for this. What I do is I'm Chief Operating Officer of Exploit Hub. I sell penetration testing tools and the company is based in Austin, Texas and we're a sub company of a group called NSS Labs. I am also, that's my, I'm part time with two companies. My other company I'm with Recursion Ventures out in New York City and I'm the DC office for both of these companies and we do a lot of red team work, breaking systems and then engineering fixes for them. And that's what I do full time. I'm an attorney. I have a, you know, I like software. I'm just getting into hardware engineering type of work and I've been in the hacking community for about 10 years now so I'm glad to meet a lot of local people here because I just moved to this area about a year ago so another reason that I'm excited this space is opening up so I can get to know all of you who have an interest similar to my own. So what I'm going to be talking to you about is this. One of my projects that I do is being in the hacking community and also being, I'm an attorney by the way, is I try to work out very specific work arounds or issues that some of us in the community have when we're working on research projects. A lot of us do work that's in what we call in law the gray area. How to define what the gray area is and how to know when you're kind of proceeding into an area that may be illegal is something that I consult, I talk to people about. One of the things that I've been researching for the past nine years in fact is the concept of data havens. Where do you put stuff? If you, if a particular country has restrictions on some material, some data, where do you put it? And what this presentation is not going to be about is, I'm not going to be talking about WikiLeaks for an hour. Obviously this is a very interesting example and I've been following a lot of the news very closely so I know a lot about the WikiLeaks cases. 
I have about five slides on WikiLeaks and I'll be happy to answer questions about it but I'm not doing a whole presentation on WikiLeaks. I'm doing a presentation on the concept of data havens, where stuff can be put and the laws associated with that, both civil and criminal. Might be a resolution issue, looks like it's doing four by, it's doing some kind of weird stretching with the four by three. Oh it is? Okay. Yeah, cause that's coming up square up there. Alright, it's still. Yeah, that's odd. Can you see it in the back? You're okay? Alright, is that? I'm not looking. Alright, that's Recursion Ventures out of New York City. This is Exploit Hub. If you write exploits or want to purchase exploits, come talk to me. We're not going to, we're sending this up for individual pen testers, small companies, big companies, governments, whatever. Depending on what you need for exploits, we have them. My background is, I've been everywhere and frankly my educational background is not as important to the stuff I do now as the experience that I have. But I have a business background, I'm an attorney and I also do a lot with CS. Oops, did I just turn it off? Hello? Okay. I'm a professor, an adjunct professor at the University of Maine. Yes, I fly to Maine to teach a class one night a week in the computer science department. I love teaching and I really want to get more people into learning computer science from a hacker's perspective. That's what I've been hired to teach at the university and it's a lot of fun. I teach my students to be or at least think like hackers and I'm about to do the same for law students next year. We need more attorneys who really kind of get it. So I'm setting up one of the first programs for computer security law at the University of Maine. So we'll begin to get some attorneys coming out and helping us in our community and in the corporations in which we work who understand. I also do some car access research. 
I like car computers a lot and that's a whole other presentation. But that's part of what I'm bringing here to the hacker space is we're going to be accessing cars. Actually my father who's here is going to be presenting after me. He was one of my inspirations for what I do now. Since I was a kid my dad did Red Team projects. He would be hired to break into places so other people can't break into places and he'll tell you more about that during his presentation. But we just co-authored a book with many chapters. A lot of other people have co-authored but I wrote one on cyber crimes and hacking and he wrote one that's more about like actually the presentation you're going to see now is related to what he published in security in 2020. I've been featured in Popular Mechanics for my car hacking research. I presented at a bunch of conferences. Can you guys see the bottom? Is the table blocking it? Oh we have it jacked up in the back also because of the floor. We can move. Okay. So I'm not sure. Some of my slides go like down to the bottom of the cell. Okay. One thing that a lot of us know in this community and when I talk to attorneys is they don't, some attorneys and people that do more management work for technical companies there really are no more borders. This is something that I believe that some attorneys especially and lawmakers have a hard time understanding is that there's no wall you can build around the internet access that we have here in the US. I'll talk a little bit about that. China has something that's similar but their internet is set up differently than ours has been. Ours has been more organic than theirs which has been specifically engineered for filters and walls. But I'm talking about really how information really can't stay in just one place where you want it to be. There's some safeguards technically that you need to take but legally right now the law and legislation is a little bit behind. 
What we want to do to try to keep data here in this country is difficult. I'll tell you the DMCA isn't quite, it isn't doing it. I have a lot of opinions about the DMCA. I'll share some of that with you. And for those of you who don't know that's the digital millennium copyright act. Also there are no more secrets. No I, shall I say there, I don't want to get into a political discussion about WikiLeaks about the secrets. I wrote this presentation and did a lot of this before the recent events with WikiLeaks. The arrest of Julian Assange. But some organizations may need secrets. How much I don't really want to debate but the example I'm trying to show here is how you can get information in and out of places. And it's very hard to catch this stuff. I mean many months back when I was talking to some developers for Tor how they were trying to get Tor into some countries where it wasn't, they wanted people to be able to bypass the filters but they couldn't just put Tor on people's computers because you couldn't access it over the internet. Developers for Tor were bringing in what they could inside of coins and examples like this to try to get some countries using Tor so they can share more information. The synopsis of the presentation is this is what I'm talking about. Walls, data being able to be moved around quickly and what constitutes a country. This is changing and I predict in the next 10 years this is going to be a big change in how we conceptualize your citizenship, where data comes from, where data is going and actually while it's in transit where the jurisdiction is for whether it's criminal or civil cases is going to be very difficult as we're seeing right now as the US is trying to extradite someone from Sweden, well UK to Sweden and then here. It's very hard to do. And I'll be talking about licensing as opposed to hard intellectual property protection. I see that in the next 10 years things may be shifting. 
