Hello. Great that you're all here. It is very crowded in this room. I didn't expect that. I think that is a big hooray for how politics and technology are more and more things you can say together in one sentence without getting weird looks. So my name is Sasha. As some of you know, I do stuff on the internet. And in the next 25 minutes, I hope to give you a bit of an overview, actually, of the things that have happened since the summer of 2013, what has not happened since then, and what I think should happen. As it's only 20 minutes, I will probably, ha ha. This is where technology fails. I will probably miss some things or under or over represent some things, but never mind. We will have big five minutes of discussions afterwards where you can get back on me for that. So let me start with a short introduction of myself. I'm one of the co-founders of Greenhost, that is a Dutch internet hosting provider based in Amsterdam. We work a lot, and I work a lot with civil society groups and NGOs. And as such, I have some close experience on how people deal with surveillance, both on and offline. Not only technically, but also socially and more important, so also psychologically. In a way, I feel that most of my work is actually trying to translate between the tech and other fields. The idea for this talk has been running through my mind for a long time. And I hope and think that this might be the right time. The title of this talk, Long War Tactics, is actually a reference to the closing keynote that was given by Dymaxion at the first Noisy Square at OHM in 2013, just after the first Snowden revelations came in. And of course, just after or at the end of OHM, which had, as some of you might know, some controversy of its own.
To lightly touch upon that, for those who do not know it, the concept of the Noisy Square village was first conceived after some disagreement around OHM and sponsorship, to a point that, for instance, CCC decided officially not to be present at OHM, at which moment a group of people, including myself and organizations, decided that it would be great to have a bit more of a political voice and accommodate for some more focus on that by trying to house a specific space for that. It must, of course, be said that this, of course, only worked through the support of the main OHM organization, be it sometimes reluctant, but most of the time actually enthusiastic. So looking back, I see that since then more self-organized stuff is happening. Stuff is organized like Camp Zero, Backbone 409, Interference, and even Noisy Square returned at some other places, be it not as oppositional as it has been before, but more as a safe place within a safe space for like-minded tech activists. So to get back to Dymaxion's talk, that addressed some of the most pressing issues around the surveillance state, the surveillance state, and people, agriculture, and technology. Most incomplete, not in order and out of context. I think the main things are you cannot be apolitical because then you are aiding just the status quo. Put the user and their environment in the middle. The tool is part of the systems, and tactics are needed. Be nice and do not fight each other. There is a thing called institutional logic, and you should know about it. Surveillance is not a zero sum game, but it is more economic in nature. Well, just by pointing out these five things, I think you can already see that in the past two years, we didn't succeed in taking all those things really to heart. And so I'm wondering, did we get any further in these fields? Did our tactics actually work?
So as for being political, I think that we've not only seen a rising number of hacking events that were addressing the political stronger than ever before. We can also see, for instance, that the political track, at least in my perception, at Congress has been bigger every year since the past three years. On the other hand, we must be careful. The fact that it is the case does not say that things are completely well. Congress might be bigger every year as well. That might feel good. But not so many of us, as a reference, the yearly Dutch household fair gets about 200,000 visitors a year. So another thing is, I think it is important to note that we should, as tech activists, be very aware that we do not separate ourselves from that larger hacker community that is already not so very large, as I just pointed out. So I think it's great that there are initiatives, like Noisy Square, as long as the point is to have interaction with the whole community at large. But we should be very fearful to go beyond the point in which you have a conference within a conference or people not talking to each other. OK. So a last point on this that I want to make is that I think if we speak of a war, a war should be fought on many levels. So it shouldn't only be the tech. It shouldn't only be the political. It shouldn't only be the legal. It should actually be on all those points. And all those points are actually maybe not equally, but they're all needed to actually get us a step further in getting away from this, this surveillance state. So looking at the bigger picture of the internet, I think it would be good to also dive a bit into tech. There has been happening a lot in the field of technology that is related to what we're here for. So I don't think we're here yet to live the cypherpunk dream. We don't have accessible crypto for everyone. Actually, we're more at a point, still more at a point where we're living the cypherpunk's nightmare and are only trying to mitigate that a bit.
On the other hand, the last year has been very interesting. We saw some bugs with OpenSSL, then some bugs with OpenSSL. And there might also have been some bugs with OpenSSL. Well, but after being Heartbled and Shellshocked, there were, of course, some other security issues like with web applications like the rootkit with CMS functionality that at our office is known as Drupal. And with the Xen hypervisor. The most interesting, however, I found about this year was that we saw the emergence of the pop star bug, the bug with the sexy name, which I think helped a lot with the widespread pickup in the media because CVE something dash something dash something is apparently only sexy in very, very, very small circles. Some other things happened. I am not an actual user, nor am I actually very fond of WhatsApp. But their cooperation with Whisper Systems to include better end-to-end encryption I think is an important step. We need mainstream apps that are used by large groups of people for other reasons than having military-grade security. Because that is the way to make stuff safer for everyone because then that traffic also doesn't stand out or even installing a certain app on your phone doesn't stand out in the crowd or at the border crossing. On the usability front, oh, by the way, this is not a WhatsApp endorsement. Use TextSecure. On the usability front, mostly we're still at the point where the inmates are running the asylum, although they're not programming Visual Basic anymore. But there are changes coming. I see a movement in the direction of having more research towards users, actually co-developing with users or for some developers, like just sitting in the room with the user. And those are great things that really help. On the other hand, we should also not overdo it.
