Give2WBAI.org. There's a great selection of plays, events, discussions, concerts, movies. I'll definitely find something. All I have to do is click on the header that says tickets. I'm saved! Happy birthday, sweetie! That's Give2, the numeral 2, WBAI.org, and click on the header that says tickets. And you are listening to radio station WBAI New York. It's just about 7 o'clock. In fact, I think it's exactly 7 o'clock. And that means it's time for Off The Hook. The telephone keeps ringing, so I ripped it off the wall. I cut myself while shaving, now I can't make a call. We couldn't get much worse, but if they could they would. Von Diddley Bond for the best, expect the worst. I hope that's understood. Von Diddley Bond! Give2WBAI.org. That is Off The Hook. Emmanuel Goldstein here with you on this Wednesday evening. Joined tonight by Rob T. Firefly. Good evening. And Kyle. Hi, I'm here. Do I sound a bit low to you? I sound a bit low to me. Yeah, I hear like... You hear that staticky type noise. A little air noise or something, but that's fine. There's nothing I can do about it. You're present. I think you're in the mix. That's good enough. And that's it. That's all the people that are here tonight. I kind of like it this way. There's no Bernie. Bernie's on assignment. Other people just are doing other things. And here we are on this August day, just the three of us. But it's not going to last because we'll be joined by a special guest in just a little bit. But first, before we do that, I'd like to focus on a couple of stories. First of all, good evening to both of you. How do? Well, we were starting a story last week. We didn't get a chance to really go into it because we had another discussion that we couldn't seem to stop. So we have so many interesting things to talk about. 
But in this particular case, we were talking about a quote-unquote computer hacker from Birmingham in England who has been named as the number three on the United States kill list of key ISIS operatives. Now, the reason I find this story interesting is because when you look into it, when you study what is actually going on here, there is nothing that would warrant being assassinated, as U.S. authorities apparently are publicly saying they wish to do to this guy. Junaid Hussain fled to Syria back in July of 2013 and is now believed to be one of the leading hackers of ISIL, ISIS, whatever you wish to call them. And U.S. officials, as we've mentioned, have reportedly said there is an intense desire to assassinate him. We did not give out his Twitter account last week and we're not going to do it again this week because nothing worse than being assassinated is being hounded by annoying people on Twitter. Hussain was jailed in 2012 for stealing the personal information of Tony Blair and posting it online. I think that's why they really want this guy. He's 21 years old. He's from Kings Heath. He escaped to Syria two years ago while on police bail. He's on the terror organization. He's listed as the terror organization's most accomplished hacker. That's actually a title. Most accomplished hacker of ISIS. Hussain has targeted America, has posted threatening messages and propaganda videos. Guys, just raise your hands if you see anything in there that warrants assassination so far. He's number three. Number three to other people that are definitely on the list, like Jihadi John. This is the guy who beheads people on video. And the leader, the supposed leader of the entire organization, Abu Bakr al-Baghdadi. They're higher on the list, but he's number three. This guy is on Twitter. This guy is a hacker. John was British too, right? I think so. I believe so. He had a British accent anyway. Right, right. There was a lot of talk about that last year. The U.S. 
authorities actually say that they believe he's behind the online radicalization of at least one of the two gunmen who opened fire at that Prophet Muhammad cartoon shenanigan that was taking place in Texas back in May. Remember that? I do. People tried to open fire on a bunch of, I consider them idiots. But the fact is what they were doing was much worse, but it was done very awkwardly and badly. Now they think, the U.S. authorities think that he was somehow behind the online radicalization. How does online radicalization work? Is that like taking an online class or something? It can't be there in person. So you get radicalized online, you get a little certificate or something, you're now radicalized. I'd like to know. A little badge for your website? Well, it's how easy, you just basically make contact with somebody on, I guess, Twitter, because that seems to be the tool of choice lately, and then all of a sudden you're deemed radicalized and a threat and open to assassination. But in this particular case, this guy supposedly is out there radicalizing people. It's serious stuff, but when they have sentences like, Hussain is identified as the main suspect in the hacking of Twitter and Facebook accounts belonging to U.S. Central Command, it's hard for me to really see this guy as the kind of war criminal you have to go after. You've got to show me something a little bit meatier than that. Yeah, and you would think, when the authorities want to announce, okay, there's somebody out there that we would very much like to murder, usually they're willing to attach a whole list of truly, truly terrible things to hold up as examples of why we should let them go murder this person. And you have people like the other one who was beheading folks. Okay, that person was murdering people, so to teach him that that's not a good thing to do, we should go murder him, okay, that's what they want to say, all right. 
