Hey everybody! So, just some things before we start. We have two people here who are wonderful and have mics. We're recording this, and we're going to put it on the sites and everything so that it's available. If you have questions, please feel free to wave and point, and I will make sure to get a mic to you throughout the presentation.

This is a pretty broad overview of technology and how the internet works. As such, it's only as useful as the questions I get. I know this stuff, and therefore I'm going to miss all the important bits: all the little things that actually make it kind of weird or difficult or confusing. I've already had that experience, so if you do have questions, please stop me. That's what makes it an interesting conversation and worthy of recording. If you have a question that you think isn't worth asking, I'm more than happy to answer it after the fact (I work right upstairs), but if you ask it here it'll be recorded for posterity and all that jazz.

So, I'm Seamus. I work at the Open Tech Institute upstairs, and we're going to be talking about how the internet sees you, using some graphics and some conversation.

The first thing I want to start with is getting to the internet. We're going to talk all the way through using crazy tools and talking to websites and all of that stuff, but before I even get to talking to the internet I want to talk a little about your phone, your laptop, anything with a wireless device, and how it's shouting. In fact, every device you use that has wireless isn't just talking to the routers around it or to the devices you connect to. It's actually shouting out in this beacon. It looks a lot like a donut, actually, but I can't draw in 3D, mainly because wireless antennas suck at talking upwards. That's also why, if you have a router underneath your desk and you're wondering why you never get good connectivity even though you're right there, it's because they can't talk up.

Well, they can, just really badly. So all these devices have this big bubble around them that's just shouting out everything that they want the world to hear. When you're trying to talk to a router, for instance, and you're on your laptop, your laptop has to have the router in its bubble and you have to be in the router's bubble. The wireless routers here in the office, you'll notice, are really powerful. Almost all routers you actually talk to are really powerful, and they have this huge beacon, which is why it's so annoying when you're like, "I have one bar, why can't I talk to this router?" It's because of course you can see the router: it's giant, it's shooting out all this energy. Your phone is this tiny little device just screaming at the top of its lungs trying to talk back, and it can't see it. That's why at two or three bars you actually start talking again, you start getting connectivity, even though you can see all these hotspots.

So what is your phone or device actually shouting about? It's shouting about a lot of things. The first thing, the most important thing, is that it's shouting out its name, which looks really weird and we'll get to that, but it's also shouting out every place you've ever connected to a Wi-Fi hotspot.
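The shouting described here is the 802.11 probe request: a management frame that carries the device's source MAC address and, optionally, the name (SSID) of a remembered network it is looking for. The Python below is an added example for this transcript, not code from the talk or from OTI. It decodes such a frame, pulls out the vendor prefix of the MAC, and keeps the kind of per-MAC, per-listener history that a set of fixed antennas (like the Seattle waterfront network discussed later in the talk) could build without the device ever associating. The frames, MAC addresses, SSIDs, sensor names and the tiny vendor table are all constructed for the example; real code would look the prefix up in the IEEE OUI registry, and whether a device transmits its factory MAC in these frames is up to its software.

```python
"""Decode 802.11 probe requests and keep the per-MAC history a passive
listener can build.  Added example for this transcript; every frame, MAC,
SSID, sensor name and the OUI table below is constructed, not captured.
"""
from collections import defaultdict

# Illustrative vendor prefixes only (first three octets of the MAC).
# Real code looks these up in the IEEE OUI registry.
OUI_VENDORS = {"00:1c:b3": "Apple", "f8:e0:79": "Motorola"}

MGMT_PROBE_REQUEST = (0, 4)   # 802.11 frame type 0 (management), subtype 4
MAC_HEADER_LEN = 24           # FC(2) dur(2) addr1(6) addr2(6) addr3(6) seq(2)
SSID_ELEMENT_ID = 0


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_probe_request(frame):
    """Return (source MAC, list of SSIDs) for a probe request, else None.

    frame: raw 802.11 bytes without a radiotap header.  An empty SSID
    element is the wildcard probe ("any network, answer me"); a non-empty
    one names a remembered network the device is asking for by name.
    """
    if len(frame) < MAC_HEADER_LEN:
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if (ftype, subtype) != MGMT_PROBE_REQUEST:
        return None
    # addr1 is the destination (broadcast); addr2 is the transmitter,
    # i.e. the phone or laptop doing the shouting.
    src = mac_to_str(frame[10:16])
    ssids = []
    body = frame[MAC_HEADER_LEN:]
    i = 0
    # Tagged parameters: [id:1][len:1][value:len] repeated to end of frame.
    while i + 2 <= len(body):
        elem_id, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            break                       # truncated element: stop parsing
        if elem_id == SSID_ELEMENT_ID:
            ssids.append(value.decode("utf-8", errors="replace"))
        i += 2 + length
    return src, ssids


def vendor_of(mac):
    """Map the OUI (first three octets) to a vendor name, if known."""
    return OUI_VENDORS.get(mac[:8].lower(), "unknown")


def build_probe_request(src_mac, ssid):
    """Construct a minimal probe request; used only to make sample input."""
    ftype, subtype = MGMT_PROBE_REQUEST
    frame_control = bytes([(subtype << 4) | (ftype << 2), 0x00])
    duration = b"\x00\x00"
    broadcast = b"\xff" * 6
    seq_ctl = b"\x00\x00"
    header = (frame_control + duration + broadcast
              + bytes.fromhex(src_mac.replace(":", "")) + broadcast + seq_ctl)
    ssid_bytes = ssid.encode("utf-8")
    ssid_elem = bytes([SSID_ELEMENT_ID, len(ssid_bytes)]) + ssid_bytes
    rates_elem = bytes([1, 4, 0x02, 0x04, 0x0b, 0x16])   # supported rates
    return header + ssid_elem + rates_elem


def track(observations):
    """Build {mac: [(time, sensor, vendor, ssids), ...]} from
    (time, sensor_id, frame) tuples, as a network of fixed listeners could.
    The device never associated; it only had to be in range and shouting."""
    history = defaultdict(list)
    for t, sensor, frame in observations:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue                    # not a probe request, ignore
        src, ssids = parsed
        history[src].append((t, sensor, vendor_of(src), ssids))
    return dict(history)


if __name__ == "__main__":
    # Constructed capture: one phone walking past two listeners.
    obs = [
        (1, "pole-A", build_probe_request("00:1c:b3:12:34:56", "")),
        (2, "pole-A", build_probe_request("00:1c:b3:12:34:56", "murky coffee")),
        (9, "pole-B", build_probe_request("00:1c:b3:12:34:56", "murky coffee")),
        (9, "pole-B", b"\x80\x00" + b"\x00" * 30),      # a beacon, ignored
    ]
    for mac, seen in track(obs).items():
        print(mac, seen)
```

The `track` output is exactly the kind of record a listener gets for free: a factory-stamped identifier, a vendor guess from its prefix, the network names the device has saved, and a timeline of which antenna heard it when. Nothing in the exchange required the device to connect.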
So any time you said, "Oh yes, save this place" (I'm going to go back to my My Little Pony club, or Murky Coffee, or my psychiatrist's office, or the Lambda Lambda house if you like the Nerds movie), any place you've ever been, it's shouting, "Hey, are you around? Have we talked before?"

To give you an idea about that name again: every device has a unique name. There are 200 chemists born every year and I have a pretty weird name, so that gives you an idea of just how unique that MAC address you use is. That name is actually two parts. Every name on your device tells you who made that device; in this case, this is Apple's vendor manufacturer code, and it's a series of numbers. In fact, you'll notice those letters here too: they wanted to count all the way up to 16, but they didn't want to use multiple digits, so they just tacked a bunch of letters on the end. You get to 10 and they're like, A, B, C, D. So you actually have this giant number here, including these letters, which identifies the exact wireless chip in your device, and never has there been a single wireless device that has the same name as another. Now, this is stamped on at the factory when they actually make your wireless chip. It doesn't mean you can't change it after the fact, but it is actually stamped on your chip from the very beginning. You'll see here Apple has this vendor manufacturer number, which means they have 16-plus million possible chips. They actually have a couple more vendor manufacturer numbers that they use, each with its own 16 million chips, so they have four billion four hundred sixty-two etc., etc., etc. possible unique IDs for their devices, and this is just Apple's. This gives you an idea: every phone, every computer you ever used to connect to the internet has its own special name.

So these devices are shouting out their name every 15 to 60 seconds, depending on the device. This isn't standardized; one device may shout it out three times a second, one may shout it out 20 times a second, but
as you walk down the street, it's saying, "I was here, here's my name. I was here, here's my name. Please, someone listen to me and connect me to the internet." And that's cool, but sometimes it's not cool.

So the Seattle Police Department built a mesh network, which, if you know what I do upstairs, is what I do: I build mesh networks over at OTI and work on the Commotion project, which we won't actually be talking much about; this is the only little mesh section here. They built this mesh network in their waterfront area. The reason they built it is that there are a bunch of cameras down there, so they wanted to provide connectivity to all the devices, all the police cars and the like that were in that area, and also provide free connectivity to people who are wandering throughout the streets. And so people were a little concerned, because the police department was setting up this giant communication grid in one of the poorest areas of Seattle. It covers this entire area of Seattle here, by the way, which, if you know Seattle, this map is still probably not very helpful; it's a really tiny snippet, but it's the best I could find. And they look just like this little tiny box on telephone poles.

What we found, though, was that because a person has this bubble of about 150 to 300 feet (that's for a cell phone, by the way, and that's outdoors, good weather, not a ton of walls and bricks and other devices causing interference)... It should actually be noted that Wi-Fi, like radio waves, is the only well-named term in science, because they actually work like waves. If you throw a pebble in the water and another pebble right next to it, they kind of even each other out, kind of ruin the wave, and you don't get a good splash. (Whoa, my God, John, I'm sorry. John's a big guy.) So they do cancel each other out when you have a bunch of them around each other; the more Wi-Fi in an area, the worse it becomes. So what Seattle police was doing was they were putting these antennas up and they were actually watching the shouts of everybody who
walked by. All of a sudden this entire neighborhood was keeping track of everybody who walked by, where they had been and what they're shouting, up to a thousand locations for every MAC address. You're not connected, you're not touching this network in any way, you don't even know it's there, but as you walk through the waterfront they're going, "Hey, there's that person we saw shouting yesterday," as you walk on by. And so it led to this really interesting thing where they could say, well, this MAC address walked by my telephone pole, and then at this time they walked by again and we had a camera that time, so now we know what their face looks like. Now they're doing a bunch of other stuff, and it actually got temporarily suspended, but that gives you a good idea of why it's so important that your device is shouting all the time.

Now, it's also incredibly important because you need to have it shouting to be able to walk into your house at the end of the day and have it automatically connect, and your emails download, and everything work immediately, and to jump on and start watching Netflix without having to type in your password again. And so we're going to talk about that right now, but it's also really important to know that these devices shout constantly as we walk around. So before I go on to how we actually use the shouting... could you pass... awesome, you're on it.

So when you register your device with your personal name and everything, that's kind of the extra link between then being able to connect the random device number with the person who's walking to all these spots?

Exactly. Now, as we're going to look at here, that MAC address is only used locally. We never shoot that to Google, we never send that MAC address. We have a better address, because the MAC address is your name; we use what's called an IP address (sadly, they're both called addresses), which is actually like your local address. It would be like 1899 here, which tells people who you're actually
connected to on the internet. But when you do register a device, you are directly connecting it to your name, or its name. Great, right behind you. Thank you.

Like in your wireless list of all of the places that you've been in the past, often I'll say, yes, remember this one. If you were to basically tell it no, don't remember me, is that a functionality that covers you, or kind of makes you invisible?

Well, so, I wouldn't... you're still going to be shouting out your MAC address, most likely. This isn't something that is required or standardized in some way with wireless companies and people who make phones and laptops, so each one will behave a little bit differently. There are a lot of really great (well, I think they're really interesting; some others might not) articles and research studies of what happens when you put your phone in airplane mode, for instance, which should turn all of this off, or what happens when you say "don't remember an access point," which should turn a lot of this off. But it is kind of a roll of the dice, depending on whether the guy who wrote the software for that specific phone thought it'd be useful or not, for some other purpose that he was thinking of, to make you constantly shout out your MAC address. Another reason you might constantly want to shout out your MAC address and the access point name is that sometimes you have an access point that doesn't actually broadcast back, because just as we're shouting out, the access points are also shouting out, "Here I am, let's talk, let's get you on the internet as soon as possible." So there are a lot of weird, fun edge cases that geeks like that require you to shout out a lot, and the geek who made your device probably wanted to make sure that edge case was covered. So it really is kind of a per-device thing. Anything else before we move on?

I just wanted to know what happened with that Seattle case. They suspended it because there were civil liberties groups that were like, "what?" And were there
any... I mean, in New York I got really up in arms about this. On the High Line there are cameras all over the place; on the High Line there are cameras down the street, there are cameras, and by the time you come into the camera's view, I mean by the time you can read that this is a New York City, you know, NYPD camera, then you're already in its view. I have a huge issue with that. But in this situation, were there even signs up where they were saying, "Oh, by the way, this wireless network, and if you connect to it, it means this"? Can you give us more details? I'm just asking where my point is...

There we go. Well, so, let me... whoops, I selected everything. That's okay. There we go. Apparently I'm horrible at this. There we go.

So the Seattle Police Department contracted out to Aruba Networks. Aruba does mostly things like, you know, when you go into malls, they do the same technology to see where you shop and what your shopping patterns are, so they can keep track of you. They do it in Mega Mart; Walmart's doing this right now. So Aruba does these kinds of networks all the time to track consumers. The Seattle Police hired Aruba, but then wouldn't tell City Hall or the people what the contract stated. In fact, even after City Hall said, "Hey, come here, we want this data, you work for us," they wouldn't give up the data. So it got leaked; we don't know who leaked the information. They leaked the whole contract, and that's when this quote actually came out, which says: "the software is a location engine that calculates associated and unassociated devices every 30 seconds by default. The last thousand historical locations are stored about a specific user whether they're connected or not." I believe that is actually a quote about another one of their products that is using the same software platform, so the assumption is this is what is happening. When this happened, the police chief, as a courtesy, suspended work on this project so City Hall could talk about it. So from the last
I heard, and I haven't looked into it in the last week or so (this actually just happened about a month ago), the last I heard it was "as a courtesy, suspended." So we don't actually have, or I don't have (and you should look up after this and tell me), any knowledge about whether this is going to continue going forward or if it's actually going to get shut down. It is literally just paused at the moment. Does that answer your question, China? And I don't think there were signs. I mean, they were so closed about it, they wouldn't let City Hall look at the contract.

So let's actually look at what happens when this works correctly, when you... oh, sorry. Great, yeah.

I was just wondering, if you are connected to a hotspot, does your device still beacon out its name to other hotspots, or is it just saying "I'm with this one" until you disconnect?

I believe it is still beaconing out to other hotspots; that's why if your hotspot goes down you can connect right to another one. I don't know about specific software, though. Again, as I said, it depends on the software that you're using on your phone or on your computer. It's really a hard question to answer decisively about each individual device. Also, the reason why that number of 150 to 300 feet was such a broad range is because it matters how much energy you put into an antenna and a radio, and all of those kinds of fun facts. Yes it is, yes it is. That's my boss, everyone; everything I know...

So let's actually look at this working correctly. You'll see up here at the top left, this is just your data; this is what we're focusing on today. So when you actually connect, you shout out that beacon and you ask for your hotspot by name (in this case it's "hotspot"), and the hotspot will shout back that it has found you: you are connected, or you're not connected yet, but you're going to start connecting. Then you'll shout out, "Yes, here I am, here's my MAC address," as one last final confirmation, and then it will give you back an association ID, which, fun fact, is just a part of your MAC address. They're
just lazy and only want to use part of the MAC address. From that point on you use this association ID to connect to your router (I'm going to keep hitting that thing), and you ask for this IP address that we talked about. Now it's going to stop right here, because we're going to talk about IP addresses in a second.

The interesting thing to note is that all of this seems to happen in about five packets, and these are very... I mean, they're literally quotes here, they're like spoken. This is like a 14-message-long interchange. A lot of the things we're going to see today (we're going to do this kind of visualization of the network a couple of times) are always going to be pretty short compared to the actual verbosity of computers. They love to talk; they love to talk a lot. They send a lot of really small, inane messages over and over again just to check. In fact, every time it talks it does this back-and-forth thing just to make sure: "Hey, you got that? I got that. I sent it; did you get it?" So when you actually look at the standards and the packets, it's much more obscenely verbose. We're going to skip a lot of that today, but I promise you you're not missing anything important. If anyone who is on the team or knows otherwise notices, like, "Oh, actually we're missing this one thing," please shout out, because I did try my best to condense this, and if we're missing something that's vital I would love that. That's why I invited you guys, that and because you're awesome.

So yeah, let's talk a little bit about that address. We know our name now; that's our MAC address, right? That's this number right here that has a bunch of colons in it; it's six octets long. We also have this IP address; it's four sets of numbers long, and it works just like your home address. It's not geographically based, but if we fudge a little bit, it works a lot like this. You have a large region of people (it doesn't have to be the United States; it could be people who work for IBM), and they get
this first number. This is like the country you live in. It's actually kind of backwards from the normal way we do addressing. After that, you go over one letter, and any subset of those groups of people, like California here (an amazing warm state today), gets the next set of numbers. From there, a place like San Francisco (my hometown, best city in the world) would get another, smaller set of numbers, and then finally you end up at your actual router. If any of you are connected to Wi-Fi right now, you'll find, if you look at your number, that these three numbers in the front will all be shared by everyone connecting to the same router that we're on. This last number will uniquely identify you; this is your unique address on the internet right now, this number right here. Routers are kind of selfish: they like to pick number one. They like number one because they're number one. And actually, if you want to see if you can talk to the router that you're on right now, you can type in your address and change that last number to number one. You might actually get a little web portal for your wireless router saying, "Hey, log in and change the settings and see who's on the router right now." In fact, a lot of what I do for a living is that little web portal right there, on the Commotion team.

So let's take that connection we made with the router before. Knowing what we know about what we're doing with the router (getting an address and talking to the internet), it is actually secured a little bit, because the fact that we're beaconing out every bit of information about ourselves, where we live on the internet and what we're doing, isn't very secure, especially when you're in a coffee shop, or even... I think, actually, the guest account here isn't secured; you just type in a little password. That means everything you say, every email you send, it's all in the clear, it's all plain text. So if I sat here on my computer (which I would never do, because it's illegal; where's the camera?), you can
actually see every little bit of data that's traveling through the network. So there are two ways, and sadly they're bad acronyms (I said the only real good term in science and computers is radio waves). One is Wired Equivalent Privacy, which is not equivalent to wired privacy at all, and the other one is Wi-Fi Protected Access. This set of slides is actually known as "never, ever, ever use WEP unless you don't want any security at all." So we're going to briefly cover why this first one, Wired Equivalent Privacy, which sounds like "weep," is bad, and why WPA is better, why it works, why you can feel comfortable connecting to your router, and why internet security as a whole works. The principles we learn here about WPA are going to keep going as we talk about other security later throughout this presentation.

So let's first talk about why WEP sounds like weeping. The internet and all of its communication is sent in the smallest chunks possible. We call these little packets, and so an email might be four or five little chunks of data saying, "Here's the beginning of the email: part one of four, part two of four, part three of four, part four of four." With WEP, it takes about 40,000 of these to have a 50% chance of breaking it. To give you an idea of what that's like, that's about a minute of actively just shooting random data at the device, or it's about a 13-minute YouTube video. So if you watch YouTube for 13 minutes, and that's ignoring all the traffic of you shouting back and forth and connecting to your router and sending "give me all these advertisements" and all the other stuff, if you just had that video downloading, 13 minutes later, if you're using WEP, someone who is just watching could figure out how to get in and start to actually see your traffic. So we don't like WEP, and you'll notice none of New America's routers or OTI's routers upstairs use WEP. We all use WPA, and the reason we use WPA, or WPA2, which is the second, greater, more awesome version (but they're actually both pretty great, so
don't worry if you only have WPA 1), is that the best method for getting around this is to either hope that the device, the router, or the thing you're connecting to has another flaw (it's broken some other way), or to just read it every single word in the dictionary. And that's the wrong button. So there was a cute graphic of, as I'm saying, "aardvark." You missed it; it was great. Also, feel free to stop me at any point, by the way. Oh, hey, Greta. Nice, I'm glad I said that. Good, yeah.

So my question is, when you say with WEP that the observer can see your traffic, what exactly do they see? Well, so, before they break the traffic, right, when it's still encrypted?

What they're actually seeing is that the conversation between you and the device you're talking to has a front part, a lot like the address on an envelope, and they see a bunch of gibberish, which is essentially the conversation itself, the internals of that. Over time, as they see this exchange happening back and forth, they can start to figure out what the password that you guys are using with each other is. Once they have the password, they can go back and read everything that was in that old conversation again, essentially make it plain text again.

Could you give her the mic? Sorry.

But is the old conversation, like, what your computer is saying to the other computer, so it's sort of like all those back-and-forth messages, or is it also the contents of your... also the emails and stuff?

Yeah. If WEP is broken, or if any security connection is broken or flawed in some way so that the content can be opened, you are actually opening up the internal, actual conversation with the internet itself. But the bits about you talking to the router, all that's happening in the clear. And actually, when we get past this slide, a couple of slides later when we start looking at those network visualizers again that we just looked at, all the text up here at the top right that was all white, when we start to actually
secure things in some way or another, I'll turn it all green, so we can actually watch as different parts of the conversation are opened. That first conversation with the router, when you're not using any security, or when you're using broken WEP (which, to be fair, you still have to try to break; WEP, by the way, without someone else's tool, I could never break), when you are having those conversations, almost all of the conversational parts of it, like "here's who I am, here's where I'm going, hey, do you know where this guy lives," things that we consider metadata, is almost always open and in the clear. That, by the way, is what the NSA is collecting: all that stuff that's kind of in the clear, like who I am, who I'm talking to, what time I'm talking to them, what language I speak, what my browser looks like, what computer I'm using, what else... It's pretty much everything except for the exact thing.

So what the observer sees is, like, that metadata interspersed with plain text, like regular language?

If you're looking at the packet that's encrypted, you get all that metadata in plain text, and it's actually like, "this thing colon," you know, "your name colon" and then your MAC address, "your address colon" your IP address. We're going to talk a lot about headers in a few slides, but the idea is that all that stuff has to be very clearly written and has to be in a standard format so that it can be easily parsed by computers. And then all your actual content, once all that's done, it says "beginning person's content," like "Greta's stuff here colon," and then gibberish if you're using encryption, or if you're not, it's just that raw data. And then it's interspersed over five or six, or forty thousand packets if you're watching a YouTube video, and each packet has that little address stamp on the top. Did I totally miss the point of your question? I did, didn't I? Yeah, this is like... this, please.

So I'm just trying to think what it looks like to the
observer. Like, to me, if you looked at the information that's in a streaming video or something, it wouldn't look like anything when you're just looking at packets from the outside, right? But are you saying that it looks like, if somebody sends you an encrypted email or a signed email, it has their signature, and then it has plain text, and then it has more gibberish? Do you know what I'm saying? Like, I don't know what a YouTube video would look like to an observer, because it wouldn't look like the actual content.

No, it would look a lot like this. And excuse... pretend you saw none of this. There we go. So the top part... no, it wouldn't look like anything like this, and we'll talk in more depth. It would actually be a series of values, and then, like, tables, and the responses there would be one of these. It would say something along the lines of "JavaScript, YouTube video beginning," and it would tell you what you're looking at, so that in this case the browser will understand, "Oh, this is a video, I should play it as a video." If I were looking at those packets individually in a text editor, like in Word on my computer, it would look like gibberish, but when you collect enough of them you go, "Oh, here's the beginning, here's the first packet and the last packet, run these as a video," and then all of a sudden... I mean, it is a video; it's encoded as a video, it would look like a video. But this is the header, this is the top part. In fact, this is the top part of a geeky social media site I use called GitHub, and this tells you everything that you need to know. This is actually what I tell the server here, so it's slightly flawed; these aren't exactly the headers you're interested in. I think I pulled everything but the cookies here, but the idea is that you have all these fields and values that let the browser know, or in this case the person watching your traffic, the malicious actor, know what exactly it is they're
seeing, or, you know, what is below, as well as a number that says "this is packet four of 300," "this is packet one of 28." Yeah, this is what you were getting to, or not?

But is there a moment in that stream of information where something comes across and it's like, "password to open Outlook colon," you know, "LisaGrunze579," and it's actually just written out there, and then the next is, you know, here's the full content of that email? Yeah, all of those things are in this stream; it's not that they're kind of hidden under some sort of other code?

Yeah. So this right here, this first number, there it is: user session, and then gh session. These are what we would call my session keys; these are the password to log in as me. There was a program called Firesheep many years back. We used to not use HTTPS for all the websites (some people still don't; we hate them), and HTTPS is basically a secure way of connecting to a server before you exchange data. So these, what we call session cookies, are essentially the password to log in as you. What Firesheep did was say: go sit in a coffee shop, turn on our program and wait. When someone logs into Facebook, we'll grab their session key out of the air, and you're logged in as whoever's sitting near you in the coffee shop, and then you post fun things on their page. This is why, on Facebook, getting your account hacked used to happen so often, like every other day someone's account would be hacked. My Facebook stream was all just 14-year-olds making jokes about people's accounts they hacked, because it's so easy to steal this password, this user session, out of the air. Because, again, it's all mostly English text being passed around (I think it's almost all ASCII text that the internet uses for these headers), that means that you can just say: see all this data that's being... any bubble that, you know, Venn-diagrams with my bubble of my computer; if you see the word "password" or "session key" or "Facebook," print that out to my
screen, or try to use it to log into Facebook: steal that top part, the address header, put it on a packet from me and send it, and see if we can log in. So it's incredibly easy if you're monitoring this traffic. And all computers do, actually, is monitor for traffic that says their name and ignore everything else. They still hear it. In fact, there are whole people who are trying to make it easier for computers to ignore other devices, because they're hearing all this and processing it and tossing it away, and hearing and tossing and hearing and tossing. But the only thing that's stopping them from reading the data that they see being beaconed around them is the fact that they're told to ignore it. And I think next time I do this (and I'll do this again at New America) we'll actually watch some live traffic. We can definitely do that; that's a very easy thing to do, and we can actually look at some more in-depth data. Cool.

Oh, one more? Let's do it. So what does the stream look like if you are connecting over HTTPS?

Let me show you. So before I tell you what the stream looks like, I'm going to tell you how the stream actually gets secured, because that's important, mainly because I'm going to ignore this stream. We're going to see a lot of secure communication in this presentation; in fact, from this point on we're going to see a lot of it. It's going to keep happening, and I want to make sure that there's an understanding of why it's secure before we just say it is secure. And the reason is because of my favorite word in the entire computer science language: nonce. Nonces are the greatest, because a nonce is a made-up random word you'd use for a singular purpose, stolen directly from English. If you want to make kids shut up, you use supercalifragilisticexpialidocious and a spoonful of sugar. If you want to securely connect to another device, you use a one-time number. They use a one-time number you shout at each other, and because you entered a shared password when you connected to the hotspot today
(when you come into work and you log on, you type in a password), because you both share one piece of knowledge, this password that you have, and then you exchange these random bits of information, you can create a new password without knowing what each other's passwords are, that is only for that one time you connect. So every time I open my laptop to a WPA access point, or when I use HTTPS (and this is used in a lot of these systems), what we actually do is we have this exchange of tons of packets, and in that exchange we create a whole new password. In fact, two passwords, one for each of us; the other one doesn't know. So what's cool about that is it means when you use WPA, as opposed to the WEP we were talking about earlier, what you're actually doing is creating a new password every time you talk to that router. Every single time you communicate, you create a new password, which means it's that much harder for someone to monitor your usage of that hotspot. So when I go home and connect to my access point every night, it creates a new password, and so they have to actually break my password every new time I connect, which makes it incredibly hard to actually break these passwords. So that's why nonces are so awesome, and only allowed to be said, like, once.

So before we actually show you the nonce thing (I know that's a big concept to put in two slides, one with Mary Poppins), any questions before we go on to actually look at it? Okay. Oh, yeah.

The weakness is that it's just a simple cipher, and that once you break it... I have to use a microphone. So you say I'll be the... I'm assuming it's just a simple cipher, and that once you've broken it you can basically just go back and read everything, right? So it's like we're passing information, we just shift every letter five letters over; once you've got it, you've got everything.

Exactly. It's just like the note you passed in eighth grade where you make up your fake little password, and once you've broken that cipher you're done. I guess I kind of want to
stay on Mary Poppins; it's my favorite slide. So we're going to see that exact same communication we saw before with our laptop and our hotspot. It's going to start the same way, our laptop shouting out for the hotspot (and mind you, it's already been shouting its name and all that information before it talks to the hotspot). The hotspot then comes back and says, "Yes, you found me, tag, you're it." And things go a little bit differently now: we shout our nonce (a nonce is a little bit bigger than this, but this works for now), and the hotspot shouts back a different nonce. Again, we're exchanging random numbers, and it also sends this weird chunk of text we call an integrity code. This is the second most important part about security: it's not just that you have to have a really strong encryption standard where you know that they could never break it in our lifetime; you actually have to know that you're talking to the right person, in this case the wireless hotspot. And so authenticating that this is the same conversation, even if you're using your crazy new password, is really important. So when it shouts back that integrity code, that gibberish that it shouted back, what it's actually done is taken your entire conversation and shoved it into this mathematical function that always produces the same output. If any of you have ever made sausage: if you shove the same meat and things into a sausage grinder in the same way, the sausage is always going to look the same. It probably won't look like that, hopefully; don't eat that sausage. But it will always look the same. If you shove a different set of meats and spices in... (Hmm, yeah, that's Ed Central. I did that for you guys because you said you were going to come to this space. This says nothing about the quality of Ed Central; it should not be ground. Please do not do this with Ed Central or the California Civic Innovation Project.) But you'll note the sausages look completely different. Now, mind you, this is really obvious when Ed
Central is way blue and they have a lot of really, like, yellows and greens. The cool thing about the way you do this mathematically is that even if you have two messages that look almost identical, two pieces of information that are almost identical but one little piece is different... Unlike a sausage grinder, which grinds from the very beginning to the very end and outputs that whole chunk of content, the meat that you put in it, the way these functions work is they actually run it through multiple times for every new character, every new piece of data that it finds. So it creates an entirely different sausage, or in this case integrity code, if you change one small bit: you leave out one period, you don't put the tab in right, it's going to look dramatically different. And they don't come out as sausages; they come out as that gibberish number we saw before. So these are actually called one-way hash functions. I wanted to actually do hash, like a diner, but it took forever for me to get a quarter of one done, so I went with sausages. Either way, unless anyone has any questions, we're going to keep going and finish the WPA conversation.

So we already started it, so I'm not going to make us redo that whole conversation, the four packets we did. We're going to start right at the nonce shouting, and this time our laptop's nicer about it, and the hotspot responds again with the nonce and also our sausage here, our hash or integrity code, to let the laptop know that this conversation is the correct one. Now, this keeps going back and forth for a ton of packets, each time adding the last message into that integrity code and sending it, to make sure the entire content, everything they ever sent, is the same. And once it's done, everything is encrypted: the MAC address request (or the sharing of the MAC address), the association ID, the IP address, all of this is encrypted between the laptop and the client. In fact, actually, the association ID is not encrypted; I realize that's totally wrong. So that little bit
right there is not encrypted, because that's actually how the laptop and the router talk. Again, it's those third and fourth chunks of that MAC address, A2CD, you can see it right here. That bit is not encrypted; that's actually the part, that header we were talking about, that address section on there. So we've connected to a router. What's up? Great.

So why does it use the third and fourth bits of the MAC address?

Supposedly, at some point some geek somewhere was like, these are the most important bits of the MAC address. They're supposed to ensure randomness, because it is the last chunk of the manufacturer's number. So like Apple has three sets of digits, and then your device has three sets of digits. So the idea was that those two sets of digits will make sure that no two devices on the same hotspot are ever gonna have the same address, because the last two bits of the manufacturer's number ensure that the manufacturer is unique, and then the first two ensure that it's the, you know, it's the most changing. It's not the most unique digits, you know; it's basically rolling the dice on hoping not too many people buy iPads. But yeah, that's what it does; it's supposed to be guaranteed to be the most unique two sets of numbers, as opposed to using the whole MAC address.

Any more questions before we move on? Because we've got a whirlwind tour coming. This is actually where we're gonna start getting... all of a sudden our graph is gonna get a lot bigger, and real quick, because now we're bringing in the internet. And the first thing you know about the internet is that no one wants to type in those giant MAC addresses or IP addresses we talked about before, even though you have them. I'm sure that probably only, well, all the geeks I work with here in this room could find their IP address in the next like 30 seconds. Usually what we do when we use the internet is we type in Google.com; we don't type in its full-fledged address. And the way that works is through the system we call the domain name system, which is essentially just: who do I ask to find out who Google is today? The reason this has become so important recently is that now, with the cloud, which is essentially just that you can put your website on 80 to 3,000 different computers, you have to be able to find the certain computer that Google is actually on today, because he could be anywhere. And Google is actually not just one Google on one computer; it's actually Google on like thousands of computers all over the world. So who's the closest Google today? And the way you do this is you ask your router, when you're connecting to Google, and you say, where's Google? That's who I want to talk to. And what the router does is it asks these domain name servers where Google is. And the way that those servers get Google's address is, every day, every website all over the world, including newamerica.org, actually has a specific set of two different servers that it talks to, and every time it changes the address it goes to these two places and says, hey, here's where I am today, just so you know, and in case you go down, here's where I am today, just so you know, to these two different servers. We call these content servers or authoritative servers. And so these guys, I know we're getting in the weeds, we'll get back to the fun stuff soon, I promise, these authoritative or content servers, their entire job is just to tell people where Google is, or in this case mysite.com, which I looked up yesterday and has actually told... like a domain name buying site, and I should have changed this to like my website, but yeah. So I do not endorse mysite.com; I don't unendorse them either; I just don't know who they are, really. But so these servers' only job is for you to talk to them and say, hey, where is this site today? And so down the line you ask your router, your router doesn't know, it asks the next computer in line, all the way to mysite.com, which seems like a ton of traffic that doesn't need to happen.

Luckily they're pretty lazy, and so what they do is any time you ask for a site, you just write down, oh, that's where Google was today. That's what we call your cache. You know when you clear your browser cache and your history deletes itself? What it actually is, it's not just the history of the names of the sites, it's also where their address was last time you talked to them. And so that allows you, even if your router doesn't know, to be able to go to Google next time without having to do that whole query of where's Google today and getting all that information back. And so this process actually happens not just for your cache: your router may, it's optional, have a cache of its own, and then the next server up the line, all the way to that authenticated server at the very end. This means the IPs, like, you know, ISPs, not IPs, ISPs, or newamerica.com, if everyone here goes to newamerica.org every day, the router here at New America may not want to have that request and all that traffic going through its network that it doesn't need, right? We have to spend all that time downloading videos of cats here, right? We work hard. So what it does is it saves that address and says, oh no, here, I got it for you, you don't have to go ask about that. And so let's actually look at how that works. Josh, great, he's doing all the work here. Andrew, thanks.

I just wanted to note a little bit about, and stop me if you're going to cover this, how DNS actually finds the servers that it's supposed to ask about where it's supposed to go, which is that the top-level domains like .com, .net, and all of those, they have their own DNS servers. They're called the roots, or the root DNS servers, of which I think there are only like nine in the entire internet. I mean, they're actually made up of a whole bunch of different redundant servers, but they form the whole name service root. And so at some point, once you get to like your ISP's DNS server, they just have all of the addresses for those servers hard-coded, and then they go and ask like the .org root, where are New America's name servers? And it sort of works its way up from the right-hand side, looking up where all the servers are, and all of that is what's eventually cached, so they have to go and ask the root all the time. And the reason for that was that originally DNS was supposed to be this incredibly hierarchical system, where you'd have these really long, like, "us" and then "il" and then something and something, and so it would be very distributed, and that just didn't end up happening because it wasn't very popular. Everyone wanted .com, and so now it's actually really flat, which is why there's only nine servers that run all the DNS for the internet.

Yeah, although it is only by convention that we use those servers. There have been alternate roots that people have stood up before, and like I said, those nine servers are actually like highly distributed server farms that are not just like one box in somebody's closet but is actually like a giant set of machines acting as a single server.

Except for .org, which actually is in my closet. It's a weird story; we'll get to that, though. So let us look at the simplified version. Oh no, we won't, let's not look at the simplified version yet. Grady, what can I do you for?

So who is it actually that runs the DNS servers, and how are they paid for and maintained?

Sorry, go ahead, I apologize.

Who actually is in charge of the DNS servers, and how are they, you know, maintained and decisions made?

So it is a series of corporations, and I know ICANN had a big part in figuring out who these organizations were. I think most of them are US-based organizations. I know that .com and maybe .net are run by Verisign. I forget who runs .org. I mean, it varies; they're not all the same companies. And then there are a whole bunch of other companies that are registries that control, like, sort of sets of the servers that tell where to find other DNS servers, and so that's who you register with. It's not formalized; all of these companies have arrangements between each other that, you know, it's not according to technological standards, it's all kind of like a shady cabal of different organizations, which is actually how most of the core of the internet is operated.

And it should be pointed out that there's an organization called ICANN, which is the International Corporation for Assigned Names and Numbers. They have an ombudsman site; the ombudsman runs their own site and blog. I would read that blog. It is like the most tell-all soap opera blog you've ever heard, about geeks fighting and yelling about things. It's the best. One of them quit a couple years back because he was done with it, because "you're not listening to the people." It is so juicy and wonderful. So if you actually want to know how this shady cabal works and what total cattiness happens in the underpinnings of the internet, it is the best blog ever, I love it. So I would highly recommend ICANN's ombudsman blog, who just handles all the internet trash that happens.
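The lookup chain described in this part of the talk (laptop cache, router cache, ISP resolver, then the root, TLD and authoritative servers, with every hop caching the answer) as a constructed Python model; this is an added example, not code from the talk. The server names and domains are made up, the 203.0.113.x addresses are from the range reserved for documentation, and every query that leaves a hop is recorded so you can see exactly which names a tap on the path could read.

```python
"""Simplified DNS: a chain of caching resolvers in front of the root/TLD/authoritative tree.

Constructed example. The tree below is made up; 203.0.113.0/24 is the address range reserved
for documentation (RFC 5737), so these addresses belong to nobody.
"""
import time

TTL = 60  # seconds a cached answer is trusted before the name has to be looked up again

# Each server only knows the names it is responsible for. ("NS", x) is a referral meaning
# "go ask server x"; ("A", ip) is the answer. The root knows only the TLD servers, a TLD
# server knows only which authoritative server a domain registered with it, and the
# authoritative server (the talk's "content server") knows the address itself.
SERVERS = {
    "root":            {"org": ("NS", "tld-org"), "com": ("NS", "tld-com")},
    "tld-org":         {"newamerica.org": ("NS", "auth-newamerica")},
    "tld-com":         {"mysite.com": ("NS", "auth-mysite")},
    "auth-newamerica": {"newamerica.org": ("A", "203.0.113.10")},
    "auth-mysite":     {"mysite.com": ("A", "203.0.113.20")},
}


def query_server(server, qname):
    """What one DNS server replies: its most specific record covering qname, or None."""
    zone = SERVERS[server]
    for suffix in sorted(zone, key=len, reverse=True):   # longest suffix wins
        if qname == suffix or qname.endswith("." + suffix):
            return zone[suffix]
    return None


class CachingResolver:
    """One hop in the chain: your laptop, your router, or your ISP's recursive resolver.

    With an upstream it forwards cache misses there; without one it walks the tree from
    the root itself, which is what the ISP resolver does with its hard-coded root list.
    """

    def __init__(self, name, upstream=None, clock=time.time, wire=None):
        self.name = name
        self.upstream = upstream
        self.clock = clock
        self.cache = {}                         # qname -> (ip, expires_at)
        # shared log of every query any hop sent: (asker, server, qname), all in the clear
        self.wire = wire if wire is not None else []

    def resolve(self, qname):
        qname = qname.lower().rstrip(".")
        hit = self.cache.get(qname)
        if hit and hit[1] > self.clock():
            return hit[0]                       # answered locally; nothing leaves this hop
        if self.upstream is not None:
            self.wire.append((self.name, self.upstream.name, qname))
            ip = self.upstream.resolve(qname)
        else:
            ip = self._walk_from_root(qname)
        self.cache[qname] = (ip, self.clock() + TTL)
        return ip

    def _walk_from_root(self, qname):
        server = "root"
        for _ in range(8):                      # bound the referral chain
            self.wire.append((self.name, server, qname))
            record = query_server(server, qname)
            if record is None:
                raise LookupError(f"{server} has no record covering {qname}")
            kind, value = record
            if kind == "A":
                return value
            server = value                      # NS referral: ask the next server down
        raise LookupError("referral chain too long")


def build_chain(clock=time.time):
    """laptop -> router -> ISP resolver: the path a home lookup takes in the talk."""
    wire = []
    isp = CachingResolver("isp", clock=clock, wire=wire)
    router = CachingResolver("router", upstream=isp, clock=clock, wire=wire)
    laptop = CachingResolver("laptop", upstream=router, clock=clock, wire=wire)
    return laptop, router, isp


if __name__ == "__main__":
    laptop, router, isp = build_chain()
    print(laptop.resolve("newamerica.org"))    # first lookup: five queries leave the chain
    print(laptop.resolve("newamerica.org"))    # second lookup: served from the laptop cache
    for asker, server, name in laptop.wire:
        print(f"{asker:>7} -> {server:<16} {name}")
```

Every tuple in `laptop.wire` is a name that crossed a link unencrypted; a second laptop behind the same router only adds one entry, because the router already has the answer cached.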
So I feel like this is, we're not going to even do it justice now because we've gotten the actual full definition of how DNS works, but just... no, no, you went way more in depth, I love it. So that first conversation is encrypted, but the instant you leave your hotspot, the instant it passes your message along, even though you have WPA installed, your conversation asking for newamerica.org, with your IP address, that's all open, because your hotspot and you made a secure connection with each other. You didn't make a secure connection with the entire internet by using WPA; that's only local. So all of this, by the way, white is unencrypted: it's open, it's clear, it's readable, it's in the open. It's just this one last jump, which I forgot to make green in this slide, which is actually encrypted between you and your hotspot. So when you ask, and this is you, by the way, "where is newamerica.org?" in your DNS request, that's all in the open, including your address, the way that you're known now through the internet, which is the address that your router gave you earlier. And so is the response. By the way, newamerica.org is not at 42.18.233.65; I made that up, and in fact I shouldn't have made that up. There's like a whole set of numbers that are just for examples, but they all look alike, so it was totally hard to see on the screen. So don't go... I mean, go there, I don't know who's that, probably don't go there, I don't know who that is. But so this is kind of the first important part, is that that DNS conversation you have with the servers, and like where is this person, that's not encrypted, even when you use HTTPS, which we're going to cover in a second, to encrypt your internet conversation. It's between you and the person you finally want to talk to; you requesting that person is almost always going to be in the open. And so that changes a lot of the way that you can be secure, or even more importantly anonymous, on the internet, because those requests out to the world saying I want to go to shamus2e.com, which is... all go to it, it's a great site, those are all open, in the clear. It's just that when we start using encryption and start using more secure tools in a minute, those conversations only encrypt the data that you're going to be having between them. Andrew, could you grab Gretta and Mike? Trying to help you out, Grady, and make Andrew hate me.

Hi Seamus, how's it going? Okay, so my question is, when you say they're in the clear or they're out in the open, to whom and how and where? Because it's no longer like the hypothetical person sitting at the coffee shop observing your traffic, right?

So the internet, the global internet, I have Danielle come up in this talk actually, she's a way better version than me, is essentially a series of cables, fiber optic cable, going from your house to the local internet hub. We call it the last mile device, right? So it's like a giant router that's owned by whoever your ISP is, like Comcast, and then that is streamed through another cable up the line to another router owned by someone, we'll say it's Comcast again, and then from that to a huge router which is totally not owned by Comcast, which we call the last mile backbone. And these are giant fiber optic cables that go the entire length of America, under the oceans, and then throughout the rest of the world. This is why in Egypt they had those guys with hatchets who were like diving to cut those cables. Those are literally the backbones of the internet; that's how we talk to sites and send emails throughout the world. So when I say they're open, in the clear, it would be: your hotspot router can see everything you send, that's in the clear; the router owned by Comcast, and mind you, the path to even my local Comcast is four or five routers, actually my neighborhood has one, a couple blocks over has one, if my neighborhood one goes down they try to reroute my traffic to the one the next neighborhood over, and so it's actually a bunch of routers leading up to this backbone, and then all the way to the website I'm going to go to, and then down a bunch of routers to its actual, you know, the server upstairs that holds the website. And so, for instance, in a trip from me to New America, which I live like a 20 minute walk away, there are about eight routers, eight devices. The reason I said Comcast is they're the guys who have most of my routers, and so I keep watching them and seeing how they change their traffic and stuff, because I'm a geek. But so, yeah, so there are eight routers between me and New America. So that means, because we're 20 minutes away, the amount of devices you're touching is a lot. And the NSA scandal, one of them was that at the very top level, these big backbones, they were tapping those, which means that since all your traffic is pretty much hitting those backbones, that traffic was able to be intercepted, because if it's traveling on the wire or hitting those routers it would be in the clear.

So they would have to be intercepting the routers, not the wires? The wires or the routers?

So fiber optic is beams of light, and so what they would do is they would actually split the light beam into two light beams, so it would keep traveling down the pipe and then be split into another beam. It's way easier, because, you know, they work for the government, to just go to like AT&T or whatever and connect it right before the router or right after the router, probably before the router, you don't want Comcast's stuff mucking with your, you know, data. But if you're a bad guy, or... they saw in Europe, that was the EU I think it was, they had a bad actor, it was just some guy who worked at the routing company who just mirrored all the data for a bunch of EU muckety-mucks, people who are important political figures. So the routers are the best place to do it, because it's already sorting all that data, and the pipe comes, you know, they dig holes for the pipe, so like they come out of the ground, it's way easier than like having to dig a hole and put all your stuff there.

Just wanting to clarify: in the vast majority of setups I've seen, the actual hotspot is going to, when you go out past the hotspot, the IP address it's telling you is its IP address, not the one assigned to your laptop, so talking to the internet there's a thing called NATing, which is network address translation.

Funnily enough, that was Nat who answered that question. And so the idea is that a lot of times what routers do, okay, to make it easier, is they actually tell the entire internet their address: you're talking to me here. And so you and all the 20 other people on this router would have the exact same address according to the internet. This is kind of awesome for some sort of pseudonymity. It also is kind of scary for false positives, and this is where surveillance sometimes breaks down, kind of in the theoretical form, is that if you're at a coffee shop and you're suspicious because you throw a lot of protests against meatloaf because it's the devil, and someone else on the hotspot is actually like a real solid terrorist who's doing bad things and looks up the recipe for a bomb, and all your traffic is being captured, without some of the techniques we're going to talk about in a minute about the fingerprints that your browsers leave behind and cookies and the like, if you're both using a somewhat anonymized device, all of a sudden it lumps you into the same category. So it's a very important note that, yes, a lot of routers, and even ISPs sometimes, will do this thing called NATing, where they'll say the address that you're talking to is just me, for dozens or hundreds of people. It is kind of this fun double-edged sword, which I was going to avoid entirely, so thanks for bringing that up.

So if it's using network address translation, and your hotspot sends out a request to Google, and the request comes back, the answer comes back with the router's IP address, how does it know which associated client to actually send the data to?

I'm gonna answer that with sockets, ports, and stop it. No, the routers have complex ways of figuring out what streams of traffic it's dealing with. So does your computer, actually; like, you know, it's very good at keeping track of single connections to the internet, and so the router is doing a much more kind of complex version of that. I don't want to get too deep into the weeds on this, because I do want to make sure that we get through the whole presentation. Sorry to like totally avoid your question.

So we now know who we're talking to, after an hour. No, so we're now... did I? Yeah, I did it right. So now let's look at, actually, we have the address, we know who we're talking to, and we want to actually talk to newamerica.net, because that's who pays me, also because it's a great site, you guys should all go there, wonderfully built, beautiful. And so the conversation happens very similar to that DNS conversation we had before. We say: New America, at this address, I'm an English-speaking Mac user running Chrome, and can I have your site? And then it gets passed along: hey, this person wants your site, here's the address. The ISP, which is a series of computers, has an English-speaking Mac user, he's using Chrome, he wants your site. The reason it does this, by the way, is so that it knows to send you the right sites; they have multiple sites to send, like for tablets. It then sends you back the website and that cookie we talked about before, which we're gonna actually go in depth on right now. It says, hey, here's the website, and here's some little bits of information so we can keep track of you. And so that gets sent all the way back to you. I think that's the end of this bit. Yeah.

So let's talk about... so when you encounter, and these are usually old websites, but a site that says like "only compatible with Internet Explorer," we might have one of those here at New America, is that what happens there? Is that like it tells you that... are you
about to explain this, that I told you right now? I'm gonna just let you go back to that, then. Good work, Seamus, thank you.

So websites use, when you request anything on the internet, and actually when you request anything using a lot of things, like email, in that header you send, you'll send what we call a user agent string, and that's basically just a fingerprint of your device. What I mean by that is it tells the program, or whoever's talking to you, here's the application I'm using to view this, using Internet Explorer for instance, and I'm also using this browser. Well, that's the application; if the application isn't a browser, it'll tell you the type of browser. It'll tell you the operating system it's on, in case it isn't compatible with the website, and also any extensions you have in the browser that may muck with the experience, right? This is all about giving a good browser experience. Now I have three here: I have Chrome, Firefox, and Internet Explorer, and I'm gonna look at these really quickly just to show you why this is such a ridiculous system these days. Chrome is a Mozilla product, though? No, it's a Google product, and it's running on Windows, but it's also Chrome, it's also Safari. It's weird, because it's totally not any of those. Well, it's Chrome. The Mozilla is Mozilla, and that's great, but Internet Explorer is also Mozilla, which is totally not right. That's weird. Oh, it's untrusted too, which is totally truthful. So what happened was, back in the day when the internet was new, like 20 years ago, every time a new feature came out people would build the website for that feature and say, oh, well, only Firefox has this, so I'm putting... you have to be Mozilla; or only Safari has this, so I have to use Safari. And what happened was browsers started appending onto themselves the names of other browser types that they supported, because it was too hard to get everyone to change their websites when I could just change it in my browser. And so over time user agent strings are a complete mess, pretty much useless, don't really help at all, except they're really great for getting a fingerprint of your browser, so that when you're behind that NATed device that Nat was talking about, you actually have your specific operating system, your specific browser, the language you speak, that's part of that header that we send along. You also tell them any extensions you have installed, and any other application you're using to use the internet. So all of a sudden these are these little bits of information about you that you append to everything you send, just in case a website, you know, might not support JavaScript. So if we go back and look at that packet again, all of that is sitting over here in that header. And this is what a header looks like. This is actually what most of your data looks like when you're not securing it: it's a postcard. It's all in the open. You have your data here and you have your header here. It's not as pretty, obviously, there's no cool stamp, and it has all those cookies. It also has the language, and that user agent string we just covered, and your address, of course. And then here are those cookies, and I realize it's totally small, so I'm gonna read these to you just so you get an idea. This is a social networking site for geeks where we share code, and in this little header, when it talks to me, I send it from my computer my user session string and my GitHub session string, the name of the program, to say here's where I am, I've been using your program, here's where I am, you know, I saved this thing, I'm on this person's page, I, you know, just did this other thing, so make sure you show it in my feed. Much like Facebook would ask you: you're this person, at this time, and you looked at this video. It has this really fun one called spy user, which is the last user I looked at, which is totally messed up that they keep track of that and send it in every packet I send. "James has been spying on..." Sadly, I'm narcissistic, so that's actually my name there. It talks to some unique identifiers about myself, and finally this really fun one down here, which are these strings that I keep that are about me that I send to Google Analytics. So Google provides for free, to a bunch of websites, this tool called Analytics. It's great. It says here's where the user came from, here's where they've been, here's their individual ID, you can track how often they come to your site, and we'll do all the work for you. And so every time you talk to a site that has this, which is most sites on the internet, you have a little unique fingerprint, which I've changed here, by the way; it gets in with a login, it's me, all this information is falsified. Yeah, I see you guys, everyone on this side of the room. And so it has things like where I came from, who I am uniquely on the internet, what my last site viewed was, what link took me to this page, all this information that creates a really long-term view of me on the internet, without even being on Google. It's a thing I store on my computer and just kind of throw up every time someone asks for it. Some of these are called super cookies, and if you're logged into Google there's all sorts of other fun super cookies they have. I wasn't logged into Google at the time. So yeah, so that's the header information. It's not just who I'm talking to, when I'm talking to them, what I want from you; it's also a bunch of information that I store, the cookies, when you clear out your cookies on your computer, those little tidbits of information to make my user browsing experience better.

Oh wait, can we get a mic? I'm just struggling to keep up here. So this is a packet of information that is going to be sent from my personal laptop to any website I visit, like newyorktimes.com or tysonfoods.com?

Yes.

And their server will have this information, and anybody who can surveil the routers or cables has the information?

Yes. Why don't you click... I may have broken it anyways, so we'll ignore that I broke it. Yes, the idea is that when you send any information to any site, that site can tell you: when you send me a request, make sure you give me these other things as well. And your browser itself might also just send some other information; it always sends the language that you speak, that's one of those, so if you have internationalization or translation on your website, I can send you the correct language. It tells them what kind of browser, in case something is weird in your browser that other browsers support but your browser doesn't, and then any information it asks for. So these Google super cookies, they basically tell the websites, oh, if you use our tool you can just request this thing from the browser and it'll give it to you, and we'll use that to tell you what that person's doing on the internet, and where they came to your site from, and where they went from your site, and how long they were there. Yeah, and we covered this, yeah. So let's actually get secure. We're starting to actually be secure here. And so any questions about cookies and headers and that kind of fun stuff? We're getting out of packets almost entirely now. So, sorry.

So you mentioned browser extensions. So if you downloaded, like, for Firefox, if you downloaded Firesheep, would your browser announce that to every website that you're visiting?

I believe there's a way to append an extension onto a browser, like a user agent string. I don't think every extension necessarily appends its identity on the agent string. I haven't done a ton of research on how that appending happens; I just captured some packets for myself, and so those are not my computer, by the way, again, falsified data. I wanted to be in that and found a Windows machine, but yeah, the answer is I don't know exactly. No.

So we're gonna start talking about securing your connection the same way you did with your router, to a website, using HTTPS, right here. A couple things: I am not gonna show that handshake again that we did before, where we sent the nonces and we did that little dance, because it takes forever, and you guys have been being so awesome and patient and letting me babble at you for so long. So we're gonna skip that part, but I promise you it happens, and in fact it's the first thing that happens. Once you're about to start that connection, you make a very similar handshake process, sending nonces, creating a secured connection with this device, the HTTPS server. And secondly, if you want to use this really cool encryption tool, it's somewhat complex to do: what you want to do is append an S to the HTTP when you request a site. That's it. I was just kidding; it's really simple to do this, to check the site has HTTPS. There's also a group called the Electronic Frontier Foundation, the EFF, and they make a browser extension called HTTPS Everywhere. I highly recommend it, because what it does is it says, any time that you could use this, that we've seen this site use HTTPS, we'll try to append it and just redirect you directly to that site, which means you don't have to go around appending Ss to everything. It makes it a much easier process, and it exists for a ton of browsers, so I highly recommend doing that if this is of interest to you. But let us actually look at what HTTPS looks like. So you remember that past this hotspot here, in the earlier conversation, this whole link between the hotspot and New America, essentially the entire internet, could see all your content. After that handshake, which I don't show here, all of a sudden that content is gone. Well, it's not gone, it's just encrypted. Mind you, the address that the hotspot announces is still out in the open. The header information, a lot of it is still out in the open, the user agent string and like... so there's like levels of header information, including cookies and that sort of stuff; a lot of that is actually encrypted, but the address, like where it's going, where it's coming from, you obviously can't send packets on the internet without knowing where you're going, so that is one unencrypted bit. This is where we start to get kind of in the weeds about packet structure, and so I'm gonna try to avoid that, just to give you an idea that when you use HTTPS, what you're doing is you're saying I want my data, the content of my communication with this source, to be encrypted and hidden. Now mind you, the name, as we talked about earlier, that's almost never gonna be shouted out to the internet. They don't use that for addressing on the internet; no one needs your MAC address, so it pretty much stops at that hotspot. Whoever you're directly connecting to uses it as a unique identifier for your device among other devices, so that you can kind of differentiate who you're talking to.

So we've gotten secure; let's get way secure. This is what we call a VPN or a proxy. There's a lot of text up here, most of it a joke, but the idea is that that one last bit of information that we didn't have secured before, which was the address we're talking from: a virtual private network, or a proxy system, does what it sounds like it does. It proxies your identity. It lets you use someone else to pretend that they're you. You can get these for as low as like five bucks; you can get them internationally, you can get them nationally. And what it does is it actually creates... I think my clicker thing's broken. John, is there another clicker thing I can use? Oh no, I just selected everything. Wait, I got it, I got it. I just had the mouse outside the screen, I apologize. Turns out I have a little mouse, too. So the reason we liked HTTPS was that it actually took our data, which is all ones and zeros, because that's the best way to send data apparently, and it wraps it in a sheath, encrypts it, and all encryption does is make it so you can't read the data inside of it. Now the cool thing about VPNs, virtual private networks, and proxies: they take that already wrapped chunk of data, because we're all using HTTPS now, right? We went to Seamus's presentation, we're totally stoked, all the time, everywhere. And it wraps it in another layer of encryption. So what you've done is you've taken already existing gibberish and made it gibberish, or gibberish-ish. Anyways, it's very, very encrypted. And not only that, what's like, it becomes even cooler, is that you over here are gonna connect in the secure encrypted pipe to the person who you paid five dollars a month, or in my case my work computer, in the secure pipe, and then it will then connect to the thing you want to connect to. And it won't just connect to the thing you want to connect to as you; it'll actually change who it's connecting from. Now it won't change your cookies, because it can't fake cookies for you. It won't change, if you log into Google, it's still gonna know that you're logged into Google, or Google would hate these, everyone would. It sends all the content the same, but it changes the address it comes from. So when you're using another type of secure communication with the website, like if you're using Google Mail and HTTPS, your connection with Google Mail will be secure and only Google will know that it's you who's using Google. Google and the NSA now, apparently, will know that it's you who's using Google. And so it adds this layer of kind of pseudo-anonymity, I can never say that word, I say it all the time. And what's cool about this is that it creates kind of a tempo... not temporality, where is it... when you're not in the space you're at, it removes you from your local locality, it pushes you somewhere else, wherever your VPN is, and does create a sustained connection there. So, for instance, I used to have one in Iceland, so Seamus is always in Iceland. So it's still your data, it's still your traffic, your usage patterns are the same, but it's coming from Iceland, and it's secured between you and Iceland. Now I used a big VPN farm, that's usually who sells them, so what I would do is I'd be one of hundreds of people using this giant set of computers, and coming out of it would be hundreds of streams of data going all over the world. So
that's why I say again it's pseudo anonymity you're not fully anonymous you're still connecting directly there's a connection between you and your server over there in Iceland or here there's good ones in France as well and then out from there are a bunch of connections of all the people who are using them so for instance almost every day everywhere I go I'm at work because that's where my VPN is today as I use the one here at work so before we go into look at a VPN it's again one of those fun complex topics any questions yeah I've got a couple one is just a this has been super helpful on so many levels and I just want to make sure that very last point that I'm understanding what you said there which is that because I'd always assume that proxies or others would make things more difficult for me because it wouldn't remember my like you know that wouldn't remember the cookies it wouldn't enable me to kind of get around as easily so you're saying that that's not the case that that that wouldn't happen okay and the second question which is that's very good to know I should point out if your VPNs out of country and you want to watch a YouTube video that's only available in America you won't be able to okay if your VPNs in England and the Olympics are on though very interesting given that we are no longer Comcast family that actually is very good to know for next month I don't know how my daughters are gonna watch the Olympics otherwise okay so here's my next question though so to me this VPN stuff is always meant that you kind of really have to presume a lot of trust in the VPN right I mean and especially if they're in other countries and you don't know necessarily who could at some point sees control of what's in that so how do we have any kind of feeling of trust or security around those VPNs so as I said I use the one that we set up here at work that is a big and really important question statement just like when you're using a wireless hotspot at a coffee shop even 
if it's a cure with that wireless hotspot it's still watching all your traffic choosing a VPN is like choosing a barber it's really important I know I've made that mistake badly recently as you can all see it's it's a vital like it is a really important thing to do and so I'll be more than happy afterwards there are a lot of people in the circumvention tech space who keep giving me recommendations so I have this like kind of ephemeral list and I'd be more than happy to kind of like actually start marking down some of the VPNs that people trust and why they trust them there are definitely a lot of companies where you just have to know about them kind of do an audit of who they are what they believe in what they're they're saying but it is a funnel for all your data the best way to get a person like everything that you do is to be your VPN because all of a sudden all your traffic no matter where you are in the world to go through them that's an incredibly important point thank you so I have to say that short version it's basically it's a social decision right like it's people you trust so it's not it's actually I mean there are some of it that's technical but some of it is actually a social decision wait people people computers no yeah no it is it is very much so a social decision oh sorry yeah very very quickly and I'm sorry because I missed the beginning but so the benefit of VPN is it gives you the pseudo anonymity you're coming from Iceland but if I'm not using that and I'm just using the new America server whatever can can the outsiders tell my distinct identity because it kind of sounded like the footprint of my specific laptop stops at my hotspot so it depends on how the router works does new America do netting guys you do we know they do yeah so at new America they use this thing called natural address translation or netting which means all the traffic in America comes from one address to the internet as a whole your coffee shop may give you a specific 
address specific IP address that it shows the internet but here in America specifically no they it has one common kind of pool of addresses for everybody which is if we find that address we should look at Wikipedia for that address and see all the edits we've made inside the office that's a fun task for another day but it'd be fun oh sorry yeah please is there I mean because I think like I know that I could turn to you guys in the office and say like what's a good VPN but in general people would not probably have that resource where could people look for this social capital I found my first VPN by reading a bunch of blog posts about bad VPNs I literally searched for like what VPN not to use and like just searched for a couple hours and found a bunch that were like these ones are horrible these ones are horrible and like made my Venn diagram and found the one that was outside like the example they used over and over again these days I said I use the work one but and also anyone in new America you feel free to come upstairs to our offices and I'll be more than happy to help you find one after today because I'm gonna do my list today but the best resource okay so I was going to say that I don't know if they've kept it up to date but there's a blog called Torrent Freak that follows like the bit torrent community and they of course care a lot about VPNs and about privacy and so they at least a couple of times have posted kind of a cross section of a number of commercial VPN providers well I mean like governments have VPNs for their employees the same way that like we set up a VPN for like OTI to use for stuff but it wasn't like so there are lots of VPNs but there are commercial VPN services that you can buy service from if you don't have like you know if you're in if for whatever reason you don't have or don't want to use like your company's VPN or the VPN that your friends set up somewhere whatever I don't know if they kept it up to date but that was that was a good 
list Greta Jordan Georgia Griffin you pass that mic back so just keeping in mind like you know Sita's paper about people using public libraries and the advice from the FTC that those people should use VPNs and like I think everybody except one person that was polled on the library steps said that they had no idea what a VPN was I mean as a policy issue where would people be able to look for that information because I really doubt they're gonna read a bunch of blogs Jordan then Georgia so what the one thing I was gonna say is I think most people's introduction to a VPN is through like if they have a job where they're so this is something that is actually a valid like educational point that is not been explored that much and that's sort of what Greta is talking about and it's also really common that universities have them set up mostly for employees but if you've ever been affiliated with one you can usually keep your account with that university and use that so like I regularly use my grad schools VPN or OTIs but there's and then like I would use when I used to work for an evil company I didn't like using their VPN because it also meant that we were restricted in what we could do when we were connected to it but they would actually set it up and a lot of corporations do this where if they provide you with a laptop you can only use that VPN connection to even get to the internet so it's a very common thing that people actually have really restricted hardware within corporations and can only connect to via that commercial VPN that is controlled by their employer so it's actually like that's a it's a big way of how people experience the internet and don't always know so I mean this is just showing my ignorance here right but VPN when I think about it through like my husband's company or whatever when he had always logged into his VPN I've thought of it as a virtual private network basically just I don't know why I put the word virtual in there but basically that's why 
I was thinking it was for his company I wasn't imagining it as a kind of a proxy network to be able to kind of mask where you came from but it's the same thing yeah he's literally inside the building on on the internet when he uses that VPN the signal is coming from inside the house so like when I use ours here at the office I am coming from our server upstairs I can when I use the internet I get one of our IP addresses everything is happening as if I'm in this network this private network virtually Jordan you still got anything to say are you good Griffin do you want to if you're coming outside looking in and you're trying to find a VPN one good thing to do is actually go to like technology nonprofits online sometimes they actually have recommendations but you know there are also groups like Rise Up or May 1st the VPN that I use is called is from an organization called Autisticie which is basically the Italian Rise Up and they do a lot of tech activism around the world and offer free VPNs to people who are involved in that but to go back to Josh's recommendation I've actually used some of the VPNs that were listed on TorrentFreak and they go through every year and say okay well what are the most popular VPNs and then they go through and really dissect the their privacy policy and they ask them additional questions and see where they stand on user privacy and if they're secretly selling the data or something like that it tends to come out but just to return to the question of policy for a second is it just me or does this seem like an area that's really ripe for someone like us to do something about you know like how people who have to use public internet connections can find VPNs okay it's not just you there's a guy named Jabari I can't remember his last name he does a series of courses called encrypt the hood the idea being I know it's adorable but they're really cheap and they're offered I think at the Georgia Avenue Economic Development Center's offices the 
idea being that they're getting to folks that are marginalized to let them know that they could be they need this as well and here's why so awesome so here is that same and again this is all the same example you can see a lot of the same text here but that first communication is slightly different because your first set of traffic is actually encrypted to this VPN provider so you and your laptop and the ISP have this packet that gets sent saying VPN provider here's this date I want ISP please send me the VPN provider and the difference here is that when the VPN provider receives this packet it then resends it I am an English speaking Mac user running Chrome can I have your site both its address as opposed to yours now mind you inside that packet is still your user login your name your email you're sending but the communication between New America and the VPN provider is unique in that it sends its own address so for when you're viewing the internet that's not loginable when you're reading blogs possibly not doing Google searches it becomes much more secure and kind of anonymizing than otherwise also I'll point out the really cute animations I have on the router hot spot just while we're here understand and then this also goes to the most the policy stuff you're talking about Greta in terms of what kind of advice even right now I'm sitting here thinking okay wait a second all right HTTPS HTTPS everywhere I need to figure that part out then there's this other things VPN thing and I should kind of make sure I'm finding a trusted one here's some places to go and I got to make sure that the place I go to find a trusted one or trusted places to go and I gotta find trust friends I trust tell me about the trust place just to find out about but back to the HTTPS part like what if just more people were getting smart about HTTPS in the first place do we still need to be thinking about this VPN part so what HTTPS does is it creates a secure connection for your data essentially 
a secure system I mean it wraps your data in an envelope but the front of that envelope still says your name and your address the VPN is essentially sending it to a remailer in the old-fashioned way and then post VPN there's like the uber cool VPN that all the hip geeks use and it's called Tor and it consists of a VPN with a bunch of different layers which is why it's like a parfait because of the layers or an onion but that's the easy joke because that's their logo so unlike the VPN which as we saw before wraps our HTTPS traffic which we're using now right in a wrapper what tortas that actually wraps it in three different wrappers and more than that those three wrappers are the three different onions on the internet and I'm gonna kind of briefly explain why this is so cool because what they do is you make your first wrapper your first bit of data and on that envelope you say I want to write a letter to the green computer from the white onion and you address it to the orange onion then you go take that shove it another envelope and say white onion I have a message from green onion to orange onion and you shove it an envelope and then to the green onion you say green onion please connect me to white onion what happens at the end is the green onion gets this envelope from you it knows who you are and it says oh this is for the white onion and it so it unencrypts this and says oh a letter for white onion and sends it to white onion so the green any knows who you are and who the second devices the second device though now receives an envelope that says I have a letter to orange onion from green onion says nothing about you this middle onion this white onion here has no idea who you are or who's getting this package nor does green onion know who's getting the package or who the third devices all of a sudden we've created this completely unknowing party here who just knows that somewhere in this network of different proxies that network of VPNs that these two other VPNs 
sent me a letter and it's totally encrypted and I have no idea where it's going or what it's doing except for this orange guy and this green guy here and when he sends the orange onion who unencrypts his little chunk because you've encrypted it to each individual person in these layers you're wrapping these layers of encrypted data the final onion opens us up and goes oh hey white onion wants to talk to this green laptop he has no idea who green onion was he has no idea who you were all he knows is the endpoint and then right here is the Wild West of the internet unless you're using HTTPS or some other fun tool this is just using the internet and because we're using this tour crazy proxy system you're using the internet somewhere in the world probably Europe because a ton of these guys in Europe you'll pop out and turn on Google and it'll say like something in French or Russian if you're in Russia or Spanish and Brazil or upside down in Australia and it just throws you out into the wild internet and your data is sent from there so just like a VPN has you spouting your data out from that endpoint toward us the same thing but it bounces you around so much and every time you turn it on it gets you to a different endpoint so it ends up actually happening is you no longer have that oh well they're connecting to this VPN every day and then this traffic's coming out of that VPN and over a period of days it's a lot easier to find out who you are or at least where you're coming from tour is a tool used by activists all over the world and other people who care about their identity and not having it associated with their traffic that allows you to pretend you're somewhere else in the world it also allows you to get around blocks like I can't watch the Olympics or my government is filtering my blog and the like and so it very deeply removes you from your local you know kind of place your local place in the world now mind you there's a ton of context around how it's secure and 
I'm not going to say that tours fully secure in fact there is no tool on the internet or in the world that is fully secure for any use case and I don't I think I've kept you guys a long time and I'd love to do a deep dive into tour at some other point where we can actually really talk about why tour is cool and like what we can do with tour but I want to allow for my last slide allow for it had me and it was pretty out of beard so I want to give an opportunity for questions here at the end and if you guys would like we can do another session that goes really deep in the tour but I'd love questions about tour now as well just I just wanted to raise two points about tour quickly one is that the that it's a tool that gets around the how do you trust your VPN provider because they have like they're the only ones who know who you are kind of thing because well because tour doesn't know who you are like the first tour router knows who you are but doesn't know what you're doing and none of the others know who you are so and and that set of three is random every single time that you connect to the network so it gets around like tour doesn't know who you are or what you're doing and there's no central control of the tour network really so it gets around the how do you trust your VPN provider problem and also if you really want slow data you can use multiple like you use more than three onions in your tour connection but you'll never watch YouTube again the the second point I want to mention is that although there is no secure tool like you said and it's same as true for tour and there are a lot of trade-offs with tour and also like that last hop is through the open internet and it's still like your data so if you are you know if you use tour to log into Google like Google still knows that you logged in it still knows that it's you and so that's like you can still share identifying information over a tour connection however like tour is pretty notable lately in that there is 
a leaked memo from the NSA that this is basically like they can't break it or have not been successful in breaking it as far as anyone knows that the best that they could do was like exploit a problem in the version of Firefox that was distributed with the tour browser and it was an old version so I was like the best that they could do so it is notable that the NSA hates tour yeah it's the best we have yeah Greta everywhere how you doing James so I would this has been so helpful thank you so much I really learned so much and yeah for me although tour is interesting what I would love next time is a greater understanding of like what that traffic looks like and how it's exploitable like what are the harms and I think you know again thinking in a sort of policy and field context that's the information that will be like super helpful for me and talking to people about their privacy and their behavior online cool if there are no more oh no need to be quick this is what we're here for thank you so much for doing this is totally awesome I hope you do so much I say that understanding about 5% of it but I'm gonna watch it later but um so quick question though like I am let's say I'm not that concerned if the NSA is reading everything I'm not that worried about government surveillance I'm more worried about third parties like companies hackers whatever I'm just wondering all this stuff you're talking about is the primary reason to avoid government surveillance or are there other reasons you'd want to use it as well to those third parties and who include the companies that you have subscriptions with like Google and Yahoo and YouTube and no I'm more worried about like as a journalist like companies I'm writing about hacking into my stuff to know what I'm doing or or third party people who really hate what I'm saying hacking in and disrupting or figuring out what I'm doing that kind of thing then you can stop probably before tour I would still suggest a VPN I definitely would 
use HTTPS being hacked is a lot about strong passwords and I know we do security talks as well OTI has done a couple of these and half wide we'd be more than happy to do more actually that gentleman sitting next to you is the guy who runs the security talks so a lot of that is about kind of individual security a strong password use the way that you handle your emails and how you log in to certain things and what you click on and what you download but a lot of this is more about you know as you were saying what is being passed over the wire and so a lot of it is what is that router see that hot spot and you know everyone who's in that cafe with you if you're not using some sort of secured connection as well as what it what can anyone see along those wires would be governments so if you are worried about a government when you went to it some other country and we're doing a story then all of a sudden these tools become much more valuable and this is actually not stolen I wrote it but it is converted from a talk I did for journalists where that is countries are more focused on as the possible people who want to see your data I just have one quick question I know at the very beginning you're talking about the difference between WEP and WPA for personal home use I'm assuming that when you purchase a router from a provider like Comcast or someone like that that they that that is it's on the box okay it'll be like WPA security with such-and-such bandwidth usage but it'll say one of those three letters and so then you're like first step and then from there you use HTT or HTTPS and then a VPN yeah if you if you're buying a router for your house make sure it has WPA and yeah and turn it on also make sure you change the default passwords not only on that WPA access point but also the router has a password to get in and I can't tell you how often I've moved in with new roommates and been like what's past the router I don't know and been like admin and all of a sudden here I am 
in my home router and can change all the passwords and I mean I'm a wireless geek so it's great so I'm like I'm actually gonna modify some settings here this is horrible and load open source software on this device you know it's great for me but it's also great for any other person who might want full kick because if you can get into the router itself that not the access point password but the router password which barely has changed you can then just say also make sure you send all the traffic that goes to this router to this address as well just to mirror it so that I know what's going on and this household so that's what I would do is the first thing is get a router that has WPA at your home and then change those two passwords to something strong and awesome doesn't be awesome but you know I find they're easier to remember if they're awesome yeah lots of threes in it though and if you're connecting to something a wireless point it should say that like you can get that information you without logging into it right yeah you're like a display information they'll be like yeah it'll say what it's using also if it's not physically you or a router it'll say what type of which of those two tools it's using mm-hmm so your devices know and so you can actually like pick and choose based off that I'm curious if anyone knows what Amtrak's... is it WPA, WEP? yeah I don't think it uses it uses a login screen like a like a portal but I don't believe and I can check right here I don't believe that it actually uses any sort of security when I'm on Amtrak I use my VPN here at work so that my so like that connection is secured well I mean whether or not they know that I'm there they can't read what I'm sending because it's secured to work and then I'm using works internet... so who watches Amtrak's traffic like I mean who what I'm just... not me but anyone who's on Amtrak who wants to... 
so don't do my bills while I'm going up to New York I'm first or send any emails so of course the old NSA director got in a conversation with a journalist about the leaks on Amtrak so don't do that either but yeah I mean you're basically shouting everything when you use wireless... so is this a public policy issue than any publicly funded transportation system like Amtrak should be using WPA at least? yeah totally well I mean you know from my perspective I hope I would also like that if any publicly funded Wi-Fi was not actually back sponsored by a company we could do that too because I mean like in New York all the public hotspots are actually like you get 30 minutes free and it's run by a company so on top of the fact that you like the security is not there there's like multiple layers of that's a good public policy conversation on multiple levels whether it's encrypted or not in some way I'd also like to point out that most public transit systems and you know most anywhere you go that's just public free or included Wi-Fi is filtered on Amtrak you actually can't go to if you wanted to download tour while you're on the train you can't do it because it's it's something that will get around their filter so they block it by default even though it's a non-profit company so just be aware of that totally different topic the remember the scandal with the Green Party politician in Germany who yeah was that that was about his cell phone pinging towers right and so he got he requested that information from the cell phone company yeah so that was the first thing you were talking about with the well kind of so the same way we do it with hotspots we also cell phones do that by default because that's how you get your calls that's why you know you don't have dropped calls and stuff every all the time is because cell phones can find you and they go oh he's he's leaving my area does anyone else got him and so they triangulate you so there's always three towers who know where you 
are or more so the what I was talking about in the first bit with the Mac address cell phones actually use their own addressing scheme that identifies your phones they can bill you and track you and make sure you get good calls the Mac address is just the Wi-Fi so it's just your wireless device the cell phone signal is actually a bigger bubble surrounding your Wi-Fi bubble so your Wi-Fi bubble is this kind of not small it's you know 150 feet or not and then there's this giant cell tower I don't know what the radio cool bubble looks like for cell signals but I'm assuming it's something like that as well that surrounds it just to add to the thing about the phone and what your phone is beaconing one of things to remember though about smartphones is when you register say your Android phone with the market they're associating that with your Google ID which they're using to track you around the internet but Android phones also store that information along with your Mac address and send that along with hot spots you connect to back to Google so there is so somebody that that information is being broadcast from your smartphone just not it's not being beaconed out via the wireless signal it's being surreptitiously sent to Google through other internet channels when it gets the chance opportunistically yeah so all your apps have their own data pass and we said though connect to the website over HTTPS your Twitter client may not use HTTPS your phones as it was collecting your geographic data and where you are and what you're doing for Google may not use HTTPS your insert any app here X Y or Z may not be using secure communication and just like your traffic here it's using your internet connection to finish you know those calls and some of it may be over your 3G link to the cell tower but some of it also may be over Wi-Fi around encrypting access points especially public access points it's too complicated to think to get into here but I just wanted to touch on that there's a 
broader question of that's not just about every access point should be encrypted and locked down and everything it's more about being aware of the level of security that you have because I think that there are definitely like strong negative usability things for walking down public Wi-Fi where and that's there's there are very good reasons that most public Wi-Fi things are open and it's to make it as easy as possible for as many people as possible to connect to and that doesn't mean that things like SSL and other stuff aren't still in effect to protect your connection to a certain extent with your email server and things like that and that furthermore there's like some interest in making it easier for people to share their wireless access through like having their their access point provide one network that secure for their own traffic that separate from an unencrypted network that is you know has some portion of unused bandwidth and is open for other people to use to that isn't with without some concerns because of some of the reasons that were cited around like whether if someone used that for illicit traffic if that could be tracked back to you but that has potentially broad like public benefits and so just sort of touching on the fact that there's a broader conversation about that is not just like walk down absolutely everything the open wireless movements website and I think it's open wireless movement net is a great place to get a little bit information about exactly what Josh is saying here which is the dramatic impact that having a bunch of closed-down wireless access points all over the place can do for connectivity for people who possibly can't afford it from home or when you're walking your dog or you know the like also I hear mesh networks are great at providing local connectivity in these kinds of situations is that it awesome thank you all so much for coming I really appreciate it
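The three-envelope exchange the talk walks through for Tor (green onion, white onion, orange onion), as an added worked example that is not part of the transcript and is not Tor's own code: a toy onion router in Python. It builds the nested layers from the inside out, then lets each relay peel exactly one layer and records what that relay learned. The relay names come from the talk; the client name "laptop", the destination "example.test" and the per-relay keys are constructed placeholders, and the cipher is a SHA-256 counter-mode keystream XOR chosen only so the script runs on the standard library (an assumption standing in for real authenticated encryption, not what Tor uses).

```python
"""Toy onion routing: one encryption layer per relay, peeled hop by hop.

Added example, not code from the talk or from the Tor project. The relay
names follow the talk (green = first hop, white = middle, orange = exit);
"laptop" and "example.test" are constructed placeholders. The cipher is a
SHA-256 counter-mode keystream XOR so the script runs on the standard
library alone; it stands in for real authenticated encryption and is not
what Tor uses. It is enough to show the property the talk describes: each
relay learns only who handed it the packet and who to hand it to.
"""
import hashlib
import os
import random

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with SHA-256(key||nonce||counter) blocks."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Add one layer: a fresh nonce prepended to the encrypted plaintext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def open_layer(key: bytes, blob: bytes) -> bytes:
    """Peel one layer with the relay's key (same keystream, so XOR again)."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return keystream_xor(key, nonce, body)


def frame(next_hop: str, payload: bytes) -> bytes:
    """A layer's plaintext: one-byte length, next-hop name, then the inner blob."""
    name = next_hop.encode()
    return len(name).to_bytes(1, "big") + name + payload


def unframe(data: bytes) -> tuple:
    n = data[0]
    return data[1:1 + n].decode(), data[1 + n:]


def choose_circuit(relay_keys: dict, hops: int = 3) -> list:
    """Pick a fresh random path, as the talk notes happens on every connection."""
    return random.sample(sorted(relay_keys), hops)


def build_onion(path: list, relay_keys: dict, destination: str, message: bytes) -> bytes:
    """Wrap from the inside out: the exit's layer is sealed first, the first hop's last."""
    blob = seal(relay_keys[path[-1]], frame(destination, message))
    for hop, next_hop in zip(reversed(path[:-1]), reversed(path[1:])):
        blob = seal(relay_keys[hop], frame(next_hop, blob))
    return blob


def run_circuit(client: str, path: list, relay_keys: dict, onion: bytes):
    """Simulate the relays; return what each one saw plus what the exit forwards."""
    observed = {}
    sender, blob = client, onion
    for hop in path:
        next_hop, inner = unframe(open_layer(relay_keys[hop], blob))
        observed[hop] = {"from": sender, "to": next_hop}  # all this relay learns
        sender, blob = hop, inner
    # after the exit peels its layer, `blob` is the cleartext sent to the destination
    return observed, next_hop, blob


def demo():
    # Constructed per-relay keys; in Tor these come from a key exchange with each hop.
    keys = {name: hashlib.sha256(name.encode()).digest() for name in ("green", "white", "orange")}
    path = ["green", "white", "orange"]
    onion = build_onion(path, keys, "example.test", b"GET / HTTP/1.1")
    return run_circuit("laptop", path, keys, onion)


if __name__ == "__main__":
    seen, dest, cleartext = demo()
    for relay, view in seen.items():
        print(f"{relay:>6}: from={view['from']:<7} to={view['to']}")
    print("exit forwards", cleartext, "to", dest)
```

Running `demo()` shows the point the talk makes: green sees "laptop" and "white", white sees only "green" and "orange", and orange sees "white" and the destination plus the cleartext request, which is why the last hop is still the open internet unless the request itself is HTTPS.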