All right. Yeah. Actually, this thing is an alpha version of a talk. It might be the draft of our 2014 to-do list. It might also be just a draft to be discussed. However, after running for some years a wiki called buggedplanet.info, which I created in the pre-Snowden era, and unfortunately it turned out to be totally true. So yeah, bugged planet, it's like that. I thought I need to move on and we got to find ways to debug planet Earth.

So I'm looking at this whole thing. I'm trying to structurally look at this whole thing, as I did when I created Bugged Planet. I, first of all, collected like stuff on companies providing surveillance technologies, on countries and country-specific situations. So you'll find a buggedplanet.info wiki page for each country on this planet. So looking at worldwide ticket installations, actually this year I was a lot more busy than all the time before with adding entries, because with the Snowden stuff there's a lot more on NSA programs and their structure and so on, but also on the cooperation models of intelligence agencies, as it looks like, our enemies. So to see those guys applying surveillance technology, being under control freak mode, the assholes get along with each other quite well, as they have stuff to share and interests to share and so on. But also, I want to talk a little bit about the technology side, of which stuff we must consider compromised at this point.

So if you look at it from a global point of view, sad to say, we have this information at hand and we have a process, or we have more information than actually finds its way into the public understanding at the moment. I'm working for quite some time now with Spiegel and others to like get the material to a level of understanding. And if you look for example at the simplification process, when we found material where the NSA, they do not break encryption, OK, but to circumvent it, they have ways to steal the keys, to limit the key lengths and so on. But journalists who are not aware of
this whole area and to try to, you know, we're going to simplify it a little bit. And then the editorial process again thinks, Oh, this is too complicated for our readers. Let's simplify the message to the end user, and the newspaper is done and it's "NSA breaks encryption", which is exactly the wrong message. But this is one of the problems we are facing, that we are in a level of complexity here where we need new ways to bring this into the public understanding, what we are talking about and what the problem is and how to get out of this problematic situation here and there.

So next to that type of problems, we have missing bits. Snowden comes from a department called S2, and below that is those guys organizing technical data, thinking about ways to exploit other systems, thinking about crypto circumvention, stealing data, the one or the other way. However, this is all and most of the material is about technology. The material contains not so much about, let's say, the targets, because the targets are like individual cases, but the individual cases only find their way into the material if an especial effort was required. So if not the standard way of, let's say, underwater cable tapping or having a compromised infrastructure in the country helps, but they needed to do something specifically.

There is a department, if you look at the way the NSA works, there's a department above S2 which is called S1, it's called customer relations. Unfortunately, we don't have a lot of stuff about them at this moment, so we have an idea who the customers of the NSA are, like the White House, the State Department, the CIA and so on, and how the liaison officers from the customers meet the liaison officers from the NSA. Well, this finds its way into a process called a request. And that again finds its way to a process called tasking. Jake was explaining tasking earlier this day. Actually tasking is sometimes done by someone who understands the technical capabilities of the different programs and who manages to get the target's information out of the systems, or like initiates collections, initiates exploits or whatever is required to get the data about the target.

But then all this type of technical data goes back to what's called the ROPI, the Requesting Office of Primary Interest. And they write reports, they write a lot of the code reports. And here we come to that interesting area, because it helps us also to understand why the NSA has a $50 billion budget, because there is people using that material in negotiations and what kind of things. So if we have a delegation of the Department of Commerce or whatever, maybe goes to Germany and they meet five, 10 people, they can submit that list of people to the NSA and say, Get me all of them your hat and they get NIS briefly need briefly report about what these people like, what they don't like, what they think about the issues to be discussed, what their financial figures are or who their enemies are, who their friends are.

And I discussed this type of usage of SIGINT with William Binney, the former architect of the NSA, who was here last year and became one of the very early whistleblowers. And he said, don't think black and white. It's not that we have to use that information for blackmailing, because blackmailing is, you know, is offending people. And, you know, they might find it abusive and so on. Think gray mailing. It just works like this. You have all this information about a person. And you know, you know what? You don't want to talk about this and went right, and we don't want to talk about this. So why don't we agree to each other? So it's like a gentlemen's way of, yeah, not blackmailing, gray mailing, which is an important procedure to understand if we ask ourselves, what the hell are they doing with all this data? Why are they doing this? And how does this also affect policy making, big business and other things? So next to this, there's a lot more to learn how this
data is being used, but this talk is not about how this data is being used. This talk is trying to get some ideas together what we can do against it.

