1 99:59:59,999 --> 99:59:59,999 ... wanted to be able to use 2 99:59:59,999 --> 99:59:59,999 Thunderbird and GnuPG together with Tor, 3 99:59:59,999 --> 99:59:59,999 and so we thought: 4 99:59:59,999 --> 99:59:59,999 oh, it would be really easy, I bet, 5 99:59:59,999 --> 99:59:59,999 to configure Thunderbird to work with Tor 6 99:59:59,999 --> 99:59:59,999 - hah - so a new Free software project was born. 7 99:59:59,999 --> 99:59:59,999 It's a really simple thing, but basically 8 99:59:59,999 --> 99:59:59,999 it's just a package that hooks it all together. 9 99:59:59,999 --> 99:59:59,999 So a lot of people were using Thunderbird 10 99:59:59,999 --> 99:59:59,999 and TorBirdy, and GnuPG, and Tor, 11 99:59:59,999 --> 99:59:59,999 and Debian, together for email, 12 99:59:59,999 --> 99:59:59,999 combined with Riseup as an email service. 13 99:59:59,999 --> 99:59:59,999 So it's literally a real peer to peer, Free software driven set of things, 14 99:59:59,999 --> 99:59:59,999 actually, that made it possible. 15 99:59:59,999 --> 99:59:59,999 [question]: So one thing I never understood about this 16 99:59:59,999 --> 99:59:59,999 process was exactly how the documents were handled, and maybe that's because nobody 17 99:59:59,999 --> 99:59:59,999 wants to say, but, you know, did you leave them on a server somewhere and download 18 99:59:59,999 --> 99:59:59,999 them, hand them over to people, and who took what where, and how do you... 19 99:59:59,999 --> 99:59:59,999 in case I need to do something really dangerous with a load of documents, 20 99:59:59,999 --> 99:59:59,999 what's the best way of doing it? 21 99:59:59,999 --> 99:59:59,999 [laughter] 22 99:59:59,999 --> 99:59:59,999 [Jacob]: Hmm! 23 99:59:59,999 --> 99:59:59,999 [audience member]: It's a good thing this isn't being streamed. 24 99:59:59,999 --> 99:59:59,999 I'm sorry, what? 25 99:59:59,999 --> 99:59:59,999 There was a voice from god, what did she say?
26 99:59:59,999 --> 99:59:59,999 [audience]: I said good we aren't streaming tonight. 27 99:59:59,999 --> 99:59:59,999 Oh yeah, so hello to all of our friends 28 99:59:59,999 --> 99:59:59,999 in domestic and international surveillance services. 29 99:59:59,999 --> 99:59:59,999 Well, so I won't answer your question, 30 99:59:59,999 --> 99:59:59,999 but since you asked the question, it's my turn to talk. 31 99:59:59,999 --> 99:59:59,999 So what I would say is that... 32 99:59:59,999 --> 99:59:59,999 if you want to do clandestine activities 33 99:59:59,999 --> 99:59:59,999 that you fear for your life for, 34 99:59:59,999 --> 99:59:59,999 you need to really think about the situation that you're in 35 99:59:59,999 --> 99:59:59,999 very carefully. 36 99:59:59,999 --> 99:59:59,999 And so a big part of this is operational security 37 99:59:59,999 --> 99:59:59,999 and a big part of that is compartmentalization. 38 99:59:59,999 --> 99:59:59,999 So certain people had access to certain things, 39 99:59:59,999 --> 99:59:59,999 but maybe they couldn't decrypt them, 40 99:59:59,999 --> 99:59:59,999 and certain things were moved around, 41 99:59:59,999 --> 99:59:59,999 and that's on a need to know basis, 42 99:59:59,999 --> 99:59:59,999 and those people who knew, 43 99:59:59,999 --> 99:59:59,999 which is not me - I don't know anything, I don't know what you're talking about. 44 99:59:59,999 --> 99:59:59,999 Those people knew, and then you know, 45 99:59:59,999 --> 99:59:59,999 it'll go with them to their grave. 46 99:59:59,999 --> 99:59:59,999 So if you're interested in being the next Edward Snowden, 47 99:59:59,999 --> 99:59:59,999 you need to do your homework 48 99:59:59,999 --> 99:59:59,999 in finding people that will be able to do the other part of it, let's say. 49 99:59:59,999 --> 99:59:59,999 But just in general, I mean 50 99:59:59,999 --> 99:59:59,999 compartmentalization is key, right. 51 99:59:59,999 --> 99:59:59,999 So it's not just for AppArmor profiles. 
52 99:59:59,999 --> 99:59:59,999 So you need to think about what you want to do. 53 99:59:59,999 --> 99:59:59,999 And I mean a big part of this is to consider that the network itself 54 99:59:59,999 --> 99:59:59,999 is the enemy, even though it is useful for communicating. 55 99:59:59,999 --> 99:59:59,999 So all the metadata that exists on the network 56 99:59:59,999 --> 99:59:59,999 could have tipped people off, could have caused 57 99:59:59,999 --> 99:59:59,999 this whole thing to fall apart. 58 99:59:59,999 --> 99:59:59,999 It really is amazing, I feel like you know 59 99:59:59,999 --> 99:59:59,999 two and half, three years ago, 60 99:59:59,999 --> 99:59:59,999 when you talk about Free software, 61 99:59:59,999 --> 99:59:59,999 and you talk about the idea of Free software, 62 99:59:59,999 --> 99:59:59,999 and you talk about issues relating to autonomy and privacy, and security 63 99:59:59,999 --> 99:59:59,999 you have a really different reception now than you did then, 64 99:59:59,999 --> 99:59:59,999 and that's really what it took 65 99:59:59,999 --> 99:59:59,999 to turn the world half a degree, or something, 66 99:59:59,999 --> 99:59:59,999 or a quarter of a degree or something. 67 99:59:59,999 --> 99:59:59,999 So I'm not going to tell you about detailed plans for conspiracy, 68 99:59:59,999 --> 99:59:59,999 but I highly encourage you to read about South African history, 69 99:59:59,999 --> 99:59:59,999 in particular the history of Umkhonto we Sizwe. 70 99:59:59,999 --> 99:59:59,999 They are the clandestine communications group for MK, 71 99:59:59,999 --> 99:59:59,999 or rather the operation who lay inside of MK, 72 99:59:59,999 --> 99:59:59,999 which is Umkhonto we Sizwe, 73 99:59:59,999 --> 99:59:59,999 and they are sort of with the African National Congress, 74 99:59:59,999 --> 99:59:59,999 and those people have published so many books about the revolutionary activities 75 99:59:59,999 --> 99:59:59,999 to overthrow the apartheid state. 
76 99:59:59,999 --> 99:59:59,999 If you read these books, especially the book "Operation Vula" 77 99:59:59,999 --> 99:59:59,999 and "Armed and Dangerous" by Ronnie Kasrils 78 99:59:59,999 --> 99:59:59,999 they give you some idea about what you need to do 79 99:59:59,999 --> 99:59:59,999 which is to compartmentalize, 80 99:59:59,999 --> 99:59:59,999 how to find people to do various tasks, specific tasks, 81 99:59:59,999 --> 99:59:59,999 how to work on building trust with each other, what that looks like, 82 99:59:59,999 --> 99:59:59,999 how to identify political targets, 83 99:59:59,999 --> 99:59:59,999 how you might use things like communications technology 84 99:59:59,999 --> 99:59:59,999 to change the political topic on, 85 99:59:59,999 --> 99:59:59,999 and the discussion in general. 86 99:59:59,999 --> 99:59:59,999 And I think the best way to learn about these things is to study previous people 87 99:59:59,999 --> 99:59:59,999 who have tried to do that kind of stuff. 88 99:59:59,999 --> 99:59:59,999 And the NSA is not the apartheid regime of South Africa, 89 99:59:59,999 --> 99:59:59,999 but there are still lessons to be learned there, 90 99:59:59,999 --> 99:59:59,999 so if you really want to know the answer to that, also Che Guevara's manual 91 99:59:59,999 --> 99:59:59,999 on guerilla warfare is very interesting, 92 99:59:59,999 --> 99:59:59,999 and there's a lot of other books like that. 93 99:59:59,999 --> 99:59:59,999 I'd be happy to talk about it with you later. 94 99:59:59,999 --> 99:59:59,999 And I have nothing to do with anything that we may or may not have done. 
95 99:59:59,999 --> 99:59:59,999 [laughter] 96 99:59:59,999 --> 99:59:59,999 [question]: Do you think there is a chance that things may get better 97 99:59:59,999 --> 99:59:59,999 for example I know that publicly, some programs were not extended 98 99:59:59,999 --> 99:59:59,999 but I don't know what is happening in the background 99 99:59:59,999 --> 99:59:59,999 so maybe it's the same thing but they are pretending that it's not 100 99:59:59,999 --> 99:59:59,999 How do you see this? 101 99:59:59,999 --> 99:59:59,999 [Jacob]: Well I think a couple of things. 102 99:59:59,999 --> 99:59:59,999 In general I think what happened, not just with this movie but with all of these things 103 99:59:59,999 --> 99:59:59,999 is that it inspired hope, 104 99:59:59,999 --> 99:59:59,999 and the hope is very important, 105 99:59:59,999 --> 99:59:59,999 but hope is not a strategy for survival, or for building alternatives, 106 99:59:59,999 --> 99:59:59,999 so what it has also done, is that it has allowed us to raise the profile 107 99:59:59,999 --> 99:59:59,999 of the things which actually do make it better. 108 99:59:59,999 --> 99:59:59,999 For example ridding ourselves of the chains of proprietary software 109 99:59:59,999 --> 99:59:59,999 is something that's a serious discussion with people that wouldn't have previously 110 99:59:59,999 --> 99:59:59,999 talked about Free software because they don't care about liberty, 111 99:59:59,999 --> 99:59:59,999 they care about security.
