timeblock (issue introduction): time estimate and refinement

This is also probably too long.  I'll see what I can cut out of other
sections.

...really cutting it close to the conference, here.
master
Mike Gerwitz 2016-03-16 22:35:49 -04:00
parent 83966c982c
commit f2737d85f1
No known key found for this signature in database
GPG Key ID: F22BB8158EE30EAB
1 changed files with 53 additions and 51 deletions

talk.tex

@ -335,29 +335,29 @@
%%%=== END TIMEBLOCK 8m ==============================================
%%%=== BEGIN TIMEBLOCK Nm ==============================================
%%%=== BEGIN TIMEBLOCK 8m ==============================================
\begin{frame}{The Illusion of Remote Execution}
\lecture{Perhaps one of the greatest dangers of software on the Web is the
illusion of remote execution---}
\begin{itemize}
\item<2-> Looks like the web page is manipulating itself
\item<1-> Looks like the web page is manipulating itself
\begin{itemize}
\item<2-> Many consider the web page as a remote resource, not a local
\item<1-> Many consider the web page as a remote resource, not a local
copy of that resource
\end{itemize}
\lecture{the illusion that, because the program is manipulating and
appears to be a part of the web page, it must be executing
in a magical remote place.}
appears to be a part of the web page, that it must be
executing in a magical remote place.}
\item<3-> JavaScript programs run \emph{on the client}
\item<2-> JavaScript programs run \emph{on the client}
\lecture{But it's not. JavaScript programs are executed \emph{on your
computer, by your web browser}: the program is downloaded
just like any other resource and interpreted by a JavaScript
engine in your browser.}
\item<4-> Illusion inhibits consideration of freedoms
\item<3-> Illusion inhibits consideration of freedoms
\lecture{This is an important distinction, because we can't begin to
consider how to exercise our four freedoms if we can't even
get around to the fact that the program is actually running
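Review bot: The rewritten \lecture note in the second bullet doubles the conjunction: "the illusion that, because the program is manipulating and appears to be a part of the web page, that it must be executing in a magical remote place." Drop the second "that", as in the wording it replaces ("it must be executing"). Separately, with the overlay specs shifted down by one, the nested "Many consider the web page as a remote resource" item now shares <1-> with its parent, so both appear on the first slide of the frame; fine if that is intended.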
@ -378,7 +378,7 @@
\begin{frame}[plain,c]{}
\lecture{Well, you do.}
\lecture{Well, you do. Or at least many of you.}
\begin{center}
Well, you do.
@ -394,44 +394,44 @@
\begin{frame}{Covert Ephemeral Software}
\begin{itemize}
\item Browser downloads and executes arbitrary, often non-free software
\item<1-> Browser downloads and executes arbitrary, often non-free software
\begin{itemize}
\item (Automatically clicks the download button for you!)
\item<1-> (Automatically clicks the download button for you!)
\end{itemize}
\lecture{But no---our web browsers are being stupid on our behalf!}
\item Most users have no idea this is happening
\item<2-> Most users have no idea this is happening
\lecture{And most users---even many technical ones---really don't have
any idea that this is happening. Because they don't think
about it like that.}
\begin{itemize}
\item And if they did, would they know to care?
\lecture{But let's say they did; would they even
\emph{know} to care? You can be taught to be suspicious
of sites advertising awards and such, but when a site
offers no indication at all, then what exactly do you
teach? What do you tell them to be suspicious of?
Instead, it's just a website.}
\item<2-> How would they?
\lecture{You can be taught to be suspicious of sites advertising
awards and such, but when a site offers no indication at
all, then what exactly do you teach? What do you tell
them to be suspicious of? Instead, it's just a website.}
\item Most who \emph{do} know don't care.
\item<2-> Most who \emph{do} know don't care.
\lecture{But then there are those who are well aware of what is
going on. Many of those are web developers---the same
people that \emph{write} this covert software. And
surprisingly, at least from my experience, most of them
don't care. Many instead take the stance that JavaScript
is an essential component of the modern web and it would
don't care. Many instead take the stance that it would
be silly to consider disabling it and quote-unquote
``break'' websites.}
``break'' websites. They don't consider that they're
already broken by robbing users of their freedoms and
privacy.}
\end{itemize}
\item Ephemeral software
\lecture{And then at the end the software disappears, leaving no
\item<3-> Ephemeral software
\lecture{And then at the end, the software disappears, leaving no
trace except for some persistent data storage. A browser
doesn't list all the scripts that it executes as
``installed software'' like it would an addon. Users won't
know that they were running software.}
know that they were running software. The software is
ephemeral.}
\end{itemize}
\end{frame}
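Review bot: In the \lecture note under "Most who \emph{do} know don't care", removing "JavaScript is an essential component of the modern web and" leaves "it would be silly to consider disabling it" with no antecedent for the final "it"; the nearest noun is now "this covert software". Suggest "disabling JavaScript". The replacement sub-bullet "How would they?" also leans on its parent bullet for meaning more than "And if they did, would they know to care?" did, and all three sub-items now uncover together on <2->.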
@ -444,28 +444,28 @@
people pretty excited! Like...}
\begin{center}
\only<+>{Advertisers}
\only<2>{Advertisers}
\lecture{Advertisers! You say ``yes!'' to their spyware that tracks
and analyzes you.}
\only<+>{Crackers \& Script Kiddies}
\only<3>{Crackers \& Script Kiddies}
\lecture{Crackers and script kiddies love you too. You happily say
``yes!'' to their payloads.}
\only<+>{Governments (also Crackers \& Script Kiddies)}
\only<4>{Governments (also Crackers \& Script Kiddies)}
\lecture{Governments! Also crackers and script kiddies. They like to
broadly distribute exploits in the hope of maybe catching a
criminal. One such exploit was a 0-day used by the FBI to
deanonymize Tor users, guilty or not.}
\only<+>{ISPs (Like Comcast)}
\only<5>{ISPs (Like Comcast)}
\lecture{And what about the entity you depend on the most for your
communications online? In November of last year it was
discovered that Comcast was MITM'ing customers to inject
JavaScript into non-SSL webpages to inform customers of
copyright violations. Oh yes.}
\only<+>{People who want to show off their cool stuff}
\only<6>{People who want to show off their cool stuff}
\lecture{There are certainly other malicious actors, but not everyone
has bad intentions---you also have hackers that just want to
show you their cool new programs. And some of those are also
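Review bot: The switch from \only<+> to hard-coded \only<2> through \only<6> makes the list order-sensitive, and in the visible part of the center block nothing is shown on overlay 1. Adding or reordering an actor now means renumbering every later \only. If the empty first overlay is a deliberate pause after "Like...", a %% comment saying so would keep a later edit from treating it as an off-by-one.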
@ -549,28 +549,27 @@
\end{itemize}
\item<6-> There is a conscious effort made by the user
\lecture{but it's generally a conscious operation all the same. Even
users of proprietary operating systems don't like when things
appear on their computer without having been requested.}
\lecture{but in any case, it's generally a conscious operation all the
same. Even users of proprietary operating systems don't like
when things appear on their computer without having been
requested.}
\end{itemize}
\end{frame}
\begin{frame}{Software Signing}
\lecture{We also have certain other guarantees. Or attempts, at least.}
\begin{itemize}[<+->]
\item Any package manager worth using will verify signatures of package
maintainers
\lecture{If you're using a package manager that doesn't verify a
cryptographic signature of the package, then you should
consider another package manager. Many package managers
provide---with some caveats---assurances that the package you
received is actually the package that the author or
maintainer intended for you to receive. I'm not getting into
those caveats here.}
\begin{itemize}
\item<1-> Package manager (should!) verify signatures of package
maintainers
\lecture{Many package managers provide---with some
caveats---assurances that the package you received is
actually the package that the author or maintainer intended
for you to receive by using cryptographic signatures. I'm
not getting into those caveats here.}
\item GNU projects also distribute detached signatures for manual
verification
\item<2-> Many projects distribute detached signatures for manual
verification
\lecture{In the case of source distributions, detached signatures are
often used. You'll see this with GNU programs, for
example---if you download a program from ftp.gnu.org, you'll
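Review bot: The new first item reads "Package manager (should!) verify signatures of package maintainers", a singular subject with a plural verb; "Package managers (should!) verify" would match the lecture note's "Many package managers provide". The itemize also drops [<+->] in favour of explicit <1-> and <2->, so every later item in this frame needs an explicit spec as well.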
@ -578,22 +577,25 @@
GPG to verify that your download is what the author
actually signed.}
%% TODO: either come up with a plan or delete this
\item No such thing exists for the Web
\item<3-> No such thing exists for the Web
\lecture{...We don't have this type of thing for the web.}
\item<+-> We need a web of trust (e.g. PGP)---decentralized
\item<4-> I wish I had time to discuss this
\begin{itemize}
\item<+-> What not to do: Firefox refuses to install/run addons that
\item<4-> What not to do: Firefox refuses to install/run addons that
are not signed by Mozilla
\item<+-> No ``walled gardens''
\item<4-> No ``walled gardens''
\end{itemize}
\lecture{I really wish I had the time to discuss this on a more
technical level, but I don't. Like I said---it's a
presentation about problems, and there's a lot of them to get
to in 45 minutes!}
\end{itemize}
\lecture{But what does the absence of user control mean?}
\end{frame}
%%%=== END TIMEBLOCK Nm ==============================================
%%%=== END TIMEBLOCK 8m ==============================================
%%%=== BEGIN TIMEBLOCK Nm ==============================================
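Review bot: The slide bullet "I wish I had time to discuss this" replaces "We need a web of trust (e.g. PGP)---decentralized", so the nested "What not to do: Firefox refuses to install/run addons that are not signed by Mozilla" and "No ``walled gardens''" no longer say what they are counter-examples of. Consider keeping the web-of-trust wording on the slide and leaving the apology to the \lecture note, which already carries it ("I really wish I had the time to discuss this on a more technical level").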