 Thank you very much for having the perseverance and the gonadinal fortitude to stick around. At the end of the week you've had lunch and this is the talk that's going to put you to sleep or not. I will ask some questions and I am going to encourage audience participation. I was left ammunition up here so I may have to throw things. I had to give this a title and I put parenthesis around pervasive and the idea of cloaking. How many people in the room have a nick or some sort of handle that they use because they don't want to use their real name? We're going to talk a little bit about why you do that. Actually why do you do that? You don't get caught. Okay so we want to be protected against physical harm, plausible deniability, lawsuits, shorter than typing your own name, man after my own heart. The only problem is that when you create these digital identities you create a chain, a chain of custody. We're going to talk a little bit about that and what that means. First of all the disclaimer. My name is Bill Manning, it is not my nick, that's my real name. If you want to find me you can google me and you'll find five or six other guys named Bill Manning. Make sure you pick the right one. I'm currently employed by Booz Allen Hamilton in their analytics group and these are my opinions. I have not actually had these vetted by the company so hopefully they won't fire me when I go to work Monday. So I look at this as people have digital identities because they want to be in control. You want to control your own identity, your own destiny, I, me, I'm in control. My identity, I'm entitled to privacy and anonymity. I want to be able to be safe from physical harm when I say things that people don't like. I want to do things where I have plausible deniability. I want to be called anonymous. How many of you in here are called anonymous? Everybody raise your hand. You're all anonymous to some degree. So what you have is you have this sort of cloak that you wrap around yourself to hide. And that's what I mean by cloaking is that you hide your true persona and you project another persona out there. Unfortunately in these, in this digital or in this cyber domain it's a chain of trust. You can't unilaterally and independently create an identity and have it meaningful unless you share it with somebody. So the question is how long is your chain? You're going to be tethered to somewhere. So we're going to look a little bit in the back about how these chains were formed with crypto identity. Does anybody remember the crypto wars of last century? What was the result of the crypto wars? Phil Zimmerman. What was the result? The result turns out to be that there were some regulations that says you cannot export cryptography source code outside your country. This was actually pretty much applicable across all countries. Import and export of cryptography was considered bad. It was an artifact of war. It was ammunition and therefore was controlled that way. So there's sort of this blanket you can't do it. After the crypto wars, partly because of Phil Zimmerman and PGP and partly because of the DNSSEC work, those regulations changed. And now it's possible to actually move crypto software around. The problem here is what is this threat to anonymity if you have pervasive cryptography? I mean how many people need to know if you actually encrypt something in the previous talk? I encrypt something with a password and then I want to share that encrypted data. Somebody else needs the password. And then public key, private key kind of get around that, but you have to share. And as soon as you share, what happens to privacy? Anybody build tools to do eavesdropping so nobody knows what's going on? Liars. Or maybe they've already left town, maybe they're the smart people. So the responses are, very briefly, all of the cryptography, all of the crypto was considered prior to about 1998, was considered an artifact of war. And they had the laws. I covered most of this. From the internet perspective, the internet engineering task force, the ITF, has regular meetings. And they had a meeting in Danvers, Massachusetts in the mid-90s. And I remember in that meeting, a guy got up on the podium in his camo and with his M16 and he said, they're going to pry cryptography out of the internet over my cold, dead fingers. Great guy. He's dead now. They didn't pry it out of his fingers. What we have is we have strong crypto for authentication and identification was allowed and encouraged. That's why things like DNSSEC made it out into the world. And even the source for encryption. This little quote here is from the Department of Commerce from February 18, 2000, and it basically says, we throw in the towel. If it's open source crypto, even for encryption, you can send it. You can export it. We can't touch you. This is the general rule, except for some people. And this is where it gets dicey. These are the current regs. If you fall into one of those five categories, right, they can detain you. They can harass you. They can arrest you. Right? And it basically says, if you're somebody we don't like or we're suspicious of, we can hold you. We can make your life miserable. So previously it