I think some applications at this point are at this point so much broken that it doesn't really help to try to do ethnographic research in how users perceive that interface different in the Middle East. We should probably first try to fix the interface in the first place. As for instance, with Skype, nobody usually asks that question. And I can assure you that that is used a lot over here. Still, in our discussions, I think we are far away from looking at security in a more holistic way, as the user interacting with its environment doing a task, which it wants to finish. We also forget that mass surveillance and the NSA and the CIA and other agencies, like GCHQ, and some would say Tor, but I think that's another discussion. That's a joke, by the way, are not usually the main perceived threats to people. And probably in a lot of situations, not directly into their threat profiles. So I think we should watch out to say, well, you're fucked anyway. We can't really fix this because now we have a secure operating system, but we actually still own your hardware. And oh, now we have open hardware. But who is running that plant and is the stuff on the silicon? Well, actually the thing that I send out as the chip design. So I mean, and we can even go deeper because then we have the machines that make the chips and the machines that make the machines that make the chips. So as another person once said, it is basically turtles upon turtles all the way down. So for instance, let's look at, let's say, a Syrian media activist. A Syrian media activist, for instance, in Aleppo, is in a situation where a computer is a tool to get a message out. And not necessarily an easy tool to get a message out, but because you need all these kind of things. You need the internet, which means that you need electricity, which means that it also helps if you're not shelled at the same time, et cetera.
So that is a very complex situation in which, oh, use this much slower, hard to use app, and you will be more secure, a thing that anyone will buy in at such a point. So we really should look at the whole picture and how we can fix it. So a digital security tool that is not the tool to always do the job, and is not part or integrated with the tactics to do the job or with the workflow of a person doing the job, will not be used or it will be used in the wrong way and be unsafe in that sense. So there are other bad things. Endpoint security is actually worse than ever. Not only activists, but also intermediaries and NGOs have been targeted, for instance, by the Assad regime, using spear phishing and as such, getting rootkits on their computers and listening to their Skype logs and other things. And Skype logs also means history for months or years. So even the first ISIS-attributed malware has been reported on. So this is for a lot of people a more serious problem than those more abstract, but still for other people, very real threats of surveillance by the NSA. So endpoint security is still a big problem. But on the other hand, numerous efforts are building more capacity towards better usable products. A lot of times there might be an overemphasis on general purpose computing, I think. There's a lot on let everything work on everything. A mentality still that I think is really nice with general purpose computing. But on the other hand, it is great if we have tools that can actually do a very small task and don't have the attack surface of a CPU. And don't get me wrong. You don't have one CPU in your laptop. You have a CPU. You have a chip that does your network. You have a chip that does yours, your keyboard. You have all kinds of chips that are random purpose computing chips that you can write nice firmware for. So sometimes less is more. And I think sometimes we should more live up to that and see if we can separate things more.
Talking about separation, we also saw a movement to more two-factor. Two-factor all the things, right? It's very important. Google has started with popularizing two-factor authentication and also opened up some middleware to make sure that other people or to make sure that there becomes a new standard for two-factor authentication that is actually usable outside of the enterprise but also for normal people. And I think this is really important. It is also important, like it or not, that Google did it. Because Google did it, it is a broad solution used by a lot of people that give some traction and that actually can change something. So what you should do is implement that in all your server apps anyway. So two-factor all the things on the other end. So enormous amount of key material is actually not on the user's computer but is actually on websites, are private keys for SSL certificates, or keys for DNSSEC or other stuff. And those keys should actually also all be stored on two-factor devices. At the same time, we don't have a two-factor device yet that we can actually open up. We need that black box of which we know the content. We need that two-factor device for operators that actually does what it does and not the stuff that is created by government contractors at the two-factor devices that are put into providers and other spaces. There are luckily some projects on the way. Most notably, people are working on using the Novena board for that. That's Randy Bush and others. And they're currently housed at cryptech.is. So if you want to fund something before the end of the year, go to their website. It's cool stuff. So we talked about turtles, turtles, turtles, which brings me to the next point. And that is we can't fix it because security is not and has never been in any way a zero-sum game. I, of course, do not have to tell you that absolute security does not exist.
