>> So I wanted to start with... I’m gonna go kind of fast because this is only a 20-minute talk and it’s action packed. I wanted to start with the sort of general presumption, which is that it’s frustrating when technology... there’s no transparency, it’s not made public. And I’ll start with the example of breath analyzers. Back in the mid 2000s, cops would be pulling people over, making them blow in a tube, and using that to make a decision as to whether or not to make an arrest. And people thought, well, what if there are problems with the breath analyzer? Why should we trust it? Was there really probable cause for an arrest here? And indeed, eventually some enterprising people got their hands on the source code for the Intoxilyzer and found out that it did have some real problems and might yield some false positive results. And anyone who remembers the 80s will remember the Clipper chip endeavor, when the government just said, ‘Hey, I know what we’ll do: we’ll hold on to one true key for all encryption, and you guys can have your own keys, but we’ll be able to just kinda backdoor that.’ And this is an idea with a built-in fundamental flaw that should be pretty obvious to everyone here. But any time you hear ‘just kind of trust us, we know what we’re doing,’ that’s what gets me riled up. And so what I’m gonna talk about is a series of tools that are developed for surveilling peer-to-peer networks, and they are not made public, and the government just says, ‘Just trust us, we know what we’re doing.’ And because they’re not public, I haven’t seen them; I don’t know anyone who has seen them unless they are a sworn agent, and they won’t talk to me about it. And so the inferences that I’m gonna show you here are made from just reading dozens and dozens of search warrant affidavits where they describe how the thing works and what it does, so we can make some deductions about what it actually does. That’s where we’re headed.
So surveillance is fairly pervasive these days. There’s a law that says you probably shouldn’t install an untappable phone system. We’ve got the NSA call metadata collection stuff, where, we realize, content analysis is fun but traffic analysis can be just as fun. And surveillance is also pretty secret; we usually don’t find out about it until there is a leak and everyone gets in the press and heads roll. And there’s more than just surveillance going on. By surveillance I mean just passive collection of information, but we see now some more invasive efforts as well, and there’s a series of cases right now, the Playpen series of cases, which some people in the room are familiar with, where the government embedded some malware that opened a side channel: people would browse to a website using Tor, the government operated that website for a while and implanted some malware that opened a side channel and would leak the user’s public IP address back to the government. So that’s not just surveillance, that’s actually changing things, and you might need a warrant for that, and some cases are getting tossed for that reason, but by far not all. And we know that the government is collecting exploits; that’s not been a secret at all. So one of the questions that we have to ask ourselves is where is the boundary between just good old-fashioned aggressive investigation of crime and violating people’s rights and sort of taking things one step too far. So that’s the prologue; let’s get down to it. When I talk about peer-to-peer networks I mean things like BitTorrent, Gnutella, Ares, or eDonkey or whatever they call it. These have been around for a long time.
The new Gnutella variant of the tool that I’m talking about was in use at least as early as 2009. I don’t know if anyone really uses Gnutella anymore; I’m sure the tool still exists. And the tools that I’m talking about are generally forks of open source software. So there’s been a tool developed, like uTorrent or whatever, or Phex, that’s one of the ones, and some enterprising software developer says, ‘I’m gonna make my own version of this that does some extra stuff.’ So they make use of aspects of the peer-to-peer protocol that are normally obscured from the user; they’re below what the user sees. And they add in some features that were not really of interest to ordinary users, and we’ll talk about what those are. So who develops these? Well, the tool for the Ares network was developed by this one person, Joseph Versace; he’s a Canadian law enforcement programmer and analyst. There was a collaboration between the CS departments at a couple of universities and some police departments that produced RoundUp, which is kind of the best known of these tools, and it’s based on the Phex Gnutella client, and there’s a version of it for BitTorrent as well. So they’re developed by, you know, normal folks, academics and so forth, and they make new uses of existing features. So for Gnutella, when you do a search and you get a query hit, it comes back and it includes the SHA-1 hash value of the files that the search hit on. So this is a nice, quick, easy way to identify: if you happen to have a database of files that you knew nobody should possess, you could just quickly see, do these hash values match? And then you would instantly have good targets for investigation. And Gnutella also has a feature called swarming, where if I admit that I’m sharing a file, I will also try to tell you about all the other people I know about that are sharing that file.
So that you can grab it from multiple peers and it doesn’t all have to come from me. And then you can directly browse peers as well, not just do searches; once you’ve found someone who’s running a Gnutella client, you can just go and query them and get a list of what files they have, regardless of whether your search turned up those files or not. So those are, you know, kinda interesting features; if you are an investigator, that’s kind of fun. On BitTorrent we have a couple of other things. There are what are called tracker messages, and this tells which peers are interested in which torrents, so if someone is looking for something you might be able to detect them on that basis. And when they connect for downloads, or when they acquire new segments, clients will send out some announcements of what segments they’ve got so they can immediately begin participating and sharing. Remember, the whole idea of BitTorrent was that bandwidth is asymmetrical: we can download things way faster than we can upload them, generally speaking, and so if we wanna share large files, what we’ll do is everybody shares segments of the files, or, you know, you share the whole file, but we’ll grab a segment from here and a segment from there, and that means that we can download multiple things while we’re only uploading, you know, whatever our upstream bandwidth is. And then there’s something called peer exchange, which is kind of like the swarming feature for Gnutella. So these are the features that the tool exploits on BitTorrent, and then we add in some features as well. Known file lists: a database of known files of interest, so that we can quickly determine, when we see search query results, whether they are things that we want to be investigating. IP geolocation: are these doofuses in our jurisdiction?
So before we spend a whole lot of time investigating something, can we at least tell if we would have the power of arrest over these people? Single-source downloading: we don’t want to swear out a warrant and go and rouse someone out of bed and seize their computer only to find out that they only had the first 3 segments of an 80-segment torrent. We wanna know that they have the whole thing, so that means we have to download the whole file from them. So this is completely antithetical to what BitTorrent is designed to do: instead of grabbing things from all over the place, we’re gonna grab them from just one thing. So it’s not really a subversion of the protocol, but it’s a use other than what it was designed for. And then fake file sharing also: we’ll get throttled if we’re not sharing anything, and if we share the right kinds of things we might attract people into connecting to us. Am I doing something funny with the mic, or is... Okay, I’m okay? Alright! [laughter] So we don’t wanna actually be distributing contraband, so we’re not going to actually do that, but we’re gonna announce that we have it to share, to see who will connect to us, and also so that we don’t get throttled, so that it looks like we’re sharing and we don’t get taken out of the network. Finally, we’ll have the ability to tag individual clients that we connect to. And there’s gonna be more on that later, but that’s a pretty interesting thing. Can I identify at some point down the road that this was the client that I connected to and downloaded from? That’d be an important piece of evidence. And we’ll talk a little bit about how that works. So what they’re gonna do, these tools, is impersonate regular old peers on the network.
They’re gonna engage in activity designed to attract connections, whether they’re doing searches or announcing what they’ve got. They’ll do queries of their own to find things of interest. They’ll inspect the systems that they connect to, to look at as much as they can in the shared areas. They’ll perform those single-source downloads, and they log their activity. And this is the game plan, right? The investigators will go make themselves a good log of what they did and what they found, and they’ll use that as the basis for obtaining a warrant. Alright, so if you were accused of a crime on the basis of a log file, you might like to know: is that log file a reliable source of information? Does it work? And so, over time, attorneys have tried to get their hands on these tools, because they wanna know how does it work, what does it do? And they’re uniformly rebuffed; nobody, to my knowledge, has ever succeeded in that quest. And there have been times where the court has sided with the defense attorney and said, ‘Yeah, law enforcement, cough up this code, or give them access to a working instance of it or something.’ And the case will get dropped. So they’d rather do that than burn their source, and this is a curious thing, because on the one hand they say there’s nothing interesting about these tools, they’re just simple forks of regular open source software, anyone could make this, it’s not a big secret, and yet they’ll go to great lengths to preserve the secrecy. And reason number 1 that they give is it would divulge our database of, you know, naughty files. And first off, I think the software developers in the room just snickered, because who embeds a database in the software that they’re distributing? It should be two separate things, so that you can update the database without having to distribute a whole new build of the code. So it’s probably not exactly that.
I don’t think the database is literally part of the software, but the reason that they give is that if we do this, everyone who wants to trade illegal materials would just go and flip one bit in them, and then all of our hash values wouldn’t be any good anymore. And while that’s true, it’s a two-way street: it wouldn’t be any good for the people who are sharing either, because they would not know. If you were out on the internet and everybody, you know, claimed to have different files, if the hash values didn’t match, how would you know you were getting segments of the same file? So that reason is a little bit shaky to me. But even if everyone did flip bits in their files, that would be so disruptive to the trade of contraband, maybe you’d want that result anyway. Okay, the code must remain secret, reason number 2: it would disclose the undercover investigators. And here I think they’re speaking kind of metaphorically. The metaphor that they use is, well, you know, if we had someone buried deep undercover in a drug cartel, we would use information that they gave us, and that’s okay, there’s nothing wrong with that; we wouldn’t identify that person unless and until we absolutely had to. Well, this isn’t quite like that, I don’t think, but it’s interesting. So I can think of two possibilities, and they both revolve around the idea that we don’t want one law enforcement agency inadvertently targeting agents of another law enforcement agency: going out on the network and seeing that these guys announced they’re sharing all of this stuff, let’s go pick on them. So possibility number 1 is that nodes know about one another; there’s either a central database or a list that’s published of who’s using this software, and that way you can identify your friend on the network and you don’t go and pick on them.
This also is probably not part of the software itself, but maybe the software contains the means of obtaining that list or something, and that list really should remain secret; that’s a legitimate secret. But I don’t think that’s it, because from time to time they will give you the log file, and that contains their IP address in it, so that doesn’t make a lot of sense. So the other possibility is there’s something distinctive in the way the tool does its initial handshake. So when two peers connect, they’ll exchange some information; usually it’ll have a globally unique ID or something like that that it exchanges, and there might be something unique in that handshake that would identify this as a non-traditional peer-to-peer client. And I think that’s a pretty likely guess. And I’ll talk a little bit more about that, because this is how the tagging feature works. Alright, so we have some problems with not being able to look at this software, and one of them is just the reliability of the software. Does it ever erroneously make a report? Well, it’s quite common, I can tell you from my own experience consulting with attorneys, it’s quite common that when investigators go and seize a computer, they don’t find the files that they say they downloaded from that computer. That happens well over half the time. There are two possible explanations for this. One is the files weren’t there in the first place and the report is wrong, and the second is they don’t usually execute their warrants until months after they did the initial download, so the files are not there anymore. And that’s probably pretty likely, but what we don’t know is how many warrants have they obtained and executed that didn’t result in an arrest. We don’t see those; that’s stuff that never makes it across an attorney’s desk.
And so we don’t know if there are false positives; we don’t know the tool’s false positive rate, and that I think is a worrisome thing. And are there conditions under which it malfunctions? Well, I’m here to tell you that software has bugs, and I mean, we wouldn’t even have this conference if that weren’t true. [laughter] He’s shocked! This is the first he’s heard of it! I can’t imagine why we should think this particular software has fewer bugs than any other. And it might be useful to know what they are, and there’s been no review of this; the government just says, ‘Yeah, it works.’ The next problem is the standard for obtaining a warrant. In order to obtain a warrant, you’re supposed to establish probable cause that a crime might be committed. And this isn’t technology, by definition this isn’t technology that’s in the hands of the public. There’s a really interesting case from the turn of this century, Killo or Kyllo, I’m not sure which it is, v. United States, where the feds used a forward-looking infrared radar to visualize what was going on inside of a house, and the Supreme Court said you needed to get a search warrant for that; you can’t just do this, this is stuff that’s outside of what the public could have; it violates their reasonable expectation of privacy. And I think that’s the case here too: nobody thinks that there’s a tool out there that does this, and it’s not in our hands, we can’t examine it, we can’t see it. And again, this is where the government tries to tell us that, well, this is just modified open source software, any user could do the same thing. Well, that’s farcical; maybe any software developer could, but most users are not those. But it sort of raises the supplementary question: how would we know we were doing the same thing, if we can’t see the tool to begin with? Yeah, maybe we could, right?
Maybe we could write any kind of software, but how would we know it works the same way that the government one does? And that brings us also to tagging. Right now, when you’re using these tools, there are shared areas on your computer, so folders full of things that you’re willing to share on the peer-to-peer network, and then there’s the rest of your computer, which is supposedly off limits. The way that tagging works is, in that initial handshake, the law enforcement software will submit a blob of data that’s gonna get written to a log file; in Gnutella that’s the client.net file, the list of clients that the thing is connected to. That’s not in a shared area of the computer, and it contains now a blob of data that the government wrote, and when later they come and look through the log, they’ll say, ‘Yep, this is the one we wrote, it’s encrypted with our key.’ So is that something you should have to get a warrant for? I don’t know; that’s an unlitigated question right now. Or there’s been litigation, but we haven’t gotten a sensible result. The next thing is, what are the chances you’re gonna find a judge who’s able to tell if these statements are reliable: how IP addresses can be connected to subscriber identity, how peer-to-peer networks work, how a government tool based on open source software works? Judges don’t know this. They just get a 20-page warrant affidavit and they say, ‘Ah, okay! Sign.’ [laughter] Because they don’t have a choice; it’s that or conduct a really serious investigation of their own, and it’s not gonna happen. Another thing is, who’s qualified to testify about how these tools work in court? You usually see the investigator who operated the software come and say, ‘This is what I did on such-and-such a night.’
But that person can’t really explain; that person is trained in how to use the tool but doesn’t necessarily know the inner functioning, you know, that the developer of the tool would know. So I think testimony ought to require more than just knowledge about which button you click to make the single-source download happen. And then of course, again, software having bugs, it might be exploitable to a really enterprising person. You know, these things, we know there’s Java-based stuff, there’s .NET-based stuff; there’s, you know, the clients that the tools are derived from, and any bugs that those have, this probably has too. And it may have its own bugs too, of course. And one of the things that we’ve got here is the exploitation would probably go undetected, because of this lack of transparency that we’ve got and because it’s mostly not used by security professionals; it’s mostly used by investigators, and they might just not even notice if their software crashes in a funny way one day. Alright, I have, I think, about one minute left. I would... yep, okay, I have one? One. So I could do like a question if somebody’s got one. [pause] No? Alright, well, thank you very much and thanks for coming to my talk! [applause] See you again soon! [applause]
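The investigative workflow the talk infers (query hits carry a SHA-1, the tool compares it to a known-file list, then pulls the whole file from one peer before anything is logged) and the speaker’s two-way-street point about bit-flipped copies, as an added Python sketch that is not code from the talk or from RoundUp or any other tool it names. The peers, file contents, addresses and labels are constructed, and the segment model is a simplification.

```python
import hashlib
from dataclasses import dataclass

SEGMENT = 4  # tiny segment size so the constructed sample stays readable


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Constructed sample: a hypothetical known-file list keyed by SHA-1, the way
# the talk describes the tools' database (labels are placeholders).
FILE_A = b"constructed sample file A contents"
FILE_B = b"constructed sample file B"
KNOWN = {sha1_hex(FILE_A): "known-A", sha1_hex(FILE_B): "known-B"}


@dataclass
class Peer:
    addr: str
    files: dict  # advertised SHA-1 -> list of segments held (None = missing)


def segments(data: bytes, size: int = SEGMENT) -> list:
    return [data[i:i + size] for i in range(0, len(data), size)]


# Peer 1 holds all of A; peer 2 advertises A but holds only the first 3
# segments; peer 3 holds B with one bit flipped, so its advertised hash differs.
FLIPPED_B = bytes([FILE_B[0] ^ 0x01]) + FILE_B[1:]
PARTIAL_A = segments(FILE_A)[:3] + [None] * (len(segments(FILE_A)) - 3)
PEERS = [Peer("10.0.0.1", {sha1_hex(FILE_A): segments(FILE_A)}),
         Peer("10.0.0.2", {sha1_hex(FILE_A): PARTIAL_A}),
         Peer("10.0.0.3", {sha1_hex(FLIPPED_B): segments(FLIPPED_B)})]


def match_query_hits(peers: list, known: dict) -> list:
    """Step 1: compare the SHA-1 in each query hit against the known list."""
    return [(p.addr, h, known[h]) for p in peers for h in p.files if h in known]


def swarm_sources(peers: list, sha1: str) -> list:
    """Swarming/peer exchange only links peers advertising the identical hash,
    so a bit-flipped copy is invisible to the list and to other sharers alike."""
    return [p.addr for p in peers if sha1 in p.files]


def single_source_download(peer: Peer, sha1: str) -> dict:
    """Step 2: fetch every segment from ONE peer and verify the whole file."""
    held = peer.files[sha1]
    if any(seg is None for seg in held):  # the 3-of-80-segments case
        return {"peer": peer.addr, "complete": False, "verified": False}
    data = b"".join(held)
    return {"peer": peer.addr, "complete": True, "verified": sha1_hex(data) == sha1}


def investigate(peers: list = PEERS, known: dict = KNOWN) -> list:
    """One log entry per hash match; only a verified full download should
    support a warrant, which is the speaker's reliability concern."""
    log = []
    for addr, sha1, label in match_query_hits(peers, known):
        peer = next(p for p in peers if p.addr == addr)
        log.append({"label": label, "sha1": sha1, **single_source_download(peer, sha1)})
    return log
```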