The loyal friend, the phone Privacy is an Illusion and you’re all losers! - Cryptocow - Infosecurity 2013

privacy is an illusion and you’re all losers or how 1984 was a manual for our panopticon society ! By Cain Ransbottyn - @ransbottyn

End of privacy • 9/11 attacks invigorated the concept of terrorist threats • Post 9/11 there was a strong and understandable argument to prioritise security

End of civil liberties • New word: “asymmetrical threats” • Actually means: “please give up your civil liberties”, in 2001 55% US citizens were pro; in 2011 only 40% (and declining). • Patriot Act changed the world for good

So, terrorism huh ? • systematic use of violent terror as a means of coercion • violent acts which are intended to create fear (terror) • perpetrated for a religious, political, or ideological goal • deliberately target or disregard the safety of noncombatants (civilians)

Global terrorist threat map Data of 2010. Seems legit.

Year on year doubling in surveillance budget since the Patriot Act Except for 2013, then there was a dark budget of US$ 52,6B

Fear. Uncertainty. Doubt. • Instilling fear is a premise for coercion. But to whom ? • Mass media works as a catalyst to bring fear in the homes of citizens. • We all are very shitty at threat and risk assessments. Pigs or sharks ? • 23,589 40 Or terrorist attacks ? 13,200 * 2010 facts and ﬁgures worldwide

Are we really capable of understanding the real threat level ? Please demonstrate you can spot a rhetorical question when you see one

The convenience of circular logic • Gov’t: We’re using surveillance so we can prevent terrorist attacks  You: I don’t see any terrorist threat or attack  Gov’t: Awesome stuff, hey ?  • Him: I’m using this repellent to scare away elephants.  You: But I don’t see any elephants.  Him: Awesome stuff, hey ?

quis custodiet ipsos custodes ?

Total Information Awareness The 2002 - 2003 program that began a data mining project, following warantless surveillance decision in 2002

PRISM, XKeyScore, Tempora ! Thank you Microsoft, Facebook, Yahoo!, Google, Paltalk, YouTube, AOL, Apple, Skype Snowden leaks the post 2007 surveillance industry is much worse than anyone could have imagined

The rise of private intelligence agencies • The welcome gift of “social networks” • The thankful adoption rate of smart phones • The cloud as the ultimate data gathering extension to governments • The phone operators remain a loyal friend • The overt investment strategy of In-Q-Tel

The In-Q-Tel investment firm • Founded 1999 as not-for-profit venture capital firm • So… if you are not looking to make a profit, what are you looking for then ? • Investments in data mining, call recording, surveillance, crypto, biotech, … • E.g. 2007 AT&T - Narus STA 6400 backdoor = product of In-Q-Tel funded company • Many (many) participations worldwide (also Belgium)

Social networks as a private intelligence agency • Perfect front ofﬁces • Facebook as the ﬁrst global private intelligence agency • Otherwise hard to obtain intel is being shared voluntarily by everyone (e.g. hobbies, etc.) • US$ 12,7M investment by James Breyer (Accel), former colleague of Gilman Louie (CEO In-Q-Tel)

Smart-phones as the ultimate tracking device • Device you carry 24/7 with you. With a GPS on board. • Android has remote install/deinstall hooks in its OS (so has IOS) • OTA vulnerabilities allow remote installs of byte patches (e.g. Blackberry incident in UAE) • Apple incident (“the bug that stored your whereabouts”) • Any idea how many address books are stored on iCloud ? :p

Smart-phones as the ultimate tracking device Wi-Fi based positioning has become very accurate and quickly deployed mainstream

Cloud providers as the perfect honeypot • There is no company that is so invasive as Google • Records voice calls (Voice), analyses e-mail (GMail), knows who you talk to and where you are (Android), has all your documents (Drive) and soon will see through your eyes (Glass) • Robert David Steele (CIA) disclosed Google takes money from US Intel. community. • In-Q-Tel and Google invest in mutual companies (mutual interest)

Cloud providers as the perfect honeypot • Not only Google. The latest OSX Mavericks actually asked me to… store my Keychain in the cloud *sigh* • While Apple claims iMessage cannot be intercepted, we know it is possible because Apple is the MITM and no end-to-end crypto is used nor certiﬁcate pinning.

The loyal friend, the phone operator • Needs to be CALEA and ETSI compliant. Yeah right :-) • Operators are both targets of surveillance stakeholders (e.g. Belgacom/BICS hack by GCHQ) and providers of surveillance tactics (taps, OTA installs, silent SMS, etc.) • Does KPN really trust NICE (Israel) and does Belgacom really trust Huawei (China) ? • Truth of the matter is: you cannot trust your operator…

Privacy is for losers If you think you have privacy, you really are a loser

#dta If a government needs to understand its enemy, and we’re being surveilled. Then, who exactly is the enemy ?

Conspiracy theory ? ! Whistleblowers showed that reality is far worse

So now what ?

Change your attitude. Wake the f*ck up…

Reclaim ownership of your data. Demand transparency of every service you use.

Encryption is your friend

Encryption today is built for security professionals and engineers. Not for your mom or dad.

Security and crypto engineers don’t understand UI and UX

Android and IOS planned. Microsoft Mobile perhaps.

Requirements • Must provide strong crypto • Must be open source (GitHub) • Must be beautiful and easy to use, we actually don’t want the user to be confronted with complex crypto issues • Provide deniability • Provide alerting mechanisms that alert the user when something is wrong • Even when your device is conﬁscated, it should be able to withstand forensic investigation

How it’s built • Using tor as transport layer for P2P routing and provide anonymity (no exit nodes used). • Obfuscated as HTTPS trafﬁc to prevent gov’t ﬁltering. • Using OTR v3.1 to ensure perfect forward secrecy and end-to-end crypto. • Capable of detecting A5/GSM tactical surveillance attacks. • Extremely effective anti forensic mechanisms and triggers

How it’s used

Who’s using it • Journalists • Freedom Fighters • Whistleblowers • Lawyers and security professionals • …

Why use it ? • To protect your human right on privacy • To protect your human right on freedom of speech • Because your communication needs to remain conﬁdential • Because excessive surveillance is a threat to modern democracy

Privacy might be for losers, but that doesn’t mean you are OK to give up your human rights…