But this person, if all they've got on him is that he's radicalizing people online, he's, what, he's communicating with people online, he's chatting with people. No matter what you're saying, is that something that is really something that you could reasonably punish by killing someone? We were accused last week of radicalizing people. We were. On the air. And that, to me, seems a lot more dangerous than online because, well, you never know who you're talking to online. Yeah, it's just, I think we're being tested here. I think we're being given a little more leeway to kill people. First, kill people who kill other people. Kill horrible, savage murderers, et cetera, et cetera. Then kill people who, I don't know, cause all kinds of financial distress. Then kill people who steal. Then kill people who insult you. Then kill people who think wrong. It's basically making the criteria a little less and less each time until we're like, yeah, of course, kill these people because it makes sense and we've done it before. I did find something else, though, so maybe this is enough. Since he arrived in Syria, Hussain has threatened to raise the ISIS flag over 10 Downing Street and the White House and also to empty British bank accounts to fund terrorism in the Middle East. Right there. Yeah, you've got to kill the guy. A flag. Wow. But he wants to empty British bank accounts. He wants to do this, which means that it's possible that he can do it, which means he might as well have done it, which means we've got to punish him, which means we should kill him to prevent him from doing it in the first place. So we not only have a flag. He has announced that he would very much like to take other people's money, which what else do people do? It's just how does this get so far out of control? 
You know, the other thing that gets me, there's another story that I find kind of interesting about UK parents getting the power to cancel their children's passports if they're afraid that their kids are going to go and join ISIS. If they think their kids are about to travel to Syria or Iraq to join the Islamic State, they will be able to apply for their child's passport to be canceled. David Cameron announced this in a speech setting out his five-year counter-extremism strategy, and I guess if he's worried about teens and pre-teens becoming terrorists, that's right up there and all the other important things that need to be done. Cameron said that parents would, in effect, have the right to cancel the passports of their children under 16 to prevent them from traveling to war zones. Were kids 16 and under able to just travel by themselves anywhere they want? I always assume that you have to have some kind of guardianship of some sort to hop onto a plane or something like that. Do we know how it is in this country? In this country, usually it's the parents who will go out and get a passport for their children or not, depending on whether or not they want to bring their kids somewhere. But yeah, I'm not aware of a bunch of 14-year-olds running around and getting on planes and going to Europe or whatnot. Yeah, I think you can make arrangements, but I think guardians have to do that. I don't think underage kids can buy tickets independently. I've never heard of it. It seems like overkill. It seems like this would already be covered by something. Yeah. I don't know how many parents have their kids saying, I'm going off to Syria, but no, I won't join ISIS, I promise. I'll be back by next week or something. But could you keep paying my cell phone bill? Yeah, there might be some extra texting. I don't want Wi-Fi. But Cameron went on to say a bunch more, which I think is the real story here. 
The prime minister stressed the extent to which Islam had come to be used as a cover for violent extremism, as he argued that the state had a right to side with moderate Muslims in what he described as a battle of ideas. He said there was a need for difficult cultural conversations over issues such as honor-based violence and female genital mutilation. I'm not quite sure how that entered into the conversation here. In a speech at a school in Birmingham, the prime minister said Britain was a successful, diverse society, but had to confront a tragic truth, that there are people born and raised in this country who don't really identify with Britain and feel little or no attachment to other people here. Those people, of course, being the House of Lords. There are other basic things that we could be talking about here with this story, but I find it all to be really kind of bizarre and weird. For one thing, they just arrested a couple from Mississippi yesterday who were accused of trying to travel to Syria to join ISIS. I have to wonder, if you decide you want to go to Syria to fight against ISIS, is that illegal? What if you tell people, I'm going over to Syria to battle these evil people, and I promise I won't join the other side. Is that okay? The other thing I don't get is how are these people being arrested for going to Syria? Why don't they just go to another country and then go to Syria? Then they don't get arrested in places like Mississippi, which seems awfully bizarre. I think that their itineraries, the countries they are ending up in, would point to an attempt to cross the Syrian border, or they're just hoping the sheer volume they'll be able to slip their itinerary through. I think that's pretty safe to presume is going on there, but I'm not entirely sure. I think that people will not be looked at the same way. 
If you're going over there independently to fight independently against some perceived terror group without any kind of organization, I think it's going to be looked at with a lot of suspicion. I think you're going to have a lot of difficulty. I think you have to be involved with some sort of... That's why you don't tell them you're going over to that particular... It just seems like they're really not thinking this through. They're not the brightest bulbs in the bunch. Maybe it's best that they do go over there and not succeed at what they're trying to do because they sure can't cover their trail very well. I'm very much intrigued by what Cameron said about British kids growing up and not feeling attached sufficiently to Britain or not being patriotic enough because I have some friends from the UK and other parts of Europe who have all said to me the same thing when they've come over here and visited, which is that one thing that blows them away about this country is how flag-wavingly patriotic everyone is expected to be with the American flag everywhere and politicians basically have to wear a flag pin on their lapel when they do appearances. You can't not do that now and all this stuff. I've had that described to me as various levels of unsettling by people from other countries and now it looks like they're being accused of not being sufficiently patriotic in the UK by Cameron. To take this as a sign that maybe you shouldn't be letting your children travel or maybe they're going to go to Syria and join the wrong side... Or just talk to people online. Or just talk to people online. You never know who those people might be. I think if we have a conversation where we know how to back up what we believe in and understand why we believe what we believe in, you shouldn't have to worry about these things. You shouldn't have to worry about your kids suddenly snapping and joining a terrorist group. 