112 99:59:59,999 --> 99:59:59,999 And even though I think those are really similar things, 113 99:59:59,999 --> 99:59:59,999 previously they just thought we were just Free software hippies, 114 99:59:59,999 --> 99:59:59,999 in tie-dye shirts 115 99:59:59,999 --> 99:59:59,999 and while that may be true on the weekends and evenings 116 99:59:59,999 --> 99:59:59,999 or with Bdale every day [laughter] 117 99:59:59,999 --> 99:59:59,999 I think that actually does make it better 118 99:59:59,999 --> 99:59:59,999 And it also changes the dialogue, in the sense that it's no longer reasonable 119 99:59:59,999 --> 99:59:59,999 to pretend that mass surveillance and surveillance issues don't matter, 120 99:59:59,999 --> 99:59:59,999 because if you really go down the rabbit-hole 121 99:59:59,999 --> 99:59:59,999 of thinking about what the security services are trying to do 122 99:59:59,999 --> 99:59:59,999 it becomes obvious that we want to encrypt everything all the time 123 99:59:59,999 --> 99:59:59,999 to beat selector-based surveillance and dragnet-based surveillance. 124 99:59:59,999 --> 99:59:59,999 It doesn't matter if something is authenticated 125 99:59:59,999 --> 99:59:59,999 You could still trigger some action to take place 126 99:59:59,999 --> 99:59:59,999 with these kinds of surveillance machines 127 99:59:59,999 --> 99:59:59,999 that could for example drone strike someone, 128 99:59:59,999 --> 99:59:59,999 and so it raises that. 129 99:59:59,999 --> 99:59:59,999 And that gives me a lot of hope too, 130 99:59:59,999 --> 99:59:59,999 because people understand the root of the problem, 131 99:59:59,999 --> 99:59:59,999 or the root of many problems 132 99:59:59,999 --> 99:59:59,999 and the root of some violence in the world, actually.
133 99:59:59,999 --> 99:59:59,999 And so it helps us to reduce that violence 134 99:59:59,999 --> 99:59:59,999 by getting people to acknowledge that it's real 135 99:59:59,999 --> 99:59:59,999 and also that they care about it 136 99:59:59,999 --> 99:59:59,999 and that we care about each other. 137 99:59:59,999 --> 99:59:59,999 So that really gives me a lot of hope, and part of that is Snowden 138 99:59:59,999 --> 99:59:59,999 and part of that is the documents 139 99:59:59,999 --> 99:59:59,999 but the other part of it is that.. 140 99:59:59,999 --> 99:59:59,999 I don't want to blow it up and make it sound like we did something 141 99:59:59,999 --> 99:59:59,999 like a big deal, 142 99:59:59,999 --> 99:59:59,999 but in a sense, Laura, Glenn, myself and a number of other people 143 99:59:59,999 --> 99:59:59,999 were really not sure we would ever be able to travel home to our country 144 99:59:59,999 --> 99:59:59,999 that we wouldn't be arrested. 145 99:59:59,999 --> 99:59:59,999 I actually haven't been home in over two and half years, 146 99:59:59,999 --> 99:59:59,999 well, two years and three months or something 147 99:59:59,999 --> 99:59:59,999 I went out on a small business trip that was supposed to last two weeks 148 99:59:59,999 --> 99:59:59,999 and then this happened 149 99:59:59,999 --> 99:59:59,999 and I've been here ever since. 150 99:59:59,999 --> 99:59:59,999 It's a really long, crazy trip. 151 99:59:59,999 --> 99:59:59,999 But the point is that that's what was necessary to make some of these changes 152 99:59:59,999 --> 99:59:59,999 and eventually it will turn around 153 99:59:59,999 --> 99:59:59,999 and I will be able to go home, 154 99:59:59,999 --> 99:59:59,999 and Laura and Glenn will be able to travel to the US again.
155 99:59:59,999 --> 99:59:59,999 Obviously, Julian is still stuck in the Ecuadorian embassy 156 99:59:59,999 --> 99:59:59,999 Sarah lives in exile in Berlin, 157 99:59:59,999 --> 99:59:59,999 I live in exile in Berlin, 158 99:59:59,999 --> 99:59:59,999 And Ed is in Moscow 159 99:59:59,999 --> 99:59:59,999 So we're not finished with some of these things 160 99:59:59,999 --> 99:59:59,999 and it's also possible that we are, the set of people I mentioned, 161 99:59:59,999 --> 99:59:59,999 the state we're in, will stay that way forever. 162 99:59:59,999 --> 99:59:59,999 But what matters is that the rest of the world 163 99:59:59,999 --> 99:59:59,999 can actually move on and fix some of these problems, 164 99:59:59,999 --> 99:59:59,999 and I have a lot of hope about that. 165 99:59:59,999 --> 99:59:59,999 And I see a lot of change, that's the really big part. 166 99:59:59,999 --> 99:59:59,999 Like I see the reproducible build stuff that Holger and Lunar are working on. 167 99:59:59,999 --> 99:59:59,999 People really understand the root reason for needing to do that 168 99:59:59,999 --> 99:59:59,999 and actually seems quite reasonable to people 169 99:59:59,999 --> 99:59:59,999 who would previously have expended energy against it, 170 99:59:59,999 --> 99:59:59,999 in support of it, so I think that's really good. 171 99:59:59,999 --> 99:59:59,999 And there's a lot of other hopeful things. 172 99:59:59,999 --> 99:59:59,999 So I would try and be as uplifting as possible. 173 99:59:59,999 --> 99:59:59,999 It's not just the rum! 174 99:59:59,999 --> 99:59:59,999 [question]: Near the end of the film we saw something about another source. 175 99:59:59,999 --> 99:59:59,999 I may have been missing some news or something 176 99:59:59,999 --> 99:59:59,999 but I don't remember anything about that being public. 177 99:59:59,999 --> 99:59:59,999 Do you know what happened to them? 
178 99:59:59,999 --> 99:59:59,999 [Jacob]: As far as I know any other source that was mentioned in the film 179 99:59:59,999 --> 99:59:59,999 is still anonymous, and they're still free. 180 99:59:59,999 --> 99:59:59,999 I'm not exactly sure because I was not involved in that part 181 99:59:59,999 --> 99:59:59,999 but I also saw the end of the film 182 99:59:59,999 --> 99:59:59,999 and I've seen a bunch of other reporting which wasn't attributed to anyone in particular 183 99:59:59,999 --> 99:59:59,999 So the good news... there's an old slogan from the Dutch hacker community, right? 184 99:59:59,999 --> 99:59:59,999 "Someone you trust is one of us, 185 99:59:59,999 --> 99:59:59,999 and the leak is higher up in the chain of command than you" 186 99:59:59,999 --> 99:59:59,999 And I feel like that might be true again, hopefully. 187 99:59:59,999 --> 99:59:59,999 I think that guy has a question as well. 188 99:59:59,999 --> 99:59:59,999 [question]: Part of the problem initially was that encryption software 189 99:59:59,999 --> 99:59:59,999 was not so easy to use, right? 190 99:59:59,999 --> 99:59:59,999 And I think part of the challenge for everyone 191 99:59:59,999 --> 99:59:59,999 was to improve on that situation to make it better 192 99:59:59,999 --> 99:59:59,999 so I'm asking you if you've observed any change and to the rest of the room 193 99:59:59,999 --> 99:59:59,999 have we done anything to improve on that? 194 99:59:59,999 --> 99:59:59,999 [Jacob]: I definitely think that there is a lot of free software 195 99:59:59,999 --> 99:59:59,999 that makes encryption easier to use, 196 99:59:59,999 --> 99:59:59,999 though not always on free platforms, which really is heart-breaking. 
