WEBVTT
00:00:00.000 --> 00:00:12.590
rC3 preroll music
00:00:12.590 --> 00:00:18.109
Herald: This is Ross Anderson, and he's
giving a talk to us today, and the title
00:00:18.109 --> 00:00:24.079
is What Price the Upload Filter? From Cold
War to Crypto Wars and Back Again. And
00:00:24.079 --> 00:00:31.489
we're very happy that he's here today. And
and for our non-English speaking public,
00:00:31.489 --> 00:00:35.990
we have translations.
speaks german
00:00:35.990 --> 00:00:41.300
Dieser Talk wird auf Deutsch übersetzt.
speaks french
00:00:41.300 --> 00:00:49.839
Cette conférence est traduit en
français aussi.
00:00:49.839 --> 00:00:56.769
Yeah. Um. Ross, ready to start? Let's go.
Have a good time. Enjoy.
00:00:56.769 --> 00:01:09.750
Ross: Yes, ready to go. Thanks. OK. As has
been said, I'm Ross Anderson and I'm in
00:01:09.750 --> 00:01:13.620
the position of being one of the old guys
of this field and that I've been involved
00:01:13.620 --> 00:01:18.680
in the crypto wars right from the start.
And in fact, even since before the clipper
00:01:18.680 --> 00:01:27.510
chip actually came out. If we could go to
the slides, please.
00:01:27.510 --> 00:01:31.407
Right, can we see the slides?
00:01:31.407 --> 00:02:09.505
silence
00:02:09.505 --> 00:02:14.790
surprised the U.S. armed
forces. And guess what happened? Well, in
00:02:14.790 --> 00:02:21.060
the 1950s, Boris Hagelin had set up that
company, secretly sold it to the NSA and
00:02:21.060 --> 00:02:28.110
for a number of years, quite a lot of years,
countries as diverse as Latin America and
00:02:28.110 --> 00:02:33.130
India and even NATO countries such as
Italy were buying machines from Crypto AG,
00:02:33.130 --> 00:02:39.470
which the NSA could decipher. And this had
all sorts of consequences. For example,
00:02:39.470 --> 00:02:44.780
it's been revealed fairly recently that
Britain's success against Argentina in the
00:02:44.780 --> 00:02:50.680
Falklands War in 1982 was to a large
extent due to signals intelligence that
00:02:50.680 --> 00:02:58.790
came from these machines. So, next slide,
please. And in this prehistory of the
00:02:58.790 --> 00:03:03.600
crypto wars, almost all the play was
between governments. There was very little
00:03:03.600 --> 00:03:08.180
role for civil society. There was one or
two journalists who were engaged in trying
00:03:08.180 --> 00:03:13.870
to map what the NSA and friends were up to.
As far as industry was concerned, well, at
00:03:13.870 --> 00:03:18.180
that time, I was working in banking and we
found that encryption for confidentiality
00:03:18.180 --> 00:03:22.319
was discouraged. If we tried to use line
encryption, then false mysteriously
00:03:22.319 --> 00:03:26.880
appeared on the line. But authentication
was OK. We were allowed to encrypt PIN
00:03:26.880 --> 00:03:32.380
pad, PIN blocks. We were allowed to put
MACs on messages. There was some minor
00:03:32.380 --> 00:03:37.250
harassment. For example, when Rivest,
Shamir and Adleman came up with their
00:03:37.250 --> 00:03:42.650
encryption algorithm, the NSA tried to
make it classified. But the Provost of
00:03:42.650 --> 00:03:47.840
MIT, Jerome Wiesner, persuaded them not to
make that fight. The big debate in the
00:03:47.840 --> 00:03:52.880
1970s still, was whether the NSA affected
the design of the data encryption standard
00:03:52.880 --> 00:03:57.800
algorithm, and we know now that this was
the case. It was designed to be only just
00:03:57.800 --> 00:04:04.330
strong enough and Whit Diffie predicted
back in the 1970s that 2 to the power of
00:04:04.330 --> 00:04:08.920
56 key search would eventually be
feasible. The EFF built a machine in 1998
00:04:08.920 --> 00:04:13.510
and now of course that's fairly easy
because each bitcoin block costs 2 to
00:04:13.510 --> 00:04:20.169
the power of 68 calculations. Next slide,
please. So where things get interesting is
00:04:20.169 --> 00:04:25.919
that the NSA persuaded Bill Clinton in one
of his first cabinet meetings in 1993 to
00:04:25.919 --> 00:04:30.270
introduce key escrow, the idea that the
NSA should have a copy of every of these
00:04:30.270 --> 00:04:36.860
keys. And one of the people at that
meeting admitted later that President Bush,
00:04:36.860 --> 00:04:41.280
the elder, had been asked and had refused,
but Clinton when he goes into office was
00:04:41.280 --> 00:04:46.300
naive and thought that this was an
opportunity to fix the world. Now, the
00:04:46.300 --> 00:04:50.159
clipper chip which we can see here, was
tamper resistant and had of secret block
00:04:50.159 --> 00:04:58.620
cipher with an NSA backdoor key. And the
launch product was an AT&T secure phone.
00:04:58.620 --> 00:05:05.030
Next slide, please. Now the Clipper protocol
was an interesting one in that each chip
00:05:05.030 --> 00:05:12.210
had a unique secret key KU and a global
secret family key kNSA burned in. And in
00:05:12.210 --> 00:05:18.189
order to, say, send data to Bob, Alice had
to send her clipper chip a working key kW,
00:05:18.189 --> 00:05:22.890
which is generated by some external means,
such as a Diffie Hellman Key exchange. And
00:05:22.890 --> 00:05:28.430
it makes a law enforcement access field,
which was basically Alice and Bob's names
00:05:28.430 --> 00:05:33.529
with the working key encrypted under the
unit key and then a hash of the working
00:05:33.529 --> 00:05:38.449
key encrypted under the NSA key. And that
was sent along with the cipher text to make
00:05:38.449 --> 00:05:43.209
authorized wiretapping easy. And the idea
with the hash was that this would stop
00:05:43.209 --> 00:05:47.830
cheating. Bob's Clipper Chip wouldn't use
a working key unless it came with a valid
00:05:47.830 --> 00:05:53.889
LEAF. And I can remember, a few of us can
still remember, the enormous outcry that
00:05:53.889 --> 00:05:57.819
this caused at the time. American
companies in particular didn't like it
00:05:57.819 --> 00:06:02.439
because they started losing business to
foreign firms. And in fact, a couple of
00:06:02.439 --> 00:06:07.499
our students here at Cambridge started a
company nCipher, that grew to be quite
00:06:07.499 --> 00:06:13.300
large because they could sell worldwide,
unlike US firms. People said, why don't we
00:06:13.300 --> 00:06:17.019
use encryption software? Well, that's easy
to write, but it's hard to deploy at
00:06:17.019 --> 00:06:22.749
scale, as Phil Zimmermann found with PGP.
And the big concern was whether key escrow
00:06:22.749 --> 00:06:28.620
would kill electronic commerce. A
secondary concern was whether, how on earth,
00:06:28.620 --> 00:06:32.389
will we know if government designs are
secure? Why on earth should you trust the
00:06:32.389 --> 00:06:40.669
NSA? Next slide, please. Well, the first
serious fight back in the crypto wars came
00:06:40.669 --> 00:06:45.259
when Matt Blaze at Bell Labs found an
attack on Clipper. He found that Alice
00:06:45.259 --> 00:06:52.339
could just try lots of these until one of
them works, because the tag was only 16
00:06:52.339 --> 00:06:57.589
Bits long and it turned out that 2 to the
power of 112 of the 2 to the power of
00:06:57.589 --> 00:07:03.749
128 possibilities work. And this meant
that Alice could generate a bogus LEAF
00:07:03.749 --> 00:07:07.589
that would pass inspection, but which
wouldn't decrypt the traffic, and Bob
00:07:07.589 --> 00:07:11.879
could also generate a new LEAF on the fly.