But it's being put out there almost to the extent of child pornography or something. This is right around the corner. You have to curtail your rights to protect yourself against this evil. It's just the same basic strategy again. Our children are being preyed upon, therefore X. And we must do this and so on and so forth and let these various freedoms go. Or have more control over adolescents or people that are not actually full legal adults yet. Right. And so on. Absolutely. Yeah, they might find themselves the subject of the wrong kind of communication from somebody that maybe you want to kill for communicating with people. I think these stories are really difficult to talk about because there are a couple different layers of what's going on and then it's very specific to this is going on because in relation to terrorism or this is going on in relation to geopolitical turmoil and so on. I think if you interchange some of the stuff and the scenario was different, it was about something else or for something else that people were leaving. If it was to go to Disneyland to be radicalized or indoctrinated. That does happen. I think you need to be as weak to be indoctrinated by Disney. It's a different kind of radicalization, but it does happen. And maybe weak is harsh, but you have to be as susceptible to that kind of instruction. If anything we've said tonight has radicalized you, if you feel you're on the verge of radicalization, let us know first before you do anything dramatic. OTH at 2600.com. Write to us here at Off The Hook and we'll talk you down from that. Or at least listen. Maybe you can convince us that radicalization is the way to go. I don't know. But it just seems like this has really gotten so far out of hand that it's well into the realm of absurdity. Hey, we have an update on the petition for Edward Snowden. I'm going to get our guest on the phone. Why don't you guys discuss this? Okay. Yeah. They've been on whitehouse.gov. 
They've had the system in place for people to post petitions for whatever they like. And if they get a certain amount of signatures, then the White House is supposedly supposed to respond to them. Okay. There were multiple petitions, I remember, a couple of years ago in favor of pardoning Edward Snowden. This is one of them. It was published on June 9th, 2013. We petition the Obama administration to pardon Edward Snowden. Edward Snowden is a national hero and should be immediately issued a full, free, and absolute pardon for any crimes he has committed or may have committed related to blowing the whistle on secret NSA surveillance programs. That got 167,955 signatures. Now, recently, within the past couple of weeks, the White House has published their response two years later. And here's the response. And I'll read this in its entirety and then we can talk about it. Sure. Official White House response to pardon Edward Snowden. Thanks for signing a petition about Edward Snowden. This comes from the White House. This is an issue that many Americans feel strongly about. Because his actions have had serious consequences for our national security, we took this matter to Lisa Monaco, the president's advisor on homeland security and counterterrorism. I already know where this is going. Here's what she had to say. Nope. As the president said in announcing recent intelligence reforms, we have to make some important decisions about how to protect ourselves and sustain our leadership in the world while upholding the civil liberties and privacy protections that our ideals and our constitution require. Of course you do. Instead of constructively addressing these issues, Mr. Snowden's dangerous decision to steal and disclose classified information had severe consequences for the security of our country and the people who work day in and day out to protect it. 
If he felt his actions were consistent with civil disobedience, then he should do what those who have taken issue with their own government do, challenge it, speak out, engage in a constructive act of protest, and, importantly, accept the consequences of his actions. He should come home to the United States and be judged by a jury of his peers, not hide behind the cover of an authoritarian regime. Right now he's running away from the consequences of his actions. We live in a dangerous world. We continue to face grave security threats like terrorism, cyber attacks, and nuclear proliferation that our intelligence community must have all the lawful tools it needs to address. The balance between our security and the civil liberties that our ideals and our constitution require deserves robust debate and those who are willing to engage in it here at home. Now... That's some newspeak. That's like the Ministry of Truth. First of all, we've spoken about this very, very often in the past, and I think you guys know the answer to this, but what would happen if... What would happen if Snowden came back and faced the consequences of his actions? Yes. Would he be tried by a jury of his peers? No. Would he have any chance at all, basically, of facing a fair trial and answering for what he actually did versus what it represents? No. No, I tend to think so as well. Not in a million years, I don't think. All right, so what happens now? What happens now is absolutely... I don't think anything happens as a result of this. I think the White House has basically put out a bunch of talking points that really don't mean anything, most of this. I mean, I read this thing, and I don't know what most of it says. It's very general. Yeah, it's very general. There are a lot of words that don't mean anything, and there are a lot of words that are patently false, like the concept that he could be fairly judged by a jury of his peers if he came back and faced the music. 
This talking point has been used by Secretary of State Clinton and other people to say, well, if he did the right thing, then he should face the consequences for doing the right thing. But because he would basically face a lot of the sort of consequence that Chelsea Manning had faced, which is non-public trials, just being locked away, being made to disappear, being made an example above and beyond anything that he actually did. And yeah, I don't think that the White House is being very ingenuous here. Yeah, yeah, yeah, exactly. I think the comparison is adequate to Chelsea Manning because that's the perfect example. I hear we have a guest. Let's move on. Yes, well, we're going to have a guest in a second. But first, I'd like to let people know not to panic because we have some—actually, we only have a couple of people, really, that have been writing to us, but they've been writing to us about 25 times, saying that our SSL certificate has expired and, oh, my God, it's the end of the world and we can't trust you anymore. Yeah, folks, we know about this. If you go to our site, if you go to our show and try to download, you might get a message saying that our certificate has expired and you have to click an extra couple of buttons and you might get a warning saying that this site is not who you think it is. Well, it probably is who you think it is. Probably. I can't say for sure. I never could say for sure. But what happened was this. We basically signed up for a cert, a certificate. It's hard to explain exactly what this is, but your URL has—instead of HTTP, it has HTTPS, meaning you're using SSL, it's encrypted, and somebody cannot eavesdrop on your session. You might ask what difference does it make? You're listening to a radio show that's public anyway. Point is you want your privacy, and it's something that we do support. 
