Pervasive Cloaking

Video thumbnail (Frame 0) Video thumbnail (Frame 616) Video thumbnail (Frame 2917) Video thumbnail (Frame 4840) Video thumbnail (Frame 7576) Video thumbnail (Frame 9582) Video thumbnail (Frame 10534) Video thumbnail (Frame 12508) Video thumbnail (Frame 13811) Video thumbnail (Frame 17046) Video thumbnail (Frame 18494) Video thumbnail (Frame 19346) Video thumbnail (Frame 22264) Video thumbnail (Frame 23566) Video thumbnail (Frame 27369) Video thumbnail (Frame 29106) Video thumbnail (Frame 35693) Video thumbnail (Frame 40174)
Video in TIB AV-Portal: Pervasive Cloaking

Formal Metadata

Title
Pervasive Cloaking
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2013
Language
English

Content Metadata

Subject Area
Abstract
What Cloak? Recent policy proposals from the US Executive seem to call for government support for strong encryption use by individuals and vendors in the name of protecting privacy and anonymity. Yet strong encryption is still considered a controlled resource, requiring explicit permission to import or export from the US. This is also true for other countries. This talk will try to couch these proposals in light of past crypto rules, illuminate some possible ways forward, and touch on the advantages of and weaknesses inherent in a global cyber domain that has interoperable, strong crypto based encryption capabilities for the masses. Bill Manning has been involved in data communications and Internet protocol design and operations for the past 25 years. He ran one of the first DNSSEC enabled environments, circa 1998, and as such was affected by the difficulties in getting crypto source code released for global use.
Cybersex Domain name Game controller Physicalism Bit Digital signal Control flow Information privacy Information privacy Degree (graph theory) Chain Ubiquitous computing Chain Right angle Quicksort Lie group Identity management Metropolitan area network Identity management
Building Dependent and independent variables Authentication Source code Information privacy Perspective (visual) Direct numerical simulation Chain Cryptography Internetworking Software Touch typing Encryption Physical law System identification Identity management Task (computing) Exception handling Authentication Scripting language Source code Dependent and independent variables Regulator gene Forcing (mathematics) Physical law Bit Lattice (order) Cryptography Information privacy Internetworking Software Password Chain System identification Right angle Encryption Quicksort Exception handling Resultant
Execution unit Link (knot theory) Key (cryptography) Multiplication sign Projective plane Menu (computing) Core dump Cyberspace Electronic mailing list Mereology Control flow Regulärer Ausdruck <Textverarbeitung> Information privacy Information privacy Mathematics Category of being Internet forum Video game Formal verification Right angle Gamma function Form (programming) Identity management
Key (cryptography) Regulator gene GUI widget Source code 1 (number) Web service Web service Strategy game Self-organization Integrated development environment Right angle Identity management Resultant
Standard deviation Group action State of matter Graph (mathematics) Real number Device driver Information privacy Rule of inference Expected value Circle Information Implementation Communications protocol Identity management Distribution (mathematics) Graph (mathematics) Regulator gene Software developer Feedback Greatest element Wave packet Information privacy Inequality (mathematics) Similarity (geometry) Expected value Circle Chain Self-organization Right angle PRINCE2 Quicksort Information security Identity management Spacetime Traffic reporting
Domain name Multiplication Regulator gene Digitizing Multiplication sign State of matter Mereology Rule of inference Computer programming Different (Kate Ryan album) Right angle Key (cryptography) System identification Identity management
Intel Source code Client (computing) RAID Mereology Rule of inference Perspective (visual) Computer programming Web service Insertion loss Information security Identity management Key (cryptography) Forcing (mathematics) Database Control flow Data mining Process (computing) Pattern language Right angle Encryption Whiteboard Identity management Laptop Force
Point (geometry) Multiplication sign Continuum hypothesis Analogy Online help Information privacy Number Chain Spreadsheet Coefficient of determination Internetworking Analogy Energy level Information security Booting Personal identification number (Denmark) Identity management Vulnerability (computing) Multiplication Key (cryptography) Information Regulator gene Digitizing Binary code Internet service provider Plastikkarte Bit Digital signal Cryptography Public-key cryptography Voting Spreadsheet Internetworking Internet service provider Chain ECos Website Right angle Key (cryptography) Encryption Quicksort Information security Identity management
Point (geometry) Trail Presentation of a group State of matter Real number 1 (number) Set (mathematics) Cyberspace Rule of inference Internetworking Spacetime Error message Identity management Trail Inheritance (object-oriented programming) Mapping Regulator gene Information Digitizing Physical law Independence (probability theory) Digital signal Lattice (order) Boiling point Identity management Spacetime
thank you very much for having the perseverance and the gonad mill fortitude to stick around at the end of the week you've had lunch and this is the talk that's going to put you to sleep or not right I will ask some questions and i am going to encourage audience participation I was left ammunition up here so i may have to throw things so what i had to give this
a talk a title and i put parentheses around pervasive and the idea of cloaking how many people in the room have a nick or some sort of handle that they use because they don't want to use their real name okay we're going to talk a little bit about why you do that actually why do you do that you don't get caught okay so we want to be protected against physical harm plausible deniability lawsuits shorter than typing your own name man after my own heart right the only problem is is that when you create these sort of digital identities you create a chain a chain of custody we're going to talk a little bit about that what that means first of all the disclaimer my name is Bill Manning it is not my neck that's my real name if you want to find me you can google me and you'll find five or six other guys named Bill Manning make sure you pick the right one I'm currently employed by booz allen hamilton in their analytics group and these are my opinions I have not actually had these vetted by the company so hopefully they won't fire me when I go to work monday so i look at this is
