So I wanted to start with... I'm gonna go kind of fast, because it's only a 20-minute talk and it's action-packed. I wanted to start with a sort of general presumption, which is that it's frustrating when technology is used but there's no transparency, it's not made public. And I'll start with the example of breath analyzers back in the mid-2000s, when cops would be pulling people over, making them blow in a tube, and using that to make a decision as to whether or not to make an arrest. And people thought, well, what if there are problems with the breath analyzer? Why should we trust it? Was there really probable cause for an arrest here? And indeed, eventually some enterprising people got their hands on the source code for the Intoxilyzer and found out that it did have some real problems, and might yield some false positive results. And anyone who remembers the '80s will remember the Clipper chip endeavor, when the government just said, hey, I know what we'll do: we'll hold onto the one true key for all encryption, and you guys can have your own keys, but we'll be able to just kind of back door that. And this is an idea with a built-in fundamental flaw, which should be pretty obvious to everyone here. But any time you hear just "kind of trust us, we know what we're doing," that's what gets me riled up. And so what I'm gonna talk about is a series of tools that were developed for surveilling peer-to-peer networks, and they are not made public, and the government just says, just trust us, we know what we're doing. And because they're not public, I haven't seen them. I don't know anyone who has seen them unless they are a sworn agent, and they won't talk to me about it. And so the inferences that I'm gonna show you here are made from just reading dozens and dozens of search warrant affidavits, where they describe how the thing works and what it does. And so we can make some deductions about what it actually does.
And that's where we're headed. So surveillance is fairly pervasive these days. There's a law that says you probably shouldn't install an untappable phone system. We've got the NSA call metadata collection stuff, where they realized that content analysis is fun, but traffic analysis can be just as fun. And surveillance is also pretty secret; we usually don't find out about it until there's a leak, and everyone gets in the press, and heads roll. And there's more than just surveillance going on. By surveillance I mean just passive collection of information. But we see now some more invasive efforts as well. And there's a series of cases right now, the Playpen series of cases, which some people in the room I'm sure are familiar with, where the government embedded some malware that opened a side channel. People would browse to a website using Tor. The government operated that website for a while and implanted some malware that opened a side channel and would leak the user's public IP address back to the government. So that's not just surveillance, that's actually changing things, and you might need a warrant for that. And some cases are getting tossed for that reason, but by far not all. And we know that the government is collecting exploits; that's not been a secret at all. So one of the questions that we have to ask ourselves is, where is the boundary between just good old-fashioned aggressive investigation of crime and violating people's rights and, you know, sort of taking things one step too far? So that's the prologue; let's get down to it. When I talk about peer-to-peer networks I mean things like BitTorrent, Gnutella, Ares, or eDonkey, or whatever they call it. These have been around for a long time. The Gnutella variant of the tool that I'm talking about was in use at least as early as 2009.
I don't know if anyone really uses Gnutella anymore, but I'm sure the tool still exists. And the tools that I'm talking about are generally forks of open source software. So there's been a tool developed, you know, like µTorrent or whatever, or Phex, that's one of the ones. And some enterprising software developer says, I'm gonna make my own version of this that does some extra stuff. So they make use of aspects of the peer-to-peer protocol that are normally obscured from the user. They're below what the user sees, and they add in some features that would not really be of interest to ordinary users, and we'll talk about what those are. So who develops these? Well, one guy: the tool for the Ares network was developed by this one person, Joseph Versace. He's a Canadian law enforcement programmer and analyst. There was a collaboration between the CS departments at a couple of universities and some police departments that produced RoundUp, which is kind of the best known of these tools. And it's based on the Phex Gnutella client, and there's a version of it for BitTorrent as well. So they're developed by, you know, normal folks, academics and so forth. And they make new uses of some existing features. So for Gnutella, when you do a search and you get a query hit, it comes back and it includes the SHA-1 hash value of the files that the search hits are. So this is a nice, quick, easy way to identify: if you happen to have a database of files that you knew nobody should possess, you could just quickly see, do these hash values match, and then you'd instantly have good targets for investigation. And Gnutella also has a feature called swarming, where if I admit that I'm sharing a file, I will also try to tell you about all the other people I know about who are sharing that file, so that you can grab it from multiple peers and it doesn't all have to come from me.
And then you can directly browse peers as well, not just do searches, but once you've found someone who is a Gnutella client, you can just go and query them and get a list of what files they have, regardless of whether your search turned up those files or not. So those are, you know, kind of interesting features; if you were an investigator, that's kind of fun. On BitTorrent we have a couple other things. There are what are called tracker messages, and this tells which peers are interested in which torrents. So if somebody is looking for something, you might be able to detect them on that basis. And when they connect for downloads, or when they acquire new segments, clients will send out some announcements of what segments they've got, so they can immediately begin participating in the sharing. Remember, the whole idea of BitTorrent was that bandwidth is asymmetrical: we can download things way faster than we can upload them, generally speaking, and so when we want to share large files, what we'll do is everybody shares segments of the files. Or, you know, you share the whole file, but we'll grab a segment from here and a segment from there and a segment from here, and that means we can download multiple things while we're only uploading, you know, whatever our upstream bandwidth is. And then there's something called peer exchange, which is kind of like the swarming feature for Gnutella. So these are the features that it exploits on BitTorrent, and then we add in some features as well: known file lists, so a database of known files of interest, so that we can quickly determine when we see search query results whether they are things that we want to be investigating. IP geolocation: are these doofuses in our jurisdiction? So before we spend a whole lot of time investigating something, can we at least tell if we would have the power of arrest over these people.
Single-source downloading: we don't want to swear out a warrant and go and rouse someone out of bed and seize their computer only to find out that they only had the first three segments of an 80-segment torrent. We want to know that they have the whole thing, and so that means we have to download the whole file from them. So this is completely antithetical to what BitTorrent is designed to do. Instead of grabbing things from all over the place, we're gonna grab them from just one thing. So it's not really a subversion of the protocol, but it's a use other than what it was designed for. And then fake file sharing also: we'll get throttled if we're not sharing anything. And if we share the right kinds of things, we might attract people into connecting to us. Am I doing something funny with the mics? Okay, I'm okay? All right. So we don't want to actually be distributing contraband, so we're not going to actually do that, but we're gonna announce that we have it to share, to see who will connect to us, and also so that we don't get throttled. So it looks like we're sharing, and we don't get taken out of the network. Finally, we'll have the ability to tag individual clients that we connect to; there's more on that later, but that's a pretty interesting thing. Can I identify at some point down the road that this was the client that I connected to and downloaded from? That would be an important piece of evidence, and we'll talk a little bit about how that works. So what these tools are gonna do is impersonate regular old peers on the network. They're gonna engage in activity designed to attract connections, whether they're doing searches or announcing what they've got. They'll do queries of their own to find things of interest.
They'll inspect the systems that they connect to, to look at as much as they can in the shared areas. They'll perform those single-source downloads, and they log their activity. And this is the game plan, right? The investigators will go make themselves a good log of what they did and what they found, and they'll use that as the basis for obtaining a warrant. All right, so if you were accused of a crime on the basis of a log file, you might like to know: is that log file a reliable source of information? You know, does it work? And so over time, attorneys have tried to get their hands on these tools, because they wanna know, how does it work? What does it do? And they are uniformly rebuffed. Nobody, to my knowledge, has ever succeeded in that quest, and there have been times when a court has sided with the defense attorney and said, yeah, law enforcement, cough up this code, or give them access to a working instance of it or something, and the case will get dropped. So they'd rather do that than burn their source. And this is a curious thing, because on the one hand they say there's nothing interesting about these tools. They're just simple forks of regular open source software. Anyone could make this. It's not a big secret. And yet they'll go to great lengths to preserve the secrecy. And reason number one that they give is it would divulge our database of, you know, naughty files. And first off, I think the software developers in the room just snickered, because who embeds a database in the software that they're distributing? Those should be two separate things, so that you can update the database without having to distribute a whole new build of the code. So it's probably not exactly that. I don't think the database is literally part of the software. But the reason that they give is, if we do this, everyone who wants to trade illegal materials would just go and flip one bit in them.
And then all of our hash values wouldn't be any good anymore. And while that's true, it works as a two-way street. It wouldn't be any good for the people who are sharing either, because they would not know, if you were out on the internet and everybody, you know, claimed to have different files. If the hash values didn't match, how would you know you were getting segments of the same file? So that reason is a little bit shaky to me. But even if everyone did flip bits in their files, that would be so disruptive to the trade of contraband, maybe you'd want that result anyway. Okay. The code must remain secret, reason number two: it would disclose the undercover investigators. And here I think they're speaking kind of metaphorically. The metaphor that they use is, well, you know, if we had someone buried deep undercover in a drug cartel, we would use information that they gave us, and that's okay, there's nothing wrong with that. We wouldn't identify that person unless and until we absolutely had to. Well, this isn't quite like that, I don't think. But it's interesting. So I can think of two possibilities. And they both revolve around the idea that we don't want one law enforcement agency inadvertently targeting agents of another law enforcement agency, going out on the network and seeing, oh, these guys announced that they're sharing all of this stuff, let's go pick on them. So possibility number one is that nodes know about one another. There's either some central database or a list that's published of who's using this software, and that way you can identify your friend on the network and you don't go and pick on them. This also is probably not part of the software itself, but maybe the software contains the means of obtaining that list or something, and that list really should remain secret. That's a legitimate secret.
But I don't think that's it, because from time to time they will give you the log file, and that contains their IP address in it. So that doesn't really make a lot of sense. So the other possibility is there's something distinctive in the way the tool does its initial handshake. So when two peers connect, they'll exchange some information; usually it'll have a globally unique ID or something like that that it exchanges, and there might be something unique in that handshake that would identify this as a non-traditional peer-to-peer client. And I think that's a pretty likely guess. And I'll talk a little bit more about that, because this is how the tagging feature works. All right, so we have some problems with not being able to look at the software, and one of them is just the reliability of the software. Does it ever erroneously make a report? Well, I can tell you from my own experience consulting with attorneys, it's quite common that when investigators go and seize a computer, they don't find the files that they say they downloaded from that computer. That happens well over half the time. There are two possible explanations for this. One is the files weren't there in the first place and the report is wrong. And the second is, they don't usually execute their warrants until months after they did the initial download, so the file is just not there anymore. And that's probably pretty likely. But what we don't know is how many warrants they have obtained and executed that didn't result in an arrest. We don't see those. That's stuff that never makes it across an attorney's desk. And so we don't know. So we don't know if they're false positives. We don't know the tool's false positive rate. And that, I think, is a worrisome thing. And there are other conditions under which it malfunctions. Well, I'm here to tell you that software has bugs.
And I mean, we wouldn't even have this conference if that weren't true. He's shocked. This is the first he's heard of it. I can't imagine why we should think this particular software has fewer bugs than any other. And it might be useful to know what they are. And there's been no review of this. The government just says, yeah, it works. The next problem is the standard for obtaining a warrant. In order to obtain a warrant, you're supposed to establish probable cause that a crime might be committed. And this isn't technology that's in the hands of the public, by definition. There's a really interesting case from the turn of this century, Kyllo, I'm not sure how you say it, versus United States, where the feds used forward-looking infrared radar to visualize what was going on inside of a house. And the Supreme Court said you needed to get a search warrant for that. You can't just do this. This is stuff that's outside of what the public could have. It violates their reasonable expectation of privacy. And I think that's the case here too: nobody thinks that there's a tool out there that does this. And it's not in our hands. We can't examine it. We can't see it. And again, this is where the government trots out this: well, this is just modified open source software. Any user could do the same thing. Well, that's farcical. Maybe any software developer could. But most users are not those. But it sort of raises the supplementary question: how would we know we were doing the same thing, if we can't see the tool to begin with? Yeah, maybe we could, right? Maybe we could write any kind of software, but how would we know it works the same way that the government one does? And that brings us also to tagging. Right now, when you're using these tools, there are shared areas on your computer.
So there are folders that are just full of things that you're willing to share on the peer-to-peer network, and then there's the rest of your computer, which is supposedly off limits. The way the tagging works is, in that initial handshake, the law enforcement software will submit a blob of data that's going to get written to a log file. In Gnutella, that's the clients.met file, the list of clients that the thing is connected to. That's not in a shared area of the computer, and it now contains a blob of data that the government wrote, and then later, when they come and look through the log, they'll say, yep, this is the one we wrote; it's encrypted with our key. So is that something you should have to get a warrant for? I don't know. That's an unlitigated question right now, or there's been litigation but we haven't gotten a sensible result. The next thing is, what are the chances you're going to find a judge who's able to tell whether these statements are reliable: how IP addresses can be connected to subscriber identity, how peer-to-peer networks work, how a government tool based on open source software works? Judges don't know this. They just get a 20-page warrant affidavit and they say, okay, sign. Because they don't have a choice. It's that or conduct a really serious investigation of their own, and it's not going to happen. Another thing is, who's qualified to testify about how these tools work in court? You usually see the investigator who operated the software come and say, this is what I did on such and such a night, but that person can't really explain; that person is trained in how to use the tool but doesn't necessarily know the inner functioning that the developer of the tool would know. So I think testimony ought to require more than just knowledge about which button you click to make the single-source download happen.
And then of course, again, software having bugs, it might be exploitable to a really enterprising person. You know, these things, we know there's Java-based stuff, there's .NET-based stuff, there's, you know, the clients that the tools are derived from. Any bug that those have, this probably has too. And it may have its own bugs too, of course. And one of the things that we've got here is the exploitation would probably go undetected, because of this lack of transparency that we've got, and because it's mostly not used by security professionals; it's mostly used by investigators, and they might just not even notice if their software crashes in a funny way one day. All right, I have, I think, about one minute left. Yeah, okay, I have one. So I could do, like, a question if somebody's got one. No? All right, well, thank you very much, and thanks for coming to my talk. See you again soon.
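The hash-list argument the talk makes (Gnutella query hits carry a SHA-1, a known-file list matches on it, and flipping one bit defeats the match but also breaks the swarm's own integrity check, so the "flip one bit" concern cuts both ways) can be seen end to end in a few lines of Python. This is an added example written for this page, not code from the talk or from RoundUp or any other tool the talk describes. The file bytes, the "known file list", and the piece size are constructed; the only protocol detail taken as given is that a Gnutella query hit carries the file hash as a base32 `urn:sha1:` URN, and that a BitTorrent-style swarm checks each received piece against a per-piece SHA-1.

```python
import base64
import hashlib

# Constructed stand-ins for two files in a peer's shared folder (sample bytes only).
SHARED_FILES = {
    "report.pdf": b"Quarterly report, constructed sample bytes " * 64,
    "photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg-like bytes " * 64,
}

PIECE_SIZE = 512  # BitTorrent-style piece length for the toy swarm (assumed value)


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def gnutella_urn(data: bytes) -> str:
    """Gnutella query hits carry the whole-file hash as urn:sha1:<base32 of 20-byte digest>."""
    digest = hashlib.sha1(data).digest()
    return "urn:sha1:" + base64.b32encode(digest).decode("ascii")


def urn_to_hex(urn: str) -> str:
    """Parse a query-hit URN back to a hex digest so it can be compared with a hash list."""
    prefix = "urn:sha1:"
    if not urn.startswith(prefix):
        raise ValueError("not a SHA-1 URN: %r" % urn)
    return base64.b32decode(urn[len(prefix):]).hex()


def match_known_files(query_hits, known_hashes):
    """Return the names of hits whose whole-file SHA-1 is in the known-file list.

    query_hits: iterable of (filename, urn) pairs as they would come back in a query hit.
    known_hashes: set of hex SHA-1 digests (the 'database of known files' from the talk).
    """
    return [name for name, urn in query_hits if urn_to_hex(urn) in known_hashes]


def piece_hashes(data: bytes):
    """Per-piece SHA-1 list, the shape a swarm announces so peers can verify each segment."""
    return [sha1_hex(data[i:i + PIECE_SIZE]) for i in range(0, len(data), PIECE_SIZE)]


def verify_pieces(received: bytes, announced):
    """True/False per piece: does what we received match what the swarm announced?"""
    return [got == want for got, want in zip(piece_hashes(received), announced)]


def flip_one_bit(data: bytes, byte_index: int = 0, bit: int = 0) -> bytes:
    """Return a copy of data with a single bit inverted (the 'flip one bit' from the talk)."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def demo():
    """Run the whole argument once and return (matches_before, matches_after, piece_checks)."""
    # Constructed known-file list containing just photo.jpg's hash.
    known = {sha1_hex(SHARED_FILES["photo.jpg"])}

    # What an investigator's client would see in query hits for these two files.
    hits = [(name, gnutella_urn(data)) for name, data in SHARED_FILES.items()]
    matches_before = match_known_files(hits, known)

    # The sharer flips one bit; the whole-file hash no longer matches the list ...
    altered = flip_one_bit(SHARED_FILES["photo.jpg"])
    matches_after = match_known_files([("photo.jpg", gnutella_urn(altered))], known)

    # ... but a peer verifying pieces against the original swarm's hashes rejects the
    # altered piece too, which is the talk's point that the evasion breaks sharing as well.
    piece_checks = verify_pieces(altered, piece_hashes(SHARED_FILES["photo.jpg"]))
    return matches_before, matches_after, piece_checks


if __name__ == "__main__":
    before, after, checks = demo()
    print("known-file matches before bit flip:", before)
    print("known-file matches after bit flip: ", after)
    print("per-piece verification of altered file:", checks)
```

Only the piece containing the flipped bit fails verification; every other piece still matches, which is exactly why the flipped copy cannot be swarmed alongside the original: peers holding the original hash list will discard that piece and re-request it from someone else.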