What we don't support, though, is what has increasingly become nothing short of extortion because there are these companies that charge you, and they charge you a fair amount of money. Some of them charge you literally thousands of dollars. Some of them charge you much less than that to basically vouch for you and say this is the site you think it is. And why do we say that? Because we're trustworthy, and you can believe us. I'm oversimplifying it. I'm probably not even understanding it properly. But I saw one person describe this online, and I think this is my favorite way of describing it. It's basically like the coolest kids at the party saying, this dude is legit. When a browser asks them about you, you pay for those cool kids to accept and talk highly of you. If you want them to say this dude is totally epic instead, well, then you just spend more money. That's really what it comes down to. That's really it. There are these companies that charge you much more than other companies, and if you get your certificate from those companies, the ones that you pay more for, then people really trust you. If you get it from the companies that don't charge as much or that may be provided for free, oh, my God, can you really trust them? If you do the worst possible thing and sign your own certificate, that's completely a horrible thing as well because how do we know to trust you when you're saying that you're trusting yourself, error does not compute, etc., etc. What's ironic, though, and this is the final irony here, is that the company that we paid to have this, to have this cert for, we didn't give them real information. They don't know anything about us. They really don't know, and we don't know anything about them either, to be honest. We don't know who these people are. We don't trust them, but the world trusts them, and the world says, yes, if you say 2600.com is legit, then we believe you. 
If 2600.com says they're legit, I can't be sure because, well, who are they paying to tell the world that they're trustworthy? I know. I'm probably annoying a lot of people by saying it in this oversimplistic manner. This is a good time, though, to introduce Seth Schoen from the Electronic Frontier Foundation. Seth, are you with us? Yes, I am. How badly did I mangle that explanation? Not too bad. Okay, all right. That's better. Now, you guys, you're the chief technologist over at EFF. Is that correct? I'm a senior technologist. All right. We have a lot of us technologists floating around here these days. That is true. You certainly do, and that's amazing. But you guys are part of a new project called Let's Encrypt, which is, I believe, debuting in about a month or so. You want to tell us about that? Yeah. Sorry about the schedule, by the way. There's been a slip in the schedule, so I'm sorry to break the news about that. Oh, tell us. Tell us the news. It's slipping back for full public availability to November now. Oh, boy. Okay, so there might be some more people that are upset at us. I'm sorry about that. Well, the important thing is to get it working properly, but tell us what Let's Encrypt is going to do. We're going to have a certificate authority, like the ones that you were just talking about, with a couple of differences and a couple of similarities. The similarities are that the browsers are going to accept it. So we're going to be in that cool kids club, as you put it. So the browsers won't show the errors. They'll say your connection to this site is fine. One difference is that we're not going to charge money for the service, and we're going to completely automate the process. And as a result of automating the process, we're not going to have a lot of incremental costs for each certificate that we issue. That's something. Go ahead. Sorry. It's going to be a nonprofit. So we've got some sponsorship mostly from industry, some individual donations. 
And because of the lack of marginal cost, we're able to do the engineering work, buy the hardware, put things in place. That part can be kind of complicated, kind of expensive, kind of bureaucratic, as you were alluding to. But then there's almost no cost whatsoever to us for each new certificate that we give out. So there's no reason, operating on a nonprofit basis, that we have to charge people. So we're not going to charge the end users at all. So that leads to my question then about the existing companies charging an arm and a leg for these certificates, and not only charging every year, because they have to renew every year. And for some reason, if you don't pay, suddenly you're not trustworthy anymore. Are the costs that they're passing on to various websites and companies and people, are they legitimate? I guess there are two ways of looking at that. One way of looking at it is that it is a pretty lucrative business, and it's a business with a very low marginal cost. So the most famous fortune that came from this business is Mark Shuttleworth's fortune, the space tourist, the founder of Ubuntu. He became wealthy starting a certificate authority and selling these certificates to people, to the extent that he was able to go to space as a space tourist, and also to the extent that he was able to create the Ubuntu operating system. I heard somebody say that if you feel bad about spending all this money on your cert, just feel good that you were able to send this guy into space. Yeah. I mean, good for Mark Shuttleworth that he was able to go up there, I suppose. It can be a very lucrative business to be in. It can be very profitable. On the other hand, there are a lot of startup costs. There are a lot of fixed costs at the beginning if you want to set up one of these certificate authorities. You don't just put up a server somewhere and start giving them out. 
There's the bureaucratic element, which has come in for a fair amount of criticism, that you have to go through a lot of auditing and you have to pay a lot of auditors to come and look at everything, and you have to have a lot of policy documents and a lot of rules and procedures in place. And that adds cost for sure. Whatever you think of what people are getting from that bureaucracy, it's expensive to go through it. And the other thing is you have to buy things like hardware security modules. So you don't want people to steal the private keys from the certificate authority. So instead of just putting them on a hard drive of some server, you get one of these fancy devices that's a highly tamper-resistant device that issues digital signatures but can't export the private key. And those are expensive too. And so there are these hardware requirements, there are these engineering requirements, there are these bureaucratic requirements to get the infrastructure in place to start doing the certificate authority thing. Once you've done that, depending on what you're verifying or not verifying, you mentioned the people who gave you your certificate didn't really verify anything much. They don't really know who you are. And that I think is one of the sort of misconceptions or legacies that's out there where a lot of people assume these people must be verifying everything. They must be checking and confirming everything. And the common business practice is exactly what you experienced, that they don't necessarily know your identity. They don't necessarily know who you are. What they're vouching for is a very specific and technical thing in most cases, which is just about your cryptographic key and your control of the domain name, which is not the same as your identity in the ordinary sense. They don't necessarily know where you live. They don't necessarily know where your office is. They don't necessarily know your legal name. 
