PyCon Ireland Keynote: PRISM as a Service

Lynn Root
October 13, 2013

Blog write-up: www.roguelynn.com/prism

Originally presented @ PyCon Canada 2013, but updated with more revelations & current events.

Transcript

1. @roguelynn Who am I? • Engineer at Spotify • PSF Board Member • PyLadies of San Francisco
2. Why am I here? • What is PRISM? • Unanswered questions • How does it affect cloud services? • What can we do now?
3. Disclaimer • I am not a lawyer! • I have no three-letter-agency or PRISM-cooperative-company insight • Thoughts & opinions are my own
4. What is it? • Electronic data mining tool • Purpose is mass surveillance • Collects intelligence that passes through US servers • Supposedly only metadata
5. Who does it affect? • Targets foreigners’ communication • Cannot specifically or intentionally target US citizens
6. Who’s involved? • 98% of PRISM data comes from Google, Microsoft, and Yahoo • Other companies: Apple, AOL, Facebook, PalTalk, Skype, & YouTube
7. What is it? • Digital Network Intelligence Exploitation System • 500-700 servers (as of 2008) • Federated query system • Completely unfiltered data
8. Wait, what?!!? • Searches collected email addresses, user activity, phone numbers • Extracts files, e.g. attachments • Client-side HTTP traffic parser • Real-time interception
9. All your email are belong to US • Query for an email address • Searches bodies of emails, web pages, documents, including the To, From, CC, and BCC lines
10. Show me... • Encrypted Word documents from $X country • PGP usage in $X country • VPN connections in $X country, and give me all data so I can decrypt and discover users
11. Show me... • All Excel spreadsheets containing MAC addresses coming out of $X country • All exploitable machines in $X country • Email addresses tied to Google Maps searches • All documents that reference $Y
12. (Timeline axis labels: 1952 1973 1978 2000 2001 1946) Five Eyes Group • USA, UK, Australia, Canada & New Zealand • Purpose: to share intelligence, concentrating on signals intelligence
13. NSA established • Purpose: collecting, processing, and disseminating intelligence information from foreign electronic signals for national foreign intelligence and counterintelligence purposes and to support military operations.
14. Warrants needed • Supreme Court rules that warrants are now required for domestic intelligence surveillance.
15. FISA signed into law • Foreign Intelligence Surveillance Act, to protect against widespread abuse of wiretaps.
16. “Live on the network” • The NSA transitions into the 21st century by expressing its desire to “live on the network” to perform its offensive and defensive missions.
17. 9/11 WTC attacks • Culture against spying begins to shift at the NSA.
18. (Timeline axis labels: Winter ’01/02 Summer ’02 Fall ’01 Winter ’02) NSA resurfaces spying plan from 1999 • Deemed illegal under FISA in 1999, the NSA resurfaces its plan to perform contact chaining on metadata it collected.
19. Telecoms + domestic spying • The US administration gains access to large telecom switches carrying the bulk of US phone calls. There seems to be no obstacle preventing the NSA from eavesdropping.
20. Total Information Awareness • Program to record and analyze all digital information generated by all US citizens. Defunded, but continued to run under different names.
21. Room 641a • AT&T employees discover NSA officials on an undisclosed mission; they also discover secret rooms being built within AT&T offices.
22. Telecoms enter formal agreement to give data • Major telecommunications companies enter into a voluntary formal agreement to give metadata of calling information to the NSA.
23. (Timeline axis labels: 2007 2008 2011 2012 2005) NYT reveals companies gave backdoor access • The NSA gained the cooperation of US telecoms to obtain backdoor access to streams of domestic and international communication.
24. Protect America Act • President Bush signs a bill giving the NSA the right to collect communications without a warrant and without court oversight.
25. PRISM data collection • September 2007: PRISM data collection began with Microsoft, the first of the PRISM-cooperative companies.
26. FISA Amendments • July 9th: Congress passes amendments to FISA that give legal immunity to telecoms that cooperated with the NSA’s wiretapping.
27. UK’s turn • Estimated launch of GCHQ’s Tempora program, a clandestine electronic surveillance program, after it was first trialled in 2008.
28. NSA Datacenter • The NSA starts building its biggest spy center, in Utah, for the purpose of intercepting, deciphering, analyzing, and storing vast swaths of the world’s communications.
29. (Timeline axis labels: ? ? ? ? 2013) PRISM revealed • June 6th: the Washington Post reveals the PRISM program, 6 years after data collection started.
30. XKeyscore revealed • July 31st: the Guardian reveals the XKeyscore program, which has been in use since at least 2008.
31. • How is “foreignness” determined? • What if foreigners and US citizens communicate? • What do words like “backdoor”, “direct”, “intentional” mean? • How is the PRISM-collected data handled? • What analysis is being done on collected data?
32. What about... • US citizens abroad? • US citizens using services abroad? • Are US permanent residents considered foreigners? • Foreign persons/companies using services from US-based companies incorporated abroad?
33. Recognized effects • 56% less likely to use US-based services • 10% cancelled US contracts • Germany forbids future data transfers to non-EU clouds • US economy stands to lose $22-35 billion
34. Recognized effects • Silent Circle’s voluntary shutdown • Lavabit now in court over SSL certs • Wikipedia switches to HTTPS • Silk Road shutdown
35. Which is it? Does it matter? • Is security compromised? • Or is it a lack of government oversight?
36. As professionals • Use services that are within your company’s jurisdiction • DIY clouds • Know your neighbors
37. As professionals • Use services that are within your company’s jurisdiction • DIY clouds • Know your neighbors • Encryption
38. Outlook • How much can we still trust SSL? • Do we need to reevaluate the CA system? • Reboot our encryption protocols and habits entirely?
39. “No matter how paranoid you are, what they’re actually doing is much worse than you can imagine.” – Ralph J. Gleason