So you could write non-interoperable rogue
00:07:11.879 --> 00:07:16.691
applications that the NSA has no access
to. And with a bit more work, you could
00:07:16.691 --> 00:07:21.479
make rogue applications interoperate with
official ones. This was only the first of
00:07:21.479 --> 00:07:30.089
many dumb ideas. Next slide, please. OK,
so why don't people just use software?
00:07:30.089 --> 00:07:36.189
Well, at that time, the US had export
controls on intangible goods such as
00:07:36.189 --> 00:07:40.430
software, although European countries
generally didn't. And this meant that US
00:07:40.430 --> 00:07:45.610
academics couldn't put crypto code online,
although we Europeans could and we
00:07:45.610 --> 00:07:52.059
did. And so Phil Zimmermann achieved fame
by exporting PGP, pretty good privacy, some
00:07:52.059 --> 00:07:56.099
encryption software he had written for
America as a paper book. And this was
00:07:56.099 --> 00:08:00.509
protected by the First Amendment. They
sent it across the border to Canada. They
00:08:00.509 --> 00:08:04.360
fed it into an optical character
recognition scanner. They recompiled it
00:08:04.360 --> 00:08:08.889
and the code had escaped. For this Phil
was subjected to a grand jury
00:08:08.889 --> 00:08:13.979
investigation. There was also the
Bernstein case around code as free speech
00:08:13.979 --> 00:08:19.059
and Bruce Schneier rose to fame with his
book "Applying Cryptography", which had
00:08:19.059 --> 00:08:24.249
protocols, algorithms and source code in C,
which you could type in in order to get
00:08:24.249 --> 00:08:31.960
cryptographic algorithms anywhere. And we
saw export-controlled clothing. This
00:08:31.960 --> 00:08:36.389
t-shirt was something that many people wore
at the time. I've actually got one and I
00:08:36.389 --> 00:08:41.089
planned to wear it for this. But
unfortunately, I came into the lab in
00:08:41.089 --> 00:08:47.230
order to get better connectivity and I
left it at home. So this t-shirt was an
00:08:47.230 --> 00:08:53.009
implementation of RSA written in perl,
plus a barcode so that you can scan it in.
00:08:53.009 --> 00:08:58.350
And in theory, you should not walk across
the border wearing this t-shirt. Or if
00:08:58.350 --> 00:09:03.270
you're a US citizen, you shouldn't even
let a non-US citizen look at it. So by
00:09:03.270 --> 00:09:08.579
these means, people probed the outskirts of
what was possible and, you know an awful
00:09:08.579 --> 00:09:17.070
lot of fun was had. It was a good laugh to
tweak the Tyrannosaur's tail. Next slide.
00:09:17.070 --> 00:09:25.030
But this wasn't just something that was
limited to the USA. The big and obvious
00:09:25.030 --> 00:09:30.230
problem, if you try and do key escrow in
Europe, is that there's dozens of
00:09:30.230 --> 00:09:35.810
countries in Europe and what happens if
someone from Britain, for example, has got
00:09:35.810 --> 00:09:40.100
a mobile phone that they bought in France
or a German SIM card and they're standing
00:09:40.100 --> 00:09:44.509
on the streets in Stockholm and they phone
somebody who's in Budapest, who's got a
00:09:44.509 --> 00:09:48.699
Hungarian phone with the Spanish SIM card
in it. Then which of these countries'
00:09:48.699 --> 00:09:54.260
secret police forces should be able to
listen to the call. And this was something
00:09:54.260 --> 00:09:59.930
that stalled the progress of key escrow,
that's a good way to describe it, in Europe.
00:09:59.930 --> 00:10:06.839
And in 1996 GCHQ got academic colleagues
at Royal Holloway to come up with a
00:10:06.839 --> 00:10:11.860
proposal for public sector email, which
they believe would fix this. Now, at the
00:10:11.860 --> 00:10:18.919
time after clipper had fallen into
disrepute, the NSA's proposal was that
00:10:18.919 --> 00:10:24.130
also the certification authority should have
to be licensed, and that this would enforce
00:10:24.130 --> 00:10:27.879
a condition that all private keys would be
escrows, so you would only be able to get a
00:10:27.879 --> 00:10:33.530
signature on your public key if the
private key was was held by the CA. And
00:10:33.530 --> 00:10:38.440
the idea is that you'd have one CA for
each government department and civilians
00:10:38.440 --> 00:10:42.190
would use trusted firms like Barclays Bank
or the post office, which would keep our
00:10:42.190 --> 00:10:48.009
keys safe. And it would also work across
other EU member states, so that somebody in
00:10:48.009 --> 00:10:53.870
Britain calling somebody in Germany would
end up in a situation where a trustworthy
00:10:53.870 --> 00:10:59.220
CA, from the NSA's point of view, that is
an untrustworthy CA from our point of view,
00:10:59.220 --> 00:11:03.680
in Britain would be prepared to make a key
and so would one in Germany. This, at
00:11:03.680 --> 00:11:10.630
least, was the idea. So how do we do this,
next slide, on the GCHQ protocol. So here's
00:11:10.630 --> 00:11:14.829
how it was designed to work in the UK
government. If Alice at the Department of
00:11:14.829 --> 00:11:20.120
Agriculture wants to talk to Bob at the
Department of Business, she asks her
00:11:20.120 --> 00:11:26.089
Departmental Security Officer DA for a send
key for herself and a receive key for Bob.
00:11:26.089 --> 00:11:35.360
And DA and DB get a top level
interoperability key KTAB from GCHQ and DA
00:11:35.360 --> 00:11:44.120
calculates a secret send key of the day as
a hash of KTAB and Alice's name and the
00:11:44.120 --> 00:11:50.430
DA's own Identity for Alice which he gives
to Alice and similarly a public receive
00:11:50.430 --> 00:11:55.481
key of the day for Bob and Alice sends Bob
her public send key along with the
00:11:55.481 --> 00:12:00.379
encrypted message and Bob can go
to his DSO and get his secret receive
00:12:00.379 --> 00:12:06.120
key of the day. Now this is slightly
complicated and there's all sorts of other
00:12:06.120 --> 00:12:11.299
things wrong with it once you start to
look at it. Next slide, please. The first
00:12:11.299 --> 00:12:14.790
is that from the point of view of the
overall effect, you could just as easily
00:12:14.790 --> 00:12:19.080
have used Kerberos because you've
basically got a key distribution center at
00:12:19.080 --> 00:12:24.630
both ends, which knows everybody's keys. So
you've not actually gained very much by
00:12:24.630 --> 00:12:31.081
using complicated public key mechanisms,
and the next problem is what's the law
00:12:31.081 --> 00:12:36.390
enforcement access need for centrally
generated signing keys? If this is
00:12:36.390 --> 00:12:40.480
actually for law enforcement rather than
intelligence? Well, the police want to be
00:12:40.480 --> 00:12:47.480
able to read things, not forge things. A
third problem is that keys involve hashing
00:12:47.480 --> 00:12:52.110
department names and governments are
changing the name of the departments all
00:12:52.110 --> 00:12:56.980
the time, as the prime minister of the day
moves his ministers around and they chop
00:12:56.980 --> 00:13:01.810
and change departments. And this means, of
course, that everybody has to get new
00:13:01.810 --> 00:13:06.320
cryptographic keys and suddenly the old
cryptographic keys don't work anymore. And
00:13:06.320 --> 00:13:10.800
those are horrendous complexity comes from
this. Now, there are about 10 other things
00:13:10.800 --> 00:13:15.420
wrong with this protocol, but curiously
enough, it's still used by the UK
00:13:15.420 --> 00:13:19.090
government for the top secret stuff. It
went through a number of iterations. It's
00:13:19.090 --> 00:13:23.939
now called Mikey Sakke, there's details in
my security engineering book. And it
00:13:23.939 --> 00:13:28.129
turned out to be such a pain that the
stuff below top secret now is just used as
00:13:28.129 --> 00:13:32.959
a branded version of G suite. So if what
you want to do is to figure out what
00:13:32.959 --> 00:13:37.050
speech Boris Johnson will be making
tomorrow, we just have to guess the
00:13:37.050 --> 00:13:44.459
password recovery questions for his
private secretaries and officials. Next
00:13:44.459 --> 00:13:51.060
slide, the global Internet Trust Register.