They've just checked this specific thing that the browser needs. And that kind of check can be automated and it can be cheap. So you're in this situation where you have to spend a lot of money up front and then it doesn't cost a lot to do the thing over and over again. That's amazing to me that you guys are doing this. And it represents a certain amount of honesty too because, like you said, it's a very lucrative business. It's easy to make a fortune just I guess kind of scaring people into feeling they have to do this in the first place. Now you said that industry was involved in this in addition to the Electronic Frontier Foundation. Who else is part of the project? So we have the folks who are doing a lot of the engineering work with us, and these are all folks from other nonprofits. And so in particular, Mozilla and the University of Michigan are the folks who have put together the technical and organizational part with us. And then our sponsorship has come especially from Akamai and from Cisco, and we have some other sponsors also. Wow. Have you gotten a reaction from some of these other existing companies or the community in general? I think for the existing certificate authorities, the most that I've heard is a sort of, well, I hope they plan to follow all the rules. I don't think it's very good news necessarily for the low end of the market, for the people who aren't verifying people's names and identities and so on. In other words, they're saying basically, we're watching and we'll be right here to tell you you're doing it wrong. Yeah, I think that the existing certificate authorities will want to make sure that we're dotting our I's and crossing our T's and so on. The EFF has done this wide range of work in all these areas of the electronic frontier. What led the EFF to take on this project? 
So we have a project that we've called Encrypt the Web that's been going on for a couple of years, originated by our chief computer scientist, Peter Eckersley, who's off at the CCC camp right now in Germany speaking about Let's Encrypt. And it begins tomorrow, yes. Yeah, that should be a fun event. I'll be out here in San Francisco, but jealous of all the folks who are getting to go out to Germany for that. Yes, us too. And the idea of the Encrypt the Web project is that it's very dangerous to have all of these communications unencrypted in plain text, and that that's been the default for a lot of the Web for as long as the Web has been around. And every now and then we get some kind of hint that this is actually very dangerous, very risky to not have encryption on your communications. You know, at DEF CON there was the tradition of the wall of sheep, where if people would log into a site and they didn't have an encrypted connection, someone could see that on the network with a packet sniffer. It would just appear going by. And people would record that and they would put it up on the wall and say these people might want to change their passwords. Yes. And so I think a lot of folks from the tech world and from the security world and from the hacker world really sort of knew that at some level. Like, you really ought to have an encrypted connection when you log into things. And I think a lot of other people didn't really have the same sense about why that mattered. And this encryption for websites, the HTTPS encryption, which is also called SSL or TLS because we like acronyms a lot. It became very associated with credit card numbers, which I think was a big mistake. You know, the credit card industry and the nascent online shopping and e-commerce industry in the 90s said, oh, people aren't going to want to shop online unless there's some kind of security. 
And so they invented all these measures and they really associated them for people with credit card numbers and said, don't type in your credit card number unless you see the lock in your browser. Yes. Because your credit card number has to be protected and has to be encrypted. And I think that proved to be really kind of a narrow vision because credit card numbers aren't very secret. Like, you go to a restaurant maybe and give your credit card to someone you don't know who takes it off into another room. Yes. It's not the most secret and the best protected thing that there is. And a lot of the anti-credit card fraud has been done really in other ways, not necessarily by keeping the number secret. Whereas we have all these things like e-mail and messaging from person to person that can be very private and very sensitive and that didn't end up by tradition getting that same kind of protection and that same level of protection. And we still meet people who say, why do I need SSL on my website? I don't have credit card numbers. Meanwhile, they may have something that's very private that people really care about, but it's not credit card numbers. And it hasn't quite sunk in that there are more sensitive and private things out there than credit card numbers. One of the things that I think really went a long way to showing people that website connections ought to be encrypted was this program called Firesheep. Do you remember when that came out a few years back? I do remember the name, but could you tell us something about what that was? Yeah, it was sort of like the do-it-yourself-at-home version of the Wall of Sheep from DEF CON or maybe do it in your office or do it in your college dorm. It was a very, very easy-to-use tool that would let you listen in when people on your Wi-Fi network logged into sites like social media sites. And then it would copy their cookie, if the connection was unencrypted, into your browser. Wow. 
