Lofty IdealsThe Nature of Clouds and Encryption

Sean Whalen - @SeanTheGeek

DisclaimersThe views and opinions in this presentation are my own, and may not represent those of my past, current, and post-apocalyptic employers.This presentation will include details of legal theories and cases. However, I am not a lawyer.

Information ownersThe person, persons, or entity that created the information

Pre-cloud Information was stored by the people who owned and maintained it The location of data was clear If you wanted access to large amounts of data, or sensitive data, you

had to be physically on site VPNs made remote access easier, but it usually still required specific

employer-owned hardware, and a fast, stable connection

What changed? Virtualization revolutionized the scalability of data centers Mass outsourcing of architecture Ubiquity of broadband and mobile devices The expectation to be able to work or play whenever, wherever, on

whatever device we want VDI – A full virtual desktop streamed anywhere (e.g. Citrix, VMWare

Horizon) BYOD – Bring your own device Web/mobile apps and services

Cloud threats1. Misinformed cloud users/customers2. Opportunistic, financially motivated criminals3. Malicious or incompetent cloud providers4. Espionage from various competitors, governments, or government

sponsored attackers5. “Hacktivists”

Pros• Scalability• Accessibility• Reliability• Cost

Cons• Visibility• Flexibility• Trust• Privacy

What is “The Cloud”?• Office365, Google Apps,

Dropbox, ServiceNowSoftware as a Service (SaaS)

• Salesforce.com, Google App Engine, OpenShift

Platform as a Service (PaaS)

• AWS, Azure, Google ComputeInfrastructure as a Service

(IaaS)

Location, location, location! Clouds can and do span around the globe, crossing many

jurisdictions When you upload data to a cloud service, where does that data go? If a company in owned in one country, hosts servers in another, and

has customers from many other countries, whose laws apply? Under what circumstances?

EU Safe Harbor Allowed many US companies to store EU citizen data on US servers,

as long as they self-certified adherence to seven privacy principles aligned with EU privacy and data protection laws

Implemented in 2000 Invalidated on October 6th 2015 by the European Court of Justice,

which concluded that the self-certification scheme was not in keeping US companies honest

Replaced by the EU-US Privacy Shield agreement on February 2nd, 2016, which has already started to face new legal challenges

In response, Microsoft has made arrangements to have EU data hosted by Douche Telekom, which will likely start a new industry trend

The Third Party DoctrineA United States legal theory that holds that people who voluntarily give information to third parties—such as banks, phone companies, internet service providers (ISPs), and e-mail servers—have “no reasonable expectation of privacy.” – Wikipedia

It allows government agencies and law enforcement to request and use data from any of these third parties without a warrant. In response to public concern, many third parties have created their own policies that require a warrant for detailed sharing of customer data, based on the Fourth Amendment to the U.S. Constitution.

Encryption Makes the internet and cloud services viable

iPhone encryption – DoJ v. Apple A federal judge issued an order under the All Writs Act

at the request of the DoJ, compelling Apple to write and digitally sign custom software for the suspect iPhone that would: Disable the automatic wiping that might occur after a number of bad

passcode attempts Disable any delays between attempts Create a method of attempting passcodes in a rapid, automated way,

providing access in minutes Apple appealed by stating that the order:

Would violate its First and Fith Amendment rights by compelling speech Would cause an unreasonable burden Would set a dangerous precedent

Apple’s appeal Judge Orenstein granted the appeal on the grounds that:

The government’s request fails to satisfy the requirements of the All Writs Act

The government's request fails to satisfy the needs of judicial discretion Congress has already clearly defined what can be required of

telecommunications companies Congress considered legislation that would have authorized such a

request, but did not pass it, thus neither explicitly allowing or prohibiting such a request

Accepting the government's interpretation of the All Writs Act would likely render it unconstitutional, based on the separation of powers in the branches of government

Politicians and encryption“I would hope that, given the extraordinary capacities that the tech community has and the legitimate needs and questions from law enforcement, that there could be a Manhattan-like project, something that would bring the government and the tech communities together…” – Hillary Clinton“In extremis, it has been possible to read someone’s letter, to listen to someone’s call, to mobile communications. The question remains: are we going to allow a means of communications where it simply is not possible to do that? My answer to that question is: no, we must not.” – David Cameron“[Apple CEO] Tim Cook is living in a world of the make believe. I would come down so hard on him—you have no idea—his head would be spinning all of the way back to Silicon Valley.” – Donald Trump