It's very expensive and very complicated to enforce patents for instance. If a company needs to sue on a patent it's at least $100,000 for an American company to defend against it or to sue another company. If the model's changed a bit to go from hardcore suing infringers to a licensing type of a licensing model it's going to make things a little bit different of how we conceptualize intellectual property and how it is shared. The cyber police are having a difficult time actually catching up with what's going on. They're going to have to change some of the ways in which they work as well and I hope that and I have invited members from this community here to these presentations so they can learn about what we're talking about and see how from inside they might be able to make some changes within their own organizations. And there's an interesting thing that I've been following for quite a while. It's not as expensive as it used to be but the concept of putting a data haven in the middle of the ocean in international waters really is going to change the way that we conceptualize if there's a platform built, there are a lot of servers on that platform, how do the other countries get jurisdiction to get data off that if they want to? And I'm going to be talking about something I've been finding for a long time, Sealand and HavenCo. They don't exist anymore but that doesn't mean to say that they're not going to, especially with recent events, how things have changed, that they're not going to be something that will happen in the future of other platforms and I think it will be. Alright so I didn't draw this picture. This is Pirate Bay. Pirate Bay drew this and if you can't see in the back, they have Sealand is right there on the left hand side. They tried to purchase Sealand which is off the coast of the UK and this is the Pirate Bay including the lawyers gallows on the far right hand side. 
This is kind of how they feel some restrictions of where they're working even within Sweden and Sweden has some very liberal laws about freedom. I don't want to say freedom of speech because they don't have the First Amendment like we do all clearly but they have concepts of data sharing that's different than what we have here. So it's become a place where people have put some of their content and I have too purposely and I'll tell you why when I get to that slide. This is as deep as I'm going to get into the philosophy of liberty and freedom. The concept of who owns your property. Is it the country with which you have citizenship? Is it where you have your servers? Is it freely when information and speech is being exchanged over the internet? The concept of diversity of opinions and free speech was kind of set by someone who had a lot to do with the establishment of our country, Mills. All right, share openly, freely or not. As an attorney when I started in law school we had no classes on open source and free software licensing. It was one of these things that they knew existed but attorneys really had a hard time understanding. Well how can you protect something? How can you control it if it's something that's open or free? Free was even a harder concept. Free as in free beer or free as in liberty, as Richard Stallman would say. It's free as in liberty. Now a lot of lawyers are learning and they have to learn about this. I mean I deal with open source and free software licensing all the time. Those exploits that all of you are writing that I'm getting. I see chunks of free software and open source code in there. The licenses still need to be followed and you know attribution at the least for some of them. And understanding that when we're creating products hardware or software you're making a choice now that ten years ago really the legal system and attorneys had a hard time conceptualizing. Why would you want to release something free or open? 
How do you make money off of that? And as things I've seen a lot more software move toward open and free right now at least open. This changes the way in which we conceptualize property ownership and the data. Where is it being stored? Who owns it? Concepts of sharing. I mean I have everything up here from like Napster, like old school Napster and well BitTorrent and open source alliance. Open source and free software are changing the way that we store data as well and how we share it. So the intellectual property protection industries really they had a hard time. Like the MPAA, Motion Picture Association of America, recording industry of America. They're still beginning to change their business models but ten years after Napster they're still taking people to court over this stuff. And I'm not saying at least from the traditional copyright sense it was copyright violation when this stuff was going on at least in the way in which it was being transferred and stored on people's computers but their business models need to change. And ten years later their models haven't changed a great deal. All right and this is my son actually in case you can't read the t-shirt it's a hacker, a hacker in training. Geek is chic. I mean being a hacker is actually it's I love this community. I love the concepts and the ideas that you all have. I mean you are coming up with some of the most innovative ideas now that are changing our industry in ways in which the big think tank corporations aren't catching up. And I like that the ideas of the cypherpunks, the people working on crypto and the cyberpunks are really changing stuff and the warez community for better or for worse has really changed the way that some companies like big open source, no, no, no, no, no, didn't mean open source, big operating system type of corporations which will remain unnamed how they're handling responsible disclosures we give them. 
So also the concept of what we're doing with social media, what are you doing right now? This has a lot to do with who owns that information. When you post on Twitter, when you post on Facebook, where is that data being stored? Who owns those tweets, those posts on Facebook? The terms of service agreements that where everyone is fighting over with Facebook, the privacy. I mean I believe that we're shifting more toward a place where sharing and saying hey you know I'm putting my tweets up publicly. If people access that and they find information about me or about what you're working on it's a public statement. I put that information out there to share. It's not something that I can obtain or want my exclusive rights ownership over all my tweets. I've given it up to Twitter and I do that when I sign their TOS or their click through agreement. The nexus between intellectual property and cyber crimes is pretty much this. Speech contained in the source code is protected under the First Amendment. I hope you know that. This is your speech. Even though the code per se is not as protected as high as political speeches. Oh you don't need to answer that phone. You don't need to answer the phone. Just let it ring. Sorry. Pull the plug. Sorry about that. But the speech that you are writing in your code is protected as speech. It used to be before I think that case came out in the 1980s. They said well anyone can write code. It's like that thing with monkeys typing on a typewriter. It can all come up with. You all know that ten different people can write source code ten different ways. That's your creative input. It's protectable. It's your speech. And you do get First Amendment protection for that. It's a lower level than political speech which does get the highest. But the US Supreme Court will uphold the declaration that source code is speech protected under the First Amendment. So if you have that speech, you want to say something, where do you put it? 
So there's no place like home. One of the places that I love to watch to see where people are setting up businesses, economies. I mean I even read a comment that recently some of the DDoS attacks that were going on were being organized in World of Warcraft. Some of the command and control structures for the bots are in World of Warcraft. They're in virtual worlds. The interesting thing about virtual worlds is while law enforcement is in there, they're trying to see what's going on to catch up with how groups are formed. When you purchase a piece of property in Second Life, you have a right to that because you've paid for it, but that still belongs to Linden Labs which is the organizer. They own Second Life. So you're kind of, you sort of have a lease on property in there. One of the first online virtual world terrorism examples took place in Second Life. A group purchased land on an island that belonged to Linden Labs and then they blew it up. They blew it up by creating very disruptive code that destroyed that island. No one could get there. No one could leave. It caused a lot of havoc, but it was a very fascinating example of where you're going into other realms and you can have some speech. You can say what you need to say, but when it moves to something like this where you're destroying, you know, you bought that island, but it belongs really to Linden Labs. Likewise, the way this works in the real world example that I'll discuss is even if you have an offshore platform, depending on how that platform is connected to actually the continental shelf and how close it is to offshore, is that really your platform even though you're purchasing the materials? What if you put stuff on there? How do people access it? How does the government say, hey, we have a subpoena. We have a warrant we want to serve. What would, how does this happen in Second Life is something that they're still working out. I mean, they're still chasing the IP addresses to find people. 