So there is this term of TSCM, of technical surveillance countermeasures, and within that terminology, there's a thing called a TSCM survey, which is defining, or defined as, a service provided by qualified personnel to detect the presence of technical surveillance devices and hazards and to identify technical security weaknesses that could aid in the conduct of a technical penetration of the surveyed facility. So the facility in this case is planet Earth. But to simplify it a little bit and make it maybe manageable, I would hypothetically like to think of a country which maybe says, you know, we want to get out of this shit. We would like to provide our citizens an infrastructure for communication that is not pre-owned by default by the NSA and where the data does not, and so on and so on. So if we think of a country who might, you know, want to move in that direction, there is a few steps required.

My definition of TSCM is not the classical one. So the classical one is, the TSCM just detects what the hell is around there, because the theory from the very old days, where you went into a room and you would do a sweeping, you would look, where is the hidden bug under the table or whatever, you would remove that and you'd be fine. Things are unfortunately no more that easy. So communication security, operational security, I consider all parts of a successful TSCM approach if it should lead to something. Meaning, in the scope of the problem is, OK, identify the points where the surveillance or the SIGINT takes place. Identify the technological problems of the framework, the technology you're dealing with, the parties involved, the supplied technologies and their jurisdictions, and all those related things. And then construct services, processes and devices in a way where surveillance gets nothing except maybe encrypted data, where network, software, process architecture issues are being reconstructed in a way that data does not get easily into wrong hands by default, and where devices being used and processes being used by human beings are under the control of the user and/or the process owner at least. So that's quite a high attitude of to achieve. But I guess it's what we want.

The scope of the problem, however we come to that, is that transnational infrastructure must be considered compromised, at least by roughly three parties: country A, country B, then you've got the NSA, GCHQ and the Mossad as party number three, just if we simplify and consider that one block. Many national infrastructures must even be considered compromised because they are pre-owned, often operated by parties where the American, British, whatever players have access. And on top of it is the national intelligence, who also has the idea of, you know, applying surveillance, getting the data and so on. So we're dealing with even more people.

And then we have exploitation methods that are built into technology. And that is what was released by the Spiegel this morning at 11:00, where Jacob, Jake, referred to slightly, also built-in implants, which is their terminology for exploits plus something that remains in the devices in order to control it. So a lot of technology we use by default, by Cisco, Juniper, Huawei, whatever, must be considered compromised and subject to computer network exploitation or tailored access operations, that's NSA terminology. And also crypto circumvention tools are available on a scalable dimension, meaning that they collect so-called fingerprints of all our computer parameters, so operating system, browser plug-ins, versions of those plug-ins and so on, and have standard exploits at hand ready to inject into our TCP/IP streams.

And this is just a very rough picture. The NSA puts this very rough picture in a bit more of a beautiful form. So I don't want to like analyze this here in front
of you. You can do that at home, but you get roughly the idea of, you know, cables connecting countries or continents, regional infrastructures of the collection services, cooperating operators of fiber optic networks within or cross-country, plus implants, which make the infrastructure of foreign countries and foreign network operators remote controllable for the NSA.

The structure of the NSA programs is roughly like this, in the hope that this is of interest for you. I spend a lot of time identifying the programs of the different sections of the substance. Sections are the crypto analysis guys. They collect handshakes and stuff. The global access guys, they go for their high fiber cables. Special collection sites, that's mostly the embassies. Special source operations is cooperations with companies, telcos, carriers who run infrastructure, and tailored access operations is, you might call it hacking, but I don't call it hacking. I call it like, that's a military way of attacking computers and taking control over them. So because there's no hacker ethics involved, I don't call these guys hackers. These are assaults in governmental contract adjacent to.

All right, and then we have next to be before we can come to straight technology specific solutions in this area. We have to watch a bit of principle, because again, let's put yourself, or let's put ourselves, in the mind of a group who maybe advises the government of a country who says, we want to get out of this. OK, so what do we find next to these NSA based operations and so on?

We have problems of exclusivity of security. The NSA calls this the NOBUS principle: no one but us. If we are looking for example at heavy military-grade encryption systems which are capable of indeed providing security over even insecure network environments, this technology tends to be not only expensive but also subject to export controls, and because surveillance systems you can sell all over the planet, there's roughly no regulation in place yet. But if you come to encryption, this is considered as the ability of a country to protect itself from the global surveillance, so it's not available to all countries legally to be exported.