was nobody can do it. Now it's, if we think you're suspicious, you can do it. What's going to trigger the U.S. government's suspicion? Right? Well, that's one side. Let's move on to this next thing. There is a thing called NISTIC, and it has to do with trusted identities in cyberspace. This is a aspirational document from the White House that says, privacy and anonymity are important. They are core principles of this document. We think everybody in the United States is entitled to anonymity and privacy, except there has to be a trusted third party. Right? Previously the United States did this, and they did this with a project called Clipper, which was you have to give your keys to the U.S. government and trust them there, take care of you. Right? If I'm doing this wrong, throw something at me. Yes, you. You know this. No, no, no. Someone further back. So that was called Clipper, and basically people kicked at this, and they said, your ESCO policies are not sufficient, not good. We don't really want this. And so the government backed off, and now they're coming back, and they're saying, let's try this again. And this time you don't have to use the government, you just have to use somebody that we trust, right? And a few people looked at this, and they said, wait a minute, this is a national ID. And they came back and said, no, it isn't. Not really. It's not a national ID because there are a bunch of people in this ecosystem that we're going to create, and they're going to be the ones that hold your keys. They just have to meet our guidelines, whatever those guidelines happen to be. Right? And then everything will be hunky dory because we have these organizations, services, devices, individuals that can trust each other because we have these third-party authoritative sources. This morning's talk with Whitfield Diffie and Moxie, Moxie is really hot on this idea about these trusted authoritative sources. It's a little fuzzy on how that works, and we'll see that there's some problems there. The end result is if we've got this ecosystem defined by the U.S. It's kind of barren because there's only a few players that are actually going to meet potentially what the regulations require for a trusted third-party. It really boils down to who vouches for you. In real-world space, the people that vouch for you, how many people have got a passport? People have a driver's license, work ID, work badge, school ID, right? All of those institutions vouch for you, right? That's your nation state, the nation you're in, the state you're in, the organization you work for, the school that you attend. All of those things vouch for you, and they assemble this little chain that says that's really who you are, right? It's a pile of this together. Phil Zimmerman took a slightly different approach, and I think we see some of that in this community, which is that circle of friends. Who do you hang out with? Who do you share things with? Who do you swap keys with? And then there are a few people who do self-assertion. I don't really need anybody else. I don't need to have anybody tell me who it is. I am Prince. I am Madonna, right? Self-assertion, important people really want to do that by themselves, and the sociograph really says, you can do this. From a NISTIC expectation, whatever they pick as trusted third parties have to meet their guidelines, which are not defined. The question becomes one of, can bottom-up groups become approved NISTIC-branded, if you will, parties? I don't know. And so the idea here is that self-assertion is right out unless you are actually really famous anyway. The problem here is that aspirational document for NISTIC doesn't actually have the backing of any regulation, and this is where the trusted third parties break down. Does everybody use the same rules for keeping your private data? Do you have any rights to manage the data that you've been given, or that you're giving to somebody else? Can you control the distribution of that data? Do you have any feedback? Is there any sort of watchdog agency over the folks that manage your identity? How do you do this transient trust problem? And how do we have this idea about having meaningful voice in the development of policy for this stuff? None of that's really there yet. Those are open questions. So I look at this and I say, well, wait a minute, there's already an ecosystem out there that manages identity, and it's pretty robust, and it's got all this good stuff. So what the US government's really talking about is that we're going to approve this little corner in the lower right-hand side. That's going to be our little domain of trust. What happens if you're outside of the US? You've got a whole other part of that ecosystem that you can wander in and still not have a problem. So if I'm a multinational corporation, if I'm based in Bangalore, India, do I care about mystic and I don't do business in the US? Probably not, but I do care about tracking my employees, and it's probably associated with whatever regulations are inside India about managing digital identities. Similarly, if I'm in South Africa or if I'm in Taiwan or Japan, so if I'm outside, am I either a nation state or I'm