197 99:59:59,999 --> 99:59:59,999 For example Moxie Marlinspike has done a really good job 198 99:59:59,999 --> 99:59:59,999 with Signal, TextSecure and RedPhone 199 99:59:59,999 --> 99:59:59,999 and making end-to-end, encrypted calling, texting, sexting, 200 99:59:59,999 --> 99:59:59,999 and whatever apps, 201 99:59:59,999 --> 99:59:59,999 sext-secure is what I think it's nicknamed 202 99:59:59,999 --> 99:59:59,999 and I'm very impressed by that, and it works really well 203 99:59:59,999 --> 99:59:59,999 and it's something which in the last two years 204 99:59:59,999 --> 99:59:59,999 if you have a cell-phone, which I don't recommend 205 99:59:59,999 --> 99:59:59,999 but if you have a cell-phone, and you put in everyone's phone number, 206 99:59:59,999 --> 99:59:59,999 a lot of people that I would classify as non-technical people, 207 99:59:59,999 --> 99:59:59,999 that don't care about Free software as a hobby or as a passion 208 99:59:59,999 --> 99:59:59,999 or as a profession. 209 99:59:59,999 --> 99:59:59,999 You see their names in those systems 210 99:59:59,999 --> 99:59:59,999 often more than some of the Free software people, 211 99:59:59,999 --> 99:59:59,999 and that's really impressive to me, 212 99:59:59,999 --> 99:59:59,999 and I think there's been a huge shift just generally about those sorts of things 213 99:59:59,999 --> 99:59:59,999 also about social responsibility, 214 99:59:59,999 --> 99:59:59,999 or people understand they have a responsibility to other people 215 99:59:59,999 --> 99:59:59,999 to encrypt communications, and not to put people in harm's way 216 99:59:59,999 --> 99:59:59,999 by sending unsafe stuff over unsafe communication lines. 217 99:59:59,999 --> 99:59:59,999 So I think in my personal view it's better. 218 99:59:59,999 --> 99:59:59,999 But the original problem wasn't actually that the encryption was hard to use.
219 99:59:59,999 --> 99:59:59,999 I think the main problem is people didn't understand the reason 220 99:59:59,999 --> 99:59:59,999 that it needed to be done 221 99:59:59,999 --> 99:59:59,999 and they believed the lie that is targeted versus mass surveillance. 222 99:59:59,999 --> 99:59:59,999 And there's a big lie, and the lie is that there is such a thing 223 99:59:59,999 --> 99:59:59,999 as targeted surveillance. 224 99:59:59,999 --> 99:59:59,999 In the modern era, most so-called targeted surveillance actually happens 225 99:59:59,999 --> 99:59:59,999 through mass surveillance. 226 99:59:59,999 --> 99:59:59,999 They gather everything up, and then they look through the thing 227 99:59:59,999 --> 99:59:59,999 they've already seized. 228 99:59:59,999 --> 99:59:59,999 And of course there are targeted, focussed attacks. 229 99:59:59,999 --> 99:59:59,999 But the main thing is that the abuse of surveillance often happens 230 99:59:59,999 --> 99:59:59,999 on an individual basis. 231 99:59:59,999 --> 99:59:59,999 It also has a societal cost. 232 99:59:59,999 --> 99:59:59,999 I think a lot of people really understand that. 233 99:59:59,999 --> 99:59:59,999 It's probably because I also live in Germany now for the last two years 234 99:59:59,999 --> 99:59:59,999 but I feel that German society in particular is extremely aware 235 99:59:59,999 --> 99:59:59,999 of these abuses in the modern world 236 99:59:59,999 --> 99:59:59,999 and they have a historical context that allows them to talk about it 237 99:59:59,999 --> 99:59:59,999 with the rest of the world, where the world doesn't downplay it. 238 99:59:59,999 --> 99:59:59,999 So this is how other people relate to Germany 239 99:59:59,999 --> 99:59:59,999 not just about Germans relate to each other.
240 99:59:59,999 --> 99:59:59,999 And that has also been really good for just meeting regular people 241 99:59:59,999 --> 99:59:59,999 who really care about it, 242 99:59:59,999 --> 99:59:59,999 and who really want to do things. 243 99:59:59,999 --> 99:59:59,999 So people's parents email me, and are like 244 99:59:59,999 --> 99:59:59,999 "I want to protect my children, 245 99:59:59,999 --> 99:59:59,999 what's the best way to use crypto with them?" 246 99:59:59,999 --> 99:59:59,999 You know, things like that. 247 99:59:59,999 --> 99:59:59,999 And I didn't ever receive emails like that in the past 248 99:59:59,999 --> 99:59:59,999 and that to me is uplifting and very positive. 249 99:59:59,999 --> 99:59:59,999 [question]: A quick organisational question. 250 99:59:59,999 --> 99:59:59,999 Right now we're live-streaming the Q&A. Are you comfortable with that? 251 99:59:59,999 --> 99:59:59,999 [Jacob]: I don't think in the last three years I've ever had a moment 252 99:59:59,999 --> 99:59:59,999 that wasn't being recorded. 253 99:59:59,999 --> 99:59:59,999 [laughter, applause] 254 99:59:59,999 --> 99:59:59,999 [question]: If you're fine with it, moving on... 255 99:59:59,999 --> 99:59:59,999 [Jacob]: That's fine, just don't do it when I'm trying to sleep. 256 99:59:59,999 --> 99:59:59,999 [question]: I was wondering why Laura and you ended up in Germany 257 99:59:59,999 --> 99:59:59,999 because what you said about people in Germany might be true 258 99:59:59,999 --> 99:59:59,999 but I'm really ashamed about my Government and how they dealt with ???? 259 99:59:59,999 --> 99:59:59,999 and they are doing nothing for this.
260 99:59:59,999 --> 99:59:59,999 [Jacob]: The reason that we ended up in Germany 261 99:59:59,999 --> 99:59:59,999 is that I'd been attending Chaos Computer Club events 262 99:59:59,999 --> 99:59:59,999 for many years 263 99:59:59,999 --> 99:59:59,999 and there are a bunch of people that are part of the Chaos Computer Club 264 99:59:59,999 --> 99:59:59,999 who are really supportive, and good people, 265 99:59:59,999 --> 99:59:59,999 who have a stable base, and an infrastructure. 266 99:59:59,999 --> 99:59:59,999 The German hacker scene has this phenomenon which is that 267 99:59:59,999 --> 99:59:59,999 it's a part of society. 268 99:59:59,999 --> 99:59:59,999 So there are people in the CCC who will talk with the constitutional court 269 99:59:59,999 --> 99:59:59,999 for example, 270 99:59:59,999 --> 99:59:59,999 and that creates a much more stable society 271 99:59:59,999 --> 99:59:59,999 and those people were willing to help us. 272 99:59:59,999 --> 99:59:59,999 They were willing to hold footage, to hold encrypted data. 273 99:59:59,999 --> 99:59:59,999 They were willing to help modify hardware. 274 99:59:59,999 --> 99:59:59,999 There was a huge base of support where people, even if they had fear, 275 99:59:59,999 --> 99:59:59,999 they did stuff anyway. 276 99:59:59,999 --> 99:59:59,999 And that support went back a long time. 277 99:59:59,999 --> 99:59:59,999 And so we knew that it would be safe to store footage for the film here. 278 99:59:59,999 --> 99:59:59,999 In Berlin, not in Heidelberg, but here in Germany. 279 99:59:59,999 --> 99:59:59,999 And we knew that, of course, there were people that would be helpful. 280 99:59:59,999 --> 99:59:59,999 In the US there's a much bigger culture of fear.
281 99:59:59,999 --> 99:59:59,999 People are afraid of having their houses raided by the police, 282 99:59:59,999 --> 99:59:59,999 where there's lots of detainments at the borders, 283 99:59:59,999 --> 99:59:59,999 where there's lots of speculative arrests, 284 99:59:59,999 --> 99:59:59,999 journalists that are jailed, 285 99:59:59,999 --> 99:59:59,999 so the situation was not to say that Germany was perfect. 286 99:59:59,999 --> 99:59:59,999 I revealed in Der Spiegel with three other journalists that Merkel was spied on 287 99:59:59,999 --> 99:59:59,999 by the NSA. 288 99:59:59,999 --> 99:59:59,999 And it's clear that the German government was complicit 289 99:59:59,999 --> 99:59:59,999 with some of this surveillance. 290 99:59:59,999 --> 99:59:59,999 But in a sort of pyramid of surveillance there's a sort of colonialism 291 99:59:59,999 --> 99:59:59,999 that takes place. 292 99:59:59,999 --> 99:59:59,999 And that the NSA and GCHQ are at the top. 293 99:59:59,999 --> 99:59:59,999 And the Germans are a little bit below that. 294 99:59:59,999 --> 99:59:59,999 The thing is that there's not a lot you do about that. 295 99:59:59,999 --> 99:59:59,999 And so even though we revealed this about Merkel, 296 99:59:59,999 --> 99:59:59,999 it's not clear what she should do. 297 99:59:59,999 --> 99:59:59,999 It's not clear what anyone should do. 298 99:59:59,999 --> 99:59:59,999 But one thing that was clear was that if they wanted to break into our houses 299 99:59:59,999 --> 99:59:59,999 they would do it in a way that would cost them a lot politically. 300 99:59:59,999 --> 99:59:59,999 It would be very public. 301 99:59:59,999 --> 99:59:59,999 The last time someone raided someone working with Der Spiegel 302 99:59:59,999 --> 99:59:59,999 was in 1962 during the Spiegel affair, 303 99:59:59,999 --> 99:59:59,999 and some ministers were kicked out.