This was an interesting piece of fun we
00:13:51.060 --> 00:13:55.929
had around the 1997 election when Tony
Blair took over and introduced the Labor
00:13:55.929 --> 00:14:00.439
government before the election, Labor
promised to not seize crypto keys in bulk
00:14:00.439 --> 00:14:04.499
without a warrant. And one of the
first things that happened to him once he
00:14:04.499 --> 00:14:09.569
was in office is Vice President Al Gore
went to visit him and all of a sudden Tony
00:14:09.569 --> 00:14:13.449
Blair decided that he wanted all
certification authorities to be licensed
00:14:13.449 --> 00:14:18.520
and they were about to rush this through
parliament. So we put all the important
00:14:18.520 --> 00:14:23.290
public keys in a paper book and we took it
to the cultural secretary, Chris Smith,
00:14:23.290 --> 00:14:27.790
and we said, you're the minister for books
why are you passing a law to ban this
00:14:27.790 --> 00:14:32.580
book. And if you'll switch to the video
shot, I've got the initial copy of the
00:14:32.580 --> 00:14:36.579
book that we just put together on the
photocopying machine in the department.
00:14:36.579 --> 00:14:42.200
And then we sent the PDF off to MIT and
they produced it as a proper book. And
00:14:42.200 --> 00:14:48.350
this means that we had a book which is
supposedly protected and this enabled us
00:14:48.350 --> 00:14:55.209
to get the the topic onto the agenda for
cabinet discussion. So this at least
00:14:55.209 --> 00:14:59.779
precipitous action, we ended up with the
Regulation of Investigatory Powers Bill in
00:14:59.779 --> 00:15:04.830
2000. That was far from perfect, but that
was a longer story. So what happened back
00:15:04.830 --> 00:15:09.860
then is that we set up an NGO, a digital
rights organization, the Foundation for
00:15:09.860 --> 00:15:16.620
Information Policy Research. And the
climate at the time was such that we had
00:15:16.620 --> 00:15:22.310
no difficulty raising a couple of hundred
thousand pounds from Microsoft and Hewlett
00:15:22.310 --> 00:15:28.370
Packard and Redbus and other tech players.
So we were able to hire Casper Bowden for
00:15:28.370 --> 00:15:32.199
three years to basically be the director
of FIPR and to lobby the government hard
00:15:32.199 --> 00:15:38.490
on this. And if we can go back to the
slides, please, and go to the next slide,
00:15:38.490 --> 00:15:47.170
the slide on bringing it all together. So
in 1997, a number of us, Hal Abelson and I
00:15:47.170 --> 00:15:54.569
and Steve Bellovin and Josh Benaloh from
Microsoft and Matt Blaze who had broken
00:15:54.569 --> 00:15:59.430
Clipper and Whit Diffie, who invented
digital signatures, and John Gilmore of
00:15:59.430 --> 00:16:05.689
EFF, Peter Neumann of SRI, Ron Rivest,
Jeff Schiller of MIT and Bruce Schneier
00:16:05.689 --> 00:16:09.339
who had written applied cryptography and
got together and wrote a paper on the
00:16:09.339 --> 00:16:13.830
risks of key recovery, key escrow and
trust in third party encryption, where we
00:16:13.830 --> 00:16:18.470
discussed the system consequences of
giving third party or government access to
00:16:18.470 --> 00:16:23.850
both traffic data and content without user
notice or consent deployed internationally
00:16:23.850 --> 00:16:27.550
and available around the clock. We came to
the conclusion that this was not really
00:16:27.550 --> 00:16:33.550
doable. It was simply too many
vulnerabilities and too many complexities.
00:16:33.550 --> 00:16:38.899
So how did it end? Well, if we go to the
next slide, the victory in Europe wasn't
00:16:38.899 --> 00:16:44.259
as a result of academic arguments. It was
a result of industry pressure. And we owe
00:16:44.259 --> 00:16:48.750
a debt to Commissioner Martin Bangemann
and also to the German government who
00:16:48.750 --> 00:16:56.699
backed him. And in 1994, Martin had put
together a group of European CEOs to
00:16:56.699 --> 00:17:01.190
advise him on internet policy. And they
advised them to keep your hands off until
00:17:01.190 --> 00:17:04.160
we can see which way it's going. That's
just wrong with this thing and see what we
00:17:04.160 --> 00:17:10.670
can do with it. And the thing that he
developed in order to drive a stake
00:17:10.670 --> 00:17:15.180
through the heart of key escrow was the
Electronic Signatures Directive in 1999.
00:17:15.180 --> 00:17:20.330
And this gave a rebuttable presumption of
validity to qualifying electronic
00:17:20.330 --> 00:17:24.640
signatures, but subject to a number of
conditions. And one of these was that the
00:17:24.640 --> 00:17:29.570
signing key must never be known to anybody
else other than the signer and this killed
00:17:29.570 --> 00:17:37.120
the idea of licensing CAs in such a way
that the the NSA had access to all the
00:17:37.120 --> 00:17:41.390
private key material. The agencies had
argued that without controlling
00:17:41.390 --> 00:17:45.260
signatures, you couldn't control
encryption. But of course, as intelligence
00:17:45.260 --> 00:17:49.440
agencies, they were as much interested in
manipulating information as they were in
00:17:49.440 --> 00:17:57.280
listening into it. And this created a
really sharp conflict with businesses. In
00:17:57.280 --> 00:18:00.770
the U.K., with the Regulation of
Investigatory Powers Bill went through the
00:18:00.770 --> 00:18:05.540
following year. And there we got strong
support from the banks who did not want
00:18:05.540 --> 00:18:10.600
the possibility of intelligence and law
enforcement personnel either getting hold
00:18:10.600 --> 00:18:16.380
of bank keys or forging banking
transactions. And so we managed to, with
00:18:16.380 --> 00:18:20.720
their help to insert a number of
conditions into the bill, which meant that
00:18:20.720 --> 00:18:25.520
if a court or chief constable, for
example, demands a key from a company,
00:18:25.520 --> 00:18:29.400
they've got to demand it from somebody at
the level of a director of the company.
00:18:29.400 --> 00:18:33.800
And it's got to be signed by someone
really senior such as the chief constable.
00:18:33.800 --> 00:18:38.910
So there was some controls that we managed
to get in there. Next slide! What did
00:18:38.910 --> 00:18:44.660
victory in the USA look like? Well, in the
middle of 2000 as a number of people had
00:18:44.660 --> 00:18:49.170
predicted, Al Gore decided that he wanted
to stop fighting the tech industry in
00:18:49.170 --> 00:18:54.410
order to get elected president. And there
was a deal done at the time which was
00:18:54.410 --> 00:19:01.070
secret. It was done at the FBI
headquarters at Quantico by US law
00:19:01.070 --> 00:19:04.880
enforcement would rely on naturally
occurring vulnerabilities rather than
00:19:04.880 --> 00:19:10.070
compelling their insertion by companies
like Intel or Microsoft. This was secret
00:19:10.070 --> 00:19:15.017
at the time, and I happen to know about it
because I was consulting for Intel and the
00:19:15.017 --> 00:19:20.800
NDA I was under had a four year time
limits on it. So after 2004, I was at the
00:19:20.800 --> 00:19:25.760
ability to talk about this. And so this
basically gave the NSA access to the CERT
00:19:25.760 --> 00:19:30.930
feed. And so as part of this deal, the
export rules were liberalized a bit, but
00:19:30.930 --> 00:19:38.090
with various hooks and gotchas left so
that the authorities could bully companies
00:19:38.090 --> 00:19:45.580
who got too difficult. And in 2002, Robert
Morris, senior, who had been the chief
00:19:45.580 --> 00:19:50.740
scientist at the NSA at much of this
period, admitted that the real policy goal
00:19:50.740 --> 00:19:54.540
was to ensure that the many systems
developed during the dot com boom were
00:19:54.540 --> 00:20:02.190
deployed with weak protection or none. And
there's a huge, long list of these. Next
00:20:02.190 --> 00:20:11.430
slide, please. So what was the collateral
damage from crypto war one? This is the
00:20:11.430 --> 00:20:15.310
first knuckle pass of this talk, which
I've got together as a result of spending
00:20:15.310 --> 00:20:20.920
the last academic year writing the third
edition of my book on security engineering
00:20:20.920 --> 00:20:26.520
as I've gone through and updated all the
chapters on car security, the role of
00:20:26.520 --> 00:20:32.510
security and web security and so on and so
forth, we find everywhere. But there are
00:20:32.510 --> 00:20:38.050
still very serious costs remaining from
crypto war one, for example, almost all of
00:20:38.050 --> 00:20:43.430
the remote key entry systems for cars use
inadequate cryptography for random
00:20:43.430 --> 00:20:48.290
number generators and so on and so forth.