They're still serving Linden Labs and other types of organizations like this with subpoenas for information about account and users. But as you know, it's not particularly difficult to set up anonymous user names, accounts. Anonymity is not, it's not impossible to do online. But what's hard for the government, the government enforcement to really get a hold of is how do they find who is there, who owns this property, who did it? And they're catching up because technology so far has been way ahead of law enforcement and legislation and the attorneys for the companies that work for these companies. But actually, yesterday I had lunch with an attorney who, his focus for, he works for a very big law firm here in the DC area. I mean, it's internationally huge. They have a practice group focus just for virtual worlds. I mean, if you got your e-gold stolen, you go to them, they'll help you get it back. I mean, that's just, I love that idea that even the big law firms are beginning to catch on that this is where stuff is happening. Strict intellectual property laws. This was, this did not actually become law, but it could have. And for those of you in the back who can't read it, US Attorney General Gonzales proposed criminalizing attempts to infringe intellectual property in order to meet the global challenges of IP crime with the intellectual property protection up to 2007. I'm really glad this did not become legislation, but it almost did because all of us, we should really keep an eye on what legislation is coming down the pipeline because once it's passed, it's almost impossible to undo later. I'm working on changing and actually trying to augment the Digital Millennium Copyright Act now, but it's extremely difficult. Before this stuff gets passed, get involved. As the hacking community really, we need to not let some of, we don't need another DMCA. This would have been even worse. It was criminalized, not for profit, illicit copying with no evidence of actual copying. 
That's really ridiculous. I mean, I'm glad these are some of the reasons it didn't become law, but it was close. And when we have a US Attorney General recommending this, I would like to think that he didn't really understand how it would affect the industry, how it would affect our projects. But some of these things like create a new crime for life imprisonment for knowingly using pirated software. That's a big deal. Permitting more wiretaps for privacy investigations and increase the penalties under the DMCA, the anti-circumvention measures. Right now under the DMCA, fair use is kind of a, it's dying. As an academic, as a professor, I have DMCA issues almost every single day that I teach because I have to think is this code or this encryption that we're reverse engineering or we're talking about breaking. Is this, can I talk to students about my research? Can I publish it? And I actually, every time I have to catch myself and think, am I teaching people to break the anti-circumvention measures so we can learn how to design them better? Yeah, sometimes I can't talk about it and I can't publish. I still can't publish some of my car research, which is academic, but it's not fair use because of the DMCA. So, and here is the DMCA. There's a group downtown in D.C. called Public Knowledge and they're working on amending the anti-circumvention measures for the DMCA and I'm working on the takedown notices aspect of the DMCA through case law that is in federal courts right now. EFF is assisting us with the case. They're not lead attorneys on the case. We are, but we're very grateful to have some of that help. The DMCA criminalizes creation and sharing of copyrighted material obtained by circumventing technological measures, DRM. So that's what I'm talking about. 
For example, in some of the car computer access projects that we do, even if the crypto is like a simple challenge response, tiny key, challenge response, unlimited number of times, if we do that to get to what's running on your car that you've purchased, that you have something like a black box more or less that's running on your car if it's newer than 2001. You don't know what data is that storing. It can be accessed by law enforcement but with a proper warrant. So it's not something that can just plug into your OBD2 port and take it. But you can't see that code. You can't talk about it if you have seen that code and you certainly can't publish about it. That's one of the problems we have with the DMCA and the hacking community. And one of the reasons why the provision that I actually have been challenging is the takedown notices as well. I've had to move some stuff to Sweden for a case we're doing. And I presented about that at Black Hat last summer because we just had so many issues with the DMCA. My clients were not breaking the law. It was speech. They wanted the speech here in the US and they couldn't do it. So we put something in Sweden and it's happening. And since then we haven't had takedown notices as frequently because we said, you know, take your US DMCA takedown notices to Sweden and see if PRQs can respond to them. And I think you know the answer to that. We're not obstructing justice. We're just, hey, if they want to file an international case to silence speech that's being done in Sweden, they can. It's not easy to do right now. That may be changing in the future but not at the moment. And this is what we were getting around. One of my students at the university created a website and we're, the particular case we're doing, and I won't mention names although it is in the federal court right now. You can look it up. You can watch my presentation if you want from Black Hat last summer. But we gave up our Safe Harbor. My student has an ISP. 
We do hosting and it's in California. The Ninth Circuit in California generally is good for these cases, better than here. So we have servers and the company does a lot of operations in California. We gave up the Safe Harbor provisions and said, okay, sue us. We're not taking down the material that you're telling us is copyright infringement. And so the person suing us is a medical professional, in fact, in this area. And we, our clients for the ISP and the hosting company have a website that we're critiquing his skills, some of the stuff that he did. People have died from some of his medical procedures. And whenever someone would post a website saying, hey, my child died from that, we'd get slammed with DMCA takedown notices. Hundreds. I mean, they just would keep coming. Every seven days, the statutory period, we take the website down, put it back up, we get another DMCA notice over and over again. And that's when we said, we can't change the law. We're fighting this in court with the pro bono attorneys like myself, which it's extremely time consuming. We're moving everything to Sweden. And since we did, the website has been up 100% of the time and we have not had any more problems. And I don't look at this as such as we're not fighting the war with, you know, music and copying movies. This is speech about people who say, I don't agree with what you're doing or your practice. And we couldn't say it in the US because the DMCA prevented us. We moved it. And so we gave up our safe harbor provision. And that's why the concepts of data havens, it's not a totally, it's not a concept that's very foreign to freedom. I mean, the concept of saying, hey, we're going to form our own group, our own community and do our own thing. It does have some purposes, just like, I can't get into discussion particularly about it, but there's some aspects to sharing information that you have or someone may have that needs to be said or get out there to help other people. 