304 99:59:59,999 --> 99:59:59,999 You may have seen recently the Landesverrat thing 305 99:59:59,999 --> 99:59:59,999 with Netzpolitik. 306 99:59:59,999 --> 99:59:59,999 The charges against them now have been dropped. 307 99:59:59,999 --> 99:59:59,999 That would never happen in the United States. 308 99:59:59,999 --> 99:59:59,999 We would not be safe. 309 99:59:59,999 --> 99:59:59,999 And I still, for my investigative journalism, 310 99:59:59,999 --> 99:59:59,999 and my work with WikiLeaks, 311 99:59:59,999 --> 99:59:59,999 and my work with the Tor project, 312 99:59:59,999 --> 99:59:59,999 I wouldn't even go back to the US, 313 99:59:59,999 --> 99:59:59,999 because there's no chance that if they wanted to do something to me 314 99:59:59,999 --> 99:59:59,999 that I would have any constitutional liberties, I think, 315 99:59:59,999 --> 99:59:59,999 and the same is true of Snowden. 316 99:59:59,999 --> 99:59:59,999 You just won't get that fair trial. 317 99:59:59,999 --> 99:59:59,999 And we thought at least here we would have ground to stand and fight on. 318 99:59:59,999 --> 99:59:59,999 And it's exactly what happened, and we won. 319 99:59:59,999 --> 99:59:59,999 [question]: This is also about the fear stuff that you talk about 320 99:59:59,999 --> 99:59:59,999 which is in the very old days we used to put red words in the end of every message 321 99:59:59,999 --> 99:59:59,999 to make sure that it would be hard to find the actual subversive message 322 99:59:59,999 --> 99:59:59,999 among all the noise. 323 99:59:59,999 --> 99:59:59,999 And you can think about the same thing here. 324 99:59:59,999 --> 99:59:59,999 Should we build our systems so that everything gets encrypted all the time? 325 99:59:59,999 --> 99:59:59,999 [Jacob]: So I have a lot of radical suggestions for what to do, 326 99:59:59,999 --> 99:59:59,999 but I'm going to talk about them tomorrow in the keynote mostly.
327 99:59:59,999 --> 99:59:59,999 But to give you an example, if you install Debian, 328 99:59:59,999 --> 99:59:59,999 you can give someone the ability to log into the machine 329 99:59:59,999 --> 99:59:59,999 over a Tor hidden service for free. 330 99:59:59,999 --> 99:59:59,999 You get a free .onion when you add two lines to a Tor configuration file. 331 99:59:59,999 --> 99:59:59,999 We should make encryption not only easy to use but out of the box 332 99:59:59,999 --> 99:59:59,999 we should have it possible to have end-to-end reachability and connectivity, 333 99:59:59,999 --> 99:59:59,999 and we should reduce the total amount of metadata, to make it harder for people 334 99:59:59,999 --> 99:59:59,999 who want to break the law, that want to break into computers. 335 99:59:59,999 --> 99:59:59,999 We should solve the problem of adversarial versus non-adversarial forensics 336 99:59:59,999 --> 99:59:59,999 so we can verify our systems with open hardware and Free software together. 337 99:59:59,999 --> 99:59:59,999 And there's a lot to be done, but the main thing to do is to recognise 338 99:59:59,999 --> 99:59:59,999 that if you have the ability to upload to Debian, 339 99:59:59,999 --> 99:59:59,999 there are literally intelligence agencies that would like those keys. 340 99:59:59,999 --> 99:59:59,999 And we have a great responsibility to humanity as Debian developers 341 99:59:59,999 --> 99:59:59,999 to do the right thing: to build open systems, 342 99:59:59,999 --> 99:59:59,999 to build them in a way where users don't need to understand this stuff. 343 99:59:59,999 --> 99:59:59,999 There are a lot of people in the world that will never see this film. 344 99:59:59,999 --> 99:59:59,999 And we can solve the problems that this film describes largely with Free software. 345 99:59:59,999 --> 99:59:59,999 And we can do that without them knowing, 346 99:59:59,999 --> 99:59:59,999 and they will be safe for us having done that.
347 99:59:59,999 --> 99:59:59,999 And if we can do that, the world will be a better place, I think. 348 99:59:59,999 --> 99:59:59,999 And I think the world is a better place because of the efforts that were 349 99:59:59,999 --> 99:59:59,999 already done in that area, that made this possible. 350 99:59:59,999 --> 99:59:59,999 The Tails project made it so that a bunch of people 351 99:59:59,999 --> 99:59:59,999 who were good at investigative journalism, 352 99:59:59,999 --> 99:59:59,999 but absolutely terrible with computers, were able to pull this off. 353 99:59:59,999 --> 99:59:59,999 And that is entirely the product, in my opinion, of Free software. 354 99:59:59,999 --> 99:59:59,999 And a little bit of Laura and Glenn, but I'd say a lot of Free software. 355 99:59:59,999 --> 99:59:59,999 [question]: How many people do you think NSA has 356 99:59:59,999 --> 99:59:59,999 working within the Debian community? 357 99:59:59,999 --> 99:59:59,999 [laughter, applause] 358 99:59:59,999 --> 99:59:59,999 [Jacob]: Well, I looked in the Snowden archive about that actually. 359 99:59:59,999 --> 99:59:59,999 [laughter, applause] 360 99:59:59,999 --> 99:59:59,999 Yeah. And as far as I can Debian is not a high priority target for them. 361 99:59:59,999 --> 99:59:59,999 I mean they write exploits for all sort of stuff 362 99:59:59,999 --> 99:59:59,999 but I never found any systematic attempt to compromise or harm the Debian project. 363 99:59:59,999 --> 99:59:59,999 But obviously there are people who are paid by the NSA to infiltrate communities, 364 99:59:59,999 --> 99:59:59,999 and that's why we have to open transparent processes 365 99:59:59,999 --> 99:59:59,999 so that if those people behave badly, we have an audit trail. 366 99:59:59,999 --> 99:59:59,999 We won't ever stop that kind of stuff, 367 99:59:59,999 --> 99:59:59,999 but what matters is that people do good things.
368 99:59:59,999 --> 99:59:59,999 It doesn't matter who they do bad things for as long as we can correct those things 369 99:59:59,999 --> 99:59:59,999 and/or catch them and stop them before it happens. 370 99:59:59,999 --> 99:59:59,999 But as far as I know there are only a couple of people that have ever 371 99:59:59,999 --> 99:59:59,999 been associated with the NSA in the Debian community. 372 99:59:59,999 --> 99:59:59,999 But I think we shouldn't get paranoid about it, 373 99:59:59,999 --> 99:59:59,999 but we should just be prudent about our processes, 374 99:59:59,999 --> 99:59:59,999 because there are lots of intelligence services around the world 375 99:59:59,999 --> 99:59:59,999 that do not like the values of a universal operating system, 376 99:59:59,999 --> 99:59:59,999 so I don't think it's super-important to look, but I did actually look, 377 99:59:59,999 --> 99:59:59,999 very specifically for a whole bunch of people in the Debian community 378 99:59:59,999 --> 99:59:59,999 to see if any of them also were being paid by the NSA 379 99:59:59,999 --> 99:59:59,999 and I didn't find any serious thing that raised concern, 380 99:59:59,999 --> 99:59:59,999 and if I did, I would have... 381 99:59:59,999 --> 99:59:59,999 I mean, there were lots of things I found in the archive that I immediately 382 99:59:59,999 --> 99:59:59,999 notified security teams about. 383 99:59:59,999 --> 99:59:59,999 Where I worked along with many other people to actually fix those things. 384 99:59:59,999 --> 99:59:59,999 And one of those things, if we had found them, like infiltrators in Debian, 385 99:59:59,999 --> 99:59:59,999 I absolutely would have just told people about. 
386 99:59:59,999 --> 99:59:59,999 The problem is that a lot of the journalists don't want to do that 387 99:59:59,999 --> 99:59:59,999 because there's a ten year felony where you go to prison - 388 99:59:59,999 --> 99:59:59,999 a federal American prison - 389 99:59:59,999 --> 99:59:59,999 if you reveal the name of an agent. 390 99:59:59,999 --> 99:59:59,999 So there's a tension there, 391 99:59:59,999 --> 99:59:59,999 but I think that there's something to be said, 392 99:59:59,999 --> 99:59:59,999 if they're actually actively harming the community 393 99:59:59,999 --> 99:59:59,999 and they're committing a crime, 394 99:59:59,999 --> 99:59:59,999 I think there's something to be said about that. 395 99:59:59,999 --> 99:59:59,999 So if I found that I think it would be worthwhile, 396 99:59:59,999 --> 99:59:59,999 but just so you know, there's this high cost. 397 99:59:59,999 --> 99:59:59,999 So if there were people in the agency now, 398 99:59:59,999 --> 99:59:59,999 because they say that we used Tails, and Debian, and they wanted to subvert it, 399 99:59:59,999 --> 99:59:59,999 there's a really really high bar for punishment. 400 99:59:59,999 --> 99:59:59,999 Which suggests that maybe people won't tell you. 401 99:59:59,999 --> 99:59:59,999 So we need to sort of bank on the fact that we'll never know, 402 99:59:59,999 --> 99:59:59,999 but we don't need to know, as long as we have good processes 403 99:59:59,999 --> 99:59:59,999 that would catch bad behaviour. 404 99:59:59,999 --> 99:59:59,999 And that's one of the strengths of Debian. 405 99:59:59,999 --> 99:59:59,999 There are very few operating systems, I think, 406 99:59:59,999 --> 99:59:59,999 and just in general Free software communities, 407 99:59:59,999 --> 99:59:59,999 that are as diverse, and committed to the openness and the Free software nature 408 99:59:59,999 --> 99:59:59,999 of this kind of a project, 409 99:59:59,999 --> 99:59:59,999 and so it's very important to state that. 
