, even though they are allies. And if that doesn't convince you, JTRIG's wiki spells it out: real-time records, bi-directional instant messages and contact lists. Pwned. So fuck Skype. I mean, you can still use it if you want to, but understand that to people with the right capabilities it's equivalent to unencrypted. So figure out your threat model. Lots of chat, I think, is broken if we're including the secret police in our threat model. So I say let's assume IRC is pretty much all collected: if you can grab all of port 80, then why not grab 6667 as an afterthought, even. If you are using SSL from you to the IRC chat room, even one single person in the group chat unencrypted means that is all completely ownable by the massive surveillance. We know that IRC is on the radar because of QUANTUMBOT, taking control of IRC bots. Over 140,000 bots taken control of and co-opted. Lots of reasons the spooks might be interested in IRC bots; persistent presence all over IRC is just one of them. Something to be aware of. Remember, when Google promises "off the record", all it means is they don't keep it. It's not true OTR. Also remember Quinn Norton's great essay "Everything is Broken". Some OTR implementations don't encrypt that first message. She has tales of people fucking it up because of that. Don't let your story be one of them. So what can we use? What might not be completely fucked? Some OTR implementations; some people like Quinn have bad things to say about libpurple, but it's everywhere.
Cryptocat, I think, after some initial security fails, really did the right thing. They opened it up to community peer review and security auditing. They really want to make a good product. I have been using Bitmessage a lot lately. Every so often it goes berserk and runs my processes at 100%, but it seems to be decent as long as you can connect with it regularly, because it throws away messages after two days because of security and performance problems, so it's not good for intermittent usage. I haven't played with RetroShare much, but I like what I've seen. I like the peer-to-peer structure and the key management. It seems like a good direction to go in, but it sums up that we really need more auditing. We need more peer review so we can see what we can really trust, and it also suffers from the flaw of standing out. As well as encrypted communications, we need steganography. I'm about to be dragged off the stage. I have two things to say. Number one: we say there's a lot of suspicion of Glassholes, because they might be recording us. Well, guess what? Everyone is fucking recording shit. Everyone is keeping email and their IMs for so long and not deleting them; we need ephemeral messaging that's not just in the smartphone app space. We need more steganography. We need, all right, I'm getting there. One thing. GCHQ. They had to use special staff to view the chat video they were illegally collecting, because of all the nudity, so send plenty of nudity. Make it the bad... Ugh, one more thing. So the one thing I just had up, a friend of mine wrote this, and it mixes cat pictures with things that look encrypted, things that look like security documents. So you can swap cat pictures for porn. One last thing I want to say to the people in the audience, to the haxors: lose the ego. Follow those burner rules for your identities. Keep your real, in-real-life identity separate from the ones you do bad things with, right?
People come to conferences like DEF CON to get cred, but cred is your enemy. Don't talk about the shit that you are doing. This is from the criminal complaint against Jeremy Hammond; this is where Sabu goes to great trouble to connect all of Jeremy Hammond's identities together so they can put the criminal complaint together. Finally, support the EFF. Ask for things. Good luck. It's better to be lucky than smart sometimes, and never surrender to obedience. Thank you. [Applause] >> All right, so if anyone wants to talk to him we're going to be out here in the hallway. If you are staying, please move your stuff. There are shitloads of people outside who all want to come in.
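Two of the correlation queries the talk describes, the "impossible journey" check over accesses to one email account and the matching of one burner phone's last use to another's first use ("matching entry and exit points"), written out as an added example; this is editorial code, not material from the talk or its speaker. The record layout (`subject`, `when`, `lat`, `lon`), the sample events, the 900 km/h speed ceiling, the 50 km jitter floor, and the 30 minute / 5 km hand-off window are all constructed assumptions, and distance is a haversine great-circle estimate rather than anything a real metadata store would compute.

```python
"""Added example: two correlation queries of the kind the talk says an analyst
would run over a location/time metadata store. All records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import groupby
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Event:
    subject: str      # email account or phone identifier (hypothetical field)
    when: datetime    # UTC timestamp of the access or call (naive, assumed UTC)
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_journeys(events, max_kmh=900.0, min_km=50.0):
    """The 'impossible journey' query: for each subject, flag consecutive
    events whose implied ground speed exceeds max_kmh (assumed airliner speed).
    Moves shorter than min_km are ignored so tower/GPS jitter is not flagged.
    Returns (subject, earlier_event, later_event, km, hours) tuples."""
    hits = []
    ordered = sorted(events, key=lambda e: (e.subject, e.when))
    for subject, group in groupby(ordered, key=lambda e: e.subject):
        prev = None
        for ev in group:
            if prev is not None:
                km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
                hours = (ev.when - prev.when).total_seconds() / 3600.0
                # Zero elapsed time with a real distance is also impossible.
                if km >= min_km and (hours == 0 or km / hours > max_kmh):
                    hits.append((subject, prev, ev, km, hours))
            prev = ev
    return hits


def burner_handoffs(events, window=timedelta(minutes=30), radius_km=5.0):
    """The 'matching entry and exit points' query: pair one device's last-ever
    event with another device's first-ever event when the second starts within
    `window` after the first ends and within `radius_km` of it.
    Returns (old_subject, new_subject, gap) tuples."""
    first, last = {}, {}
    for ev in sorted(events, key=lambda e: e.when):
        first.setdefault(ev.subject, ev)
        last[ev.subject] = ev
    pairs = []
    for old, end in last.items():
        for new, start in first.items():
            if new == old:
                continue
            gap = start.when - end.when
            if (timedelta(0) <= gap <= window
                    and haversine_km(end.lat, end.lon, start.lat, start.lon) <= radius_km):
                pairs.append((old, new, gap))
    return pairs


def sample_events():
    """Constructed records: one account accessed from Rome then Washington an
    hour apart, and three phones around Milan, one of which goes dark ten
    minutes before another first appears nearby."""
    t0 = datetime(2003, 2, 17, 12, 0)
    rome, dc, milan = (41.9028, 12.4964), (38.9072, -77.0369), (45.4642, 9.1900)
    return [
        Event("acct-A", t0, *rome),
        Event("acct-A", t0 + timedelta(hours=1), *dc),        # impossible journey
        Event("acct-A", t0 + timedelta(hours=12), *dc),       # stays put: fine
        Event("ph-1", t0 - timedelta(days=2), *milan),
        Event("ph-1", t0, *milan),                            # ph-1 goes dark
        Event("ph-2", t0 + timedelta(minutes=10), milan[0] + 0.01, milan[1]),
        Event("ph-2", t0 + timedelta(hours=3), milan[0] + 0.01, milan[1]),
        Event("ph-3", t0 - timedelta(hours=5), *milan),       # overlaps ph-1
        Event("ph-3", t0 + timedelta(hours=5), *milan),       # so not a hand-off
    ]


if __name__ == "__main__":
    for subject, a, b, km, hours in impossible_journeys(sample_events()):
        print(f"{subject}: {km:.0f} km in {hours:.2f} h ({a.when} -> {b.when})")
    for old, new, gap in burner_handoffs(sample_events()):
        print(f"hand-off candidate: {old} -> {new}, gap {gap}")
```

Both queries are deliberately cheap: a sort and one pass for the journeys, and a first/last table for the hand-offs. That is the point the talk makes about red-teaming the metadata store: the analyst does not need to break anything, only to ask the obvious question, so the burner rules (overlap phones, never let the last use of one line up with the first use of the next) exist precisely to keep these two queries from returning a row.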