So US versus European copyright laws. I had to consider this. Excuse me. I have a bit of a cold, so I don't sound too bad. But European copyright laws, I had to consider some of this. When we put our boxes in Sweden, just to figure out, well, what requirements would it take when they, you know, if someone did come from information on our computer? They have a copyright directive and the electronic commerce directive of 2001. This is for the EU countries, that is. Britain, or okay, the UK has something that is a little bit frightening to me and it's not full law yet, but it's getting there. It's kind of affectionately called the cut them off copyright enforcement. Excuse me. So the way it works is if your ISP gets takedown notices similar to our DMCA, which is not what they have over there, but it's similar, they can just cut off your internet access and they'll do it. It says here that the copyright holder can collect IP addresses of alleged infringers. The account holders of those IP addresses will be identified via court orders. So it's not just like your ISP is running over your information, but court orders are, well, how shall I say this? They're not always the highest bar of getting that information. It's not the most difficult thing to do to get a court order. And the ISP will handicap, like cut your connection almost down to nothing, or cut off your internet access completely. And depending on how your court case goes, when you do go to court for this, they could cut off your internet access for your name or your house or whatever for six months to a year or just forever, it seems like. They will block portions of IP addresses and this is nothing new to people who work in IT. When I was in United Arab Emirates doing this presentation actually for BlackHat Abu Dhabi, we did some interesting tests. We tried to see if we could access any sites in Israel. We could not. 
And we were warned actually beforehand, if you mess with their firewall, if you mess with stuff at the conference, they won't help us. So we just did some testing, but we didn't go beyond that. But they're blocking destinations in the UK that potentially they could under this law, such as Pirate Bay. Italy is doing this as well. And there are other countries that we consider to be similar to the US to have the type of free speech type of sharing of information. But when you block stuff like Pirate Bay, one of the questions that the court looks at is does this site substantially infringe copyright? Well, that can be a subjective question because there are a lot of things on Pirate Bay that are not violating people's copyrights. You have a band, you want to put your song up, go put it up on Pirate Bay. That's your choice. But to say that you can't do that because someone else might do take some big band in the US that has a lot of copyright in their music and doesn't want it on Pirate Bay limits what you can do. And of course, here is Pirate Bay. I have a whole slideshow about Pirate Bay pictures that I talk to my students a lot about this because some of them don't know that in the US if you do get some copyright material off Pirate Bay, it can cause you some problems. I mean, we and the one of the labs that we have at the university, this is one of the IP addresses or the we the addresses that we block is students going to Pirate Bay. And I think that filters like that are kind of unfortunate because it doesn't let people choose to do non-infringing stuff with it. It just says if you go there, you're bad. And that's a pretty broad blanket to throw over some of this stuff. Because some of my students are putting their code up there for people to check out and use for free. I mean, there are a lot of people accessing it. But so it's a good way to get your work out there. But I've done some work on Pirate Bay. 
What's interesting is, as you may know, the political party, the Pirate Party, came before Pirate Bay and their servers and all that. But these are some of their objectives, which I thought I'd put up here for you to consider: promoting global legislation to facilitate the emerging information society. And for copyright, they claim that today's copyright system is unbalanced. And that's why they do some of the things that they do. I love this picture. If you can't see it, it's an iPod. And it says filled with tons of music from the Pirate Bay. And it's actually the back of an iPod. Privatized monopolies are one of the society's worst enemies, hence the position that patents are obsolete and should be gradually abolished. There is in the past five years in the US we've been talking about changing patent law is very slow. It's happening very slow. But I mean, we're trying to change some of the ways that software patents are handled here. But they're just saying, well, they're going to do something more radical. And as a political party, this is their platform. And for privacy, they say that all attempts to curtail these rights of privacy must be questioned and met with powerful opposition. Hence their position that anti-terror laws nullify due process and risk being used as repressive tools. And again, this is not to say that I agree with everything from the Pirate Bay, but this is what the political party has done. And as a result is a place where they want to go. I mean, where do you go when you're not welcome? Where do you go when you're the Pirate Bay? And you're being told you need to move your stuff out of Sweden or if they are told that? Well, you can move your websites or links potentially of that may potentially have infringing material. Yes, you're sorry. Yeah, okay, go ahead. You ask question. Yeah. 
Okay, so the question is for those who couldn't hear or if it's being recorded, you don't actually upload a big chunk. I mean, your whole file isn't going up on Pirate Bay on a centralized server that you can access the information. It's metadata. And it's really it's how to get to that information. And sometimes it's broken up into pieces around the world really, which is fascinating. They are facilitating in the way that the Swedish government has had issues. Now get to the criminal case in just one moment is that they're facilitating access potentially infringing material. And because they're providing the gateway, it's like it's a gateway. I hate to make that analogy, but the gateway to get that information. That's why that's one of the reasons why the government is having in Sweden a difficult problem with this. And because they are on and really the backbone for the internet access that they do have a lot of computing resources in Sweden. That's how the government's been able to get jurisdiction over what they do is their stuff is in Sweden, a lot of their computers that do find you know, set the metadata, they are there. Some countries have fewer restrictions on internet access and content hosted within their countries. For example, if any of you have lived in South America, their laws are very different than ours. Does that make it okay for you to take material here, whether it's infringing or it's speech that may not be particularly popular and put it in South America? That's really the essence of the research I'm doing in this question is how it's not just a question of law, but it's ethics and also logistically, this is hard to do. It's expensive. It can be. In fact, South America, one country so far publicly has announced that they will take WikiLeaks and they will host the servers, some of the servers for WikiLeaks and actually welcome Julian Assange and that's I believe that's Ecuador. 