410 99:59:59,999 --> 99:59:59,999 But I do think one of the things that will happen in the future at some point 411 99:59:59,999 --> 99:59:59,999 is that you'll start to find people in the Debian community that are pressured 412 99:59:59,999 --> 99:59:59,999 by other people to do bad things 413 99:59:59,999 --> 99:59:59,999 so we need to set up processes that will stop that, 414 99:59:59,999 --> 99:59:59,999 to create an incentive for that not happening. 415 99:59:59,999 --> 99:59:59,999 But it's really tough, 416 99:59:59,999 --> 99:59:59,999 so I think that openness, transparency and accountability are the ways that 417 99:59:59,999 --> 99:59:59,999 we can combat that, because otherwise we won't really be able to solve it. 418 99:59:59,999 --> 99:59:59,999 But don't be paranoid, is the other thing. 419 99:59:59,999 --> 99:59:59,999 They really are out to get you, so be prepared. 420 99:59:59,999 --> 99:59:59,999 [laughter, applause] 421 99:59:59,999 --> 99:59:59,999 [question]: I'm just wondering how trust was established 422 99:59:59,999 --> 99:59:59,999 because I'm just realizing that this community, 423 99:59:59,999 --> 99:59:59,999 for you to verify your public key and even fingerprint is like, 424 99:59:59,999 --> 99:59:59,999 you have to produce your passport, 425 99:59:59,999 --> 99:59:59,999 so I'm wondering how Laura managed to exchange her keys with Snowden 426 99:59:59,999 --> 99:59:59,999 and make sure that they were really talking to the right person. 427 99:59:59,999 --> 99:59:59,999 [Julian]: Well, they had a whole sort of dance for doing key exchange. 428 99:59:59,999 --> 99:59:59,999 I think it was a little bit luck, and a little bit transitive trust, 429 99:59:59,999 --> 99:59:59,999 there's a little bit of the web of trust, 430 99:59:59,999 --> 99:59:59,999 and it worked pretty well.
431 99:59:59,999 --> 99:59:59,999 I mean, I don't think that the key-signing stuff that Debian does is anything close 432 99:59:59,999 --> 99:59:59,999 to what they were doing. 433 99:59:59,999 --> 99:59:59,999 They just wanted to make sure that the keys they had were the right keys, 434 99:59:59,999 --> 99:59:59,999 and that they weren't compromised, 435 99:59:59,999 --> 99:59:59,999 and that then they would change things. 436 99:59:59,999 --> 99:59:59,999 There was a point in the movie where they said: 437 99:59:59,999 --> 99:59:59,999 "let's disassociate our meta-data one more time" 438 99:59:59,999 --> 99:59:59,999 And what that means is they changed all of the identifiers that are visible 439 99:59:59,999 --> 99:59:59,999 to the network, new keys, new email addresses, new Tor circuit, etc 440 99:59:59,999 --> 99:59:59,999 and this is like a key consistency thing, 441 99:59:59,999 --> 99:59:59,999 where they had the right key to begin with and they continued to rotate over new keys. 442 99:59:59,999 --> 99:59:59,999 This is also sometimes called TOFU. 443 99:59:59,999 --> 99:59:59,999 This is, I think, weaker than the web of trust, 444 99:59:59,999 --> 99:59:59,999 but a lot easier for people to do, and very easy to explain, 445 99:59:59,999 --> 99:59:59,999 and it worked out pretty well. 446 99:59:59,999 --> 99:59:59,999 It doesn't scale really well, but it has a separate good side 447 99:59:59,999 --> 99:59:59,999 which is the web of trust explicitly names a web of co-conspirators. 448 99:59:59,999 --> 99:59:59,999 And so you don't want that feature. 449 99:59:59,999 --> 99:59:59,999 It's useful for something like Debian; 450 99:59:59,999 --> 99:59:59,999 it's not useful for clandestine conspiracies to commit 451 99:59:59,999 --> 99:59:59,999 investigative journalism. 452 99:59:59,999 --> 99:59:59,999 [laughter] 453 99:59:59,999 --> 99:59:59,999 Lots of questions, this is great.
454 99:59:59,999 --> 99:59:59,999 [question]: Somebody working on Tails told me that the NSA has a file on every DD. 455 99:59:59,999 --> 99:59:59,999 Is that true, do you know? 456 99:59:59,999 --> 99:59:59,999 [Julian]: Okay, so when you balance your check-book, 457 99:59:59,999 --> 99:59:59,999 just to answer your question in a really strange way, 458 99:59:59,999 --> 99:59:59,999 when you balance your check-book, or you balance your bank account, 459 99:59:59,999 --> 99:59:59,999 and you think this is how much my rent is, this is how much food is, 460 99:59:59,999 --> 99:59:59,999 this is how much I have to spend on some new hardware, 461 99:59:59,999 --> 99:59:59,999 you think about money in an individual way. 462 99:59:59,999 --> 99:59:59,999 But if you think about it as a state, the way a state thinks about money. 463 99:59:59,999 --> 99:59:59,999 They don't balance budgets the same way that you do. 464 99:59:59,999 --> 99:59:59,999 They think about long-term investments very differently. 465 99:59:59,999 --> 99:59:59,999 They have other people's money. 466 99:59:59,999 --> 99:59:59,999 It's a whole different way of managing it. 467 99:59:59,999 --> 99:59:59,999 And the NSA is not the Stasi. So it's not that you have to worry about whether 468 99:59:59,999 --> 99:59:59,999 they have a file on you, or every Debian developer, 469 99:59:59,999 --> 99:59:59,999 but rather there exist some laws in the United States that say 470 99:59:59,999 --> 99:59:59,999 for cyber-security purposes, you don't have constitutional rights 471 99:59:59,999 --> 99:59:59,999 and based on your accent, you weren't an American anyway, 472 99:59:59,999 --> 99:59:59,999 and you aren't in America, 473 99:59:59,999 --> 99:59:59,999 so you don't have any rights at all, anyway, according to them. 474 99:59:59,999 --> 99:59:59,999 They're just allowed to do whatever they want to you, 475 99:59:59,999 --> 99:59:59,999 up to and including murdering you, with the CIA.
476 99:59:59,999 --> 99:59:59,999 That's what they do with drones; that was at the very end of the movie. 477 99:59:59,999 --> 99:59:59,999 So it's not that they have a file on you. 478 99:59:59,999 --> 99:59:59,999 It's that they have giant databases full of information on all of us, 479 99:59:59,999 --> 99:59:59,999 and then when they're interested in you, pull up all your data, 480 99:59:59,999 --> 99:59:59,999 and associative data, 481 99:59:59,999 --> 99:59:59,999 and then they use that, and sometimes they use it to target you, 482 99:59:59,999 --> 99:59:59,999 to break into your machines, or to find people to exert pressure on, 483 99:59:59,999 --> 99:59:59,999 or to do psychological manipulation on. 484 99:59:59,999 --> 99:59:59,999 All that stuff, they do all of those things. 485 99:59:59,999 --> 99:59:59,999 And so it's not that they have one file on you. 486 99:59:59,999 --> 99:59:59,999 Though maybe, it depends, if you work on a critical package like the Linux kernel 487 99:59:59,999 --> 99:59:59,999 they might be more interested in you than if you work on something else. 488 99:59:59,999 --> 99:59:59,999 I don't want to denigrate anyone's work, but they have very specific focuses, 489 99:59:59,999 --> 99:59:59,999 and so they definitely are interested in being able to compromise systems, right? 490 99:59:59,999 --> 99:59:59,999 And so you may also have a file, but it's really the meta list that's the new way 491 99:59:59,999 --> 99:59:59,999 of thinking about it. 492 99:59:59,999 --> 99:59:59,999 And in some senses I think that's actually scarier, because they just hoover up 493 99:59:59,999 --> 99:59:59,999 everything, all across the whole Internet, 494 99:59:59,999 --> 99:59:59,999 and things that are interesting, then they have them.
