HAK_MTL (2019) - full transcript
Does privacy still exist in 2019? In less than a generation, the internet has become a mass surveillance machine based on one simple mindset: If it's free, you're the product. Our ...
Welcome to Metro-Optic,
one of Montreal's
main telecom centres,
which is a well-kept secret,
a major Internet data centre
serving the province
and part of Canada.
This room is located
beneath train tracks
in the bowels of Montreal.
About 75% of Internet
traffic travels through here.
Here we have more "private"
clients, as it were,
with their own exclusive room,
who wouldn't want it filmed.
So we'll move on.
- Who are they?
- A government agency?
- You can't say?
- They... Yeah.
It's very private.
Of course...
the hoodie's a classic.
So trite, huh?
Anonymous mask,
a series of ones and zeros,
numbers, hexadecimals...
That's often
considered a bad thing,
a crime, that kind of thing.
Not so. There's more to it.
There are different
kinds of hackers.
Some do it for the money,
some do it professionally,
some do it for fun,
some work for the government.
There's no such thing
as a typical hacker,
because there are
different kinds.
Hackers seen in the
movies are just one type.
It's important
to make a distinction.
The pessimist in me thinks
the battle has been
lost for some time.
The mere fact that everyone
carries a cellphone,
the optimal surveillance device,
beyond George Orwell's
wildest dreams
when trying to imagine
an omniscient panopticon.
This is also fuelled
by social media.
I do it, too. Everyone does.
Anything that can be
monitored is monitored,
as well as monetized.
And the prevailing
business model
for all high-tech companies now
is the selling of
personal information.
It remains a cash cow
for these companies.
And all this is based on data
collection, mass surveillance,
and the slow but steady
erosion of privacy.
It's an Orwellian
nightmare of sorts.
And I think I can
help in that regard,
through Crypto.Québec,
what we produce,
with our podcast,
articles, training,
and what we say to the media.
These matters affect everyone,
though people may
not realize it.
They affect everyone,
so this must be addressed.
Welcome to the 37th edition of
Crypto.Quebec's
Watchdogs podcast.
Hosted by Geneviève Lajeunesse,
Luc Lefebvre,
Jean-Philippe Décarie-Mathieu,
And Sophie Thériault.
We have a lot to
talk about today.
I simply wanted to look back
on a little trip
we made last week,
myself, Jean-Philippe and Luc,
to the nation's capital, Ottawa.
We visited CSIS and
CSE headquarters.
- Just to check them out.
- From outside.
- Well, you tried.
- Right.
Can you see the
building back there?
Kinda.
I really didn't expect to
see Canada's cyber elite
across from Loblaws.
For real, it's... Imagine...
Like, a huge, magical airport
next to the Quartier DIX30.
- It's kind of like that.
- That's exactly it.
- With nice bay windows...
- It's awesome.
Bay windows?
Of course.
They're all about transparency.
There they are.
Those who must be stopped.
Those who track your aunt's
metadata when she goes jogging,
because she happens to be
related to a person of interest.
- They work there.
- That's it.
I would tell an ordinary citizen
that they're the cyber
strong arm of the government.
To work there is to be part
of the problem, really.
Because they're really knee-deep
in the global
surveillance network.
I wonder what happens when
we reach the no-filming zone.
If we don't go beyond the
sign, we should be okay.
But we will be there in
about eight seconds.
There you go.
- "Breakin' the law."
- Story of my life.
Wait.
The reason we came to the
march against police brutality
was to see what
kind of surveillance
was conducted on protesters.
Would surveillance methods
be more conventional,
more technological?
So the CryptoPhone is the
device that was used in Ottawa
when IMSI-Catchers were found.
Same device.
I think it's highly
likely the Montreal Police
uses this type of equipment.
Here too, I'd wager.
This is a warning from the
Montreal Police Department.
Some protesters persist
in breaking the law.
Due to offences committed,
protesters are ordered to
disperse and leave the scene.
Otherwise,
we will be forced to step in.
I'm opposed to the
use of IMSI-Catchers,
because it not only affects
the targeted individual,
but everyone within range
of the IMSI-Catcher.
So everyone around
can be overheard,
can be tracked down here.
There isn't much to see,
the readings are not
showing anything abnormal.
Seems IMSI-Catchers
weren't used tonight.
For years,
the police denied using them.
So they were being manufactured
and sold, but to no one.
They caught me and took my cell!