And when their cookie got copied into your browser, if you went to that site, the site would typically recognize you as logged in as them. Okay. And so that could be done against Facebook and it could be done against Twitter and it could be done against Flickr and a whole range of sites that at that time didn't have or didn't require encrypted connections. Gmail was one of the few at that point that required them, so it didn't work against Gmail. But against a lot of the other ones, it did. And the level of technical expertise that you had to have to use the Firesheep tool was really low. You basically just install this thing and open it up and it says, these are the accounts that people are logging in as on your Wi-Fi network around you. Click on one to become that person. And then you would click on one and it would open up your browser, connecting to that site as that person. Amazing. And that was a couple of years ago, that happened. Yeah. Wow. It's just one of the things that really sort of created this wider awareness like, oh, these unencrypted connections are dangerous for people. And so EFF around that time started to work on campaigning to try to convince website operators, you know, you should have encrypted connections and protect your users. And one of the difficulties was this whole business about credit cards. Like, we only need this if we're accepting credit card numbers. Right. So that did more harm than good, basically, by saying that this was designed to protect people entering credit cards. People thought, oh, if I'm not entering credit cards, I don't have to worry. That's right. We still hear that to this day. Amazing. Yeah. The other difficulty, the other obstacle, I think, apart from that sort of conceptual one, was the certificate authority system. Okay. The fact that in order to have a secure site that doesn't show an error in people's browsers, you need to get one of these certificates from one of these trusted authorities. 
And that does traditionally cost money. It's been getting cheaper over time. But it still typically costs money. And it also is a little bit complicated and a little bit time consuming. Yes. It seems like for sysadmins who are used to running servers but not used to getting a certificate all the time, it can often take about an hour to figure out how you do this thing and to go through all the steps and then to figure out how to install the certificate on the server. And they usually only have to do it once a year because the certificate typically lasts a year and then expires. And then that's just enough time to forget all the steps and then have to figure it out again. Right. And the certificate, once it's made, it can be made to just continue to exist. By expiring, it just forces you to pay for it for another year, correct? Yeah. I mean, I think there's a good security reason for having expiration. Not to express too much sympathy with the DMV or with government ID cards. But, you know, there's a reason for credentials to expire periodically, which is not just to extract money from people, but to sort of limit the damage if something goes wrong. If you put out a bad one or a fake one or someone, you know, counterfeits it. If there's an expiry, you sort of limit the damage or the window of exposure from it. And you force people to come sort of check in periodically and you can re-verify them. Is that what in fact happens? Are people re-verified or do they just collect the money? It's a good point. In many cases, for many of the authorities, they just collect the money. But the purpose, at least, of having an expiration, in theory, is if something goes wrong, it's not going to be a problem forever. And there's a theoretical opportunity to re-verify. 
In that process, you get something that has changed or is updated or different, in other words, right, as a part of getting your key re-certified? Different authorities have different practices about that. It could be either way. It could be totally redoing the process, including generating a new cryptographic key. Or it could be collect the money, here's the new certificate that's identical to the old one. You know, it gets even worse, though, because many of these certificate authorities require you to get a different cert for each subdomain. For instance, we run the HOPE Conference, and every one of our HOPE Conferences is a different subdomain of hope.net. You know, x.hope.net was hopex, and whatever was hope number nine. But the thing is, we'd have to get 10 certificates just for hope.net alone, and that's only one of our domains. And each of those is going to be an additional payment. Yeah, exactly. Yeah. Well, again, there are technical reasons for that, but it turns out to cost people a lot of extra money. Yeah. Well, Seth, I can't express my appreciation enough for what you guys are doing as far as the Let's Encrypt project. Do you need people to get involved at this point? Are you accepting donations? Yes, to both, definitely. You know, what I was just going to say, and this relates to needing to get people involved. The other advantage that we have, apart from not charging money, is that we're going to be totally automated, not just for the verification process, but also, if people want, for the deployment process. Meaning, if you have a website, if you have a web server, you can just run one command, and go through the whole process in less than a minute, and get the certificate, and install the certificate. That's even better than not having to pay, is the simplicity. I think so. We can save that hour of the system administrator's time. Wow. I think that's going to be a real advantage. 
So, you'll be able to run that from your machine, like you would run any sort of application update or something, and it would do all of that as a batch? Is that what you said? Basically, so, yeah. It's something that's run on the web server, but it's run as a single command. Brilliant. That's very cool. And it will handle all the steps, and take you through the whole thing. There is an existing tool that works with a paid certificate authority that has some of that functionality, for people who, at least in the meantime, are looking for paid certs. There's a tool called the SSLmate that's had a kind of similar concept about automating that process. I think, in the long run, we may have even more functionality. But I do appreciate what the SSLmate folks have managed to do with their tool. Well, of course, I think the end goal for many hackers, and a lot of people who are familiar with the Internet, is to get everything to be encrypted by default. And that's always been a problem, because it's been way too complex for most people. Yeah, I think that's right, and I think we may be able to help with that. One possibility is that our software could even be included with web servers, so that when you install the web server, it could just get the certificate automatically for you. Wow. As a completely automated, behind-the-scenes process. That would be pretty different from the way things work today. Absolutely, yes. Changing the rules entirely. Seth, let me just ask you one more question. Is there any reason why anybody running a website should not be using encryption? People have argued about that quite a bit. There are some people who argue that if they have a site where all of the content is totally public, then they have no reason to use encryption at all. And it will just sort of slow down their site, or add complexity, or add reasons to possibly break things. 