495 99:59:59,999 --> 99:59:59,999 And depending on what interesting things are there, they maybe 496 99:59:59,999 --> 99:59:59,999 put those in a database that lasts for ever, 497 99:59:59,999 --> 99:59:59,999 or maybe it's just around for 30 days, 498 99:59:59,999 --> 99:59:59,999 or maybe it's full content for 9 days, or something like that. 499 99:59:59,999 --> 99:59:59,999 And then of course if you are a person of interest 500 99:59:59,999 --> 99:59:59,999 they do do the same stuff that the Stasi does, 501 99:59:59,999 --> 99:59:59,999 they do that Zersetzung stuff, if you're familiar with this German term, 502 99:59:59,999 --> 99:59:59,999 disintegration, they do that kind of stuff, along with JTRIG, from GCHQ, 503 99:59:59,999 --> 99:59:59,999 so they harass people, blackmail them, do all sorts of really nasty stuff. 504 99:59:59,999 --> 99:59:59,999 And they do that also, so both of those things. 505 99:59:59,999 --> 99:59:59,999 So again, I don't think you should be paranoid, you should encrypt your stuff, 506 99:59:59,999 --> 99:59:59,999 and help people do the same, 507 99:59:59,999 --> 99:59:59,999 and know that in a democratic society with a secret political police, 508 99:59:59,999 --> 99:59:59,999 the right place to be is in their database, right? 509 99:59:59,999 --> 99:59:59,999 You should be proud of being surveilled by them, 510 99:59:59,999 --> 99:59:59,999 it means you're doing the right thing. 511 99:59:59,999 --> 99:59:59,999 [laughter, applause] 512 99:59:59,999 --> 99:59:59,999 Nonetheless, we should stop them. 513 99:59:59,999 --> 99:59:59,999 [question]: I'm curious about your views about Snowden actually coming out 514 99:59:59,999 --> 99:59:59,999 and saying he was the whistleblower, 515 99:59:59,999 --> 99:59:59,999 because I know, when he came out, I had some fierce discussion 516 99:59:59,999 --> 99:59:59,999 with friends about it, so I wanted to know what you thought about it.
517 99:59:59,999 --> 99:59:59,999 [Jacob]: What do you mean came out? 518 99:59:59,999 --> 99:59:59,999 [question]: He said I'm Edward Snowden, I'm the whistle-blower, here I am, 519 99:59:59,999 --> 99:59:59,999 instead of just being anonymous the whole way, just sending files to people. 520 99:59:59,999 --> 99:59:59,999 [Jacob]: Well, I think the main thing is that it's about control of 521 99:59:59,999 --> 99:59:59,999 your own narrative, right? 522 99:59:59,999 --> 99:59:59,999 I mean if we could have done everything here anonymous, and gotten away with it, 523 99:59:59,999 --> 99:59:59,999 would that have made the same impact 524 99:59:59,999 --> 99:59:59,999 in getting other people to come forward even if they maintain their anonymity? 525 99:59:59,999 --> 99:59:59,999 So I think that what Snowden did, what's beautiful about it, 526 99:59:59,999 --> 99:59:59,999 is that he basically did enough, 527 99:59:59,999 --> 99:59:59,999 where he could then survive. 528 99:59:59,999 --> 99:59:59,999 Our job now for the most part, a very good friend told me, 529 99:59:59,999 --> 99:59:59,999 he's a little bit of a fatalist, he said: 530 99:59:59,999 --> 99:59:59,999 your job, Laura's job, Glenn's job, Snowden's job, your job now is 531 99:59:59,999 --> 99:59:59,999 just to survive. 532 99:59:59,999 --> 99:59:59,999 That's all that you need to do now. You don't need to do anything else. 533 99:59:59,999 --> 99:59:59,999 You should go do other things, like drink a glass of wine, relax, be happy, 534 99:59:59,999 --> 99:59:59,999 have a nice life, but just survive, 535 99:59:59,999 --> 99:59:59,999 so other people can see that you do the right thing, you couldn't have done more, 536 99:59:59,999 --> 99:59:59,999 you did enough, and you lived through it.
537 99:59:59,999 --> 99:59:59,999 And so Snowden coming out and telling us all of these things, I mean, 538 99:59:59,999 --> 99:59:59,999 there are really powerful people saying he should be assassinated, right, 539 99:59:59,999 --> 99:59:59,999 hung by the neck until dead, was what one of the CIA people said. 540 99:59:59,999 --> 99:59:59,999 So he probably could have continued to be anonymous for a while, 541 99:59:59,999 --> 99:59:59,999 but imagine if the NSA had got to reveal his identity. 542 99:59:59,999 --> 99:59:59,999 How would that have been framed, what would the first impression have been? 543 99:59:59,999 --> 99:59:59,999 I think they called him a narcissist, and they called him all these terrible names. 544 99:59:59,999 --> 99:59:59,999 And it didn't really stick, because he basically said "come at me bro', 545 99:59:59,999 --> 99:59:59,999 I'm ready, and you can do your worst, but you can't get rid of the facts, 546 99:59:59,999 --> 99:59:59,999 so let's talk about the facts." 547 99:59:59,999 --> 99:59:59,999 And I think the timing of how he did that is good, because he really cared 548 99:59:59,999 --> 99:59:59,999 about the issues, but he also recognized that it was a matter of time, 549 99:59:59,999 --> 99:59:59,999 the NSA police went to his house, they really bothered his family, 550 99:59:59,999 --> 99:59:59,999 they've done that with my family as well, other people's families have had trouble. 551 99:59:59,999 --> 99:59:59,999 So I think it's tough, because I think he probably would have liked to have 552 99:59:59,999 --> 99:59:59,999 been able to not have that happen, but there comes a point at which 553 99:59:59,999 --> 99:59:59,999 you're the person who has access to all that information 554 99:59:59,999 --> 99:59:59,999 and they're going to figure it out. 555 99:59:59,999 --> 99:59:59,999 No amount of anonymity, I think, will last forever, but it can buy you time.
556 99:59:59,999 --> 99:59:59,999 He got exactly the amount of time he needed. 557 99:59:59,999 --> 99:59:59,999 The really sad part about him coming out in public when he did, though, was that 558 99:59:59,999 --> 99:59:59,999 he got stuck in Russia, because my government cancelled his passport. 559 99:59:59,999 --> 99:59:59,999 I think mostly for propaganda reasons. 560 99:59:59,999 --> 99:59:59,999 Because in the United States, we denigrate all things relating to Russia. 561 99:59:59,999 --> 99:59:59,999 And there are lots of problems with Russia, 562 99:59:59,999 --> 99:59:59,999 and especially with Vladimir Putin, 563 99:59:59,999 --> 99:59:59,999 but at the same time that seems to be the only country that was willing to uphold 564 99:59:59,999 --> 99:59:59,999 his fundamental liberties. 565 99:59:59,999 --> 99:59:59,999 I went to the Council of Europe, and to the European Parliament, 566 99:59:59,999 --> 99:59:59,999 to the German Parliament, to the French, sort of to the French Parliament, 567 99:59:59,999 --> 99:59:59,999 they didn't really want to meet with me, but also to the Austrian Parliament, 568 99:59:59,999 --> 99:59:59,999 and to a number of other places, 569 99:59:59,999 --> 99:59:59,999 and everyone said, oh, we would really love to help anybody who needs help, 570 99:59:59,999 --> 99:59:59,999 oh it's Edward Snowden, never mind. 571 99:59:59,999 --> 99:59:59,999 [laughter] 572 99:59:59,999 --> 99:59:59,999 And so though I have a lot of critiques on Russia, the propaganda aspect of it 573 99:59:59,999 --> 99:59:59,999 was very damaging for him to be stuck in Russia, 574 99:59:59,999 --> 99:59:59,999 but on the other hand, he's still alive, and he's still mostly free. 575 99:59:59,999 --> 99:59:59,999 And they recognized his right to receive asylum.
576 99:59:59,999 --> 99:59:59,999 So there's a lot of trade-offs to think identifying one's self, 577 99:59:59,999 --> 99:59:59,999 and if you were thinking about being the next Snowden, 578 99:59:59,999 --> 99:59:59,999 or helping the next Snowden, or helping Snowden, or something like that, 579 99:59:59,999 --> 99:59:59,999 you really have to think that, you really have to think this out many steps ahead, 580 99:59:59,999 --> 99:59:59,999 and it's easy to say, oh he should have just stayed anonymous and 581 99:59:59,999 --> 99:59:59,999 nobody would have figured it out, 582 99:59:59,999 --> 99:59:59,999 but that's very clearly not planning the case that they do figure it out, 583 99:59:59,999 --> 99:59:59,999 and then they're going to be in control of the narrative, 584 99:59:59,999 --> 99:59:59,999 and in that case, I think you are better off to do what he did, 585 99:59:59,999 --> 99:59:59,999 and he did so quite reluctantly. 586 99:59:59,999 --> 99:59:59,999 He's not an egoist, or a narcissist, he's actually a really shy guy 587 99:59:59,999 --> 99:59:59,999 from what I can tell. 588 99:59:59,999 --> 99:59:59,999 I don't know exactly what conversation you and your friend had, 589 99:59:59,999 --> 99:59:59,999 but I would suspect that the notion is that people are more powerful 590 99:59:59,999 --> 99:59:59,999 when anonymous. 591 99:59:59,999 --> 99:59:59,999 And that is true sometimes, but not always, 592 99:59:59,999 --> 99:59:59,999 and it's important to remember that the anonymity technology is there 593 99:59:59,999 --> 99:59:59,999 so you have a choice, not a requirement. 594 99:59:59,999 --> 99:59:59,999 And that choice is sometimes counter-intuitive, 595 99:59:59,999 --> 99:59:59,999 but I think he did the right thing in this way, and I wish that my government 596 99:59:59,999 --> 99:59:59,999 had done the right thing by him as well, but they did not.