And car theft has almost doubled in the
00:20:48.290 --> 00:20:55.380
past five years. This is not all due to
weak crypto, but it's substantially due to
00:20:55.380 --> 00:21:01.323
a wrong culture that was started off in
the context of the crypto wars. Second,
00:21:01.323 --> 00:21:06.430
there are millions of door locks still
using Mifare classic, even the building
00:21:06.430 --> 00:21:12.030
where I work. For example, the University
of Cambridge changed its door locks around
00:21:12.030 --> 00:21:17.040
2000. So we've still got a whole lot of
mifare classic around. And it's very
00:21:17.040 --> 00:21:21.150
difficult when you've got 100 buildings to
change all the locks on them. And this is
00:21:21.150 --> 00:21:26.250
the case with thousands of organizations
worldwide, with universities, with banks,
00:21:26.250 --> 00:21:30.990
with all sorts of people, simply because
changing all the locks at once and dozens
00:21:30.990 --> 00:21:35.770
of buildings is just too expensive. Then,
of course, there's the CA in your
00:21:35.770 --> 00:21:40.990
browser, most nations own or control
certification authorities that your
00:21:40.990 --> 00:21:47.380
browser trusts and the few nations that
weren't allowed to own such CAs, such as
00:21:47.380 --> 00:21:53.040
Iran, get up to mischief, as we find in
the case of the DigiNotar hack a few years
00:21:53.040 --> 00:21:59.000
ago. And this means that most nations have
got a more or less guaranteed ability to
00:21:59.000 --> 00:22:05.770
do man in the middle attacks on your Web
log ons. Some companies like Google, of
00:22:05.770 --> 00:22:11.410
course, started to fix that with various
mechanisms such as certificate pinning.
00:22:11.410 --> 00:22:16.160
But that was a deliberate vulnerability
that was there for a long, long time and
00:22:16.160 --> 00:22:22.410
is still very widespread. Phones. 2G is
insecure. That actually goes back to the
00:22:22.410 --> 00:22:27.281
Cold War rather than the crypto war. But
thanks to the crypto wars 4G and 5G are
00:22:27.281 --> 00:22:32.450
not very much better. The details are
slightly complicated and again, they're
00:22:32.450 --> 00:22:37.950
described in the book, Bluetooth is easy
to hack. That's another piece of legacy.
00:22:37.950 --> 00:22:43.380
And as I mentioned, the agencies own the
CERT's responsible disclosure pipeline,
00:22:43.380 --> 00:22:47.690
which means that they got a free fire hose
of zero days that they can exploit
00:22:47.690 --> 00:22:53.780
for perhaps a month or three before these
end up being patched. So next slide,
00:22:53.780 --> 00:23:02.600
please. Last year when I talked at Chaos
Communication Congress, the audience chose
00:23:02.600 --> 00:23:08.900
this as the cover for my security
engineering book, and that's now out. And
00:23:08.900 --> 00:23:12.730
it's the process of writing this that
brought home to me the scale of the damage
00:23:12.730 --> 00:23:18.450
that we still suffered as a result of
crypto war one. So let's move on to the
00:23:18.450 --> 00:23:24.610
next slide and the next period of history,
which we might call the war on terror. And
00:23:24.610 --> 00:23:30.980
I've arbitrarily put this down as 2000 to
2013 although some countries stoped using
00:23:30.980 --> 00:23:36.790
the phrase war on terror in about 2008
once we have got rid of George W. Bush and
00:23:36.790 --> 00:23:41.330
Tony Blair. But as a historical
convenience, this is, if you like, the
00:23:41.330 --> 00:23:46.140
central period in our tale. And it starts
off with a lot of harassment around the
00:23:46.140 --> 00:23:54.700
edges of security and cryptography. For
example, in 2000, Tony Blair promoted the
00:23:54.700 --> 00:24:02.290
EU dual use regulation number 1334 to
extend export controls from tangible goods
00:24:02.290 --> 00:24:07.810
such as rifles and tanks to intangibles
such as crypto software. Despite the fact
00:24:07.810 --> 00:24:13.980
that he has basically declared peace on
the tech industry. Two years later, in
00:24:13.980 --> 00:24:18.090
2002, the UK parliament balked at an
export control bill that was going to
00:24:18.090 --> 00:24:24.140
transpose this because it added controls
on scientific speech, not just crypto
00:24:24.140 --> 00:24:28.900
code, but even papers on cryptanalysis and
even electron microscope scripts and
00:24:28.900 --> 00:24:33.300
so parliament started the research
exemption clause at the arguments of the
00:24:33.300 --> 00:24:39.420
then president of the Royal Society, Sir
Robert May. But what then happened is that
00:24:39.420 --> 00:24:45.820
GCHQ used EU regulations to frustrate
Parliament and this pattern of extralegal
00:24:45.820 --> 00:24:51.700
behavior was to continue. Next slide!
Because after export control, the place
00:24:51.700 --> 00:24:57.310
shifted to traffic data retention, another
bad thing that I'm afraid to say, the UK
00:24:57.310 --> 00:25:02.630
exported to Europe back in the days when
we were, in effect, the Americans
00:25:02.630 --> 00:25:08.530
consigliere on the European Council. Sorry
about that, folks, but all I can say is at
00:25:08.530 --> 00:25:15.900
least we helped start EDRI a year after
that. So one of the interesting aspects of
00:25:15.900 --> 00:25:20.590
this was that our then home secretary,
Jacqui Smith, started talking about the
00:25:20.590 --> 00:25:26.080
need for a common database of all the
metadata of who had phoned whom when, who
00:25:26.080 --> 00:25:30.720
had sent an email to whom when, so that
the police could continue to use the
00:25:30.720 --> 00:25:35.340
traditional contact tracing techniques
online. And the line that we got hammered
00:25:35.340 --> 00:25:39.500
home to us again and again and again was
if you got nothing to hide, you've got
00:25:39.500 --> 00:25:47.490
nothing to fear. What then happened in
2008, is that a very bad person went into
00:25:47.490 --> 00:25:53.550
Parliament and went to the PC where the
expense claims of MPs were kept and they
00:25:53.550 --> 00:25:58.630
copied all the expense claims onto a DVD
and they sold it around Fleet Street. And
00:25:58.630 --> 00:26:03.450
so The Daily Telegraph bought it from them
for 400˙000£. And then for the best
00:26:03.450 --> 00:26:07.500
part of a year, the Daily Telegraph was
telling scandalous things about what
00:26:07.500 --> 00:26:12.170
various members of parliament had claimed
from the taxpayer. But it turned out that
00:26:12.170 --> 00:26:15.730
also Jacqui Smith may have been innocent.
Her husband had been downloading
00:26:15.730 --> 00:26:21.010
pornography and charging it to our
parliamentary expenses. So she lost her
00:26:21.010 --> 00:26:25.820
job as home secretary and she lost her
seat in parliament and the communications
00:26:25.820 --> 00:26:32.950
data bill was lost. So was this a victory?