I think for some of the things that we've seen in the Snowden documents, there's evidence that there's a wide range of benefits to people for using encryption, even to access totally public information. Not just from a privacy point of view, but even from a security point of view. The Snowden documents show that there are tools that sit on the network that inject malware into third-party sites, or that inject tracking into third-party sites. And so even where people think that there's no privacy consequence, with some of the surveillance and espionage tools that are out there, there may still be a privacy consequence to having an unencrypted site. So I think there's an argument to be made that it would be a good thing to just make this a default background part of the web's technology. That's an interesting distinction, because a lot of times when we hear that argument, we hear a lot about it really just being a way for intelligence or bureaucratic agencies to build a picture of who you are, and what you're doing, and what you're interested in. But that does add a layer to that that is well put. Yeah, I mean, I think both sides are there. In the sense that there are sites that don't have any private content, but that give the user a cookie for advertising tracking. And there's reporting from the Snowden documents that shows that those advertising cookies were repurposed for tracking by intelligence agencies. Wow. And so there, you could be facilitating spying without even knowing about it, or without even intending to, just by having an unencrypted connection, and by having cookies on your site. So there's your reason. There's your reason for having encryption on your site, even if it just serves public information, correct? Yeah. I mean, you can go way into this in terms of the panoply of reasons that could exist. 
Also, often there's a privacy interest that the site operator might not really appreciate, where information might be very controversial or very privacy sensitive for one reader, but not for another. Yes, yes. One might say, no one will care that someone is reading this site. This site is so innocuous. And for some reader, it's not necessarily that innocuous. Maybe somebody from North Korea might be browsing your website, and they could get into a whole lot of trouble for going on a particular story, even though it's public. Yeah, I think that's a real possibility. You can construct a lot of scenarios. We have sites with medical information. All of the information on the site is public, but there's still a privacy interest in which kind of medical information someone is interested in. So there's sort of many different levels, many different layers, privacy and security arguments for why the encryption is significant. All right, Seth Schoen, we want to thank you so much for talking with us, senior staff technologist over at Electronic Frontier Foundation. The site is letsencrypt.org, and it will be going live to the public in the next few months. Is that the timeline? Yeah, that's right. And we have that client software that we're working on to try to automate the whole process, to try to automate the getting and deploying the certificate. So for technical listeners who have a website, you won't be able to get the cert yet, but we can use a lot of help with the development and with the testing of that client to make sure that it's compatible with a wide range of servers and configurations. And is there a way people can get involved with that kind of help formally? And also donations, how's that going? Where can people direct any kind of funding if they're interested? I think we have information about making donations on the letsencrypt.org site. And there's a link to our GitHub repository that has code where people can download and try it on their servers right now. 
The certificate that you get today will not be accepted by browsers, but you can test the compatibility part today. And that's something that would be very, very valuable for us to find out about how well it does or doesn't work with different people's servers and configurations. All right. Again, Seth, thank you so much for your efforts and everybody else involved in this project. And we look forward to it. And we'll encourage everybody we know to use us. We certainly will because we're sick of being threatened with not being trusted anymore unless we pay up. letsencrypt.org is the website. Seth, again, thank you. Thank you very much for having me. All right. Seth Schoen from the Electronic Frontier Foundation. He's the senior staff technologist over there. I'm looking forward to this, guys. What do you think? I think it's really interesting. I'm very impressed with some of the things they're offering. I hadn't been aware of just how much they've been doing. So, okay, you might see that little error message for a little while. We'll try to fix it. We'll try to replace it with something else or make it so that maybe we can make it so it's a promo for this. That would be kind of cool. But we have not been hijacked as of yet. We're still as trustworthy as we were before. We signed up for a cert in the first place. I knew this kind of thing would happen if we signed up for a cert. But letsencrypt.org is the site accepting donations, accepting technical help. It's going to change the rules quite a bit. And I think that's always a good thing. I'm always in favor of changing the rules to take something that people are exploiting for ridiculous amounts of money and put up. It sounds like what's in the works is not only a free counterpart, but an actually functionally better counterpart to what they're doing. I appreciate that very much. We have a letter. We always get lots of letters, but we don't have time to read them. 
But I'm going to try and squeeze this one in. And if you'd like to add your voice to the many letters that come in, you can email oth@2600.com. Is this the one about us not radicalizing enough? No, I'm not going to read that one this week. You have to tune in a future week for that. Oh, and by the way, Seth did mention that the Chaos Communication Camp is happening in Germany starting tomorrow. And folks, I don't think I'm going to make it this year. I just don't think I can get over there. I can't lend a hand. I only have one. Well, that's true. Your hand is still busted, although we're going to get that cast off pretty soon. Volunteering is a big part of it, though. We have a lot of other things to do, and I really want to be there. They're in spirit, folks. If you're listening to us, we're here in New York, and we hope to see you at future events. And I really feel bad not being at that one. Can we go virtually? Can we go virtually? Well, I assume there's streaming. I think there is. Yeah, I mean, we had streaming at Hope. Chaos Communication Congress certainly has streaming. The camps, I believe, have streaming as well. No. Lots of hacker conferences have streaming, so you don't actually have to show your face there. You can just watch online. The important ones. Anyway, so let's go through this letter quickly, because it's a fairly long letter, and we're almost out of time. Guys, I was just listening to the podcast version of the August 5th broadcast, where you're talking about the dire security posture of the Android ecosystem. I wrote an article on my own blog about this a few days ago, when I first heard about the Stagefright vulnerability, which I'm sure doesn't say anything you guys don't already know, but does talk about mitigation steps that Android users can and should take, given the unlikelihood that a patch will come to your channel anytime soon. 