597 99:59:59,999 --> 99:59:59,999 [question]: So there are a lot of questions, do you want to keep going on, 598 99:59:59,999 --> 99:59:59,999 shall we get in a little Mate? 599 99:59:59,999 --> 99:59:59,999 [Jacob]: I would love some of that rum. 600 99:59:59,999 --> 99:59:59,999 I think I have to GRsec, right? GRsec kernel. 601 99:59:59,999 --> 99:59:59,999 And then rum appears. Rum as a service. 602 99:59:59,999 --> 99:59:59,999 [applause] 603 99:59:59,999 --> 99:59:59,999 I'm really happy to keep taking questions, because to me, what I want is 604 99:59:59,999 --> 99:59:59,999 for every person in this room to feel a part of this, because you really are. 605 99:59:59,999 --> 99:59:59,999 A lot of the people I've met in this community really inspire me to action, 606 99:59:59,999 --> 99:59:59,999 and it's important to understand that really, it would not have been possible 607 99:59:59,999 --> 99:59:59,999 without Debian. 608 99:59:59,999 --> 99:59:59,999 For example debootstrap - really important tool, right? 609 99:59:59,999 --> 99:59:59,999 With weasel's packaging of Tor, it allowed us to have bootstraps of things, 610 99:59:59,999 --> 99:59:59,999 it allowed us to build things, 611 99:59:59,999 --> 99:59:59,999 and using Free software really was helpful, 612 99:59:59,999 --> 99:59:59,999 so if you guys have any questions at all, 613 99:59:59,999 --> 99:59:59,999 really each and every person that helps with Debian should just know 614 99:59:59,999 --> 99:59:59,999 that you are a part of that, 615 99:59:59,999 --> 99:59:59,999 and I'm just happy to talk for as long as you want, basically, 616 99:59:59,999 --> 99:59:59,999 to answer all of your questions, 617 99:59:59,999 --> 99:59:59,999 except the ones that put me in prison. Thanks. 618 99:59:59,999 --> 99:59:59,999 [laughter] 619 99:59:59,999 --> 99:59:59,999 [question]: I just wanted to make a quick note about the question 620 99:59:59,999 --> 99:59:59,999 "do they have a file on me?"
621 99:59:59,999 --> 99:59:59,999 From all I've read so far, it's just that they're doing the thing 622 99:59:59,999 --> 99:59:59,999 that is in the commercial world called "big data". 623 99:59:59,999 --> 99:59:59,999 [Jacob]: Yep. Absolutely. 624 99:59:59,999 --> 99:59:59,999 Oh boy. GRsec again? 625 99:59:59,999 --> 99:59:59,999 [orga]: it's not rum, but it's Bavarian whisky. 626 99:59:59,999 --> 99:59:59,999 [Jacob]: Oh boy. It's going to be a heavy morning tomorrow. 627 99:59:59,999 --> 99:59:59,999 I saw another couple of hands. 628 99:59:59,999 --> 99:59:59,999 [question]: I was just wondering if that you noticed throughout this 629 99:59:59,999 --> 99:59:59,999 that you think we could improve in Debian to make the next people's lives easier. 630 99:59:59,999 --> 99:59:59,999 [Jacob]: Oh my god, I'm so glad you asked that question, that's so fantastic. 631 99:59:59,999 --> 99:59:59,999 I'm going to talk about that tomorrow in my keynote, 632 99:59:59,999 --> 99:59:59,999 but let me tell you about one that I have. 633 99:59:59,999 --> 99:59:59,999 I revealed a specific document about a wifi injection attack system. 634 99:59:59,999 --> 99:59:59,999 It's a classified document, it's a top secret document, 635 99:59:59,999 --> 99:59:59,999 for a thing called nightstand, and what nightstand is, 636 99:59:59,999 --> 99:59:59,999 it's basically like car metasploit, it's a wifi injector... 637 99:59:59,999 --> 99:59:59,999 cheers! 638 99:59:59,999 --> 99:59:59,999 Danke schön. 639 99:59:59,999 --> 99:59:59,999 It's a wifi injector device... 640 99:59:59,999 --> 99:59:59,999 Whew, jesus! 641 99:59:59,999 --> 99:59:59,999 [laughter, applause] 642 99:59:59,999 --> 99:59:59,999 [orga]: Tonight's whisky sponsored by drunc-tank dot org. 643 99:59:59,999 --> 99:59:59,999 [Jacob]: So this wifi injector device, what it does is it basically is able to 644 99:59:59,999 --> 99:59:59,999 exploit the kernel of a device by sending malformed data over wifi. 
645 99:59:59,999 --> 99:59:59,999 Now I have a series of photographs, so all of us.. not all of us, but most of us 646 99:59:59,999 --> 99:59:59,999 used these specially modified X60s where we removed the microphones, soldered?? 647 99:59:59,999 --> 99:59:59,999 down things on the PCI bus, 648 99:59:59,999 --> 99:59:59,999 we removed, like, firewire, really modified it, flashed coreboot onto it, 649 99:59:59,999 --> 99:59:59,999 flipped the read pin so it was only read-only, 650 99:59:59,999 --> 99:59:59,999 so you couldn't easily make a BIOS root kit and make it persistent, 651 99:59:59,999 --> 99:59:59,999 we booted TAILS, did all this stuff, 652 99:59:59,999 --> 99:59:59,999 often we could boot to RAM so that once the machine was powered off 653 99:59:59,999 --> 99:59:59,999 basically it would be done, so if someone kicks down your door, 654 99:59:59,999 --> 99:59:59,999 you just pull the power out, 655 99:59:59,999 --> 99:59:59,999 and you don't have a battery, and when the power fails you have an 656 99:59:59,999 --> 99:59:59,999 instant kill switch. 657 99:59:59,999 --> 99:59:59,999 So things that are in TAILS that are really useful include this 658 99:59:59,999 --> 99:59:59,999 wiping the kernel memory package which I hear is being packaged for Debian 659 99:59:59,999 --> 99:59:59,999 soon, which is very exciting. 660 99:59:59,999 --> 99:59:59,999 Because everyone should have access to that so we can tie it into something 661 99:59:59,999 --> 99:59:59,999 like GNU panicd or these other things. 662 99:59:59,999 --> 99:59:59,999 But one thing I kept having problems with is this wifi injection device, 663 99:59:59,999 --> 99:59:59,999 I'm pretty sure, was very close to my house.
664 99:59:59,999 --> 99:59:59,999 There was a white van outside, it was vibrating a bit like there was a guy 665 99:59:59,999 --> 99:59:59,999 walking around in it, 666 99:59:59,999 --> 99:59:59,999 and then all of a sudden, an X60 here, an X60 here, and an X60 here, 667 99:59:59,999 --> 99:59:59,999 just booted into TAILS, not doing anything at all, but on the wifi network, 668 99:59:59,999 --> 99:59:59,999 kernel panic, kernel panic, kernel panic. 669 99:59:59,999 --> 99:59:59,999 All the same kernel panic, all the same memory offsets, 670 99:59:59,999 --> 99:59:59,999 in the Appletalk driver of the stock kernel for TAILS. 671 99:59:59,999 --> 99:59:59,999 I think I filed a bug upstream with TAILS at the time, 672 99:59:59,999 --> 99:59:59,999 but this is just incredible because it's clear that all the crap 673 99:59:59,999 --> 99:59:59,999 in the default Debian kernel that you really want for your 1992 Apple network 674 99:59:59,999 --> 99:59:59,999 makes operational security really hard, 675 99:59:59,999 --> 99:59:59,999 and one thing that would be really great would be a GRsec enabled kernel... 676 99:59:59,999 --> 99:59:59,999 [applause] 677 99:59:59,999 --> 99:59:59,999 Yes, have to drink. 678 99:59:59,999 --> 99:59:59,999 But as an example, we built different custom machines, and one of the things 679 99:59:59,999 --> 99:59:59,999 that we did for some people and in some circumstances was 680 99:59:59,999 --> 99:59:59,999 to build GRsec enabled kernels. 681 99:59:59,999 --> 99:59:59,999 And I'm not going to drink again. 682 99:59:59,999 --> 99:59:59,999 So we built those kernels 683 99:59:59,999 --> 99:59:59,999 [audience]: Which ones? 684 99:59:59,999 --> 99:59:59,999 [Jacob]: Yes, exactly, those ones. 685 99:59:59,999 --> 99:59:59,999 And that was work which creates a problem for a bunch of reasons.