a multinational corporation, the US rules are only a part of the landscape that I have to work in. And then there are these people that I call hobos. I hang out or used to hang out with a lot of people who spent more time on airplanes in more different places and had multiple passports from many different jurisdictions. Who do they report to? I don't know, right? Which rules do they follow? And it really boils down to who are the trusted third parties, trusted by whom? Do you trust your government? Where's your hand? Do you trust your government? All in favor? Say I. All against? Say I. I trust my government to not have my best interests at heart most of the time. You can put it on a T-shirt, I'll take 10% off the top. And then there's this idea of self-identification. I told you or somebody else told you, the program told you, my name was Will Manning. Am I really? How do you know? Right? So there's this idea about trusted by whom. There are, if there was a trusted third party and this woman had given her digital identity, her credentials, her secret keys to this trusted third party, would the U.S. Department of Justice be asking these questions? Does anybody know what this is going on here? Right? Would they, I mean, basically what they're doing is they're saying, we want a trusted third party and we think that probably one of the rules of being a trusted third party under our program is if there's a warrant, you have to give us somebody else's data that they've escrowed with you. Do I want that? I don't know. Maybe. Maybe not. You don't want that. You really don't. You don't want me to hand over to my fed buddy over here. Yeah. I mean, you don't want me to hand that data over to them, right? Just because you told me something? Don't give it to me. If I don't have it, I can't give it to somebody else, right? So from a law enforcement perspective though, they have some real legitimate reasons for tracking people and identities and stuff, right? That if there are multiple digital identities and you hand them out to intermediaries who manage that stuff for you, you're making their job a little bit more difficult. Because then they have to correlate and data mine many, many more sources of data to try and actually track the patterns that identify you, but they'll do it, right? And then there's this other part that we haven't really talked about much, which is market forces. If I'm going to become one of these trusted intermediaries, I'm going to become this notary unless there's some explicit provisions for me to not share your data. I'm going to collect this big database and the first thing I'm going to do is I'm going to go to my board of directors and say, see, we've got all of these clients. They're going to go, how do we monetize this data? They're going to want me to sell the data either individually or in aggregate to other people so we can make more money. And so what I'm doing now is I'm actually creating a two-faced thing. I talk to my people that say, register with me. You can trust us. And out the other side of my face I'm saying, look at all this nice, interesting, aggregated data that talks about people that use this service, right? That's a false sense of security on the part of users because I think I'm protected, but my intermediary, my trusted third party, isn't, right? So they're going to collect my data. They're not going to tell me about it. And they're going to commoditize that data with aggregates with everyone else. Just for grins, what if somebody collected all the data for all the attendees at DEF CON and sold that, right? Bad idea, right? And then there are always, and this came up this morning again, is the budget trusted identity or trusted identity ecosystem provider. We're going to hold your personal identity, your data, your shot, 10, 24-bit keys using high security. Actually, it's kind of like high security. We're over here. You're over there. We're going to put it in this nice little digital locker. We're going to protect it with really, really strong security. Wrote 13. My dog can decrypt, wrote 13, and my dog is dead, all right? We're going to put it in an Excel spreadsheet on this XP-connected cluster directly connected to the internet for $20 a month. What a deal, right? So the real problem is, is that when you actually see the emergence of multiple providers, people wanting to be your trusted third party, there's no regulation, no information about how these people should operate and protect your data, right? There's nothing. That still needs to occur, right? So I'm going to ask the question. Is anonymity analog or digital? Where digital, I mean, is it binary? Am I either anonymous or am I completely exposed? Or is it more of an analog thing? I can show you a little bit, but I'm going to show these guys more, right? Which is it? We have a vote for analog. All in favor of analog, say, I. Why are you raising your hands? Can't you follow instructions? Digital, binary, OK. Both. How is it both? Why not? OK, so what I'm telling you is that I have exposed to you a couple of bits of information about myself. My employer, my name, and the fact that I'm sitting here at DEF CON. I have given you