Hence, one also signal intelligence, so that the data being accessed through all these programs is a currency. It's being exchanged between countries. If, for example, Miss Merkel, the German chancellor, if this lady would in theory have the idea of, Oh, we need to, you know, stop that the Americans access German data and turn and we need to stop any cooperation with the NSA on this one, I guess she would find herself in the very difficult situation that if the Americans don't provide the German army and the German foreign intelligence data from their signal intelligence infrastructure, like imagery, satellite imagery of stuff happening in Afghanistan or elsewhere, she will have a few hundred dead German soldiers to handle and a problem justifying that. So there is dependencies of countries in this exchange of SIGINT, and these dependencies are very different depending on the country and so on. But they need to be identified, because as long as we don't, let's say, integrate that in our concept, we stay pretty naive. OK, because reality is not only what can be done technology, but also what are interests and what are trade-offs and what kind of deals are being made to ensure that national governments exist or whatever.

And by the way, that's the third point, and that's not so unimportant one, that also country-specific control freak structures, the so-called governments, that tend to be control freaks by nature as they need to, or have this idea of controlling not only a geographic territory, but also people living there and, you know, companies acting there and so on and so on, and borders and all these things that define a country. And so we might, of course, even if, you know, it's a bit of a strange idea, but we might of course say,
Well, yes, OK, maybe a world is better with strong nation-states than with one nation state that all the other social groups, all the others have. However, you said, however, governments tend to want to avoid third party accesses. They want to be in exclusively. By the way, that also helps them to raise the value of their own SIGINT, because if the others have it already, then it's heavy, it's hard to trade it. Okay, but if you are, like, able to establish a bit of exclusivity on your stuff, it's worth more. And if we like that principle is another question, but maybe we can use it in some way. And also, they want to ensure that they have their access to self. And here it gets, here we run into a lot of problems and I'll come to that.

So let's say we have our country, we look at the interconnection stuff, we look at cross-country stuff. We might identify the companies acting here, their jurisdictional obligations, meaning if they are American companies, if they like it or not, they are obliged by law to allow NSA access to their stuff, and also their options clandestinely, so covertly, to do whatever with the infrastructure. We have to identify whatever exchange and cooperation agreements between the national intelligence guys and foreign intelligence are existent, because that's, as I said, very important, and we need to identify what kind of foreign embassy, so situations we have, as we learn that the United States National Security Agency uses the embassies' locations quite intensely for, especially, of course, acting in unfriendly environments but also in other countries. I come to that in a second. And then the target, the implant, so whatever infrastructure there is in place, not physically, but logically. So what part of our infrastructure in our country is already or might be subject to remote control, network speed, our normal network of Cisco, whatever technology providing switching and so on.

If we look at this first area of the costs, cross-country installations, we have a lot of material already, thanks to Snowden, in our hand to identify the taps, to possibly reconfigure routing, to think about bulk encryption for international traffic between specific points and also building up alternative connections, circumventing those points where we know. That, by the way, started to happen, that countries like Finland are connecting their stuff not through Sweden and other areas. So this is unfortunately like a screenshot from a bloody television where Glenn Greenwald was browsing through some stuff. But this is just some of the operations of what is called FORNSAT, so foreign satellite communications are being collected, and we have more of those things.

The other is on. The second point is reviewing third parties operating in the country. So identify who owns what companies. Review network architecture to identify critical points. Review of or identifying clean operators, so those who do not by default hand over their data. And there is, as usual for a nation state, if we are a government of some country, there's a lot of options to put conditions into licensing. So to make, you know, the national reporting or this or that. This stuff is already happening, but it often happens also on the just very selfish interest of countries who say, OK, we just play NOBUS as well, OK, we'll just say we get all the data of all the citizens in our country, not the NSA by default. And if the NSA wants something, then we have something to trade. That's of course not what we want. So we got to be careful about the ideas we're spreading and where they end up in national agendas. So, and you can shift, at least that's important, your critical services to operators where you suspect a better level of understanding of the problems and taking care of it.