Well, in June 2013, we learned from Ed
00:26:32.950 --> 00:26:39.310
Snowden that they just built it anyway,
despite parliament. So maybe the victory
00:26:39.310 --> 00:26:43.400
in parliament wasn't what it seemed to be
at the time. But I'm getting ahead of
00:26:43.400 --> 00:26:51.570
myself; anyway. Next slide, please. The
other thing that we did in the 2000s is
00:26:51.570 --> 00:26:56.200
that we spent, I spent maybe a third of my
time and about another hundred people
00:26:56.200 --> 00:27:00.856
joined and we developed the economics of
security as a discipline. We began to
00:27:00.856 --> 00:27:05.660
realize that many of the things that went
wrong happened because Alice was guarding
00:27:05.660 --> 00:27:10.910
a system and Bob was paying the cost of
failure. For example, if you got a payment
00:27:10.910 --> 00:27:17.480
system, then in order to prevent fraud,
what you basically have to do is to get
00:27:17.480 --> 00:27:21.920
the merchants and the bank to buy
transactions from them, to take care of
00:27:21.920 --> 00:27:26.440
the costs of fraud, follow the cardholder
of the banks that issue them with cards.
00:27:26.440 --> 00:27:31.870
And the two aren't the same. But it's this
that causes the governance tensions and
00:27:31.870 --> 00:27:36.906
causes governments to break down and makes
fraud harder than it should be. Now after
00:27:36.906 --> 00:27:41.530
that, one of the early topics was
patching and responsible disclosure. And
00:27:41.530 --> 00:27:45.340
we worked through all the issues of
whether you should not patch at all, which
00:27:45.340 --> 00:27:48.860
some people in industry wanted to do, or
whether you should just put all the bugs
00:27:48.860 --> 00:27:52.690
on bug trackers which some hackers wanted
to do or whether you would go through the
00:27:52.690 --> 00:27:57.200
CERT system despite the NSA compromise,
because they at least would give you legal
00:27:57.200 --> 00:28:03.720
cover. And, you know, bully Microsoft into
catching the bug the next patch Tuesday
00:28:03.720 --> 00:28:10.040
and then the disclosure after 90 days. And
we eventually came to the conclusion as an
00:28:10.040 --> 00:28:16.270
industry followed that responsible
disclosure was the way to go. Now, one of
00:28:16.270 --> 00:28:21.530
the problems that arises here is the
equities issue. Suppose you're the
00:28:21.530 --> 00:28:27.260
director of the NSA and somebody comes to
you with some super new innovative bug.
00:28:27.260 --> 00:28:33.490
You say they have rediscovered Spectre,
for example. And so you've got a bug which
00:28:33.490 --> 00:28:40.640
can be used to penetrate any crypto
software that's out there. Do you report
00:28:40.640 --> 00:28:45.640
the bug to Microsoft and Intel to defend
300 million Americans, or do you keep it
00:28:45.640 --> 00:28:50.830
quiet so you can exploit 450 million
Europeans and a thousand billion Chinese
00:28:50.830 --> 00:28:55.170
and so on and so forth? Well, once you put
it that way, it's fairly obvious that the
00:28:55.170 --> 00:29:00.370
NSA will favor attack over defense. And
there are multiple models of attack and
00:29:00.370 --> 00:29:04.420
defense. You can think of institutional
factors and politics, for example, if you
00:29:04.420 --> 00:29:10.350
are director of the NSA, and you defend
300 million Americans. You defend the
00:29:10.350 --> 00:29:15.720
White House against the Chinese hacking
it. You know, the president will never
00:29:15.720 --> 00:29:19.970
know if he's hacked or not because the
Chinese will keep it quiet if they do. But
00:29:19.970 --> 00:29:24.790
if, on the other hand, you manage to hack
the Politburo land in Peking, you can put
00:29:24.790 --> 00:29:31.040
some juicy intelligence every morning with
the president's breakfast cereal. So
00:29:31.040 --> 00:29:37.150
that's an even stronger argument of why
you should do attack rather than defense.
00:29:37.150 --> 00:29:43.360
And all the thing that I mentioned in
passing is that throughout the 2000s,
00:29:43.360 --> 00:29:47.390
governments also scrambled to get more
data of the citizens, for example, in
00:29:47.390 --> 00:29:51.930
Britain with a long debate about whether
medical records should be centralized. In
00:29:51.930 --> 00:29:56.030
the beginning, we said if you were to
centralize all medical records, that would
00:29:56.030 --> 00:29:59.440
be such a large target that the database
should be top secret and it would be too
00:29:59.440 --> 00:30:06.480
inconvenient for doctors to use. Well,
Blair decided in 2001 to do it anyway. We
00:30:06.480 --> 00:30:10.700
wrote a report in 2009 saying that this
was a red line and that this was a serious
00:30:10.700 --> 00:30:17.030
hazard and then in 2014 we discovered that
Cameron's buddy, who was the transparency
00:30:17.030 --> 00:30:22.440
czar and the NHS had sold the database to
1200 researchers, including drug companies
00:30:22.440 --> 00:30:26.740
in China. So that meant that all the
sensitive personal health information
00:30:26.740 --> 00:30:31.480
about one billion patients episodes had
been sold around the world and was
00:30:31.480 --> 00:30:35.240
available to not just to medical
researchers, but to foreign intelligence
00:30:35.240 --> 00:30:50.760
services. This brings us on to Snowden. In
June 2013. We had one of those game
00:30:50.760 --> 00:30:57.280
changing moments when Ed Snowden leaked a
whole bunch of papers showing that the NSA
00:30:57.280 --> 00:31:02.390
had been breaking the law in America and
GCHQ had been breaking the law in Britain,
00:31:02.390 --> 00:31:06.320
that we have been lied to, the parliament
had been misled, and a whole lot of
00:31:06.320 --> 00:31:10.580
collection and interception was going on,
which supposedly shouldn't have been going
00:31:10.580 --> 00:31:15.790
on. Now, one of the things that got
industry attention was a system called
00:31:15.790 --> 00:31:22.500
PRISM, which was in fact legal because
this was done as a result of warrants
00:31:22.500 --> 00:31:28.190
being served on the major Internet service
providers. And if we could move to the
00:31:28.190 --> 00:31:33.500
next slide, we can see that this started
off with Microsoft in 2007. Yahoo! in
00:31:33.500 --> 00:31:38.121
2008, they fought in court for a year they
lost and then Google and Facebook and so on
00:31:38.121 --> 00:31:44.640
got added. This basically enabled the NSA
to go to someone like Google and say
00:31:44.640 --> 00:31:49.590
rossjanderson@gmail.com is a foreign
national, we're therefore entitled to read
00:31:49.590 --> 00:31:54.660
his traffic, kindly give us his Gmail. And
Google would say, yes, sir. For Americans,
00:31:54.660 --> 00:31:58.240
you have to show probable cause that
they've committed a crime for foreigners
00:31:58.240 --> 00:32:06.060
you simply have to show probable cause
that they're a foreigner. The next slide.
00:32:06.060 --> 00:32:14.700
This disclosure from Snowden disclosed
that PRISM, despite the fact that it only
00:32:14.700 --> 00:32:20.400
costs about 20 million dollars a year, was
generating something like half of all the
00:32:20.400 --> 00:32:27.160
intelligence that the NSA was using. By
the end of financial year 2012, but that
00:32:27.160 --> 00:32:33.100
was not all. Next slide, please. The thing
that really annoyed Google was this slide
00:32:33.100 --> 00:32:38.820
on the deck from a presentation at GCHQ
showing how the NSA was not merely
00:32:38.820 --> 00:32:44.480
collecting stuff through the front door by
serving warrants on Google in Mountain
00:32:44.480 --> 00:32:48.590
View, it was collecting stuff through the
backdoor as well, because they were
00:32:48.590 --> 00:32:53.840
harvesting the plaintext copies of Gmail
and maps and docs and so on, which were
00:32:53.840 --> 00:32:59.350
being sent backwards and forwards between
Google's different data centers. And the
00:32:59.350 --> 00:33:04.650
little smiley face, which you can see on
the sticky, got Sergei and Friends really,
00:33:04.650 --> 00:33:09.890
really uptight. And they just decided,
right, you know, we're not going to allow
00:33:09.890 --> 00:33:13.310
this. They will have to knock and show
warrants in the future. And there was a
00:33:13.310 --> 00:33:17.120
crash program and all the major Internet
service providers to encrypt all the
00:33:17.120 --> 00:33:25.180
traffic so that in future things could
only be got by means of a warrant. Next
00:33:25.180 --> 00:33:38.060
slide, please. The EU was really annoyed
by what was called Operation Socialist.