And they're making a statement that they don't agree with all the policies that we have here in the US because their laws are different. And how the US gets jurisdiction over that, I mean how would we say no, we're not going to do that or if you have someone in Ecuador that we want to extradite for criminal procedures, criminal process, it's difficult. Oh yeah, so this is the computer. I showed this, I didn't use this particular computer in Abu Dhabi because it's very old, I love it, it's breaking, but I use Tor for a lot. And I'm sure everyone in here knows what Tor is so I don't really need to go into a lot of detail about it, but it's an anonymizer. It's not crypto, it doesn't, you know, you can't protect everything with crypto just with Tor because it doesn't do that. But it anonymizes where you're coming from and where you're going with like a hop in the middle, it's an onion router system. And there's some countries that they read that they're saying don't use Tor, you're not allowed to use Tor. Well here in the US, not a huge but a significant percentage of Tor is actually law enforcement here in the US. And they love and they hate Tor at the same time. They have a very hard time finding out where, you know, Tor addresses are coming from, extremely difficult. But on the other hand, they use it for their research as well for the same reasons. The example that I found of when the US government started using Tor quite a bit was the FBI was doing an investigation to bust a child porn ring. They had their, really the internet access for that division was in the FBI's building in Quantico. So when their agents got online posing as children or as purchasers shared, people who will share child pornography, all the child porn ring had to do was really look up and they went around to find hey, that's the FBI, that's okay, we're gonna oust those people as agents and their whole organization was destroyed. Then they started using Tor and now it's changed. 
So I like to think that they are putting money into Tor as well, anonymously or not, because they use it, I saw some statistics at Jake, one of the developers for Tor, Jake Appelbaum gave me that 25% of Tor traffic every day is law enforcement. We love it and hate it for the same reasons. But when you have stuff in other countries, offshore platforms, if you're, well, besides Tor being slow and people have given presentations on that, that's one of the ways in which a lot of access can be done and if you are accessing material that's illegal in the country, for instance in Iran, if you're trying to access stuff about, well, even in China, the books that are on that, what they call the yellow list, if you want to read them on Amazon, I mean, you gotta use, they're using Tor and Tor is hard to access actually in China right now because the government's caught onto it but there are other ways to do it with proxy servers. And this is the last portion of my presentation where I'm gonna be talking about land-based data havens, Iceland, Sweden and the Netherlands. So there have been recent advancements with stuff that's going on in Iceland. They're gonna have, and it's not here yet, they're gonna have one of the most broad laws about freedom of sharing information and freedom of speech. Their laws are going to be the most generous in the world and they are, that haven't quite been passed yet, last time I checked. But what's interesting is one of the people who has been really into changing the laws in Sweden to make it a place where it will be a data haven is the guy that's taking Julian Assange's place as interim director of WikiLeaks. His name is Kristinn, I can't pronounce his last name, I feel, I'm very sorry about that but if you look it up, he's going, he's an investigative reporter. So reporters care a great deal about how to share some of this information. 
He's been with WikiLeaks for a while but he's in Iceland and he's got a lot to do with this new law that's coming and will be coming into effect in Iceland soon. Sweden and the Netherlands are also places where they have very generous laws about information sharing. However, Sweden is, while their laws do say that, there's some technicalities and I won't, I don't want to get into the details of Julian Assange's case but while he, they're not picking him up on these laws about information sharing, it's on something else and that's one of the issues that they're having right now with WikiLeaks clearly. But they've already moved some of their servers to Iceland and I don't know if we have internet access yet, do we have wifi up? No, okay. I'm not going to be able to show you the video for this but I'm going to, I know a little bit about how their servers are set up in Sweden just through public records, information that I've found for research purposes. But what's interesting is they have a whistleblower protection law and this is initially why WikiLeaks set up their stuff in Sweden. Is if you are whistleblowing on information from government entities and this, what they'll do is they will protect that information if it stays up and the servers, Swedish authorities will not take down a site that is protected unless the servers can be seized in conjunction with criminal allegations. However, the interesting thing is Assange, when he initially released the helicopter video that we all know of that I saw for the first time at Hackers on Planet Earth this summer in July after Jake's presentation is, he may not have filed in time for that which is, which is pretty curious. When he realized he needed to file and you do need to either be a citizen of Sweden or a resident of Sweden, he, his residency at the time was pending so they were holding on to that protection for Assange. 
Now that his residency has actually been denied, his residency application, he's, as soon as that happened he was looking for a new place to go and to go possibly to take the servers as well because they would then be vulnerable because perhaps it hasn't been tested yet because like I said he's been picked up on stuff other than the whistleblowing protection that they have in Sweden. But he was denied residency in Sweden October 18th and that's when a lot of the other legal actions against Assange started really picking up. WikiLeaks is somewhat underground although they have two server locations. One of them that is, this is Bahnhof and I'm not going to be able to show you the video unfortunately but I have the link in my presentation. You can go to it, take a look at it. But way before the WikiLeaks stuff started a group I think from this area actually did a tour of different kinds of places to store data and this is an interesting one. The Pirate Party is in there, WikiLeaks is in there and they share resources. They don't say this is the purpose but it does increase the difficulty the US must undertake to seize and access the WikiLeaks servers. But the assertion is, is that the servers are in a bunker 98 feet underground in the mountains outside of Stockholm. It was built as a bomb shelter in 1943 and there are a lot of other data havens that are like this. They're bomb shelters but this one's interesting that they're able to get a lot of internet connectivity and a lot actually. But it was turned into a bunker in case of nuclear war during the 1970s. From what I understand from the presentation it's also hardened which is kind of cool. They have some shielding so if there is nuclear war the servers probably will be fine down in there. But it's been used by the internet hosting company Bahnhof. It's protected by 30 meters of rock, steel doors, backup generators and when you watch the video sorry I can't show you in the first five minutes. 