We have country-specific situations where normally this should have happened long ago, like if you look at Greece, in Greece in 2006 there was a huge interception
scandal on the prime minister, the most important ministers. It was a very technically complicated thing, that was a lawful interception system which was reprogrammed in a way that these ministers would be targeted, lawful interception measures which would not show up in the normal lawful interception systems, statistics and so on. It was all identified to be coming from Vodafone. There was the chief technician of Vodafone security Greece found hanged. So a so-called suicide which no one believes, and the police investigation indeed started after some years again. But the funny thing is that it went to the level that the Greek government understood that Vodafone is a problem for them. But what they did was not revoking their license, but just cashing in 150 million euro on compensation charge, and everything remained in service. So that was 2006, and 2013 we learned about the same company that indeed they do have obligations to the British government, similar to those to the Americans. So it's not always enough that we know what companies are doing what. The idea of national governments then acting the right way also needs to be, they need to be instructed, obviously, or kind of like that.

And then we have this situation of the cooperation agreements from national, local intelligence agencies with the NSA, where a review of the national capabilities and so on is like of utmost importance. In Germany, especially, this situation is as fucked up as it can be. By the way, when Germany was still east and west, the East German government, the intelligence of the East German government, got hold of what is called the NSRL. That's the National SIGINT Requirements List. That's one of the most secret documents of the NSA, listing all the targets in all the countries, like what they want on that government, what they want on that company in that country and so on and so on. So they had that list and they knew, the Americans knew that East German intelligence had it. The authority keeping the records of the East German intelligence, headed by a guy called Gauck, turned over that material, that NSRL list, which is, by the way, the same list that identified later that Mrs Merkel is a target. They gave it back to the Americans without keeping a copy, under police protection, and the head of that authority keeping that records later was not punished because he betrayed German interest for American interest. No. He became Germany's president. So that's the same guy being our president now. And when Snowden came up in late June, he said stuff like, Oh, I don't have any sympathy for traitors. And then later, a month or few days later, we had him, yeah, OK, well, maybe we need to find out what happened, whatever. But at least he gave us an idea on his recycling ability in the situation, because I mean, what do you want to do with a guy who's heading your country, who's obviously putting U.S. interests over the interests of the country he's meant to be the president of and take care of? I mean, you might be able to recycle that guy maybe as dogfood or so, but I don't really get the idea what he can play for a helpful role in politics.

So if we come to the areas where clandestinely, so covertly, embassies and similar offices, so also, let's say, foreign companies, or in disguise of foreign companies, offices do stuff there. Actually, we tried this in Germany and we spent quite some time with it, looking what the hell are they doing and what can we find out. So to look at their installations, their areas, they target, the persons like working in the embassies, their roads, their movements, their activities. I mean, if you are, or if we are like to think of to be a government of a country, we obviously would have some options to look closer of who might be dealing here. But also, of course, the next step would be then to target that kind of stuff. So using strong encryption, improving physical security, shielding and integrity of components and
so on. So this sounds all pretty wild, but I think it's pretty important.

This is the list of the CIA sites, all the special collection service, and most of them are indeed in embassies. If you look at, for example, this is the rooftop of the U.S. Embassy in Berlin. I mean, that's pretty obvious that this is not a wall right in the middle. And we looked at it with thermal imagery. We even identified the spots where the stuff is being like located and so on. However, 100 meters behind us, the British Embassy, the British Embassy don't even cover it. They just put a fucking huge installation with a radome on their embassy. So the Americans at least tried to make it look a little bit nice. However, this is unfortunately in Germany as well. The stuff I made in the Latics for the smoker's situation, so they have one of these walls which are not walls, on the bottom right corner with the red things, in each cell north, east, west, south, in each direction, and their location is pretty good for getting just them and other like while their stuff and so on from the parliamentarian offices, from the parliament itself, from, uh, the most important hotels and the governmental district and stuff like that. There is actually Duncan Campbell collects these embassy pictures. He has a lot more. I don't want to bore you with that, but if you're into nice pictures, he has a lot more.

Um, what we found and what was published just today is that also embassies play, so the special collection service plays a role in the active exploitation methods. So when they want to inject data packets, when they redirect internet traffic and they want to corrupt or shut down TCP/IP connections, what they need is, the red and blue differentiation here is, actually the blue is high latency sites, all that stuff being done abroad in the NSA facilities in Langley or wherever. And the red stuff is low latency. So that's local infrastructure. And in order to be able to do specific attacks on TCP/IP connections, they need low latency. So they need very fast reactions and very fast using of local infrastructure and implants, which they control from a system connecting them in the embassy. So that's pretty funny and makes it pretty necessary to look at the internet connections of the embassies or the fiber optic cables connecting them, because this is almost cyber warfare. I mean, this is the active attacks on connections.

