SHMOOCON 2013 ROUNDUP
Well another Shmoocon has come and gone. While much fun was to be had I could not help but notice that there was a definite theme going on in talks this year both on and off the stages. That theme was just how much we are all being screwed by the legal system today as well as how much damage could be done to anyone at any time because the laws are either being abused or are ill suited to apply to the crimes that people are being charged with. In many cases the talk this year centered around fundamental rights granted by the Constitution that are steadily being eroded or tossed out the window because the word cyber has been placed in front of the charges.
With stories like the DHS’ right to search any of your hardware within 100 miles of the border to seizures of domains without having to produce a reason why we should be talking about it. Frankly we should be doing more than just talking about it we should be assailing the government with questions and attempting to protect our rights. Unfortunately what we have seen is that even trying to protect our rights cannot be done easily without a great amount of money and time while lawyers bill you many hundreds of dollars an hour. Without money we have pretty much no hope of changing the laws even with the likes of EFF trying to do so.
This conference just seemed to show that we are realizing these things more overtly because of late the law has been making some rather harsh decisions against the innocent as well as the guilty. For me though, when I see misdemeanors turn into felonies because they are compounded together in order to have a bigger win in the press and to further a career I see the scales of justice as being broken. The realization, which we all have but we put away to lead our daily lives and keep our heads down is that the law only really serves those who have money. The more money you have, the more malleable you can force the law to be.
The Law Won’t Protect You:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
It seems that since 9/11 the 1st and 4rth Amendment have become trite in some ways to the government. From the moment that GW Bush said you better watch what you say to today’s full blown surveillance state we have seen these fundamental rules be put aside by the government. Sometimes this is overtly but mostly it is done in muted ways that people are not paying attention to. The instance of the DHS’ right to search any hardware you have within a 100 mile radius of the border is part and parcel to this idea that they can do whatever they wish in the name of anti terrorism. A review of the privacy record for DHS generated a report that once really read shows they had no issue with this and thought that it was not a privacy issue whatsoever.
Evidently, the 4rth Amendments statement on reasonable search and seizure is moot if some $10.00 an hour security guard feels that I am an imminent threat with that laptop. I guess though that’s just par for the course in a world where warrant-less wiretapping is the vogue and approved by the government even though they were mandated by law to get things like FISA warrants to do so. It’s interesting to note just how quickly the government was able to re-jigger the laws around that in their benefit to allow for this as well as say rationalizing torture too. It’s all a matter of who’s got the juice and the legal teams to wordsmith language to allow what they desire to become the rule of law. It seems today that the laws to protect you are just platitudes and if you believe in them you are deluding yourself to some extent.
The Law’s Allow Over-Reach and Companies Like Microsoft Are Abusing That:
Another talk by @theprez98 was about how Microsoft in particular but also the government were seizing domains inside as well as trying to outside the country. The cases where Microsoft has been taking liberty with the law surrounds the C&C’s for malware like Zeus. These takedowns make the news and Microsoft get’s a boost for being the whitehat here but in fact they are using their great wealth to manipulate the law in their favor to carry out these extra jurisdictional actions. What it amounts to is a private company seeking approval from a judge to carry out actions that the police really should be but are not.
In the case of the Zeus takedown they seized assets and domains of not only the botmasters but also innocent victims in the process. The same has happened with the government taking down domains under seal. This means that the collateral damage (aka other peoples sites that had nothing to do with this to start) end up losing their data, have no real means of seeking redress (sealed means secret) and in the end lose money and time because they happened to just be in the way. Of course lest we also forget that if their site happened to have some content that may be considered illegal in some way, then they too could be charged in another case because suddenly their data is considered “plain view” This means that since the government could see it even without a specified warrant they could then act upon it.
Microsoft has been prosecuting these cases with more frequency as they keep citing earlier cases that they won approval from the judge to prosecute and thus case law is made. This precedent makes it all the more possible for any other company to make the same case and as such more searches and seizures could happen by companies and not the law enforcement community. I guess my question then becomes how long until the government privatizes the “net police” ideal and places it in the hands of the likes of a Xe? Will we have letter of digital marque as well one wonders as it becomes more expedient for private companies to police things on the internet.
The Government Is Ill Equipped To Handle Technology and Create Law:
A second talk that focused on the law and how poorly it is equipped to deal with modern technological issues was presented by the EFF at Shmoocon. This talk focused on two cases, the first being the case of Aaron Swartz. Aaron took his own life recently and many believe that it was prompted by the judicial over-reach against him in the JSTOR case. While Aaron did a couple things that could warrant misdemeanors the prosecutors in the case concatenated them change these into felonies. In the end the releases by the prosecutors were claiming that Aaron could go to prison for 35 years after downloading too many documents from JSTOR.
In Aaron’s case as in Weeve’s the interpretation of the 1984 CFAA (Computer Fraud and Abuse Act) allows for quite a bit of abuse and no substantive changes have been made to that law since it’s inception. As such the law is out of date and ill equipped to apply to much of anything that can happen today. Of course in the case with Weeve this is plainly shown because the data was publicly available and no escalation of privilege was carried out to get it. The access of the ATT data was as easy as tying in a URL yet ATT has made this a federal case and Weeve the target of some pretty hefty jail time as well as fines.