00:33:38.060 --> 00:33:49.920
Operation Socialist was basically, the
hack of Belgacom and the idea was that
00:33:49.920 --> 00:33:56.710
GCHQ spearfished some technical staff at
Belgacom and this enabled them to wiretap
00:33:56.710 --> 00:34:04.870
all the traffic at the European Commission
in Brussels and as well as mobile phone
00:34:04.870 --> 00:34:11.910
traffic to and from various countries in
Africa. And this is rather amazing. It's
00:34:11.910 --> 00:34:16.940
as if Nicola Sturgeon, the first minister
of Scotland, had tasked Police Scotland
00:34:16.940 --> 00:34:21.781
with hacking BT so that she could watch
out what was going on with the parliament
00:34:21.781 --> 00:34:30.919
in London. So this annoyed a number of
people. With the next slide, we can see.
00:34:30.919 --> 00:34:40.149
That the the Operation Bull Run, an
operation Edgehill, as GCHQ called their
00:34:40.149 --> 00:34:44.740
version of it, have an aggressive,
multipronged efforts to break widely used
00:34:44.740 --> 00:34:49.899
Internet encryption technologies. And we
learned an awful lot about what was being
00:34:49.899 --> 00:34:55.929
done to break VPNs worldwide and what had
been done in terms of inserting
00:34:55.929 --> 00:35:01.830
vulnerabilities and protocols, getting
people to use vulnerable prime numbers for
00:35:01.830 --> 00:35:06.750
Diffie Hellman key exchange and so on and
so forth. Next slide, first slide and
00:35:06.750 --> 00:35:11.870
Bullrun and Edgehill SIGINT enabling
projects actively engages the US and
00:35:11.870 --> 00:35:16.310
foreign IT industries to covertly
influence and/or overtly leverage their
00:35:16.310 --> 00:35:20.690
commercial products' designs. These design
changes make the systems in question
00:35:20.690 --> 00:35:24.680
exploitable through SIGINT collection
endpoint midpoints, et cetera, with
00:35:24.680 --> 00:35:28.400
foreknowledge of the modification, the
consumer and other adversaries however the
00:35:28.400 --> 00:35:36.510
system security remains intact. Next
slide, so the insert vulnerabilities into
00:35:36.510 --> 00:35:41.450
commercial systems, I.T. systems, networks
and point communication devices used by
00:35:41.450 --> 00:35:49.160
targets. Next slide. They also influence
policy standards and specifications for
00:35:49.160 --> 00:35:54.270
commercial public key technologies, and
this was the smoking gun that
00:35:54.270 --> 00:36:02.240
crypto war 1 had not actually ended. It had
just gone undercover. And so with this,
00:36:02.240 --> 00:36:08.250
things come out into the open next slide
so we could perhaps date crypto war 2 to
00:36:08.250 --> 00:36:13.190
the Snowden disclosures in their aftermath
in America. It must be said that all three
00:36:13.190 --> 00:36:18.350
arms of the US government showed at least
mild remarks. Obama set up the NSA review
00:36:18.350 --> 00:36:23.810
group and adopted most of what it said
except on the equities issue. Congress got
00:36:23.810 --> 00:36:28.180
data retention, renewed the Patriot Act
and the FISA court introduced an advocate
00:36:28.180 --> 00:36:33.340
for Targets. Tech companies as I
mentioned, started encrypting all their
00:36:33.340 --> 00:36:39.220
traffic. In the UK on the other hand,
governments expressed no remorse at all,
00:36:39.220 --> 00:36:43.450
and they passed the Investigatory Powers
Act to legalize all the unlawful things
00:36:43.450 --> 00:36:47.740
they've already been doing. And they could
now order firms secretly do anything they
00:36:47.740 --> 00:36:56.730
physically can. However, data retention
was nixed by the European courts. The
00:36:56.730 --> 00:37:01.920
academic response in the next slide, keys
under doormats, much the same authors as
00:37:01.920 --> 00:37:08.670
before. We analyzed the new situation and
came to much of the same conclusions. Next
00:37:08.670 --> 00:37:14.620
slide, the 2018 GCHQ
proposals from Ian Levy and Crispin
00:37:14.620 --> 00:37:20.870
Robinson proposed to add ghost users to
WhatsApp and FaceTime calls in response to
00:37:20.870 --> 00:37:25.860
warrants. The idea is that you've got an
FBI key on your device hearing. You still
00:37:25.860 --> 00:37:30.110
have end to end, so you just have an extra
end. And this, of course, fills the keys
00:37:30.110 --> 00:37:34.380
on the doormats tests. Your software would
abandon best practice. It would create
00:37:34.380 --> 00:37:39.690
targets and increase complexity and it
would also have to lie about trust. Next
00:37:39.690 --> 00:37:49.310
slide, please. This brings us to the
upload filters which were proposed over
00:37:49.310 --> 00:37:55.990
the past six months, they first surfaced
in early 2020 to a Stanford think tank and
00:37:55.990 --> 00:38:00.960
they were adopted by Commissioner Ylva
Johansson on June the 9th at the start of
00:38:00.960 --> 00:38:05.930
the German presidency. On the 20th of
September we got a leaked tech paper whose
00:38:05.930 --> 00:38:11.650
authors include our GCHQ friends Ian Levie
and Crispin Robinson. The top options are
00:38:11.650 --> 00:38:17.620
that you filter in client software
assisted by a server, as client side only
00:38:17.620 --> 00:38:22.570
filtering is too constrained and easy to
compromise. The excuse is that you want to
00:38:22.570 --> 00:38:28.520
stop illegal material such as child sex
abuse images being shared over end to end
00:38:28.520 --> 00:38:34.210
messaging system such as WhatsApp. Various
NGOs objected, and we had a meeting with
00:38:34.210 --> 00:38:39.580
the commission, which was a little bit
like a Stockholm Syndrome event. We had
00:38:39.580 --> 00:38:43.750
one official there on the child protection
front fax by half a dozen officials from
00:38:43.750 --> 00:38:48.610
various security bodies, departments and
agencies who seemed to be clearly driving
00:38:48.610 --> 00:38:53.191
the thing with child protection merely
being an excuse to promote this lead.
00:38:53.191 --> 00:39:00.360
Well, the obvious things to worry about
are as a similar language in the new
00:39:00.360 --> 00:39:04.730
terror regulation, you can expect the
filter to extend from child sex abuse
00:39:04.730 --> 00:39:10.840
material to terror. And static filtering
won't work because if there's a bad list
00:39:10.840 --> 00:39:15.380
of 100˙000 forbidden images, then the bad
people will just go out and make another
00:39:15.380 --> 00:39:22.530
100˙000 child sex abuse images. So the
filtering will have to become dynamic. And
00:39:22.530 --> 00:39:26.880
then the question is whether your form
will block it or report it. And there's an
00:39:26.880 --> 00:39:32.090
existing legal duty in a number of
countries and in the UK to although
00:39:32.090 --> 00:39:37.310
obviously no longer a member state, the
existing duty to report terror stuff. And
00:39:37.310 --> 00:39:41.840
the question is, who will be in charge of
updating the filters? What's going to
00:39:41.840 --> 00:39:50.750
happen then? Next slide. Well, we've seen
an illustration during the lockdown in
00:39:50.750 --> 00:39:55.230
April, the French and Dutch government
sent an update to all Encrochat mobile
00:39:55.230 --> 00:39:59.450
phones with a rootkit which copied
messages, crypto keys and lock screen
00:39:59.450 --> 00:40:04.460
passwords. The Encrochat was a brand of
mobile phone that was sold through
00:40:04.460 --> 00:40:11.001
underground channels to various criminal
groups and others. And since this was
00:40:11.001 --> 00:40:18.119
largely used by criminals of various
kinds, the U.K. government justify bulk
00:40:18.119 --> 00:40:24.160
intercepts by passing its office targets
and equipment interference. In other
00:40:24.160 --> 00:40:28.600
words, they brought a targeted warrant for
all forty five thousand Encrochat handsets
00:40:28.600 --> 00:40:33.400
and of ten thousand users in the U.K.,
eight hundred were arrested in June when
00:40:33.400 --> 00:40:39.680
the wire tapping exercise was completed.