And I discussed this with some guys from, let's say, other government and they told me, Yeah, yeah, you're right. But you know, an embassy. You could, of course, think that just you build a huge Faraday cage and you build around it and you'll have a lot of. Of last, but embassies tend to be buildings also not only connected, not only having an air interface, to say, to whatever is around, but also having like electricity connection, which could be used and not used for stuff, telephone, internet like fiber, as water, drainpipe, plumbing. Plumbing might, you know, might make you think of here, the system built up on the Congress, but plumbing has a total different meaning in this context, because if you look at the traveling of any U.S. president, if he goes to any other country, he comes with his own chemical toilet. He will never sit in the normal hotel's plumbing, because from whatever he extracted from his body, you can identify his blood group, his medication, his whatever, if he is healthy or is not healthy, his life expectation and so on, and they don't want that information to leak. So, sorry for the holistic approach, but there's like many dimensions of knowing your enemy.

So the last area, and I seem to need to come to an end, in this review thing is the implants, the implants in your own infrastructure, in peering points, exchange points, but networks, but also in your infrastructure that you, as your own country's government, use for lawful interception and monitoring. Because if that infrastructure is pre-owned, then the NSA doesn't even need to build up their own monitoring infrastructure. They just use your capabilities. And also, these implants, of course, have patterns of phoning home. They need to be controlled. They are doing stuff like that too, uh, are being controlled by this tableland system.

So the whole paradigm of national infrastructure, it's actually something to rethink, because people think in physical locations and the NSA just totally ignores country borders and stuff like that. They just see technical components they can use, utilize wherever they are. And that's it. So we might have to even redefine what is a national country and what is a government and what is power and so on. Because if you're just actually paying the electricity bill for an infrastructure that they own, well, then that's not what we want.

There is, of course, one very dangerous thought from my point of view, because if we are thinking too military, and that's what these guys sometimes suggest us to do, is to compare like, for example, networks with rockets, like controlling each other country's territory, flying over, infiltrating and so on. Because then we find ourselves in military ideas of how to defeat attacks on other countries. And then we come to strong borders and, you know, nationalization of traffic and so on. And that's not what we want. So there is some dangers in the specific ways of looking at these things.

So I'm roughly through. I have some related thoughts which I wanted to give. If you can't protect stuff, I mean, if you can't protect your infrastructure, then avoid putting stuff on it that you don't want to be in the wrong hands. That's pretty simple. It also means that we need to maybe apply, and suggest also that companies apply, a principle of need to process, a limitation of that data that is required in a process, and not always get the full data set to somewhere where it's just about checking the shipment address or something, where you transfer all the credit records and whatever over there. So if you can't protect data being collected and data retention systems, then don't have them. Forget centralized databases if these centralized databases are maybe pre-owned or too easily accessible. Then forget processing more data than required in a process. Forget national intelligence collections, because if you can't protect that, then you're just like supporting foreign power growing without benefit for your own people. And also avoid private collections for marketing or whatever reasons.

Next to that, there are some situations that need to be managed that are totally out of control. That's like if your citizens' data are in foreign systems, in Google and Yahoo and Facebook or whatever. The question is, what can you do about that? It's more an open question, but it needs to be identified to what extent this is reality. Also, if your national companies have their data in foreign systems and cloud providers, that can be identified and taken care of. And of course, also if you are in a stage of outsourcing all your governmental administrative services to some companies, you might be doomed as well, because you've just got to find out who is really running those companies, in which jurisdictions they act and what they do with the data elsewhere and so on.