It was plainly seen in the presentation by EFF that the current laws are outdated and that the law makers are not very clueful on how things work today in a digital world. In a way one can infer that they like it this way because it leaves much more for interpretation and misuse but I don’t want to be too dark here. I guess I will just stick to the theory that they are all old and really do consider the internet to be a series of tubes. Either way unless we force change on this and get them to change the laws to reflect reality we all are subject to wrongful if not over prosecution because the current ones are too open to abuse by prosecutors seeking to make a name for themselves.
We Need To Know Who You Are So No Pseudonyms Allowed:
Evidently it’s also too hard for the government to know who’s who so there are pushes on to have a “Real ID” on the internet as well as AFK. Another talk at Shmoocon was about the idea of identity and how companies like Facebook as well as the government are seeking to apply rules on “Persistent ID” Since the lawmakers find technology so hard to understand and privacy is an antiquated idea they just seem to think that foisting a persistent ID on us will make it all better. Since you have persistence, you won’t do anything like troll anyone online will you? Sure, that’s going to work swimmingly don’t you think?
I am constantly surprised by these people and entities that seem to think that privacy is dead or that it is not needed. The reason people take up pseudonyms is because they wish to speak their mind not only to commit crime. In fact they are likely to really be afraid that the act of speaking their mind may in fact be a crime. You can see this going on in various countries today with authoritarian or theocratic governments. I myself have been taken to court over things I have said as well as have been warned not to rock the boat for fear of more litigation or other negative repercussions. I guess then that the 1st Amendment is just a piffle right?
Out of all of the talks this one scared me the most. This movement to mandate identity online is more venal than any talk of the government trying to erode the 2nd Amendment to me. Why you ask? Because this is something that the governments as well as corporations can get past people’s cognitive dissonance as opposed to taking their guns away. Just how much privacy have we already lost today with the likes of Facebook and others online? How much of your PII data circles the globe in databases showing connections to who you are, where you are, and what you buy? Think about it in the context of linked databases and you can start to see where I’m going here. We have already given up a lot so what’s the big deal in getting a drivers license on the net huh?
I guess the most astounding thing though to me is that the government as well as Facebook think that this will in fact end pseudonym use. If they try then those really seeking to be anonymous will just use someone else’s ID right? The person intent on doing so will just fabricate or steal another ID and thus the waters will be muddied once more. It is galling though that in today’s world we have entities like Instagram that want you to take a photo of your government issued ID to verify who you are and send it to them online.
The Military Leaders Are Old and Do Not Understand The Technology:
Finally, I learned that the leaders of our government and the military on average tend to not understand “internet” I know shocking huh? A talk given at Shmoocon on cyberwar “Hacking As An Act of War” was enlightening to some in the room but for me it was status quo. The fact of the matter is that the people running the wars are old. Those actually prosecuting it are young though. As Mark Hardy said in his presentation “Once the older generation is out of control, the younger generation will be better able to make the changes needed to fight the next war online” and I’m paraphrasing there but the sentiment is true.
The same goes for the policy makers where this is concerned as well. The paradigms have changed but those in charge have not nor have they tried to keep up with what’s going on. How many times have we all seen pieces in the news where some senator somewhere says something that clearly shows they have no clue what they are talking about? Now imagine that you are someone who’s an expert on that subject. All you can do is hang your head and walk away. I personally have tried with Senator Droopy Dawg to no avail to get across to him that his arguments are only crying wolf instead of being substantive and clued in. Of course nothing came of my trying, not even a response. …Even when I was nice about it.
Now consider the prosecution of war with a digital aspect. Mr. Hardy gave us some great information on the Tallinn manual as well as insight into NATO’s ideas on how to classify and prosecute the laws around digital or 5th domain warfare. At times they seemed to just be out of touch with reality but at least they are trying. The issue though is that this is all Terra Nova and the people trying to assess it are still locked into ideas that pre-date the internet. It’s akin to taking George Washington and placing him in the middle of a firefight in Viet Nam. I should think that George is not going to last long as a warfighter in such a scenario because he lacks the comprehension of the weapons of war for that era.
In other words we are screwed.
Overall Shmoocon was a good time. Much more for the LobbyCon that was constantly going on than most of the presentations though. It was enlightening in many ways to talk to others about what was going on not only technically but moreover their concerns about the same issues as I have laid out here. We live in perilous times where the law and internet are concerned. Our ideals of privacy are at risk as well as our rights according to the Constitution. We are increasingly living our lives within the medium of the digital and yet we fail to see the machinations going on to spy on us with more regularity and impunity.
We are abdicating our privacy as well by allowing companies to keep have our data because we don’t read a EULA and encrypt our transmissions. In so many ways we will be the ones to blame when our data us used against us because we did not carry out the due diligence to protect it. We should not trust in Twitter to protect those conversations we have in DM because their EULA says that nothing you do there is private. … Even a direct message outside the Tweet stream. We need to either say no to these services or force them to change their EULAs to allow for some privacy. Failing that we need to protect ourselves with crypto. The question then becomes, as was intimated to me on a couple occasions this weekend, “Just how long until crypto becomes regulated as a munition again altogether?”
It’s a brave new world kids, best start paying attention.