Interesting.
The scenario is a thinly veiled
parody of North Korea, I guess.
Elections are being held in
the fictional kingdom of Rao.
It's rather unclear.
Seems we can either help
the regime or the rebels.
Now, we're helping everyone
to get more points.
Rao is basically a
fictional character.
People will think
he's North Korean,
but he's really based on
Mao, so more Chinese.
Everyone okay?
What are you working on?
Ah, nice!
Nice challenge.
NorthSec is a somewhat
elitist organization.
Since the event was launched,
we're the first to question
people's abilities.
They should hone their
skills to help,
because cybersecurity
is about helping people.
30 to 40% of our challenges
are won by all teams.
So about 60% of them go unsolved
by the end of the
weekend competition.
So people come here
because they know
they're really gonna
bust their humps.
They'll really challenge
themselves. And it's non-stop.
All hail Rao.
We can only vote once.
All hail Rao.
I think most people
with NorthSec
are against the idea
of mass surveillance.
Essentially, it's problematic,
giving so much
information to people
who have no business having it.
I was what's known as
a penetration tester,
a professional hacker,
in the banking world,
for several years.
When you work in this
field, in cybersecurity,
you realize that every scrap
of information is a key.
The more keys you have,
the more powerful you are.
And if this information
is misused, mishandled,
it can become a weapon
for many people.
So, of course,
most cybersecurity experts
are troubled by
mass surveillance,
because they know the stakes.
Why do it when it's
probably pointless?
Surveillance and intelligence
agencies already exist.
In Canada, we have one with a
relatively decent reputation.
Why do they need
more information?
Is it because they're...
...caught short?
Or are they simply really lazy?
Maybe they're lazy.
Subgraph is a Linux-based
operating system
designed to thwart
malicious attacks.
There are two kinds
of surveillance:
Mass surveillance, dragnets;
And targeted surveillance.
We try to prevent
targeted surveillance.
There's very little privacy.
Even people who are very...
shrewd about their
Internet usage,
their use of technology, even
they have very little privacy.
Among other things,
even if they're careful,
someone they know is posting
information about them
without their knowledge.
Foulab is a hackerspace.
It's really a collective that
offers its members resources,
and, above all, know-how.
So human capital,
in terms of knowledge,
for the sharing of
ideas and techniques.
In hacker culture, access to
information is fundamental,
in order to understand a system.
I call it an
open-source think-tank.
Now we'll rid this computer
of its malicious
piece of software.
The computer comes
with software,
which users are
usually unaware of,
installed by the supplier.
For example,
the NSA and ThinkPad
could have conspired
to install software to
access the computer remotely.
So we'll replace this
with open-source software
to ensure there's no backdoor,
or to simply make changes and
change the computer's features.
There. I have a copy
of the previous BIOS,
so I could configure
a new one here.
So I'll get OpenBIOS
or Coreboot.
I need to know the ins
and outs of a computer,
because I can't...
BIOS is at the
core of a computer.
It controls...
all functions.
So if we don't know how it works
and can't guarantee
its operation,
we can't guarantee the
computer's integrity.
So you can have the most
secure operating system ever,
but if the BIOS isn't secure,
unfortunately,
the rest won't be either.
Let me know if you need help.
Yeah, Mathieu...
if you could... hold it.
- Need help?
- Yeah. Thanks.
It'd be fun - it's
been done before -
to crack WiFi
networks from above.
So build a drone that flies
over and cracks WiFi networks.
Another thing would be - just
to prove it can be done -
to use an aerial cellphone
surveillance device,
like that used by the
police, known as a StingRay.
Essentially,
we do this to detect
critical flaws in
the infrastructure.
That's why most
people would do this.
The issue of what society
considers private and public
will define our generation.
What really worries me
is when neighbours
start pointing fingers.
We may well eventually
reach the point
where someone could
download a program
as powerful as a military weapon
and use it against
their neighbour.
Against their spouse, even.
That's what worries me most.
...3, 4, 5, 6, 7, 8, ground.
A mesh is a distributed network.
The idea is to have
rooftop antennas
to create a network alongside
commercial Internet service
and connect homes directly.
Like, connect
neighbours together.
I'm kind of discouraged.
Honestly.
People must change
their mentality,
but they seem unwilling.
They want "ubiquitous
computing."
They're willing
to be monitored by Amazon
24/7 at home through a device,
which they can order from
at the push of a button.