people have digital identity and it identities because they want to be in control right you want to control your own identity your own destiny I me I'm in control it's my identity I'm entitled to privacy and anonymity I want to be able to be safe from physical harm when I say things that people don't like I want to do things where I have plausible deniability I want to be called anonymous right how many of you in here are called anonymous everybody raise your hand right you're all anonymous to some degree and so what you have is you have this sort of cloak that you wrap around yourself to hide and that's what i mean by cloaking is that you hide your true persona and you project another persona out there unfortunately in these in this digital or in this cyber domain it's a chain of trust you can't unilaterally and independently create an identity and have it meaningful unless you share it with somebody so the question is is how long is your chain all right you're going to be tethered to somewhere
so we're going to look a little bit in the in the back about how these chains were formed with crypto identity does anybody remember the crypto Wars of last century right what was the result of the crypto Wars phils immerman right we love Phil Zimmerman what was the result result turns out to be that there were some regulations that says you cannot export cryptography source code outside your country this was actually pretty much applicable across all countries import and export of cryptography was considered bad it was a artifact of war was ammunition and therefore was controlled that way so there's sort of this blanket you can't do it after the crypto Wars partly because it fills in ruin and PGP and partly because of the DNS SEC work those regulations changed and now it's possible to actually move crypto software around the problem here is what is this threat to anonymity if you have pervasive cryptography I mean how many people need to know if you actually crip you know encrypt something we in the previous talk it was I encrypt something with a password and then I want to share that encrypted data somebody else needs the password right and then public key private key kind of get around that but you have to share and as soon as you share what happens to privacy anybody build tools to do you know eavesdropping so nobody knows what's going on right liars or maybe they've already left town and then maybe then the smart people so the responses
are very briefly all of the script ah grog all is crypto was considered prior to about 1998 was considered an artifact of war aren't and they had the laws I covered most of this from the internet perspective the internet engineering task force the ITF has regular meeting they had a meeting in Danvers Massachusetts in the mid-90s and I remember in that meeting a guy got up on the podium in his camo and with his m16 and he said they're going to pry cryptography out of the internet over my cold dead fingers great guy he's dead now they didn't pry it out of his fingers what we have is we have strong crypto for authentication identification was allowed and encouraged that's why things like DNS SEC made it out into the world and even the source for encryption this little quote here is from the department of commerce from februari 18 2015 for encryption you can send it you can export it we can't touch you this is the general rule except for some people
and this is where it gets dicey these are the current regs if you fall into one of those five categories right they can detain you they can harass you they can arrest you right and it basically says is if you're somebody we don't like or we're suspicious of we can hold you we can make your life miserable so previously it was nobody can do it and now it's if we think you're suspicious you can do it what's going to trigger the US government's suspicion right
well that's one sided let's move on to this next thing there is a thing called mystic and it has to do with trusted identities in cyberspace this is a aspirational document from the White House that says privacy and anonymity are important they are core principles of this document we think everybody in the United States is entitled to anonymity and privacy except there has to be a trusted third party right previously the United States did this innate did this with a project called clipper which was you have to give your keys to the US government and trust them there take care of you right if I'm doing this wrong throw something at me yes you you know this no no someone further back so that was called clipper and basically people kicked at this and they said you're esco policies are not sufficient not good we don't really want this and so the government backed off and now they're coming back and I'm saying let's try this again and this time you don't have to use the government you just have to use somebody that we trust all right and a few people
looked into this and they said wait a minute this is a national ID they came back I said no it isn't not really it's not a national ID because they're a bunch of people in this ecosystem that we're going to create and they're going to be the ones that hold your keys they just have to meet our guidelines whatever those guidelines happen to be right and then everything will be hunky-dory because we have these organizations services devices individuals that can trust each other because we have these third-party authoritative sources this morning's talk with whitfield diffie and Moxie Moxie is really hot on this idea about these trusted authoritative sources it's a little fuzzy on how that works and we'll see that there's some problems
there the end result is if we got this ecosystem defined by the US government it's kind of barren because there's only a few players that are actually going to meet potentially what the regulations require for a trusted third party right