Now, again, this appears to ignore the
00:40:39.680 --> 00:40:44.450
laws that we have on the books because
even our Investigatory Powers Act rules
00:40:44.450 --> 00:40:48.710
out all interception of U.K.
residents. And those who follow such
00:40:48.710 --> 00:40:52.950
matters will know that there was a trial
at Liverpool Crown Court, a hearing of
00:40:52.950 --> 00:40:59.369
whether this stuff was admissible. And we
should have a first verdict on that early
00:40:59.369 --> 00:41:05.270
in the new year. And that will no doubt go
to appeal. And if the material is held to
00:41:05.270 --> 00:41:09.820
be admissible, then there will be a whole
series of trials. So this brings me to my
00:41:09.820 --> 00:41:17.050
final point. What can we expect going
forward? China is emerging as a full-stack
00:41:17.050 --> 00:41:21.700
competitor to the West, not like Russia in
Cold War one, because Russia only ever
00:41:21.700 --> 00:41:26.760
produced things like primary goods, like
oil and weapons in trouble, of course. But
00:41:26.760 --> 00:41:30.690
China is trying to compete all the way up
and down the stack from chips, through
00:41:30.690 --> 00:41:35.690
software, up through services and
everything else. And developments in China
00:41:35.690 --> 00:41:40.850
don't exactly fill one with much
confidence, because in March 2018,
00:41:40.850 --> 00:41:45.400
President Xi declared himself to be ruler
for life, basically tearing up the Chinese
00:41:45.400 --> 00:41:50.280
constitution. There are large-scale state
crimes being committed in Tibet and
00:41:50.280 --> 00:41:55.240
Xiniang and elsewhere. Just last week,
Britain's chief rabbi described the
00:41:55.240 --> 00:42:03.991
treatment of Uyghurs as an unfathomable
mass atrocity. In my book, I describe
00:42:03.991 --> 00:42:09.280
escalating cyber conflict and various
hacks, such as the hack of the Office of
00:42:09.280 --> 00:42:15.100
Personnel Management, which had clearance
files on all Americans who work for the
00:42:15.100 --> 00:42:20.710
federal governments, the hack of Equifax,
which got credit ratings and credit
00:42:20.710 --> 00:42:25.560
histories of all Americans. And there are
also growing tussles and standards. For
00:42:25.560 --> 00:42:32.840
example, the draft ISO 27553 on biometric
authentication for mobile phones is
00:42:32.840 --> 00:42:38.080
introducing at the insistence of Chinese
delegates, a central database option. So
00:42:38.080 --> 00:42:43.480
in future, your phone might not verify
your faceprint or your fingerprint
00:42:43.480 --> 00:42:50.440
locally. It might do it with a central
database. Next slide, how could Cold War
00:42:50.440 --> 00:42:56.550
2.0 be different? Well, there's a number
of interesting things here, and the
00:42:56.550 --> 00:43:00.960
purpose of this talk is to try and kick
off a discussion of these issues. China
00:43:00.960 --> 00:43:06.120
makes electronics, not just guns, the way
the old USSR did. Can you have a separate
00:43:06.120 --> 00:43:13.600
supply chain for China and one for
everybody else? But hang on a minute,
00:43:13.600 --> 00:43:20.220
consider the fact that China has now
collected very substantial personal data
00:43:20.220 --> 00:43:25.300
sets on the Office of Personnel
Management, the US government employees,
00:43:25.300 --> 00:43:32.360
by forcing Apple to set up its own data
centers in China for iPhone users in
00:43:32.360 --> 00:43:39.270
China, they get access to all the data
for Chinese users of iPhones that America
00:43:39.270 --> 00:43:44.750
gets for American users of iPhones, plus
maybe more as well. If the Chinese can
00:43:44.750 --> 00:43:50.690
break the HSMs in Chinese data centers as
we expect them to be able to, Equifax got
00:43:50.690 --> 00:43:56.960
them data on all economically active
people in the USA. care.data gave them
00:43:56.960 --> 00:44:02.390
medical records of everybody in the UK.
And this bulk personal data is already
00:44:02.390 --> 00:44:08.470
being targeted in intelligence use when
Western countries, for example, send
00:44:08.470 --> 00:44:13.640
diplomats to countries in Africa or Latin
America or local Chinese counter-
00:44:13.640 --> 00:44:16.870
intelligence, people know whether they're
bona fide diplomats or whether they're
00:44:16.870 --> 00:44:22.210
intelligence agents, undercover, all
from exploitation of all this personal
00:44:22.210 --> 00:44:26.220
information. Now, given that this
information's already in efficient targeted
00:44:26.220 --> 00:44:31.970
use, the next question we have to ask is
when will it be used at scale? And this is
00:44:31.970 --> 00:44:37.390
the point at which we say that the
equities issue now needs a serious rethink
00:44:37.390 --> 00:44:43.830
and the whole structure of the conflict is
going to have to move from more offensive
00:44:43.830 --> 00:44:49.540
to more defensive because we depend on
supply chains to which the Chinese have
00:44:49.540 --> 00:44:55.460
access more than they depend on supply
chains to which we have access. Now, it's
00:44:55.460 --> 00:45:01.190
dreadful that we're headed towards a new
Cold War, but as we head there, we have to
00:45:01.190 --> 00:45:05.950
ask also the respective roles of
governments, industry and civil society,
00:45:05.950 --> 00:45:14.040
academia. Next slide, please. And so
looking for my point is this. That is Cold
00:45:14.040 --> 00:45:18.860
War 2.0 does happen. I hope it doesn't.
But we appear to be headed that way
00:45:18.860 --> 00:45:23.680
despite the change of governments in the
White House. Then we need to be able to
00:45:23.680 --> 00:45:31.010
defend everybody, not just the elites. No,
it's not going to be easy because there
00:45:31.010 --> 00:45:35.270
are more state players, the USA is a big
block, the EU is a big block. There are
00:45:35.270 --> 00:45:39.650
other players, other democracies that are
other non democracies. Those other failing
00:45:39.650 --> 00:45:45.210
democracies. This is going to be complex
and messy. It isn't going to be a
00:45:45.210 --> 00:45:50.310
situation like last time where big tech
reaches out to civil society and academia
00:45:50.310 --> 00:45:55.930
and we could see a united front against
the agencies. And even in that case, of
00:45:55.930 --> 00:46:00.550
course, the victory that we got was only
an apparent victory, a superficial victory
00:46:00.550 --> 00:46:06.410
that's only lasted for a while. So what
could we do? Well, at this point, I think
00:46:06.410 --> 00:46:10.960
we need to remind all the players to
listen. But it's not just about strategy
00:46:10.960 --> 00:46:15.800
and tactics, but it's about values, too.
And so we need to be firmly on the side of
00:46:15.800 --> 00:46:21.470
freedom, privacy and the rule of law. Now,
for the old timers, you may remember that
00:46:21.470 --> 00:46:29.520
there was a product called Tom-Skype,
which was introduced in 2011 in China. The
00:46:29.520 --> 00:46:34.470
Chinese wanted the citizens to be able to
use Skype, but they wanted to be able to
00:46:34.470 --> 00:46:38.290
wiretap as well, despite the fact that
Skype at the time had end to end
00:46:38.290 --> 00:46:44.520
encryption. And so people in China were
compelled to download a client for Skype
00:46:44.520 --> 00:46:50.450
called Tom-Skype. Tom was the company that
distributed Skype in China and it
00:46:50.450 --> 00:46:55.070
basically had built in wire tapping. So
you had end to end encryption using Skype
00:46:55.070 --> 00:47:01.240
in those days. But in China, you ended up
having a Trojan client, which you had to
00:47:01.240 --> 00:47:08.240
use. And what we are doing at the moment
is basically the EU is trying to copy Tom-
00:47:08.240 --> 00:47:13.440
Skype and saying that we should be doing
what China was doing eight years ago. And
00:47:13.440 --> 00:47:17.540
I say we should reject that. We can't
challenge President Xi by going down that
00:47:17.540 --> 00:47:21.970
route. Instead, we've got to reset our
values and we've got to think through the
00:47:21.970 --> 00:47:27.600
equities issue and we've got to figure out
how it is that we're going to deal with
00:47:27.600 --> 00:47:32.570
the challenges of dealing with non-
democratic countries when there is serious
00:47:32.570 --> 00:47:40.620
conflict in a globalized world where we're
sharing the same technology. Thanks. And
00:47:40.620 --> 00:47:52.230
perhaps the last slide for my book can
come now and I'm happy to take questions.