686 99:59:59,999 --> 99:59:59,999 When you build custom kernels, and you only have a few people 687 99:59:59,999 --> 99:59:59,999 that can build those kernels, 688 99:59:59,999 --> 99:59:59,999 you actually build a chain of evidence of who helped who. 689 99:59:59,999 --> 99:59:59,999 And if that was a stable, normal package, 690 99:59:59,999 --> 99:59:59,999 that people could install in a Debian pure blend, 691 99:59:59,999 --> 99:59:59,999 then it would have been easier to do that. 692 99:59:59,999 --> 99:59:59,999 We built a lot more sandbox profiles for various different things, 693 99:59:59,999 --> 99:59:59,999 we built some transparent TOR-ification stuff, 694 99:59:59,999 --> 99:59:59,999 and that required a lot of bespoke knowledge, 695 99:59:59,999 --> 99:59:59,999 and it required a lot of effort that a lot of people did not have, 696 99:59:59,999 --> 99:59:59,999 because they had a different set of skills, 697 99:59:59,999 --> 99:59:59,999 and it's good to have a division of labour, 698 99:59:59,999 --> 99:59:59,999 but having that kind of stuff built into Debian by default, making a 699 99:59:59,999 --> 99:59:59,999 Debian installer that could do that, 700 99:59:59,999 --> 99:59:59,999 and also verification, would be great, right? 701 99:59:59,999 --> 99:59:59,999 So I wrote some custom scripts where I could look at a TAILS disk, 702 99:59:59,999 --> 99:59:59,999 or a Debian install, 703 99:59:59,999 --> 99:59:59,999 and know if it had been tampered with. 704 99:59:59,999 --> 99:59:59,999 And it would be nice if there was just a disk you could boot that did 705 99:59:59,999 --> 99:59:59,999 verification of an installed system 706 99:59:59,999 --> 99:59:59,999 very very easily, so easily that Glenn Greenwald could use it.
707 99:59:59,999 --> 99:59:59,999 I love Glenn, I say that very politely, 708 99:59:59,999 --> 99:59:59,999 but what I mean is it needs to be easier than that, 709 99:59:59,999 --> 99:59:59,999 because Glenn at least knows that he has a reason to need it. 710 99:59:59,999 --> 99:59:59,999 And so that was something that we really needed help with. 711 99:59:59,999 --> 99:59:59,999 And we spent a lot of time on that. 712 99:59:59,999 --> 99:59:59,999 And there are lots of other little things like that, 713 99:59:59,999 --> 99:59:59,999 and I'll talk about some of those things tomorrow, 714 99:59:59,999 --> 99:59:59,999 but one of the really big problems is hardware, 715 99:59:59,999 --> 99:59:59,999 which is that you cannot buy a modern Intel CPU which doesn't come 716 99:59:59,999 --> 99:59:59,999 with a backdoor any more. 717 99:59:59,999 --> 99:59:59,999 And that is a huge problem, and I'm not sure that the answer is to use ARM. 718 99:59:59,999 --> 99:59:59,999 It seems like the answer is to use ARM. 719 99:59:59,999 --> 99:59:59,999 But that's only if you assume that ARM didn't just add a backdoor that's obvious. 720 99:59:59,999 --> 99:59:59,999 So we really need to think about how to, in moving forward, 721 99:59:59,999 --> 99:59:59,999 how to have easy to use, easy to buy on the shelf, Debian hardware, 722 99:59:59,999 --> 99:59:59,999 available everywhere, all the time, 723 99:59:59,999 --> 99:59:59,999 so you can just go and buy this thing and verify it in some way 724 99:59:59,999 --> 99:59:59,999 with some other machine, 725 99:59:59,999 --> 99:59:59,999 to know that you would have the right thing. 726 99:59:59,999 --> 99:59:59,999 And to that extent we didn't have X-rays for a lot of the circuit boards, 727 99:59:59,999 --> 99:59:59,999 so that made it very difficult to know if when you buy something, 728 99:59:59,999 --> 99:59:59,999 it's been tampered with.
729 99:59:59,999 --> 99:59:59,999 I'll talk about some of that stuff tomorrow, 730 99:59:59,999 --> 99:59:59,999 but basically, Debian does a lot of stuff right, 731 99:59:59,999 --> 99:59:59,999 and that is also worth mentioning. 732 99:59:59,999 --> 99:59:59,999 There's so many things that just work out of the box, that just work perfectly. 733 99:59:59,999 --> 99:59:59,999 So the main thing is to keep the quality assurance at the level, 734 99:59:59,999 --> 99:59:59,999 or to exceed where it is right now. 735 99:59:59,999 --> 99:59:59,999 Because it actually works super super well. 736 99:59:59,999 --> 99:59:59,999 The exception being for very specific targeted attacks, 737 99:59:59,999 --> 99:59:59,999 the kernel attack surface is pretty big, and pretty bad, I think. 738 99:59:59,999 --> 99:59:59,999 And also, we rebuilt some binaries in order to.. 739 99:59:59,999 --> 99:59:59,999 sorry, I'll get to you in a second. 740 99:59:59,999 --> 99:59:59,999 We rebuilt some binaries to make sure that we had address space randomisation 741 99:59:59,999 --> 99:59:59,999 and linker hardening, and stack canary stuff, 742 99:59:59,999 --> 99:59:59,999 and for some stuff lately we've been using address space sanitizer, 743 99:59:59,999 --> 99:59:59,999 so it would be really great if all the hardening stuff was turned in, 744 99:59:59,999 --> 99:59:59,999 if there was PAX plus GRsec as a kernel. 745 99:59:59,999 --> 99:59:59,999 [audience]: so the specific problem with GR security is that they don't really 746 99:59:59,999 --> 99:59:59,999 want to work with distros. 747 99:59:59,999 --> 99:59:59,999 So we could have a Linux kernel package with GR security applied, 748 99:59:59,999 --> 99:59:59,999 but it wouldn't have any of the other Debian patches.
749 99:59:59,999 --> 99:59:59,999 [Jacob]: So I talked with Brad Spengler about this, 750 99:59:59,999 --> 99:59:59,999 and I'm so glad that you said that, 751 99:59:59,999 --> 99:59:59,999 because what he said was that, as far as I can tell, he's totally interested in 752 99:59:59,999 --> 99:59:59,999 helping Debian with this but thinks that Debian is not interested. 753 99:59:59,999 --> 99:59:59,999 He actually runs a kernel building service where they actually do 754 99:59:59,999 --> 99:59:59,999 individual kernel builds, and I think you'd be interested, 755 99:59:59,999 --> 99:59:59,999 and when I told him we'd love to have this in TAILS, he said 756 99:59:59,999 --> 99:59:59,999 what patches do I need to include in GRsec to make sure that it'll work? 757 99:59:59,999 --> 99:59:59,999 And he offered to do the integration into the GRsec patch if there are not 758 99:59:59,999 --> 99:59:59,999 too many things. 759 99:59:59,999 --> 99:59:59,999 So I think what we should try and do is build a line of communication, 760 99:59:59,999 --> 99:59:59,999 and if it costs money we should find a way to raise that money, 761 99:59:59,999 --> 99:59:59,999 I'll put in some of my own personal money for this, 762 99:59:59,999 --> 99:59:59,999 and I know other people would too. 763 99:59:59,999 --> 99:59:59,999 [distant audience]: I will. 764 99:59:59,999 --> 99:59:59,999 [Jacob]: Great. 765 99:59:59,999 --> 99:59:59,999 So securedrop, for example, part of what they do for their leaking platform, 766 99:59:59,999 --> 99:59:59,999 if you go to the Intercept's website, you want to leak them a document, 767 99:59:59,999 --> 99:59:59,999 they actually use free software everywhere, but there are a few things 768 99:59:59,999 --> 99:59:59,999 they build specially, and one of those things is a GRsec kernel.
769 99:59:59,999 --> 99:59:59,999 So the people at First Look, that helped make this movie, 770 99:59:59,999 --> 99:59:59,999 and that work on securedrop, 771 99:59:59,999 --> 99:59:59,999 they would probably also, 772 99:59:59,999 --> 99:59:59,999 I'm not committing them, I don't know that they would actually do this, 773 99:59:59,999 --> 99:59:59,999 but I think they would really like it if that was in there, 774 99:59:59,999 --> 99:59:59,999 and I think if we could find the community will to do that, 775 99:59:59,999 --> 99:59:59,999 I know I would volunteer and other people would, 776 99:59:59,999 --> 99:59:59,999 I know that dkg in the back would love to help with this, I would that ??? 777 99:59:59,999 --> 99:59:59,999 who is just totally behind funding this work, right? 778 99:59:59,999 --> 99:59:59,999 I thought that you were there to protect my civil liberties, buddy. 779 99:59:59,999 --> 99:59:59,999 But I really think that it's possible that we could do this, 780 99:59:59,999 --> 99:59:59,999 and I definitely think Brad, the author of GRsec, 781 99:59:59,999 --> 99:59:59,999 I think he would really love it if Debian shipped GRsec. 782 99:59:59,999 --> 99:59:59,999 And it doesn't need to come by default, 783 99:59:59,999 --> 99:59:59,999 but if it was possible to just have it all, that would be great. 784 99:59:59,999 --> 99:59:59,999 Maybe we could have an affinity group where everyone who is interested can 785 99:59:59,999 --> 99:59:59,999 meet sometime tomorrow and we could talk about doing this. 786 99:59:59,999 --> 99:59:59,999 I would love to have that conversation. 787 99:59:59,999 --> 99:59:59,999 Who are you? 788 99:59:59,999 --> 99:59:59,999 [audience]: Ben Hutchings. 789 99:59:59,999 --> 99:59:59,999 [Jacob]: Oh, nice to meet you! 790 99:59:59,999 --> 99:59:59,999 [laughter, applause] 791 99:59:59,999 --> 99:59:59,999 That's awkward.