it really boils down to who vouches for you in real world space the people about for you how many people got a passport people have a driver's license work ID work badge school ID right all of those institutions vouch for you right that's your nation state your you know the nation you're in the state you're in the organization you work for the school that you attend all of those things vouch for you and they assemble this little chain that says that's really who you are right you pile all together Phil Zimmerman took a slightly different approach and I think we see some of that in this community which is that circle of friends who do you hang out with who do you share things with who do you swap keys with right and then there are a few people who do self-assertion so I don't really need anybody else I don't need to have anybody tell me who is i am prince I am Madonna right self-assertion important people really want to do that by themselves and the social graph really says you can do this from monistic expectation the whatever they pick is trusted third parties have to meet their guidelines which are not defined question becomes one of can bottom-up groups become approved mystic branded if you will parties don't know and so the idea here is that self-assertion is sort of right out unless you are actually you know really famous anyway the problem here is that
that aspirational document for mystic doesn't actually have the backing of any regulation and this is where the trusted third parties break down does everybody use the same rules for keeping your private data do you have any rights to manage the data that you've been given or that you're giving to somebody else can you control the distribution of that data do you have any feedback do there is there any sort of watchdog agency over the folks that manage your identity how do you do this transient trust problem and how do we have this idea about having meaningful voice in the development of policy for this stuff none of that's really there yet those are open questions so I look at this I
said wait a minute en ecosystem out there that manages identity right and it's pretty robust and it's got all this good stuff and so what the US government's really talking about is is that we're going to approve this little corner in the lower right-hand side all right that's going to be our little domain of trust well what happens if you're outside of the US right you've got a whole other part of that ecosystem that you can wander in and still not have a problem so if I'm a multinational
corporation if I'm based in Bangalore India do I care about mystic and I don't do business in the US probably not but I do care about tracking my employees and it's probably associated with whatever regulations are in side India about managing trust digital identities similarly if I'm in South Africa or if I'm in Taiwan or Japan right so if i'm outside am i there a nation-state or I'm a multinational corporation the u.s. rules are only a part of the landscape that I have to work in and then there are these people that I call hobos I hang out or used to hang out with a lot of people who spent more time on airplanes into more different places and had multiple passports from many different jurisdictions who they report to write I don't know right which rules do they follow and it really boils down to who are the trusted third parties trusted by whom do you trust your government raise your hand you trust your government yet all in favor say aye on all against say I okay right I trust my government to not have my best interests at heart most of the time right you could put it on a t-shirt I'll take ten percent off the top right and then there's this idea of self-identification right I told you or somebody else told you the program told you my name was will Manning am I really how do you know right so there's this
idea about trusted by whom there are trust if there was a trusted third party and this woman had given her digital identity her credentials for secret keys to this trusted third party would the US Department of Justice be asking these questions does anybody know what this was going on here right would they I mean basically what they're doing is they're saying we want a trusted third party and we think that probably one of the rules of being a trusted third party under our program is if there's a warrant you have to give us somebody else's data that they've escrowed with you do I want that no maybe maybe not you don't want that you
really don't you don't want me to hand over to my fed buddy over here yeah I mean you know what me to hand that date over to them right just because you told me something don't give it to me if I don't have it I can't give it to somebody else right so from a law enforcement perspective though they have some real legitimate reasons for tracking people and identities and stuff right and if there are multiple digital identities and you hand them out to intermediaries who manage that stuff for you you're making their job a little bit more difficult because then they have to correlate and data mine many many more sources of data to try and actually track the patterns that identify you but they'll do it right and then there's this other part but we haven't really talked about much which is market forces if you're if I'm going to become one of these trusted intermediary so I'm going to become this notary unless there are some explicit provisions for me to not share your data I'm going to collect this big database and the first thing I'm going to do is I'm going to go to my board of directors and say see we've got all of these clients they're going to go how do we monetize this data they're going to want me to sell the data either individually or an aggregate to other people so we can make more money and so what I'm doing now is I'm actually creating a two-faced thing I talked to my people that say register with me you can trust us and out the other side of my face I'm saying look at all this nice interesting aggregated data that talks about people that use this service right that's a false sense of security on the part of users because I think I'm protected but my answer me thierry my trusted third party isn't right so they're going to collect my data they're not going to tell me about it and they're going to commoditize that data with aggregates with everyone else just for grins what if somebody collected all the data for all the attendees at Def Con and sold that right bad idea right
