Okay, so good morning and welcome, everybody, to our closing keynote for the last day of DebConf. We have Jacob Appelbaum as a speaker today. He already gave a Q&A yesterday after the Citizenfour film, and the video team managed to record it, so it will be put up if you missed that one, so you can listen to it later. I recommend that. Right, so now it's time for the keynote from Jacob Appelbaum, "What is to be done?" Please, everybody, welcome Jacob Appelbaum.

First of all, I want to say thank you to everyone for having me here. It's really quite an honor to be back at DebConf. The last time that I really attended a DebConf was in Argentina in 2008, something like that, in Mar del Plata, and it was a really good experience. I spent many years in the new maintainer queue. I think I spent more years in the new maintainer queue than any other queue in my entire life, and Debian is a really important community to me. If it did not exist, I think a lot of the work that I have worked on in the last many years would not have been possible, or it would have been of much lesser quality. I say that very lovingly towards other Linux distributions, but Debian for me has almost given me everything that I have needed for all of my computing needs, so that's really great.

I sort of wanted to try to do this in reverse, because I had the kind of hope that people would ask a lot of questions, and for those that came to the film last night and who asked questions, you know that I can talk for a really long time, and I'm happy to do that.
Obviously I have 45 minutes or something, 45 minutes and 31 seconds. So if anyone has any questions before I start, which is a little unorthodox for a keynote, I'd like to dynamically introduce whatever those questions are into the talk as I go, because I would like the things that I say to be relevant, because I have a lot of things that I could say, and I had three cups of coffee, I'm on my fourth. So if anyone has any questions now about any of this stuff from Citizenfour, or if you just generally have some direction that you would like to see me go, I'd be very happy to hear it now. I know that's like exactly the opposite of what you would expect from a talk in the morning, but I kind of didn't just come here to talk; I also came here because I wanted to think about different things and I wanted to listen. So does anybody have any questions before I start? That went over as well as I'd hoped.

All right. So first of all, my work with Debian is very minimal at this point, but I have a couple of packages, some that I co-maintain, mostly with Alika and Holger, and it's usually the case that I use Debian for other things, not just for developing Debian. And so the main stuff that I've worked on is relating to the Tor project, and that's helping to enable anonymity for all people on the planet without any exceptions whatsoever, and as a journalist and as an artist, and that's like a really weird combination, and in Germany they can actually give you a visa for those three things, so they did. And so I've been working on a few different things, and one of the things is this free software art project, and I wanted to sort of show it as an example of something that I am not only proud of but I think is a way to contextualize the issues of free software that we care about now. This is in the museum in Spain called the Reina Sofía.
I'm sorry for butchering that name in Spanish; my Spanish is really not great. But this is a small free-software-powered device running Debian GNU/Linux, and it is a Novena board. The Novena board is made by Bunnie Huang, and he and Sean, who work on this device, made essentially this computer for the Tor project at one point, because we thought we might like a router. It has since morphed into a free software slash open hardware laptop, which is the Novena laptop; some of you may be familiar with this. But we took one of these boards and essentially we turned it into a Tor relay, that was a middle node, in the Reina Sofía. So what we decided was that we wanted to have a computer that was in a museum that would create an open wireless network using free software, and then you would be able to join that wireless network in the museum, and it would route you dynamically through the Tor network, even if you didn't have Tor software installed on your phone. So in a sense you could visit the museum and, for 15, 20 minutes or a month, however long you could stay in this museum, you'd have access to the free and open Internet. So even in places like in Germany, where we've also shown this, we have essentially created open Wi-Fi where previously people wouldn't do that, and part of the reason they wouldn't do it is they were afraid of liability. And we thought that it would be important to try to align institutions with free software community values, and so this piece is called the Autonomy Cube. It's in the sort of same spirit of minimalist sculpture as Hans Haacke.
He also did, for example, a thing called the Condensation Cube, and this is a sort of systems-critique art piece where the entire cycle of condensation fits within this cube. So this is the Autonomy Cube, and the entire idea of autonomy here in theory fits inside of this cube. But in reality it only works when it's placed in an institution, when it's run in a network with other people actually using it. Autonomy can't exist in isolation; it has to actually exist together with cooperation, at least in my view and in Trevor's view. This is a co-production with Mason Jude and Trevor Paglen and a number of other people. So it's a Tor relay, and it's an open Wi-Fi network routing you through Tor. We installed this also at the, let's see, the Kunsthalle in Düsseldorf, the bit to bit in the Netherlands; there's one at Metro Pictures in New York City; we showed it in San Francisco. So we have a bunch of these, and we're currently working on one for the museum in Oldenburg. Anyone here from Oldenburg by any chance? I guess nobody. Okay, well, Oldenburg is a city in Germany that you may have never heard of; I hadn't. And they're really, really fantastic, and they have decided that they want to sponsor a four-computer version of this. So it'll be four Novena boards as an Autonomy Cube, essentially creating an open Wi-Fi network for this museum in the city, and it's the whole museum, and then it will be a 200 megabit Tor exit node as well for the city of Oldenburg. And thus this actually turns the city into a bastion of free speech on the internet, as the art museum is a bastion of free speech in the physical world, and the idea is to join these institutions together where those values meet in a physical space, and use art, because art is one of the places where we still have free expression in Western society, and I mean really free expression. And so this piece of art, which I'll just leave up for the rest of the talk now, it's kind of a reflection on trying to make free software do that, and also to give people the ability to bootstrap against mass surveillance by having these kinds of devices publicly available, openly and freely, in spaces that you can visit without suspicion. Right, if you go to your local anarchist squat you may attract attention; if you go to the local art museum you might not. So we wanted to make sure that everyone had access to this.

So this, for me, touches on the issue of autonomy, obviously, but this is fundamentally a core part of free software, which is self-control, informational self-determination, and essentially the ability to control the means of production with your own computer, or the means of reproduction of information, as it were. So this autonomy aspect is also very important in a journalistic context, because it turns out that if you're working on things that you need to release in a very specific way, you need certain, let's call them operational security, constraints to be met. And so one of the things that we have found is that using, for example, almost exactly this computer, and in some cases exactly this computer, for something completely different, is that you can use it as a normal Debian operating platform. So you can boot Debian and you're actually good to go with a free software computer where you can pull the flash card out and do verification on it. So to that extent I found that using very specific pieces of hardware will get you some part of the way towards having actual self-determination of information and the ability to do what I might call non-adversarial forensics.

This is a very important term. If someone steals your computer or if someone breaks into your computer, they can do what we would call adversarial forensics: they want to use your data against you, and potentially they want to tamper with that data, or they want to tamper with the programs on your computer or in memory in some way. And in some of the work that we've done as journalists and as artists, Trevor has actually worked not only on this kind of art stuff, but he also helped work on Citizenfour, so he is a Tails user as well as a Debian user, as is Laura and other people that we worked on these things with. We need to make sure that these systems that we're using have some sort of consistency when we turn them off and turn them back on again: we're back to a new starting place if you replace the Tails disk, for example, if it were to be compromised. And for that there's a whole bunch of things that either needed to be done or that we had to work around, and so part of what I'm hoping to express today is a lot of positive intention and very happy thoughts, but also some constructive criticism.

So I'll start with this, which is: if you install Debian by default, you have a woefully insecure setup. By default you have NFS and Avahi, as an example, that really stand out, and what I was kind of hoping to suggest is that we might consider that people who don't understand Debian don't understand what that means, and as a result people who install this software don't realize that the place that they start is in a place that is already vulnerable to mass surveillance: broadcasting their machine's name, potentially allowing for people, if there were a single bug in the NFS utilities (not to suggest that there are, but if there were to be a single bug), these people might be susceptible to it. And people like Glenn Greenwald and Laura Poitras, for me what's important is making sure that those kinds of people are safe by default. So of course when I install Debian I do a whole bunch of different things. One of those things is, you know, getting rid of Avahi, which is actually significantly more difficult than you might think, and on many levels. There's like many different things that you can do that are not correct, and only, I think, two things that you can do that are correct that leave it in place, but it doesn't actually harm you anymore. And of course removing things like NFS, installing things like ufw, that's a sort of baseline just to have a normal Debian system, and once you're at that point you can then go a little bit further to customize it. So for example a grsecurity-enabled kernel (for those of you that are following along at home, drink). It's something which takes a lot of effort to actually do, but it's of course possible to do it. And what I would suggest is that we might consider that, if we have these as options, for example when an install is done we actually do this set of things by default: that is, enable ufw, remove any listening services, and treat the network as hostile by default. That actually moves forward the baseline for everybody's security, and people who know otherwise can actually take the steps of changing the way that the system works in order to meet their needs, which may be not so worried about, say, network surveillance. It may be the case that they're not so worried about authentication or any sort of other useful security properties, and that's of course their right. But users who do not understand these things should actually have secure and private defaults, and when we have secure and private defaults we increase everybody's actual autonomy, in my opinion. And what we found was that, you know, preseeding and things like that of course work, but it still takes specialized people, and what we want is to make it universal, and that means that it needs to be in the default. And that of course is a question of a whole community making that kind of decision to focus on those kinds of things.

So I want to sort of put two concepts forward, and one of them is that the network is hostile in really strange ways. So for example, not having TLS, HTTPS as it were, for Debian mirrors is actually a problem, but not because the data isn't authenticated, but because the way that systems of mass surveillance work is that they actually look for, in many cases, strings and use those strings as targeting information, which is then used to trigger particular activities. So let's say that you are downloading a new version of OpenSSL, or let's say that you're downloading a new version of apt or something like this. It's possibly the case that, because there is no crypto between you and the package repository, someone will be able to do an exact fingerprint of the thing that you are doing and be able to in fact exploit exactly that client before it is updated. So when there's a known security bug you would in fact be automatically updating your packages in a reasonable way, and the machine could get automatically compromised. This is, I think, a very key problem, and in this case it's not that someone couldn't run a hostile mirror; it's that we believe, or I believe anyway, that not every single mirror will be hostile, and at scale some people will be able to protect themselves. So there's a theory that the sort of perfection is really what we need to achieve, but what I think we need to think about is just how to achieve a sort of mass adoption that makes it economically infeasible for attackers to do that kind of stuff. So that's a very straightforward and simple thing, which is that everything Debian does by default should be connecting to services that are encrypted, and if you want to do a man-in-the-middle attack on your own systems to be able to inspect traffic or understand what's happening, we should of course support that, but by default it would make sense that we simply have strong crypto for all of these things.

Now there are some places where this is lacking. So for example NTP is just a woefully insecure protocol from an era when you had to slide down a brontosaurus to use your fax machine, and this is necessary for secure clocks, but it is not sufficient, and we need to think of new ways to solve these problems that are usable without having to set a key or do something. One of the packages that I have in Debian is called tlsdate.
It's the so-called secure, like, rdate-like program, and it has another program called tlsdated, which is a daemon that runs, and it connects to, sadly, a Google service which supports sending the clock through the TLS channel, which is part of the protocol. And this is actually used by Google Chrome OS to set the clock every single time a Google Chrome OS device comes online. This is not a replacement for NTP, but it is a good start for being able to have at least secure network time to the one-second accuracy resolution or so. I don't think we should ship that by default in Debian necessarily, though that would be really fantastic. I do think we should consider how we might go about treating the network as hostile while still having some semblance of actual usability. So in the case of tlsdate you will be able to set a clock securely, but there's a trade-off, which is the resolution of time, and we need to think about how to revamp core protocols like NTP, but that's actually even bigger than the Debian project. But nonetheless, I think we have to think about that.

And if we imagine that we would audit a default Debian system, we would see a lot of stuff that leaks out onto the network which is not encrypted or not authenticated, or potentially is processed by a program which runs as root, and that's a really big problem. Although some of these programs are moving in the direction of being sandboxed or not running as root, we should, I think, consider that as just a general priority: when something runs as root, it's a really juicy target. One of the saddest pieces of free software that runs as root that I've seen is DHCP clients. There are even in some cases patches for some DHCP clients which for various reasons were not accepted upstream, and as a result the DHCP clients which are shipped in many Linux distributions today still run as root, even though there was free software written to fix them to no longer run as root. And in some cases they are contained with things like AppArmor, but this just isn't enough in my opinion. So we should look to make sure that everything that touches the network is also not run as root, and this is something that, for some of the work that we did, we actually changed the way some of these programs worked. Right now I'm working on a DHCP client with Dan Bernstein, and one of the goals is actually to make it so that it doesn't require raw socket capability. And it turns out that it's really easy to do this in Linux by just turning off the reverse path filtering in the kernel, and so you don't actually need to be root, and you don't actually need to have raw sockets; you just need to be able to generate a few packets and then to parse them, and then you can have a really, like, basically privilege-free DHCP client. And if we were to imagine setting that as the goal, actually getting there is really easy technically. It's very simple stuff; it's just not necessarily a big priority, I would say.

So one of the other things that I found myself doing is jailing programs to make them either harder to exploit or to compartmentalize those programs such that, if they were exploited, they would be significantly harder to leverage to compromise the rest of the computer. So I've used a little tool called minijail, which is part of Chrome OS as well, and this allows you to write a sort of policy file of seccomp filters. So you can say this call is allowed with this argument, and you just have a text file, and then you run the program, and it can set things like namespaces and, you know, remount file systems and things, and essentially act as an init for the program, and then of course combining that with AppArmor.
So for example, there's a program called Ricochet, and I recently sandboxed this with minijail. It has an AppArmor profile so that it can only read a very small set of files on the disk, and I actually then wrap that with Xpra, which allows me to essentially have screen in X Windows, which also means that if the program were exploited it couldn't be used as an easy keylogger. Well, actually, in the computer that I'm using, so it's actually running on this computer, but the X window that displays on my screen is an Xpra client, and the Xpra client is also jailed with AppArmor, and it's also the case that it's jailed with minijail. So even if you could exploit it to some degree, I think it's pretty good. The main problem, though, is that I still have an X server that is running as root, and that is not a fantastic thing, and of course it's possible, I think highly likely, that there's some bugs in X. So, right, there was a kind of a funny story many, many years ago. I was auditing Pidgin, which is a free software chat client some of you guys might use, and I found that there was a PNG that was malformed that you could feed to Pidgin; it actually would cause the X server to SIGSEGV as root, even though Pidgin itself was jailed with AppArmor. So we have to think about how we containerize things, because there are these unintended, or completely obvious in retrospect, things that are really, really quite dangerous.

But so that whole container process that I just mentioned, using minijail and AppArmor and Xpra, it's actually a total nightmare. So the cost of this is that somebody adds a feature to the software, and all of a sudden the minijail profile doesn't work, or AppArmor complains, or it breaks something, or Xpra doesn't draw tooltips correctly and the entire screen is like really wedged in some strange way. And better is a framework which is being developed by some people from Subgraph called Oz, where it basically automates all of this stuff, and the idea is to integrate seccomp policies, AppArmor, Xpra, namespaces and the rest of this stuff, and you write a single policy, and this is installed on your system, and in the future there'll be some policy editing tools and some profile writing tools, and then that actually allows you to run things in containers. And I think we should work to containerize basically all of the applications that we need, and to make them the sort of least-authority or the least-privilege principle, which I believe would be easier and would actually make it significantly more difficult to exploit some of these programs.

But to that end, the programs themselves need to have hardening, so that the packages, when they're actually built, they have, for example, stack smashing protection turned on, AddressSanitizer or ASan, the sort of GCC or Clang support for uninitialized behavior, or UBSan. Actually turning on those things has some performance overhead, but for the most part I think it's clearly outweighed by the fact that if you have a web browser, it's the most likely vector into your computer; if you have a DHCP client, it may be the most likely vector into your computer. If it was an old version of ISC DHCP, for example, just setting the host name to a command that you'd like executed was enough to get a remote root on most people's computers that ever used the software. And if we compartmentalize that software we can actually say, well, we will never find all of those bugs, but we can mitigate to a large extent the actual impact that those bugs can have. And so that kind of compartmentalization is actually quite straightforward if we were to decide that it was worth doing. So my suggestion here is that we do that. Pretty straightforward.
It's a lot of work, but it's totally worth doing, and it will actually reflect very well on a lot of the other things that are being done. So moving down this list, to actually make exploitation harder, I think that it's extremely important that we focus on things like having grsecurity and PaX, so that it actually becomes the case that it's much more difficult to exploit, say, memory corruption vulnerabilities. And when you combine grsecurity and PaX with Oz, it's the case that it's really hard to exploit memory corruption vulnerabilities, and if you were able to, you have extensive logging that shows you what has happened, which gives you the ability to perform forensics on your own machine, so-called non-adversarial forensics, so you can sort of step backwards in time. And I think those things are actually doable today if you want to spend about five hours, or, if you have a fast computer, unlike me, maybe like an hour or two, compiling this stuff and installing this stuff. But then you have a problem, which is you've made a bunch of custom software on the machine, and you've installed this and you've changed the system, and unless you're very careful you won't have a record of all of this software. And if someone was able to successfully tamper with the machine, or just in memory change some software by exploiting something, it would be, I think, extremely difficult to know. I mean, you can't necessarily get a reproducible build of that kernel.
Maybe in the future. So you won't know if the kernel has been tampered with on disk, so you need to create your own process, and then that process has to be perfect, essentially. Maybe you just copy all the files somewhere else and put them on a USB stick or burn them to a DVD, and you don't think about it again. But what we should potentially consider is that that's a use case, which is taking your system offline and verifying it to make sure that it hasn't been tampered with. So this would again be a non-adversarial forensics process, which would allow you to know that your system was in a pristine state. Making that easy to do, so easy to do that it's in fact done by default as an install log, would be very helpful, potentially. Now there's some, like, time overhead for install information, but I think we should consider that that would be a useful thing. So when someone comes and says, "Hey, I'm a journalist working in the repressive regime of the United States of America, and I've had my house searched and I think they touched my computer," right now you could hire someone maybe to help you with that process, but even if they follow all of the steps which we would like for a proper Debian install, they may not be able to easily verify, or we may not be able to easily verify, everything that is on that system. And we should aim for being able to verify all of those things, so that we can basically do differential analysis and see that some of those things have in fact been changed but many of them are not, at least for what's on the disk.

When we start to get into the territory of hardware it becomes extremely difficult, right? We have the X60 and X61 and the S-series of these; we have the X200 laptops. We have basically no free-software-powered computers that allow us to verify all the chips, even in the X60.
We have an open, let's say, idea of how the Renesas chips for the embedded controller work, but we don't have a free software embedded controller yet, and even if we did have a free software controller, it's not clear that everyone has the correct hardware to be able to dump it and to verify it. So we need to move towards, again, this non-adversarial forensic way of doing analysis on our machines, and not just on the disks and the data on the disks themselves. But that said, we can compartmentalize some of these things down to smaller bits. So for example, with Debian, having an encrypted disk on machines, potentially by default, would allow us to make sure that we have a very small set of things that need to be looked at, which is the boot record as well as, like, an initrd or some sort of /boot, unless you're lucky enough to have a big flash chip where you can put all of that in your coreboot payload. And then essentially being able to boot that, being able to boot another disk to verify that, means you have a very small set of things that you need to verify. And so, short of the firmware substitution attack on your drive, you'd actually have the ability to see that your system was safe to boot again. But of course there really is this firmware, and this really is a serious problem, and the BIOS and the EFI of most systems I think are something that are problematic. So we need to think about how to verify that. So I can imagine that at install time one thing that we might do on some systems is actually dump those things and store them on the system, so that if you were to think you were compromised, you'd have an encrypted disk you could mount on another machine, and then you'd be able to dump this other machine that you started with and actually verify that information.

But sort of moving to a slightly different topic, yeah, I wanted to suggest also that it is possible today that every single Debian system that gets installed can have a sort of, like, free, the equivalent of a free domain name. Pretty soon we're gonna have an RFC that will certify .onion as being part of the special names registry, which means it'll be reserved and ICANN won't be able to sell it. And so if you install today the tor package made by weasel, here in the front row, and comment out two lines, or uncomment two lines, from the config file, you'll get what's called a Tor hidden service, and these Tor hidden services essentially allow for end-to-end anonymous communications. Now there are some trade-offs with this, but in short what it means is that if your computer is on the internet and Tor is able to connect to the network and bootstrap, you'll then, with those two lines being uncommented, if you also have a corresponding service like SSH or a web server or something, you'll have a name, and you'll be able to connect to that name in Tor Browser on other systems that use Tor. And in my case, on almost every Debian system that I use, I basically uncomment those two lines and install SSH with SSH keys, and this means that no matter what happens, no matter how many NATs or firewalls are in between, if I'm able to get on the internet, it is the case that that machine will become reachable, which is a really nice feature. And so what I would propose is that you could give away at Debian install time an opt-in option where people can choose to have that. So this is almost the exact opposite, I think, of having NFS. Right, you have the possibility of connecting to a secure service, which is fully authenticated but also anonymized, and is reachable for the whole world, for every single person, and so then things just work. Now there's some trade-offs there, and one of them is that it's not exactly in the DNS; it's in fact exactly reserved to be out of the DNS, but it does work, and it will allow for you to have reachability for that computer system if it is on the internet. So it's a humble suggestion, but the keys are free and there's no central registry, so it's really with the ethos of Debian, I feel. It's a peer-to-peer network and it's a peer-to-peer naming system, and it works, and it's secure in the sense that it's a cryptographic key, so as long as you control the private key you have the ability to do what you like with it, which includes being a part of that Tor hidden service network.

There's another project I'd like to sort of talk about that I think is very important. It's called the Gnuk. I don't know if Niibe is here. Hello, great. One of the problems that we encountered when working, especially on the Snowden files, is that if your computer is compromised, it's basically game over if the attackers are any good. Everyone's always worried about the pre-exploitation and exploitation states, that's like they pop the web browser and then they're into the computer, and people sort of stop talking about it at that point. And what we need to do is to continue the discussion, and so, to continue the discussion, what happens next is they exfiltrate your data, and it doesn't matter if you're using Tails; if they've popped your web browser, they send the data out over Tails, over Tor, no problem. That's a real problem.
So what we need to actually move towards is open hardware and free software devices that actually store cryptographic information like a secret key, or an SSH key, or a GPG key of some kind, and then we need to be able to fabricate those in diverse locations around the world. We need to be able to X-ray the boards to make sure that they're the same; we need to be able to verify and actually audit the software that runs on it. And so it turns out that there exists a person who did exactly all of this work, and so these devices exist, and it's not the GnuPG token that g10 Code, Werner Koch's company, sells, though I use those devices and I think they are good. I worry that ZeitControl, the company that makes it, or potentially, through no fault of their own, there could be some sort of bug; that stuff is very hard to audit and is significantly more difficult to actually acquire. Right now the FST-01, right? Yeah. Yeah, the FST-01 is a device which is essentially a GnuPG smart card but written all with free software, all with open hardware, and I think that we need to basically adopt these in the free software community, so that every single person has the ability to improve their tokens and also has the ability to see that their token works as is expected, and we don't support proprietary companies who try to get developers to sign non-disclosure agreements, right?
Non-disclosure agreements are non-free, binding things that cause lots of problems, and we should not have anything to do with them if we can help it, and in this case we can't help it because the base work actually allows that and creates that possibility. So I think I would really encourage everyone to basically support his project, because I think it's very important, and combined with Debian it makes for basically a system where you can do certain things and have certain cryptographic properties. And even if someone can break into your computer, even if they get past your seccomp and PaX, they get past AddressSanitizer and AppArmor or whatever else, once they're in they still have this barrier, which is the physical barrier, where at best they can use it as a crypto oracle. So we should really, I think, work to support those things, and if you're a Debian developer that has a cryptographic key and it's sitting bare on a disk, I would really encourage you to just load it into one of these devices. They cost about, what, 25 euros or something like this, and it will make it so much harder to compromise Debian as a project.

Which, moving along, is sort of coming towards a really big concern that I have, which is: when we were basing a lot of our work on using Debian, I worried that one thing that could happen would be that someone would try to coerce Debian developers, potentially into uploading a bad package, or potentially they would break into the system and steal a key, which would allow them to sign something that could be used. And combined with the fact that we don't actually have end-to-end crypto for absolutely everything we do, it would be possible to fingerprint particular users, and it would be possible to do a bunch of nasty stuff, and the security that we base things on would actually just fall apart. So I think we need to look at deterministic building of software so that we can verify that things in the archive are correct, and there's a lot of work being done by the deterministic build team. I think a few people here in the room work on that; if you could raise your hand. So I just want to highlight that. Raise your hand, like, so that more than I can see it. Thanks. Um, I want to highlight that work because I think it's very important.

One thing that we need to also consider and think about is probably this: it's good for many reasons and it solves many problems, but we also need to do analysis about how it might fail. For example, when the x2 exploit for SSH was written, does anybody remember this? There was a remote exploit in sshd, and you could break into basically every system on the internet. One of the things you had to do in order to use that exploit, not that I did, but if you looked at it you could see this, was you need to find the memory offsets, and in order to do that you had to look at every single distribution of SSH. And even though you had a remote root exploit, if you had compiled things a little bit differently, at least that off-the-shelf standard exploit kit wouldn't work. Now when we move to reproducible builds, it's not clear to me that we make that problem better. I think we actually make it significantly worse. So for example, we distribute the Tor Browser as part of the Tor Project as a reproducible build on Linux, and the memory offsets are basically all the same for everybody, and this is a Firefox fork, so you have a lot of problems to begin with, and then you have one set of memory offsets. Now when you do binary distributions anyway, you always have this problem, but when an entire operating system moves in that direction, and many operating systems start to move in that direction, what have you done?

I think we made exploitation easier, but we made binary substitution attacks harder. But I think that with address space randomization, with ASan, UBSan and other things like this, we can actually still make exploitation significantly harder, and we can make binary substitution attacks significantly more difficult. So it's not lose-lose, but I think we just kind of need to think about what that would look like, by writing some intentionally vulnerable software and then seeing how hard it would be to exploit, for example.

Now I have about, I think, eight minutes or something before I have to stop, and so I'll stop pretty soon after making a couple more points, and then we can take some questions. But I wanted to encourage packaging a few things. One of those things is Ricochet, which is a peer-to-peer instant messaging client that uses Tor hidden services. It has most of the build hardening stuff that I've been mentioning, and it works today. It's server-free, and the buddy lists are on your computer. I'm actually pretty impressed by it.
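The worry raised a few sentences above, that a bit-for-bit reproducible binary hands every user the same memory offsets, is answered in practice by checking that the binary is position-independent, so that ASLR can still randomize its load address. The following is an added example and not part of the talk: it reads the e_type field of an ELF header to flag non-PIE executables, and compares SHA-256 digests of two build outputs as the reproducibility check. The ELF headers it operates on are constructed minimal headers (sample input for the example, not loadable binaries).

```python
"""Added example (not from the talk): two checks a distribution can run over
reproducible build output.

1. is_pie(): a reproducible build gives every user the same file, so the only
   thing left to randomize is the load address; that requires a
   position-independent executable (ELF e_type == ET_DYN) plus ASLR.
2. reproducible(): two independent builds of the same source must hash to
   the same digest; any difference means one of the builders diverged.
"""
import hashlib
import struct

ET_EXEC = 2   # fixed load address; ASLR cannot move the main image
ET_DYN = 3    # position-independent; the kernel picks a random base


def elf_type(data: bytes) -> int:
    """Return the e_type field of an ELF header, honouring the file's byte order."""
    if len(data) < 18 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return e_type


def is_pie(data: bytes) -> bool:
    """True when the image is ET_DYN, i.e. eligible for address randomization.

    Caveat: shared libraries are ET_DYN too; combine with a check for a
    PT_INTERP segment or a non-zero entry point if you must tell them apart."""
    return elf_type(data) == ET_DYN


def build_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def reproducible(build_a: bytes, build_b: bytes) -> bool:
    """Two builds are reproducible when they are bit-for-bit identical."""
    return build_digest(build_a) == build_digest(build_b)


def make_header(e_type: int, little_endian: bool = True) -> bytes:
    """Constructed 64-byte ELF64 header with only the fields used above filled
    in (sample input for this example, not a loadable binary)."""
    ident = b"\x7fELF" + bytes([2, 1 if little_endian else 2, 1]) + b"\x00" * 9
    endian = "<" if little_endian else ">"
    # e_type, e_machine (x86-64), e_version, then the zeroed rest of the header
    return ident + struct.pack(endian + "HHI", e_type, 62, 1) + b"\x00" * 40


def audit(name: str, data: bytes) -> str:
    """One-line verdict in the style of a QA report."""
    if is_pie(data):
        return f"{name}: PIE, ASLR can randomize the base address"
    return f"{name}: NOT PIE, identical offsets on every machine"


if __name__ == "__main__":
    pie_build = make_header(ET_DYN)
    fixed_build = make_header(ET_EXEC)
    print(audit("pie_build", pie_build))
    print(audit("fixed_build", fixed_build))
    print("rebuild identical:", reproducible(pie_build, make_header(ET_DYN)))
    print("rebuild identical:", reproducible(pie_build, fixed_build))
```

A PIE verdict only helps when the kernel actually randomizes: on Linux that is `kernel.randomize_va_space` set to 2. The check is deliberately a header read rather than a full ELF parse, so it can be run over every binary in an archive without pulling in a parsing library.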
It's an experimental system, and it uses Qt, or 'cute', I guess. It's pretty nice despite that fact, or because of that fact, depending on how you look at it, and it's very useful. There are a couple of other programs which a lot of people on Debian tend to use, especially journalists that I work with, and one of them is Tor Browser, and there exists a program called torbrowser-launcher, which is in contrib. That's a very useful package. For the most part, it would be even better, though, if it was just Tor Browser properly, and that we package Tor Browser by default, because this is a maintained long-term Firefox fork, and it is the case that it's reproducible by default. It's a very useful thing to have, and it would be nice if that was just in Debian. Some people are working on these things; if you'd like to help, I think I can help coordinate with you, or you can reach out to those people directly.

Additionally, there are a couple of other useful things that I think we need, and one of them is a Jabber client that actually has OTR by default, enabled and on, so that when people chat, by default they're opportunistically secure and safe. One of the properties OTR gives you is a thing called forward secrecy, which means that if someone were, say, performing dragnet surveillance on the whole internet, let's say that that's happening, then it would be the case that when they see your chats, they would be encrypted. They'd have to do work to try to break it. It's possible that in the future OTR's 1536-bit prime will not be good enough, but it sure seems good enough today. Last December we actually disclosed what are called FISA intercepts. That's where the US government targets people for various different reasons, and we saw that they could not decrypt OTR sessions, which was great in my opinion. Maybe not for those specific people, but it was great for validating the mathematical protections that things like OTR provide. So I think we should actually have a Jabber client that does that.

But we also need to think about type-safe programs as well. It's not enough just to have crypto; we need to actually make it harder to exploit. So there's a thing called xmpp-client, which is sort of the ed of Jabber clients. Like, that's actually perhaps too forgiving; it's a little harder to use than ed. I mean, it has some tab completion, so it's not that bad, but if you've ever used it you understand what I'm talking about. It's literally line by line, and you tab-complete people's names, and someone will talk to you, and if you type in a response you're talking to someone else completely, potentially. So packaging stuff like that, I'll probably package that in the near future, because everybody needs the ed of XMPP clients. But it has a pure Go OTR implementation, which I think is all right. It probably has some problems, but it's potentially better than using something like libpurple, which has incredible amounts of problems, and in the future it will get better. But it's still good to have diversity, and one of the things that we should consider is not just diversity of the software itself but how the software is written and distributed. And so having some stuff in Golang is nice, because people, myself included, still do not know how to write in C safely, and that's a problem, and people who think they do are probably wrong. And you can check by looking at the CVE count for their software project; the CVE count is often not zero.

Another useful piece of software is Pond, and this is a delayed messaging system, which is a little bit like email, but it's all over Tor hidden services, and you can send files without really a lot of metadata, almost no metadata. One of the things is that you can create your own Pond servers with your own file attachments. We designed a key exchange method for it, which is called PANDA, and PANDA is a design that I came up with in discussions with Adam Langley that essentially allows you to do a forward secret key exchange, but it also allows you to discover information. So when you meet with someone, we call it Pond bonding, we couldn't come up with a better name, but when you Pond bond with somebody, you essentially give them a shared secret, and this is used as part of an encrypted key exchange, and that actually encrypts part of a Diffie-Hellman, and then the actual data that you send, such as, like, a private group key along with your addresses, that's actually encrypted with a symmetric cipher. And that data is encrypted with a key which is part of a Diffie-Hellman, and so the Diffie-Hellman needs to be encrypted, and that's what the phrase is for. And that phrase only needs to last for a very short period of time, and even if someone guesses that phrase at some point, say you use, like, 'banana rama ding dong' as the passphrase, not a super great passphrase, but it only needs to last for five minutes, so that's actually maybe an okay passphrase. Then you've done the Diffie-Hellman, you've downloaded this ciphertext, you've done a key exchange, you've done the discovery, and you're actually finished now. You're bonded up, and you have a system where there's no spam, because you have to have a group private key to be able to inject messages into people's queues, and so it's actually a little bit different than email. I would really encourage looking at it, and especially helping, and if you're interested in helping to package it, it could be quite useful.

And then, sort of finally and generally, Tor as a project has a lot of pluggable transports that I think we could use help with in terms of packaging, and the main reason is that I think that we are moving towards a world where there's a lot of censorship and surveillance, and it would be nice if Debian had Tor for bootstrapping, even if it's not running, available for every person in some way, maybe installed on the system if they need it. That would tie it together nicely with having an end-to-end reachable hostname. That kind of stuff, I think, takes us towards a future where we're more resistant to metadata surveillance, where it's harder to exploit the computers, where it's harder to find the computers and the details about them to exploit them, and potentially, with a little bit more openness, like with a binary transparency project tied together with reproducible builds, it becomes extremely difficult to target people without leaving behind information that allows you to catch them and to improve the system. So I think that almost entirely covers everything I wanted to talk about, and I have a few minutes left, I think, for questions. So thank you very much.

Thanks a lot. First question.

Thank you very much for the talk, and my question resonates more probably with yesterday's movie and the beginning of your talk. We shouldn't forget that, I believe, it's not just white and black, right? We don't have governments only to survey us, right? So they're trying to solve real problems: how to limit those parasites in our society, right, who also kind of benefit from our existence by, you know, trafficking guns, human trafficking, all that stuff. By improving, not just by improving our privacy, but by creating those technological advances, we are helping those as well, right? So it's kind of a vicious circle or a backfire always, and in your talks I haven't spotted a single note of that other side, right, which we are also fostering, those illegal activities. Right, so how we as a society could develop techniques, maybe just, you know, civil awareness, how we could help actually our governments, which are created by us, right, to fight this evil, actually evil side. Thank you.

So I think it's a totally valid question, and I hear it quite often, and I just want to echo: I think that there are people who use free software for bad stuff. I've met police officers, for example, that commit acts of police brutality, but they use computers. Serious problem.
I don't know how we deal with this criminal element in our society. Right, if you've ever been to a protest and you've been beaten up by a cop, you know what I'm talking about. Right, there are people who in theory are part of society, but in practice they do things that are outside of society. So how do we deal with that? I actually think that what Debian is doing is the correct thing, which is you make free software that is not purpose-limited, so that every person without exception has software freedom. And that has some downsides, and one of the downsides is that the US military will use free software to kill your family members if you are in a country where there is a war and you are declared as the enemy. I think that sucks, but maybe if we design Debian in a way that makes it very difficult for them to do metadata analysis, they will be less likely to use computers as the vector for targeting you for a drone strike, for example. So there is incredible terrorist activity relating to warmongering, especially if you look at Afghanistan and Pakistan and Iraq, and what you'll find is that surveillance is actually used to enable war. Now in the case of the Iraq war, we killed somewhere between a hundred thousand and a million people. That's a lot more than al-Qaeda has ever managed to kill, actually. So if we talk about terrorism as bad guys or people running guns, remember that the US State Department runs guns. Right, remember that the US military bombs children, that the Israeli military bombs children in Gaza. What we want to do is improve everyone's situation, and potentially that can help us to reduce the total amount of war and suffering in the world. Trying to pick sides in that, I think, where we would add a back door, or where we would pretend that somehow bad guys won't get these protections, bad guys won't get these protections. It's a total disaster. It's a failure, and instead what we should do is try to enable every person, and to enable their liberty actually raises them above the position where they would want to take those actions, the exception being really militarized governments. Actually, I don't know how we solve that problem, but I do think that we shouldn't do it where we harm every other person using Debian or other free software projects. And so of course there are downsides. Of course there are cases where surveillance is useful, for example when we look at HSBC or other drug-trafficking banks. It would have been really great if we'd been able to take those banks down for their illegal activities. Those are, you know, that's an international criminal conspiracy, and they got away with it. But probably your ability to organize against those banks will be significantly better if you have free software that protects you. Those guys are gonna have that protection whether or not you want them to, in fact. And I'm glad that you have faith in your government, but I have almost no faith in my government. So what I would like is to build a transnational system where we respect each other's human rights, and that's reflected in the software that we use and reflected in the processes where we treat each other as equal, not based on, let's say, where you were born versus where I'm born, whether or not we have universal rights. Debian is a universal operating system, which in recognizing universality actually suggests that we should think about other things, like universal human rights. And I really think it's important to not ever sacrifice that, because that principle, I mean, that's a hard-won principle, especially in the 20th century, and in the 21st century that's true as well. So we really, I would really encourage you to think that the net positive output of this is in fact good for all of humanity, even though some cops who beat up protesters may use free software, even though some militaries may bomb women and children in war zones. We will be better off with free software for every person, and we will be better off securing communications and reducing the attack surface for all the people on the planet, even though some of those bad guys will use free software.

So there was a question from IRC. Where is it? Yeah: do you know about the built-in security features in systemd which allow you to lock down services using seccomp filters, remove access to files, networks, etc.? Is that on your list of things, or are you working with that?

I do know about that. I mean, I think this is a religious war that's about to start. I... yeah, you're over it. That's great. So, all right, I'll declare which camp I'm in. I think systemd is a really good idea, and it solves a lot of problems that we have had, and it adds some new problems. But one of the problems that it solves is the ability to actually have reliable services that are restarted and that are compartmentalized from outside of the service in a non-hackish way that becomes a supportive part of the operating system. And for all of the downsides that come with systemd, I suspect that if we really drill down and focus and compartmentalize software as part of the base system, it will be seriously difficult to exploit and to gain a foothold in those free software systems, one hopes. And I'd like to actually see, you know, systemd essentially, I don't want to say take over the world, but I'd like systemd's security properties to be the de facto go-to place for these kinds of things, so that when we're doing any service, not just a system service, we can have certain things restart, debug them automatically in useful ways, gather information. And so I'm very supportive of that. And for example, Lennart Poettering, I think, is the person I spoke to at the systemd project. He... not Harry Potter. That's not nice; Harry Potter is not as good at systemd programming. I showed him that there was a keystroke injector kind of device. So some forensics people, when they steal your computer, right before they steal your computer, they plug in this USB device. It's called a mouse jiggler, and it keeps the screen from locking. So I showed this to these guys, and I told them, hey, here's the IDs, I put them online. Could you add to systemd the ability that when someone plugs in this mouse jiggler, it automatically locks all the screens instead of keeping the screens unlocked? And they added that and pushed it out to systemd. I don't think anybody noticed that, except for maybe the forensics guys the first time they plugged it in.

So, yeah, with reproducible builds we're closing a loop where some build daemons or developers' machines could be compromised and they will send bad things to the world without even noticing. And it's great.
I'm starting to worry about the next step, which is: oh, you developer, I'm going to [unclear], so you will compromise your own package. And I'd like to know what we should switch to, like mandatory review of any packages that have, like, a popcon of a thousand or something.

Yeah, I don't know about mandatory review, but I think that you're right. So in the political strategy that we need to consider for the work that we're doing, and there is a political component, right, free software is fundamentally a political thing, and the Debian project is probably one of the best organized, most transparent political organizations I've ever seen in my life, actually, and I mean it's really impressive. I mean, the new maintainer queue is a painful hazing process, but it is a, it was at the time, a useful hazing process. I still have scars from it. But if we think about it, reproducible builds are one step down the line, and doing code review is another step down the line, and from that, things like binary transparency are another thing down the line, and so on and so forth, right?

So we need automated QA tools to look over the entire archive of binaries, if we can, for both reverse engineering purposes, but also we need to have source code review. And I don't know if it's a thousand people installing it with popcon or something like this; like, it's not entirely clear to me what that threshold is. But having easy-to-use, easily verified, open, transparent systems, like for example the Gerrit tool where people do code review, is really, really useful. When you can make it as low a friction experience as possible, I think that that actually is a better thing, and we should aim towards that. It should be possible to look at a package very easily. This is actually something there's been a lot of progress made on. But to be able to look, or to upload a deb and have it, like, tell you where everything is, what the git repo is, what the hashes are, that would be fantastic. And I think that if we can do mandatory source code review, that's great. If we just have the ability to do that at all, it would be a really good start, where it's somehow integrated into the workflow. So combine that with the non-adversarial forensics and you really have, you've made a lot of progress. It becomes the case that it's much easier to backdoor the BIOS or the embedded controller or some chip than Debian. Debian is no longer the weakest link. And I think that that would be powerful, and I think it will also be helpful to people, especially if they work on free software in places where they might be coerced. It's definitely the case that, I think, if you live in the United States, you at least in theory have good constitutional protections, but in practice you might get a secret letter that orders you to do a thing, and I don't think it's reasonable to expect people to destroy their lives. So I think what we need to do is change the incentive, so that if someone is forced, we catch them, and actually, if possible, we should continue to support them. Right, when people are forced we should not punish them, and that's another important thing. So we should try to make sure that we can find out when bad things are happening and continue to be a strong community that pulls tighter together, as opposed to being pushed further apart, right? So, like, no name-calling or threatening or anything bad like that, but just work to support and assume good faith about that. And I think a code review system like that would really help, and I hope that that was you volunteering to build it, Lunar.

So we have time for one last quick question, I guess.

So you mentioned AppArmor several times during your talk, but not SELinux even once. Is that deliberate?

So we have time for another question.

I mean, maybe the answer is: I think that AppArmor works today, and it's not very good compared to some other things, but I think that it's much better than nothing at all, and we should move on that and migrate as we go. And AppArmor does have some useful constraining policies, so I think they're good, but I would prefer to have much more fine-grained control. One thing that really worries me about AppArmor, for example, is that you can limit network activity, but only in the sense that you're allowed to create a TCP connection or UDP socket of some kind, and it would be nice if you could actually, without using the firewall, have defense in depth. But nonetheless, I think it's good, and it's deployed today, and I use it on a bunch of Debian systems, and that makes me quite happy. SELinux, it's not bad, and just because the NSA touched it, created it, audited it, funded it and so on, that doesn't necessarily mean it's bad. Right, they have some good people; like, the people that clean the toilets at the NSA are probably also fantastic, and we shouldn't blame them for the transgressions of other people. But I am super skeptical of it, and also if it's not really easy to use, if it's not standard, I feel like we don't have enough eyes on it. But it may be fine, right; a lot of other distributions use it. So I don't think we should not use it, but I do think AppArmor works today. So we should consider continuing to use it and to extend it while we are using that, and we should continue to do more things like that, and we shouldn't just pick one. We should pick many, so systemd plus AppArmor, or Minijail and AppArmor, or SELinux, or these kinds of things. We should try to figure out how to actually limit the way that our systems can be compromised, and limit the compartments that are compartmentalized down to security domains, and actually use them. So something is better than nothing would be the best way to answer that. Yeah.

Yeah. Yeah, happy to.

Thanks, so we have to cut it now as time's over, but, um, Jake is happy to take more questions. I would say it's nice outside over there. Just convene and talk to him. Thank you. Thanks everybody.
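The IRC question in the Q&A about systemd's lock-down features (seccomp filters, file and network restrictions) and the closing answer about layering systemd with AppArmor or SELinux can be made concrete with a small audit of a unit file. The following is an added example, not something from the talk or from the systemd project: it parses the [Service] section of a unit and reports which directives from a hardening checklist are absent or carry a weak value, in the spirit of what `systemd-analyze security` does for installed units. The directive names are real systemd.exec(5) options, but several of them were added to systemd after this talk was given, so consult the manual for the version you run; the two unit files are constructed samples.

```python
"""Added example (not from the talk or the systemd project): audit the
[Service] section of a unit file for the sandboxing directives that confine
a daemon. Directive names are real systemd.exec(5) options, several newer
than the systemd of this talk's era; both sample units are constructed."""


def _is_yes(values):
    return bool(values) and values[-1].lower() in ("yes", "true", "on", "1")


def _last_in(accepted):
    return lambda values: bool(values) and values[-1].lower() in accepted


def _non_empty(values):
    # For allow-list directives an empty assignment resets, i.e. lifts, the restriction.
    return bool(values)


# directive -> predicate over the list of values assigned to it in the unit
CHECKLIST = {
    "NoNewPrivileges": _is_yes,             # no privilege gain via setuid/fscaps
    "PrivateTmp": _is_yes,                  # private /tmp and /var/tmp
    "PrivateDevices": _is_yes,              # no physical devices in /dev
    "ProtectSystem": _last_in({"strict", "full"}),  # read-only OS tree
    "ProtectHome": _last_in({"yes", "true", "read-only", "tmpfs"}),
    "ProtectKernelTunables": _is_yes,       # /proc/sys and /sys read-only
    "ProtectControlGroups": _is_yes,
    "MemoryDenyWriteExecute": _is_yes,      # no writable+executable mappings
    "RestrictAddressFamilies": _non_empty,  # socket family allow-list
    "SystemCallFilter": _non_empty,         # seccomp allow-list / deny sets
    # Any explicit setting narrows capabilities; the empty assignment drops all.
    "CapabilityBoundingSet": lambda values: True,
}


def parse_service(unit_text):
    """Return [Service] as directive -> list of assigned values.

    systemd lets a directive repeat (values accumulate) and treats an empty
    assignment as a reset, so an empty list means 'explicitly reset'."""
    section, service = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "":
            service[key] = []
        else:
            service.setdefault(key, []).append(value)
    return service


def audit_unit(unit_text):
    """Sorted findings: checklist directives that are missing or set weakly."""
    service = parse_service(unit_text)
    findings = []
    for directive, is_strong in CHECKLIST.items():
        if directive not in service:
            findings.append(f"{directive}: missing")
        elif not is_strong(service[directive]):
            last = service[directive][-1] if service[directive] else "(empty)"
            findings.append(f"{directive}: weak value {last}")
    return sorted(findings)


# Constructed sample units (not real Debian packaging).
WEAK_UNIT = """[Unit]
Description=Constructed sample daemon (unconfined)

[Service]
ExecStart=/usr/bin/exampled
PrivateTmp=no
"""

HARDENED_UNIT = """[Unit]
Description=Constructed sample daemon (confined)

[Service]
ExecStart=/usr/bin/exampled
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
MemoryDenyWriteExecute=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
CapabilityBoundingSet=
"""

if __name__ == "__main__":
    for name, unit in (("weak", WEAK_UNIT), ("hardened", HARDENED_UNIT)):
        findings = audit_unit(unit)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  ", finding)
```

The audit only proves that the directives are present, not that the allow-lists are tight: a `SystemCallFilter` or `CapabilityBoundingSet` still has to be reviewed by hand against what the daemon actually needs, and the network restriction here is exactly the socket-family granularity the answer above calls too coarse, which is why a firewall or a MAC policy such as AppArmor is layered on top rather than replaced.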