What exists is an economy of security where costs play a significant role on all sides of the equation. So let's shortly revisit economics and politics. So there is this thing called institutional logic. That means as soon as you start an institution, it will, at some point, start to fight for itself separately of the reason for which it first came into place. It would change their mission. It would change their structure. It would do everything to not get less power, but get more power. Sometimes that works into our advantage. For instance, the European Court of Human Rights is a very good example where this kind of institutionalization actually led to a lot of good changes in European law. Sometimes and a lot of times it is not to our advantage because it means that institutions that were a long time ago actually started with a totally different idea or very much smaller and with a very specific task now become bigger and bigger and bigger and bigger and at some point become more and more and more self conserving. So and that is also the case with some parts and that's also the case with some parts of government, of course, and especially with things like security agencies who will always want to have more budget and more power and more control. So what we should do is make sure that we support the right institutions because sometimes we're just not big enough to win the fight on our own. Sometimes we have to find the enemy of our enemy and befriend them for a while, of course, because it's always important to know when to backstab them. So we should bend the rules or if we can actually rewrite them. We should also do the following. We should change the narrative because the narrative is now like cyber security is all about like nation states and warfare and cyber war and I don't know what kind of crap, which is real.
But in a way, it's not so real as in that it is cyber real because usually people, if people talk about cyber, they mean I don't know what I'm talking about. But so we should change this narrative because there's a lot of money that is lost at this point and that money is lost with companies and other institutions. But there's a lot of money lost by companies who get hacked, cannot release films. I don't know if stuff happens apparently. But which I think could only be an economic game for some movies. But in the end, it means that what we should do is try to emphasize that narrative, the narrative that we need to secure people. We need to secure the endpoint. We need to secure the endpoint because that is where we actually lose the most. This is where people, their identity gets stolen. This is where trade secrets are stolen. This is where people own banks and other stuff that is actually the core of the current infrastructure. And I'm not necessarily, I mean, you can think about society as we are, as it is, as you want. But in any way, I think it would be good to look at where we can look at where we can actually change this economic narrative in a way. Or this narrative about surveillance and security in that security equals freedom. And security equals this kind of like my ability to have privacy on my equipment and my ability to not get hacked as a business. And also the ability for people to communicate in a secure manner. So I think that is a very important narrative. And it's also a narrative that already has friends. Because security firms and antivirus software companies are already making a lot of money. So it is easy for people to see that this narrative actually works. So go to your local politician and tell them that this is the way in which they should end. Or in which they should add to the cyber debate. Another thing is why not engage with venture capitalists? 
Those are the people that make that finance that crappy applications that are insecure and hit us all the time and make us think like, oh, shit. Why are you using that? Why are my friends, my non-tech friends using this? Why? Why? Please, kill me. But so maybe we should engage with those people because that's a small group to look at. And they might see that if they change a bit of their strategies that we might have better effects on this. OK, so another thing is adopt a journalist. Or a parliamentarian, or a judge, or a technologist if you're any of the other categories. Let's not say that we're here with all techies in the room. I think we're a mixed audience. So but do it because that really, really, really helps in letting people understand and also helps in getting people safer, especially with journalists. The internal debate, I apparently only have five minutes left, which was your question time. But I have a few things that I want to say to wrap stuff up. I will be available afterwards for questions at the Noisy Square upstairs and debate as well. So internally, unite, be open, listen. Also, don't think that white hats exist. They don't. Not such a thing as a white hat. Because a white hat is, I mean, should someone be a self-proclaimed white hat? Then there are enough people who can say that a person is not a white hat because I think there are a lot of people that think they are a white hat that are hacking people's computers for governments. They're working for the government, right? So they're white. So everybody is shades of gray. There might be black hat hackers, but that's another discussion, I think. And so in the end, I think we should also know that freedom of expression is not a free card to be an asshole just because you can. So please don't. Do not save others. Help others to save themselves as much as they can, because otherwise you will never build societies where people have agency, and you will be needed more and more.
And you're not scalable. You're only with a few of you, and so am I. So another thing is, and the last thing I think is, you can't save others or try to help save others. If you don't save yourself first, so please have a cup of tea at the quarter to a tea place at the top floor any time you need a bit of self-care. And also take care of each other because this, especially if you're a tech activist, it can be quite a hard time every now and then because you're at the point where you realize that this is a very long, long, long, long war, and we can only win battles every now and then. So then the how you can help. Co-design with users. They're here. They're everywhere. They're users. They're friendly most of the time. They want to use your stuff. So educate users. If you're talking to them anyway, team up with that journalist, I think I made that point. Let's all help to improve laws. Push for more secure standards. I don't have to tell you which the standards are. I don't have to tell them why they're all problematic, but still we have to push for them. So challenge your management. I know that not all of you are working on their own projects. Some people have a day-to-day job. You are important for your organization. So if you can do something within your organization to actually help push for any of the other things or just make the world a slightly better place, maybe just host a Tor exit node or something else, that is a great step. And you can do it. Also, don't trust me for having good ideas. I don't have any. These ideas are all copied from others. So please have your own great ideas and share them with everyone, including me, please. So that was actually it. The last slide I wanted to show you was Tahrir Square. I can only show it shortly, I think, because it's sad. I didn't see it, but it's at Getty on the bottom, so I will remove it from the slides I upload. But it was Tahrir Square.
And that was just to remind you that revolutions, in the end, do not take place in silent circles. They take place on noisy squares. Thank you. Thank you very much.