and then there are always and this came up this morning again is the budget trusted identity or trusted eco identity ecosystem provider we're going to hold your personal identity your data your shop you know 1024-bit keys using high security actually it's kind of like high security we're over here you're over there we're going to put in this nice little digital Locker we're going to protect it with really really strong security wrote 13 my dog can decrypt broke 13 my dog is dead all right we're going to put it in XML site spreadsheet on this XP connected cluster directly connected to the Internet for twenty bucks a month what a deal right so the real problem is is that when you actually see the emergence of multiple providers people wanting to be your trusted third party there's no regulation no information about how these people should operate and protect your data right there's nothing that still needs to occur right so I'm going
to ask the question is anonymity analog or digital where digital I mean is it binary am I either anonymous or am I completely exposed or is it more of an analog thing I can show you a little bit but i'm going to show these guys more which is it we have vote for analog all in favor of analog say I why are you raising your hands can't you follow instructions okay digit binary okay both how is it both why not okay so what I'm telling you is is that I have exposed to you a couple of bits of information about myself my employer my name and the fact that I'm sitting here at Def Con I have given you nothing else right I haven't given you my date of birth I haven't given you my mother's maiden name I haven't given you my social security number I haven't given you my private keys I haven't given you my credit card information my bank account number any of that stuff right I've only given you to bits of information exposed a little bit other people over here know more about me than that all right so I think it's kind of a continuum when you think about anonymity you cannot be completely anonymous I don't think and the real kicker for me here is that we are known by the company we keep I can be I can try and be anonymous but unless i'm actually using something like wrote 13 where i have plausible deniability right if i'm using strong crypto I'm trackable or my strong crypto is trackable and as soon as you can track me all you have to do at one point in time is to correlate that digital identity with me and then you've got my entire history of that what happened and I have no longer any sort of plausible deniability this is a weakness with people using strong crypto and then there's this question what does it mean to be or to remain anonymous in the 1930s there was a cartoon called Betty Boop anybody remember Betty Boop that would be the old school people and remember Betty boot right and Betty Boop had one of in one of the things in 1930 actually 1929 there was a character that emerged called mysterious Mo's which turned out to be an artifact that frightened the socks off of this poor lady and everybody else including the guy who was running and it turns out it was a fabricated identity and nobody really knew anything about and so if we attempt to be anonymous or attempt to maintain our level of privacy need to be a little bit worried because sometimes those things can turn on us and at the end of the day the problem is is how do you manage your digital identity trust chains can you do it alone how much information have you shared with others and can you be assured they haven't shared it with other people and how do you revoke information that's bad help me be an answer Eddie I'm sorry whatever I put out there is out there and I can't recover it right you know what's scarier whatever you put out there about me is non recoverable and you may be lying through your teeth about me and I have no idea right so there's this whole idea about actually being able to manage the I digital identities that you create and I don't know that we should create too many so
I'm going to start wrapping up here the digital identity or identity ecosystem or online persona however you want to call it all of those things map back to meet space identity where existing law and rule applies I'm sorry John Perry Barlow there is no independence in cyberspace it all maps back to meet space then that would be a admission that I attended California State Public Schools when I was little and I didn't spell check please feel free to correct the spelling errors all right so no one is really isolated after this stuff you are all up someplace you're grounded in a rule of law and everyone to some degree or other is partially cloaked nobody knows everything about you conversely everybody is partially exposed somebody knows something about you may be many people I hope that no one goes and knocks on my parents door and asks them about me because they're going to get all kinds of stories about how I was as a little boy I don't want those stories getting out the point being is that there is a trail everybody leaves a trail the more you work in the digital space those trails are actually more persistent than the ones in real world because nothing is ever really erased or gotten rid of they're always copies around someplace and people make money going and investigating those trails additionally if you build tools try and hide yourself those tools will be distributed if they ever show up on the internet they will get copied and they will be used contrary to your interests this is a war of escalation the more we try and hide the more people try and uncover what we're doing and they use the same tools against us that we use against them so the advice here is to choose your traveling companions wisely be very comfortable in who you trust with your digital identities anchoring this back to Mystic it's still being formulated there are some discussions going on and it's not too late to influence the outcome particularly when it comes to the sets of regulations that are going to describe and regulate these trusted third parties so people in this community want to influence what the US government is likely to do it's an opportunity to do that and it really
boils down to this is something I mentioned this morning is the idea of influence ripples as soon as you do anything it affects somebody else and that affects what how they interact with other people and so your influence the things that you do online ripple out and affect a larger and larger community and you cannot recall that information so it's important to be very careful in whatever and that's my presentation
Feedback