Thinking about this a bit more, it occurs to me that there are a few possible solutions that I have not heard anyone else talk about yet, and I'm curious to know what you think about it. Won't really have time to go into it, but maybe our listeners can write into us. Given that the Stagefright vulnerability is exploited via weaponized MMS, and that, unless I'm mistaken, MMS has to propagate over the carrier's network in order to reach your handset, is it possible for the carriers to monitor and intercept such weaponized MMS messages on the network end using their own nodes? If so, doing this would likely nullify the threat of this exploit faster than issuing a patch that would need to be tested on all the thousands of different devices that run Android. My immediate thought on that is that that works if there's one weaponized MMS out there, but if there are, say, a thousand different varieties, then it could take a long, long time. We already suggested not automatically downloading MMS, right? Yes, and we successfully turned that off, but that's one way, so don't accept MMS. It's not SMS. SMS messages are not the threat. Apparently it's in MMS. Number two, would exploiting the Stagefright vulnerability allow a benevolent attacker to deliver a patch for the vulnerability as the payload, thereby fixing the problem? This thought immediately conjures images of the renegade repairman Harry Buttle from Terry Gilliam's film Brazil, which I'm sure you know was based in part on Orwell's 1984. It's a delightful thought. The idea that people exploit this vulnerability in order to get OEMs and carriers to take the threat seriously and roll out patches while a quote-unquote Pearl Harbor-level security event is clearly looming, advocating for it is not something that I would consider to be in the public's interest. 
While it is said, well, said rather, that it is probably the case that such a major incident might well be the only thing that spurs the industry to act, actually advocating for it to happen is a bit extreme. Thank you. Particularly in light of Emmanuel's oft-repeated appeal to not use the term in a conservative sense, this seems like a poorly considered remark for him to have made. If Emmanuel really wants to double down on advocating exploiting the Stagefright vulnerability, I'd hope he'd at least advocate that the attacker construct an attack that benevolently delivers a patch to the vulnerability if that is indeed possible, perhaps shaming the vendors for failing to act in the process or if that might help to spur the industry. Anyway, I'm glad to hear you guys covering this topic. Love listening to the show. Best wishes. I always advocate that people do things, not just talk about doing things. I'm not advocating destructiveness. Never do. But if there is some kind of a remote exploit in anything, I would much rather, instead of reading a PR piece about it like we've been doing the last few weeks and saying that all the details are going to be released if you attend this person's talk a month from now or if you go to this person's website or become a customer of theirs, if you have the information demonstrated, show us, be specific. And by us, I mean the radio show, I mean the magazine, I mean the hacker community in general. If you know how to make a 747 actually move around in the air, don't just brag about it. I'm not pointing to anybody in particular, but don't just brag about it on TV or say that, yes, this will be detailed in my upcoming book a year from now. Either put out the book and then deal with the aftermath of that. Talk about it on the radio. Be specific. Put it up on a website. Show us what it is you're talking about. It shouldn't be attached to a product. Once the information is there, it should be spread around. 
And then, yes, it's going to cause chaos and mayhem. It's going to piss off a bunch of people. But that's the nature of information. That's the nature of security holes. The alternative is to pretend that you can control the information and have it so that certain people know and certain people don't know. And you can guess that you might think certain people know, but certain other people know that you really don't want to know. And since everybody doesn't know, those people have a lot more power. So that's kind of, in a nutshell, the thinking behind statements like that. Absolutely. In the computer security field, just as in the regular security field, if you learn of a weakness, the standard procedure is to assume that if you do something that exploits that weakness but in a non-destructive way, in a way that just gets the word out, in a way that leads to it getting fixed faster, I think that can be helpful in the long run. I like specifics. I hate reading these articles that say, yeah, hackers can do this, they can do that, without telling you what they're talking about. I want to see it right in front of me. I want to be able to have it happen to me or demonstrate it to somebody else so that the issue gets dealt with and I don't have to focus on the story I really want to focus on. That is what Google did this week. I guess we'll just focus on it next week. They are changing, not changing their name so much, but changing their company name to, of all things, Alphabet. Wow. That's just going to change everything. It's the first thing you learn when you're a kid. Now, it's like the first thing you learn is going to be Google. Imagine the power behind that. We'll talk about that probably next week, but head over to us, oth@2600.com, and we'll be back again with another exciting edition of Off the Hook next week. Yes. Let's go out with something Alphabet related at least and we'll be back to talk about that next week. I feel like Alphabet Soup. That would be nice. 
It's not playing. I don't know why it's not playing. I have CD2 up and it's not working. What did Reggie do to the board? He always booby traps it like a CD player. Guys, give us some small talk for a moment. I'm a great fan of the alphabet but I always wondered who decides on what order it goes in. I'm curious. They have a holding company now and that's Alphabet. They're stepping back and making a bigger company. They used to work for Google and now they don't work for Google. They invented Alphabet. They invented a company that now owns them. I think I got it working. What we need today is an alphabet army. What we need today...