I mean this place is immense. They have a and it's also very well funded. They have a conference room that's kind of like a floating glass room. It looks like just from Superman or something. It's very beautiful. But Netcraft showed that the site, oh WikiLeaks as we know now but back when I started doing these presentations we knew it was being mirrored somewhere but we didn't know where. One of those mirroring sites is most likely here actually in Reston, well Reston, Virginia. One of their tweets showed that and people started doing some research and yeah indeed it looks like at the Equinix facility WikiLeaks is having their servers mirrored here in this area. No one knows quite by whom but it's clearly here. But when they do the mirroring there were some cases including with mirroring sites. There was an interesting case within the hacking community, 2600 where Eric Corley was mirroring DeCSS and the court held that he was, I mean you still could not mirror. If DeCSS is for cracking encryption for predominantly copyright infringement purposes that really pissed off the courts and it pissed off the corporate attorneys for the MPAA. So WikiLeaks is being mirrored here. That is not a solution as most of you in the room know to jurisdiction hopping. If the stuff is here and you're mirroring it, what's going over that server? You can get jurisdiction as soon as it touches here in the US. That's one of the reasons why the state of Virginia has very, that's sounding really bad. Okay. I'm not sure how this microphone system even works. Okay. This is this. This will be not this. Let's turn that off for a second. Maybe a volume adjustment. I'm thinking we're getting feedback maybe? Yeah. All right. I turned it down too low. Do we hear? Batteries in the back? Well, I have it on, if I push it all the way forward and it's mute. Do we have anybody who knows about technology? I couldn't. This is not an assumption. It was volume. Maybe it wasn't. I think I hit people. Okay. 
It's fine now. All right. Who knows what that interference was? All right. I was stating that Virginia has very strict cyber crimes laws because when, and I know there's some employees here from AOL, which is when AOL was a very, very big company and a lot of the internet access came through the pipes really here in Virginia, the tubes shall we say. Virginia decided that they wanted jurisdiction over a lot of cyber crimes laws. So we have very strict and encompassing cyber crime laws and ways in which you can get jurisdiction over this here in the US. So if I, is there a camera? Is it the battery? Okay. I'm just, I'm not going to move. I'm going to stand right there. Yeah. I'm not going to move at all. Okay. So Virginia wants to get jurisdiction over this stuff. It's coming through here and that's one of the ways they do it. If I was WikiLeaks, I wouldn't have put stuff in Virginia, but I'm not. So, so good for them. I'm not, here's the video. I can't show you because I don't have internet here, but it's a, it's really good. Okay. So one, another way that I've seen stuff in Data Havens used to get a difficult time getting jurisdiction. If you mix your code, your speech, whatever it is with political speech in most countries, one of the things that they do, and I know that Pirate Bay has already done this, they're mixing in the content for WikiLeaks with the political speech. So when there are proper warrants, well, equivalent warrants and subpoenas in Sweden issued, they, the law enforcement has to go through and pick out kind of like a blind eye to the political stuff for the Pirate Party. And that was a very interesting way in which they have made it harder to get jurisdiction over the content that WikiLeaks is sharing. Another way, which is interesting, and I won't get into too much detail about this because I think, I don't want to take up too much, I mean, much more time than I have with the presentation, but scatter and recombine. 
I have a theory and it's just a theory that I have about insurance file. If you have a file that you want to, even if it's protected with your Jewish encryption, which insurance file is, it would take a long time. I know, I'm sure the government agency is working to break that crypto, but a way in which would be creative to take that is break the real insurance file up into many pieces scattered around the world and cryptographically kind of protect those pieces. When a certain event occurs, have a centralized server through which all of those pieces come together and are decrypted and there is whatever file or content that you're trying to, you want to protect. So this is one of the reasons I have this theory is that WikiLeaks has more than one server location inside Sweden. This is all public. There's one outside of Stockholm that's in someone's, I think, personal residence. They have a really big server there. And why would WikiLeaks need such a huge centralized server? So we did a little bit of analysis and we're thinking about the idea of taking a big file. And again, I'm not just playing what WikiLeaks is or what they've done. I don't want to get into that, but taking a big file, breaking it apart, you'd need kind of a big server perhaps to take all those pieces upon command and put them back together and to decrypt them particularly. Strategies for distributed data storage. I'm going to skip that slide, but I want to get to the jurisdiction hopping. This is something that happened with Sealand and HavenCo with jurisdiction hopping. As I mentioned in Virginia, as soon as the data touches a server in the U.S., they have some jurisdiction over that. Where it came from, what it is, they're going to try to decrypt it if it's something that they care about. So what we've done with a case that I have is what's called jurisdiction hopping. I got tired of the illegitimate, I mean, violation of the DMCA take down notices, so I put the stuff in Sweden. 
I'm not obstructing justice. That can be, you know, the person, the doctor here who had issue with this speech could go to Sweden and file. He didn't, but he could. And maybe it was more expensive for him than it would have been serving us and people here or in California, but it's legal. We did it. And that's how jurisdiction hopping is done. I know that, in countries such as in UAE, some people have talked to me saying, hey, they have a file, some information that they put in other countries. Battery? Okay, I'll just keep going. So one of the things that they've done is they put it here in the U.S. The U.S. has protections that they don't have over there. So they put it here on a server, they pay for the service, they use Tor to get to and from the site, and they cryptographically protect any information that's going between the stuff here in the Abu Dhabi or Bahrain or wherever they are. And it works that way. And that's one thing that's hard for law enforcement is to kind of, or for government in Iran or overseas to get jurisdiction to capture that stuff and figure out exactly who it's from, where it's going. It's like it's a tunnel, really. Offshore platforms. In 2000, it took about $2 million to set up HavenCo on Sealand. What this is, and I have a picture of it here, but it's a platform in the North Sea off the shore of the U.K. And it was a former gunnery post in World War II. It was a pirate radio station and later became a location platform for computers. And the guys who set it up, Avi Freedman and Ryan Lackey, are fantastic cryptographers, the best I know in the hacking community, in fact. That's where it is, and that's what it looked like. And I believe in a period of time they had about 15 to 20 people actually in there. And those pylons that go down into the water, that's where the computers were hosted. When they gave their first interview to Wired magazine in 2000, they said that they filled those rooms with argon gas. 