00:47:52.230 --> 00:47:58.460
Herald: Yeah, thanks a lot, Ross, for your
talk. It's a bit depressing to listen to
00:47:58.460 --> 00:48:09.510
you. I have to admit let's have a look.
OK, so I have a question. I'm wondering if
00:48:09.510 --> 00:48:15.369
the export controls at EU level became
worse than UK level export controls
00:48:15.369 --> 00:48:20.660
because entities like GCHQ had more
influence there or because there's a harmful
00:48:20.660 --> 00:48:26.619
Franco German security culture or what it
was. Do you have anything on that?
00:48:26.619 --> 00:48:30.890
Ross: Well, the experience that we had
with these export controls, once they were
00:48:30.890 --> 00:48:38.260
in place, was as follows. It was about
2015 I think, or 2016, It came to our
00:48:38.260 --> 00:48:43.800
attention that a British company, Sophos,
was selling bulk surveillance equipment to
00:48:43.800 --> 00:48:49.330
President al Assad of Syria, and he was
using it to basically wiretap his entire
00:48:49.330 --> 00:48:54.080
population and decide who he was going to
arrest and kill the following day. And it
00:48:54.080 --> 00:48:58.530
was sold by Sophos in fact, through a
German subsidiary. And so we went along to
00:48:58.530 --> 00:49:06.870
the export control office in Victoria
Street. A number of NGOs, the open rights
00:49:06.870 --> 00:49:11.880
group went along and Privacy International
and us and one or two others. And we said,
00:49:11.880 --> 00:49:16.480
look, according to the EU dual use
regulation, bulk intercept equipment is
00:49:16.480 --> 00:49:19.950
military equipment. It should be in the
military list. Therefore, you should be
00:49:19.950 --> 00:49:25.330
demanding an export license for this
stuff. And they found every conceivable
00:49:25.330 --> 00:49:34.100
excuse not to demand it. And it was the
lady from GCHQ there in the room who was
00:49:34.100 --> 00:49:38.280
clearly calling the shots. And she was
absolutely determined that there should be
00:49:38.280 --> 00:49:44.040
no export controls on the stuff being sold
to Syria. And eventually I said, look,
00:49:44.040 --> 00:49:47.260
it's fairly obvious what's going on here.
If there's going to be black boxes and
00:49:47.260 --> 00:49:51.110
President al-Assad's network, you want
them to be British black boxes or German
00:49:51.110 --> 00:49:55.960
black boxes, not Ukrainian or Israeli
black boxes. And she said, I cannot
00:49:55.960 --> 00:50:00.830
discuss classified matters in an open
meeting, which is as close as you get to
00:50:00.830 --> 00:50:06.840
an admission. And a couple of months
later, Angela Merkel, to her great credit,
00:50:06.840 --> 00:50:12.640
has actually come out in public and said
that allowing the equipment to be exported
00:50:12.640 --> 00:50:16.440
from Utimaco to Syria was one of the
hardest decision she'd ever taken as
00:50:16.440 --> 00:50:21.770
counselor. And that was a very difficult
tradeoff between maintaining intelligence
00:50:21.770 --> 00:50:27.470
access, given the possibility that Western
troops would be involved in Syria and the
00:50:27.470 --> 00:50:33.300
fact that the kit was being used for very
evil purposes. So that's an example of how
00:50:33.300 --> 00:50:38.280
the export controls are used in practice.
They are not used to control the harms
00:50:38.280 --> 00:50:44.330
that we as voters are told that they're
there to control. Right. They are used in
00:50:44.330 --> 00:50:49.940
all sorts of dark and dismal games. And we
really have to tackle the issue of export
00:50:49.940 --> 00:50:55.980
controls with our eyes open.
H: Yeah, yeah. There's a lot a lot to do.
00:50:55.980 --> 00:51:03.800
And now Germany has left the EU, UN
Security Council. So let's see what
00:51:03.800 --> 00:51:13.000
happens next. Yeah. We'll see, Ross.
Anything else you'd like to add? We don't
00:51:13.000 --> 00:51:19.350
have any more questions. Oh, no, we have
another question. It's just come up
00:51:19.350 --> 00:51:24.510
seconds ago. Do you think that refusal to
accept back doors will create large
00:51:24.510 --> 00:51:35.300
uncensorable applications?
R: Well, if you get large applications
00:51:35.300 --> 00:51:41.619
which are associated with significant
economic power, then low pressure gets
00:51:41.619 --> 00:51:51.450
brought to bear on those economic players
to do their social duty. And... this is what
00:51:51.450 --> 00:51:56.520
we have seen with the platforms that
intermediate content, that act as content
00:51:56.520 --> 00:52:00.220
intermediaries such as Facebook and Google
and so on, that they do a certain amount
00:52:00.220 --> 00:52:08.510
of filtering. But if, on the other hand,
you have wholesale surveillance before the
00:52:08.510 --> 00:52:13.690
fact of End-To-End encrypted stuff, then
are we moving into an environment where
00:52:13.690 --> 00:52:19.200
private speech from one person to another
is no longer permitted? You know, I don't
00:52:19.200 --> 00:52:24.490
think that's the right trade off that we
should be taking, because we all know from
00:52:24.490 --> 00:52:28.780
hard experience that when governments say,
think of the children, they're not
00:52:28.780 --> 00:52:32.090
thinking of children at all. If they were
thinking of children, they would not be
00:52:32.090 --> 00:52:36.280
selling weapons to Saudi Arabia and the
United Arab Emirates to kill children in
00:52:36.280 --> 00:52:41.850
Yemen. And they say think about terrorism.
But the censorship that we are supposed to
00:52:41.850 --> 00:52:47.880
use in universities around terrorism, the
so-called prevent duty is known to be
00:52:47.880 --> 00:52:52.280
counterproductive. It makes Muslim
students feel alienated and marginalized.
00:52:52.280 --> 00:52:57.480
So the arguments that governments use
around this are not in any way honest. And
00:52:57.480 --> 00:53:01.810
we now have 20 years experience of these
dishonest arguments. And for goodness
00:53:01.810 --> 00:53:05.550
sake, let's have a more grown up
conversation about these things.
00:53:05.550 --> 00:53:11.700
H: Now, you're totally right, even if I
have to admit, it took me a couple of
00:53:11.700 --> 00:53:24.660
years, not 20, but a lot to finally
understand, OK? This I think that's it, we
00:53:24.660 --> 00:53:31.230
just have another comment and I'm thanking
you for your time and are you in an
00:53:31.230 --> 00:53:36.680
assembly somewhere around hanging around
in the next hour or so? Maybe if someone
00:53:36.680 --> 00:53:41.860
wants to talk to you, he can just pop by
if you ever if you have used this 2d world
00:53:41.860 --> 00:53:45.260
already.
R: No, I haven't been using the 2d world.
00:53:45.260 --> 00:53:50.590
I had some issues with my browser and
getting into it. But I've got my my
00:53:50.590 --> 00:53:55.380
webpage and my email address is public and
anybody who wants to discuss these things
00:53:55.380 --> 00:53:59.740
is welcome to get in touch with me.
Herald: All right. So thanks a lot.
00:53:59.740 --> 00:54:04.195
R: Thank you for the invitation.
H: Yeah. Thanks a lot.
00:54:04.195 --> 00:54:07.800
rC3 postroll music
00:54:07.800 --> 00:54:43.050
Subtitles created by c3subtitles.de
in the year 2020. Join, and help us!