So, and then next to that not so short to-do list, there's the whole range of communication security and operational security, where we could also get the idea, maybe we should live an hour of shielded Faraday tents like these gentlemen tend to do. So this looks maybe like it's somewhere in the desert, but actually these type of tents they built up in the presidential lounges of hotels. So like they create their own small reality to not get radiation in and out. And this means we get to maybe, in the intermediate phase, think about how we survive on the way. I think if we realistically see our infrastructure and it's all the way compromised, we need to start with something we can rely on, with separate devices for strong security requirements, where we have very far limited hardware problems, where we have a hardened operating system, where we have strong encryption and also our own measures to handle that, like fingerprint verifications and so on. So in that type of environment, if you're thinking Tails over Tor, everything, that's roughly the right direction. But the moment you start using the web, images, scripts, plug-ins, forget it. You're dead, you're already taken over to that type of mission. So normal internet usage is like being out in the world by default, and data processing needs scenarios where there is limitations what all is being failed if a single node, or if one of the entities processing stuff, is being taken over or whatever.

So that's to be honest, of course, just rough ideas. This stuff is missing lots of things. Your thoughts and your comments? That was that from my side pictures.

It's not like we have like 50 minutes or so, right?

Yes, yes, we have lots of time. So if you have any questions or if you have any ideas and want to talk about what one could do, please line up at the microphones. Also, all ideas and comments are appreciated. And while I give you time to do that, I also want to mention that the talk from Saal 1 is going to be streamed here. So if you want to see that, you can stay here and there is no need to scramble over for the last seat over there. It's all going to be streamed over here. So any questions from IRC? Yes, there. Audio, could you? Sorry.

Yes, our questions. First one, did the NSA manage to infiltrate Tor? If yes, to what extent is it still usable against an adversary like the NSA?

By default, Tor is not broken, but there is so many ways to circumvent and to deanonymize and to exploit and control clients that it totally depends on your Tor client's environmental operating system situation, so to say. And of course, there is possibilities, because you also, in most Tor or in many Tor situations, you also still leak information about the type of system you're using. You might still have stuff like JavaScript enabled, which might make you subject to attacks and other ways. So it also depends if you're providing maybe an additional attack vector, what you do over Tor, so it's not clear all a safe situation.

Question from number two, please.

Thank you for the talk. I would like to ask you a question if you are, let's say you're having a commercial institution or a governmental and you need to use some kind of an infrastructure. But then we can suspect that most of the major hardware vendors are compromised. So what other choices do you have when you need performance?

OK, your first part of a question. I have no commercial interest involved in this directly, but yes, I'm involved in a company called Cryptophone, which tries to do encrypted telephony. I'm involved in the Wau Holland Foundation, which tries to support people, to support, to build up actually secure communication and also to operate and help projects like WikiLeaks to do what they are meant to be done. And that requires a lot of secure communication. To your second part of the question: indeed, identifying hardware manufacturers or, let's say, trustworthy hardware components to start with is actually, I think we are roughly at the beginning of that journey, because just today, the series of implants on Cisco, Juniper, Huawei and so on was released by the Spiegel, and I utterly hope that maybe, for example, Chinese companies will see their chance, that the only way out of this is to provide trustworthy, open hardware. Because if we don't have that, well, where are we going to end up? Building our luxury security environment on sand, which is not helpful. So, but I don't have a clear advice at this moment what I would myself consider a secure hardware. Maybe I just haven't found it yet.

A question from number one, please.