They use Gmail, Google
knows their every move,
their location, everything.
- What they think.
- Same with Facebook.
They're dominated by computer
technology - unwittingly.
Even when they know, it's: "I
can't do anything about it."
Basically, it's a lot
easier to monitor everyone
when they're in the same room.
We're gonna run about
10 feet of cable down.
Google, Facebook and the like
centralize information,
making surveillance easier.
If services are distributed,
it's more difficult
for a hostile party -
be it the government or
"black hats" - to spy on you.
It doesn't prevent
targeted surveillance of
a particular individual,
or even a group,
but it makes
dragnet surveillance
a lot more complicated.
Monitoring everyone at once,
then targeting
someone in particular.
Okay, the tester's hooked up.
Let's check it again?
- Let's do it.
- 1, 2, 3, 4, 5,
- 6, 7, 8, ground. - Done.
Excellent. It works.
It's all good.
Great. I'll plug into the wall.
The big problem now is
that huge corporations,
the world's most
powerful companies -
like Amazon, Google, Facebook,
Microsoft and Apple -
their goal now, their lobbying,
is geared toward
destroying the Internet.
Facebook's goal is to replace
the Internet... with Facebook.
They want you to go on
Facebook and stay there.
They entice you to
stay on Facebook
and away from ordinary sites.
Google is similar. They...
When you use search engines,
sometimes you're
stuck within Google
instead of going
to the real site.
So there are a lot of
forces at work preventing
us from re-distributing
the Internet
and make it the horizontal
platform it was devised to be.
There it is: Relais.reseaulibre.
It's the original
version of the Internet.
When I first went online in
'96, it was free.
We didn't pay for
Internet access, and...
...Internet access also
meant having a web page.
That was it, really.
It was about checking out
your friends' web pages.
What did he post? "Hi.
I'm Antoine. I play guitar."
With a picture of your guitar.
People had all kinds of stuff.
Then they started sharing
increasingly interesting things.
And it grew,
turning into Wikipedia,
into Google, and so on.
But it started with
someone in their garage.
Google started out
with a web page.
And I've always done that.
It's good enough for me.
That's it.
I don't need to connect with
all my friends on Facebook 24/7,
know the latest news,
the latest opinion,
Trump's latest fake news,
this and that on Facebook.
I don't want to be online 24/7.
For me,
it's something you turn on,
you go online, you're online,
then you turn it off
and you're offline.
I'm not always connected,
and I choose when to go online.
I call the shots.
I'm currently coding...
...what's known as
next-generation hidden services.
It's being completely
re-engineered
to improve security.
The concept of privacy
is extremely important.
Increasingly so.
If people are being monitored...
Today, it's not that
people aren't aware of it.
They know and accept it.
They're not acting in
bad faith or ignorant.
It's just the new normal.
When you know you're
under surveillance,
unconsciously or not,
you change your ways.
It really controls society.
So the beauty of Tor is,
whatever you do online,
your privacy is
protected to some extent.
I requested access
to information
from the federal government,
for all my personal information.
They sent me this letter,
which basically said:
We have your information on
file - maybe, maybe not...
I'm under investigation.
I was kind of proud, because I
must be doing something right.
I'm doing something useful,
and the powers-that-be clearly
aren't too happy about it.
So it's a vindication of sorts.
What's the conference
in Montreal about?
Okay, we're currently holding
our biannual Tor meeting.
We invite everyone -
staff and the community -
to get together, convene,
and over the course of five
days, we problem-solve, rally,
seek to improve Tor.
Any particular reason it's
in Montreal this year?
Yeah, a lot of people refuse
to go to the Five Eyes,
including Canada.
But especially since Trump,
I'd say at least half our
team refuses to go to the U.S.
- Half the team refuses...
- Minimum.
Can you explain why we
can't film the meeting?
Right. I mean,
these people are for privacy.
They don't want to
end up on Facebook,
have anyone know they came.
Some people here
literally can't be filmed,
because they're coming
here at their peril.
So, overall, their
privacy must be respected.
Projects like Tor,
like Subgraph, aren't winning.
This great surveillance machine
is obviously prevailing.
Clearly.
Of course, there's pushback now.
But I think we're 20 years
behind our rival, as it were.
The forces at work
behind this security and
surveillance campaign
are very powerful.
We're talking huge corporations,
governments, and so on.
So it takes tremendous effort
to make a real impact.