There is no magic solution“I suspect the answer is going to come down to how do we create a system where the encryption is as strong as possible, the key is as secure as possible, it is accessible by the smallest number of people possible for a subset of issues that we agree are important.”– President Obama at SXSW 2016That’s not going to work. Why? How valuable would such a key be? Priceless Who would want to steal such a key? Every hacker ever. Especially the same

kinds of people who stole the HR and security records of every federal employee and job applicant, a breach that many consider to be more damaging than the Snoden leaks, especially when combined with other stolen data.

Would there be temptation for abuse? Defiantly

Encryption is global, and here to stayCountry Open Source Proprietary Unknown Grand TotalUnited States 101 202 1 304Germany 46 66 112United Kingdom 18 36 54Canada 15 32 47France 25 16 41Sweden 10 23 33Switzerland 6 19 25Australia 5 16 21Netherlands 9 10 19Italy 7 11 1 19Russia 8 9 17Unknown 8 7 15Finland 4 5 9Israel 1 8 9India 1 8 9Japan 3 5 1 9Czech Republic 2 6 8Austria 1 7 8Seychelles 0 7 7Spain 0 7 7Grand Total 270 500 3 773

A Worldwide Survey of Encryption Products, Feb 2016, v 1.0Schneider et al.

Outlawing strong encryption only hurts the good guys It’s true that recent advancements in consumer technology have made

it easy for anyone, including criminals, to use unbreakable encryption. However, the underlying technology has been around the world for

decades. Trying to force everyone to use weak encryption will make everyone

who uses it extremely vulnerable, disrupting trust in the internet and global commerce. It will criminalize anyone who values their privacy and security, and make little difference in the ability to read the communications of real criminals.

If a criminal knows (like everyone would, given the press) that the lawful encryption is weak, but that unbreakable encryption can be had with a bit more effort and knowledge, the choice is obvious.

Revisiting the Third-party Doctrine“More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”

Associate Justice Sonia SotomayorConcurring Opinion, United States v. Jones

Supreme Court of the United States January 2012

Google knows where you were last year…and then some

Operation Arora A series of advanced attacks on Google by actors in China that took place throughout the second half of 2009.

It resulted in the theft of some Google source code, and limited access to metadata of two Gmail accounts belonging to Chinese human rights activists.

Subsequent investigations found dozens of activist accounts with suspicious activity, not from this attack, but likely from malware and/or phishing campaigns against the activists themselves.

Responsibility for the security of information ultimately rests with information owners Know what data is being sent to cloud services, how much, and how often Know the practices, policies and, procedures of your service provider Research the security of a service before using it

Telegram, WhatsApp, and Snapchat are not secure Leverage your own security controls, in addition to those of your providers

Use your own encryption methods to secure data before it reaches the cloud Use open source. end-to-end encryption whenever possible (e.g. Signal for mobile,

GnuPG for email and data at rest, and OTR and ZRTP on Jitsi for secure IM, voice, and video for desktops and laptops)

Use multi-factor authentication where available (Pretty much every major cloud service now)

Multi-Factor Authentication• Passphrase• PIN

Something you know

• Card• Token, Phone

Something you have

• Fingerprint, iris, voiceprintSomething you are

Cloud services are only as secure as the devices that are used to access them Always install up-to-date patches for your OS, browsers, browser plugins, and office suites If you use Windows

Upgrade to Windows 10 (its free), and be sure to configure the privacy settings to your liking You should turn off Wi-Fi Sense

Install Microsoft EMET Avoid free third party AV like Avast and AVG. Windows 10 comes with free AV that is quite good,

assuming you follow safe computing habits like these Remember: Malware is increasing for Mac, Linux, and, mobile devices too Don’t download or install freeware, shareware, pirated software, cracks, keygens, or warez Use separate passwords for key accounts (e.g. OS, Wi-Fi. Email, banking, social media) Limit third party app access to your accounts Never loan or borrow devices, storage media, or credentials

Interested in technology, the law, and your rights?Check out https://eff.org/

Questions?@SeanTheGeekSean@SeanPWhalen.com PGP Key ID: 2DD0EA48