nothing else, right? I haven't given you my date of birth. I haven't given you my mother's maiden name. I haven't given you my social security number. I haven't given you my private keys. I haven't given you my credit card information, my bank account number, any of that stuff, right? I've only given you two bits of information, exposed a little bit. Other people over here know more about me than that, all right? So I think it's kind of a continuum when you think about anonymity. You cannot be completely anonymous, I don't think. And the real kicker for me here is that we are known by the company we keep. I can try and be anonymous, but unless I'm actually using something like Route 13 where I have plausible deniability, all right? If I'm using strong crypto, I'm trackable. Or my strong crypto is trackable. And as soon as you can track me, all you have to do at one point in time is to correlate that digital identity with me, and then you've got my entire history of what happened. And I have no longer any sort of plausible deniability. This is a weakness with people using strong crypto. And then there's this question, what does it mean to be or to remain anonymous? In the 1930s, there was a cartoon called Betty Boop. Anybody remember Betty Boop? That would be the old school people. Remember Betty Boop, right? And Betty Boop had one of the things in 1930, actually, in 1929, there was a character that emerged called Mysterious Moes, which turned out to be an artifact that frightened the socks off of this poor lady and everybody else, including the guy who was running it. It turns out it was a fabricated identity that nobody really knew anything about. And so if we attempt to be anonymous or attempt to maintain our level of privacy, you need to be a little bit worried because sometimes those things can turn on us. And at the end of the day, the problem is how do you manage your digital identity and trust chains? Can you do it alone? How much information have you shared with others and can you be assured that they haven't shared it with other people? And how do you revoke information that's bad? Help me, give me an answer. I'm sorry? Whatever I put out there is out there and I can't recover it, right? You know what's scarier? Whatever you put out there about me is non-recoverable. And you may be lying through your teeth about me and I have no idea, right? So there's this whole idea about actually being able to manage the digital identities that you create. And I don't know that we should create too many. So I'm gonna start wrapping up here. The digital identity or identity ecosystem or online persona or however you wanna call it, all of those things map back to meet space identity where existing law and rule applies. I'm sorry, John Perry Barlow, there is no independence in cyberspace. It all maps back to meet space. Then that would be a admission that I attended the California State public schools when I was little and I didn't spell check. Please feel free to correct the spelling errors, all right? So nobody is really isolated after this stuff. You are all, at some place, you're grounded in a rule of law. And everyone, to some degree or other, is partially cloaked. Nobody knows everything about you. Conversely, everybody is partially exposed. Somebody knows something about you. Maybe many people. I hope that no one goes and knocks on my parents' door and asks them about me because they're gonna get all kinds of stories about how I was as a little boy. I don't want those stories getting out. The point being is that there is a trail. Everybody leaves a trail. The more you work in the digital space, those trails are actually more persistent than the ones in real world. Because nothing is ever really erased or gotten rid of. There are always copies around some place. And people make money going and investigating those trails. Additionally, if you build tools to try and hide yourself, those tools will be distributed. If they ever show up on the internet, they will get copied. And they will be used contrary to your interests. This is a war of escalation. The more we try and hide, the more people try and uncover what we're doing. And they use the same tools against us that we use against them. So the advice here is to choose your traveling companions wisely. Be very comfortable in who you trust with your digital identities. Anchoring this back to NISTIC, it's still being formulated. There are some discussions going on. And it's not too late to influence the outcome, particularly when it comes to the sets of regulations that are going to describe and regulate these trusted third parties. So if people in this community want to influence what the US government is likely to do, it's an opportunity to do that. And it really boils down to, this is something I mentioned this morning, is the idea of influence ripples. As soon as you do anything, it affects somebody else. And that affects how they interact with other people. And so your influence, the things that you do online, ripple out and affect a larger and larger community. And you cannot recall that information. So it's important to be very careful in what you do. And that's my presentation.