Not just because it was to protect the computers or keep them running hot, but it was from running, the service from running too hot. But it was for, really, so if they got raided either by pirates or by, I think they specifically said by any government entity that didn't like them, it would be hard to do. They actually had to put on gas, go in to take the servers out. And then later he said, and they do have this, they have a very large room with a lot of guns. And when you claim you're your own country, that you have, the U.K. and the U.S. has no jurisdiction over your stuff, the guns and weapons you have in that room, the stuff that I have read and talked to Ryan about them having were pretty extraordinary, like missiles. I mean, it was a big deal. They had to actually defend themselves from real pirate pirates. And I'm not talking about copyright pirates. I'm talking about the guys with the guns on the boat that are like, we want your platform, we're taking all your computers. And the prince was kidnapped by pirates, taken somewhere to Norway, I don't remember. And somehow he fought the pirates, made his way back to the platform, took the platform back over by force, ousted the pirates and took it back. So the guns were not just for protecting against the U.S. government or the British Navy showing up with their big ships and their huge guns because they would not make it still. We have more firepower than they do. But it was kind of a statement that if you come to get our stuff, we're going to fight before it. And he initially said, if you get close to taking it, we're just going to go down with it. We're going to blow the place up and it's rigged with explosives. He later said, that's really not the case. We're really not going to go down for your stuff, sorry. But this was after the company had folded. This is the principality of Sealand. They still are there. Okay, now the hackers and the cyber punks are not there. 
But the people who are there is the king, the queen, and these are the Bates family. They've been there since the 60s as pirate radio operators and the prince is still there. And he's probably in his like 40s or 50s right now. But they're still there and HavenCo the company is not. But anyway, they say they don't respect or take any subpoenas or warrants. Although after September 11th, they did send a statement to the U.S. government saying, if there is some type of terrorism that you think is going through the computers here, we will work with you on that. But up until 2001, that was not they publicly stated that wasn't the case. And there's Ryan Lackey and their slogan for that HavenCo the company was the free world just milliseconds away. And that's an aerial view of it. It's not very big. And this is a view inside. If you listen to Ryan Lackey's presentations about what it's like to live in that place, it's really quite fantastic. Fantastic in the sense that, I mean, they're like 15 guys living in this tiny place for like three months at a time. And if you fall into the North Sea, like you're blown off the platform, you have something like less than five minutes to be fished out or you die. So it is a very hostile place to set up a data haven. But in some sense, it was that was part of the threat. They have their own currency. They have their own stamps. They have their own passports. And actually, when Ryan came to present at Hackers on Planet Earth, this must have been like six years ago, maybe eight years ago, he had a Sealand passport on him. And he does not use that when he comes through JFK. I think that would be it would be held up in customs for quite a while. Because obviously, the US does not recognize this as being a sovereign nation. They have autonomous contract. Their contract was pretty much like as long as it's not illegal, it's not child porn. You can put anything on your computers. It's like a don't ask, don't tell policy though. 
If they don't find it when they're upgrading their stuff that you're a terrorist or doing something like child pornography, they won't actively look for it. But if they find it, they'll take your stuff and keep your computers. Those were the laws of HavenCo. Oh, and there's the prince on the left hand side. Prince Roy, I believe is his name. And that's Ryan on the right. This is interesting. It took a while to dig to find this. But this is the world where when this platform was built, this is what it looks like. This is what is a problem for them claiming that they're a sovereign nation. If you look at the bottom, that is a boat. The way that this thing was built is it was built to be a platform that wasn't actually physically connected to the continental shelf. And I'm not going to get international law of the sea and all that. But it's sitting on the seabed. It was a boat that was dragged out and really sunk. And then the top part stayed up above the water and they put all the guns on it for World War II. In international law, international jurisdiction, for an island to be an island, it depends on how it's fixed to the continental shelf. Well, here's one of the things that the UK is saying, this is our thing we built. When I talked to you about what do you own, this is ours. We brought it out there, we sunk it. You're just squatting on it. And they took it under something similar to what we have here in the US called adverse possession. In the US, if you squat on your neighbor's land and your neighbor cannot be the government, because the government this never works for, it just legally doesn't work. But if you squat on your neighbor's land, and I think in Virginia it's up to 22 years, you're openly doing this, notoriously doing it, you put up a fence, you build a house, you live there, you will own it. You can go to court and take possession of that piece of land after 22 years. 
So if you find your neighbor, like their fence is encroaching on your property, get them to move it because they could own it after 22 years, so don't be lazy about it, or you'll end up like this. Alright, so the UK was lazy and now they're kind of having issues with the Bates family out there, who are still out there, but Ryan is somewhere in the Middle East and Avi Freedman is still doing some interesting crypto work. International jurisdiction over HavenCo: one of the things, when the Digital Millennium Copyright Act came out, there was this big thing that people were going to put all their content on HavenCo's servers. Well, you can imagine one of the weaknesses if you set up your own island somewhere is how do you get internet access that's fast enough, especially with all the data that we transmit now, I mean video, I mean how do you do that over HavenCo? They had a single cable under the ocean that they had laid to supply the internet access for HavenCo. The problem is when the UK says, okay you're done, ISP, we have all the warrants here, just shut off their internet access. If you've spent thousands to get your stuff out there, that's really vulnerable. They were going to do a satellite uplink, but that's really slow, especially back in 2000. So they didn't really have a backup. So if the UK decided we're going to commercially cut off your internet access, your data haven is pretty much dead. So what happened to HavenCo? You can get Ryan Lackey's perspective. He gave a DEF CON and Hackers on Planet Earth presentation about this. It was really financial what killed it. Ryan and Avi spent, well as some of us may have done in 2000 to support a startup company. They put it on their personal credit cards. So when the Prince decided they weren't going to quite pay them back, the company folded. So it was really over something financial, not something legal. 