Well, not a question, bu
t I like the the things you showed about Obama and how he uses, like all these crazy things, and I think we have to copy their ideas and change them, modify them so that we can use them in small ways. I don't know. We have to be more aggressive and conscious, counter a spying back like, I mean, this thing about the embassies. We could have made years ago pictures with infrared cameras. It's just as simple as that. You're totally right. And actually, I also had some exchange with Duncan Campbell about it. And I actually hope that because I have this list of the SARS collection points in my wiki and they're like five of them. I have pictures. So there's a lot more work to do in many countries, and this can be a crowdsourcing thing. We don't need national governments. They are helping us. We just need to get them out of the way for us to do that. You're totally right. We should have done that long ago. And the funny thing is, the Ricky, you started, we in our group, our local group, we started the same things and we didn't know about many of the other whiskeys probably already existed. Just interesting. Yeah. Well, I'm not sure there was a question, but no, I'm done. But the point is that I mean, building up your own intelligence agency and replacing and it's a by the galactic hacker community's intelligence agency as a neat idea. However, there is one problem and that while Holland said it with a word that is slightly difficult to play with those guys making the rules. And that's unfortunately true for part of that thinking. Still. You guys should definitely exchange information. Oh, yeah. Have I seen it before? Actually, there's another question for us here. Yes. Two extra eight. So this is a question from Finland and starting January 1st, our police gets new legislation that enable them to engage an active network in surveillance. Secondly, our government will soon publish a new cyber security strategy, and they want to initiate the signal intelligence operations ex
plicitly in the name of or for network security and to leverage their position in intelligence trading with other states. What kind of political and technical message would you have for the Finnish citizens here on video? What things and jargon should we keep an eye on and what should we demand on our government and politicians? So in that sense, a Google data center we have is it's a second collection site. So I'm starting with the last one, just kind of it is because if Google likes it, likes it or not, they are subject to U.S. jurisdiction legislation and it can get anything they want from them. And that doesn't mean that Google does evil, but yes, they do, because they don't encrypt everything in a way that only the users have the keys and one coming to the more serious other questions. Indeed, the Swedish was it Sweden, Finland, Finland? Sorry, the Finnish situation got to be evaluated. I guess it's very important to first understand the cooperation agreements of the national intelligence agencies because if you don't have them on your side and that is true in many countries and places, then you have them, then they are not part of the solution, but part of the problem. And then maybe they need to be dissolved and the guys need to be imprisoned and they need to be handled as traitors of national interests. So having having said that, the other big question is actually what kind of legislation is in place to allow or not allow foreign telecommunication operators to operate in the countries and to really list identifier? That's a lot of research. What countries have, what kind of jurisdictional obligations to us to understand and what kind of network of dependencies you're into? I can't give a fast answer on the Finnish situation. I guess it's a few days of work for quite some people, but that is stuff that can be done locally and should be done locally because that people know better what they're dealing with. So I hope that this idea, as it was giving it like p
rocedures for the Finnish people and for many other people to, you know, do that tasking that that is a lot of work, but it got to be done country specific anyhow. So it's like there's not one solution fits it all. No, it has a comment or question. Please go right ahead. OK, well, thank you for your talk, which I found pretty inspiring, but I was surprised to see you fingerprint identification on the list of tips. As far as I know your client revoke fingerprints, they knew how unique they couldn't get her to file false hands. So could you comment on that under which circumstances it could be wise and how to use your fingerprints for identification? OK. It is true, however, that fingerprints can be, you know, done, exchanged and handled and misused in many ways. However, in the former times, we tended to think that encryption is pretty good and so on. What I have learned through studying the Snowden material is that they have a massive global, scalable infrastructure for many of the medal games for crypto, as a convention for playing with our clients, for playing whatever is in the middle, getting messages from A to B, and without verification of that, we are working on the same keys that this is what this is about and fingerprint verification might be one way there might be other ways, but that's for like the standard scenario JPEG stuff into one or two. Ah, that's the best we have for the moment. How you do that? Sorry, I don't have an answer yet. It might be very inconvenient, like having to do with traveling and using unsecure communications are doing whatever. That's probably better and better people than me answering that question. I think you're doing fine. One last question from IOC, please. Or maybe they are more now for the moment, it's the last one is using non-smart phones better and protecting information stored on the phone. Yes. If you can't install any software and you don't have the capability to run the task or display images, that because there's n
o image viewer end when there's no imagery can be exploited. If there's no scripting language and cannot be used if there's no, you know, that's all right. However, SIM toolkit, as we have seen in the NSA implant selection program, is also a way to play with mobile phones so that even totally independent from the model of telephone you use, the SIM card might be used to track your location to send covered SMSes with a film book entry stored on this SIM and other things. So maybe no telephone is sometimes better than a telephone, but. Number two, one. And yet picking up the question from from from Finland, so what you would you recommend in general for four legislative changes, be it like warranties, liability in services like that? They are some and are strong like recommendations on what should be changed on the on the legal side of of of of of of regulating technology. And you have technology. Well, actually, you'd be the better prison to answer some part of it because you have been more involved in the European legislation of it. But I mean, obviously stuff like data retention is a huge risk because it collects data that does not have to be collected and it does not ensure at all that that data does not get on the wrong hands. And there's many other like collection of data which maybe should be general forbidden in such forums because it can be abused too easily. So principles of using and storing as less data as possible and required and decentralizing the infrastructures well, there's no central abuse options and so on. But it totally depends on the area. What what we're talking about, what's the best solution I'm just identifying for me, I think this need to process principle set to limit whatever data you need in a process to really that required and not to always carry around too many data with you through like components that could be compromised. That's, I think, an important part of a policy to be looking at whatever the concrete example is. So I think. M
y ability to give you an extension of this was all of our data. Also on the security side of it, I mean, it's basically dealing with insecurity in the technical world. So that's also something which could be regulated in terms of we have some sort of technical regulations in Germany. Every school is regulated, so there are recommendations to to to have the processing of dealing with insecurities and dealing with their abilities. Are there like recommendations, how to deal with it in like the regulation? Yes, I think we're coming to that because as we have learned through the material, most default fireball, a commercial firewall, so-called security mechanisms must be considered more part of the problem than part of the solution because they provide the illusion that you could protect an environment where a lot of you know, highly valuable target data is there. And that illusion of security is a lot more danger than, you know, there's no fucking way we can protect if we are online. So to to to simplify it a little bit, but I don't really have the set of policy like I think we need to right that actually to to write the guidelines on how to secure how to provide security under these circumstances. But actually, I think we are still in the status of identifying the size of the problem. We're not there yet in all areas to really say that is the solution and. Casualties over the last days with a couple of those who thought all about like doing insecurity much, much more expensive and security, sure. And I think that's the right way to to raise the costs. But but but if people think that I'm exploiting millions of clients is raising a lot of cost, they are wrong. So first, we need to. I mean, right now, the exploitation of infrastructure is massive. It's scalable. It doesn't cost a cent for them to do it. It's just too easy. And to raise the cost is quite. I totally agree with you on the goal, but we need to identify how to get there. We're not there yet. I think, or only
very rough.