And in 2008, Prince Michael declared that he would never sell the micronation to anything like Pirate Bay. Pirate Bay did make an offer. They wanted to buy it and they said no. So right now actually they've had two fires on Sealand within the past five years and it's almost like a death trap if you're caught in there. So who did they call? This is one of the things you don't want to do if you're setting up your own country and claiming you're a sovereign nation. They called the British Navy to come help them put the fire out and they did. And I believe the British Navy billed them and I would advise if Sealand wants to claim their principality, you pay that bill because you're not a citizen of the UK. The other downside that's been happening for a long time is everyone there has, in the UK they have socialized medicine. What happens when you're like a card carrying member of a socialized medicine country, you have your health insurance card, you're a citizen. And the Bates family is, they are covered by their socialized medicine plan there. So weakness there for talking about your own micronation. All right, next step. So from what happened in 2000, the next step is going to be this. And I see this happening. It sounds still science fiction as the picture seriously suggests, but there are people with a Seasteading Institute out of San Francisco, the same group that funded PayPal. PayPal was created initially to kind of get around a lot of the regulatory issues with U.S. banks. And PayPal is something that we use, not for that reason, but for Exploit Hub because they handle a lot of stuff, but it was initially set up to kind of get outside of one nation, one country saying your bank is physically located here, we're going to take jurisdiction over all the transactions there. PayPal still obviously abides by U.S. laws, but it was set up to be something sort of autonomous from the regular banks. So anyway, seasteading is interesting. 
And someone has suggested that for $2 million and a bunch of recycled bottles you can set up an island. And of course the first groups that said we're going to do it, I mean, guess what? Guns, computers, and women were the reasons that people were going to set this up in the middle of the ocean. So this is going to be a challenge. And what did someone say? Is that a problem? That's my dream land. Well, if it's your dream land, this is going to be interesting. In the future, just like you have your character perhaps on Second Life and it's what you want it to be, you belonged in groups and World of Warcraft and all that, perhaps in the future we'll have some kind of citizenship in the country in which we were born. But maybe our work and personal and social and whatever affiliations will be on some offshore platform somewhere where we have all of our computers, which kind of compromise. I mean, this is kind of my home, my laptop is. And I travel a bit, but everything that I do that's important is here. And if you take that to an offshore platform, maybe that is going to be your next country or your group affiliation. But international cyber criminal cops without borders, this is something that the U.S. government is working on is to make it easier for the FBI and other law enforcement agencies here in the U.S. to work with Interpol, sharing information, resources and people to try to make sure that the platform that's set up with giant stinger missiles, well, it's going to be an interesting question. Is it something that we want to support or something that in international waters they're going to go as far as changing international law of the sea and takes an international effort to do? It's not just something the U.S. can say, we're going to say all the oceans are ours. It's not going to happen. And that's why stuff's going out there. And that's why it's going to be very hard for international cyber crime, cyber cops to kind of do what they do. 
So kill switching the internet. I'm going to skip this part in the essence of time, excuse me. But I don't believe it's possible we can do that here in the U.S. unless we set up a whole new structure of how the internet is set up. In the U.S. it's more organic. In China, on the other hand, the way their internet access was set up, there are about 12 choke points, more or less, a handful of choke points in China's network. But kill switching here in the U.S. is not going to happen. If the government sets up their own type of internet structure, which they've been talking about doing, especially for protected computers, that's a different issue. But for all of us, if they say cut off all internet access for Northern Virginia because there's a huge attack coming out of here, attacking here, we may be cutting off some of our important access for computers for the military as well. We just don't really know what's going to happen. One of the projects we're doing here at the hackerspace is we're setting up a cyber war simulation type of thing. We're going to play around with this here in the space on a black hole network, of course, to see what we can do with it. But one example, and there are some others with affiliations with Latvia in this room, I do know that, but Latvia was cut off from the internet, I mean, an entire ISP. And a researcher said this may be one of the top European centers of crap. And so there are a lot of malware, malicious sites, attacks, botnets coming out of Latvia because they're not as strict with what goes over their ISPs over there. So setting up something that's bulletproof or how to get to where Zeus bot making software is being shared is hard to do. And so Latvia just said, okay, we're just cutting off a lot of people in Latvia just because we can't control what's going on. I think it was Zeus, in fact, that they were having issues with over there. I'm going to skip that protecting cyberspace as an asset. 
China may be the only country that has the ability with the great firewall to do what some politicians are talking about of kill switching the internet. All right. So just wrap up here. An island of hackers, cyber punks or techno geeks, you take your pick. Maybe in the next 10 years, we'll be able to decide really what communities, just like this hackerspace, just like the hackerspace movement actually internationally. The group with which we have our friendships, our social and even business networks may be more so than we're US citizens. Maybe it'll be like we're participants in Unallocated Space, Reverse Space. And if geographically and physically that type of place is offshore and you can get to it, that's going to be an interesting new concept of liberty and freedom and where you call home. So in a world in which laws are defined by IP addresses or GPS coordinates only, lawyers and cyber police are playing catch up and will remain to do so if they stay steeped in traditional criminal intellectual property laws. Our society, our organization has changed as a hacking community. We are ahead and they're playing catch up. And we need our legislators to understand that some things need to be changed to help law enforcement catch up with some of the bad guys, however that may be defined. But property ownership gives the future citizen a way in which he can be his own island. So just like Voltaire, you may be able to digitally be your own island. And in fact there's some places now where you can do that. So whether you share your stuff or you set up like a super intellectual property group on another island, it doesn't matter. It would be nice that we'd have the choice to do some of that. So anyway, that is my presentation on international cyber law and jurisdiction. I'm on Twitter a lot. My email address, Exploit Hub, Recursion Ventures, my email address is up there. If you want to reach me, that's a good way to do it right there. And I have an office in D.C. 
but actually right back there in the corner behind that door is my office for Exploit Hub. Yeah, there we go. Thank you. I think it's William. Exploit Hub, Recursion Ventures and my law firm. So if you're in here working on some projects and you want to know, gee, am I going, is what I'm doing legal, come find me. I'm going to be here. And that's it. Thank you very much. Thank you. Thank you. All right. We're going to take a five minute break and we're going to bring up our next speaker.