OK, two more quick questions. Oh gosh, even more. Yeah.

In this context, I see that most of the problem is related also to the concentration of power that the U.S. gained through all the NSA activities. In this context, the question is: shouldn't the national security authorities, especially law enforcement agencies or even the national intelligence agencies, do something to protect their own citizens in their own countries?

Well, yes, that's the theory of their job description. However, the problem is that I mean, I had this discussion with a member of the German parliament. He asked, you know, should we dissolve the intelligence agencies or should we give them a lot more money so that they can do their job independently from the Big Brother? And actually, before I find myself in the role of advising someone from the parliament to get a lot more money to the intelligence, I want to sleep some nights and think about it. I'm.

Just to comment on this, using national intelligence to protect against foreign intelligence by empowering the national one is probably wrong. But when we was discussing today with me about the fact that some law enforcement authorities are very upset about all this, I about the intelligence because they are doing an activity that is heavily regulated while the intelligence can do whatever they want. So there could be some conflict of the interest in having the law enforcement agencies going against foreign intelligence powers.

You are totally right, but unfortunately, that type of conflict often ends if the law enforcement guys get whatever they want. Okay. Like bulk access to all data, trillions, you know, data, whatever they want, they are kind of jealous of the intelligence guys. That is true. But I'm not sure if that is part of the problem solving process to make them satisfied with their requirements. I mean, maybe it is to some extent, but not to the extent that they get whatever they want. I mean, that can be it.

So
it turns out we're actually out of time, I'm sorry, but maybe I could ask you to come down and great question. Go ahead.

Sure. The seals the stones of the company Mr Yano Lynell, is referred to as cybersecurity general in Finland. And I think the politicians look up to him as some kind of authority. And there's a kind of commercial connection in this.

To be honest, I didn't really understand the question, but could you repeat the question?

And. Is it the problem that the cybersecurity general is a CEO of a commercial company, which is not anymore Finnish, but it's sold to some foreign other company?

Well, let's say it like this. I mean, the militarization of cyberspace is obviously there, if we like it or not. And it's there for quite some time. If you look at Israeli companies, you will find no technology companies where the guys have not been attached to the Israel Army Service and so on. If they all have to go there and if they're good with technology, they end up in those departments. So and we can like it or not like it. If you look at French companies like VUPEN selling exploits, that's also run by, you know, former people of the government and firemen, of course, they have now only a private, beautiful life selling weapons to attack all of us. Mm-hmm. So. Well, I mean, cyber peace is a good idea, and we need to establish principles for that and hopefully pointed out that I don't like military thinking in these ideas because military thinking is, you know, you end up at best in this Italian triangle where different people hold big guns to each other's head and then they call that peace. And relatively it's a stable situation like half. That's not what I want to end up. So we got to find our own ways without those type of people coming from those type of environments. I think so.

But I think that's good enough for today. Thank you, Andy. Thank you.