timeblock (issue introduction): time estimate and refinement
This is also probably too long. I'll see what I can cut out of other sections. ...really cutting it close to the conference, here.
master
parent
83966c982c
commit
f2737d85f1
104
talk.tex
@ -335,29 +335,29 @@
|
|||
%%%=== END TIMEBLOCK 8m ==============================================
|
||||
|
||||
|
||||
%%%=== BEGIN TIMEBLOCK Nm ==============================================
|
||||
%%%=== BEGIN TIMEBLOCK 8m ==============================================
|
||||
|
||||
\begin{frame}{The Illusion of Remote Execution}
|
||||
\lecture{Perhaps one of the greatest dangers of software on the Web is the
|
||||
illusion of remote execution---}
|
||||
|
||||
\begin{itemize}
|
||||
\item<2-> Looks like the web page is manipulating itself
|
||||
\item<1-> Looks like the web page is manipulating itself
|
||||
\begin{itemize}
|
||||
\item<2-> Many consider the web page as a remote resource, not a local
|
||||
\item<1-> Many consider the web page as a remote resource, not a local
|
||||
copy of that resource
|
||||
\end{itemize}
|
||||
\lecture{the illusion that, because the program is manipulating and
|
||||
appears to be a part of the web page, it must be executing
|
||||
in a magical remote place.}
|
||||
appears to be a part of the web page, that it must be
|
||||
executing in a magical remote place.}
|
||||
|
||||
\item<3-> JavaScript programs run \emph{on the client}
|
||||
\item<2-> JavaScript programs run \emph{on the client}
|
||||
\lecture{But it's not. JavaScript programs are executed \emph{on your
|
||||
computer, by your web browser}: the program is downloaded
|
||||
just like any other resource and interpreted by a JavaScript
|
||||
engine in your browser.}
|
||||
|
||||
\item<4-> Illusion inhibits consideration of freedoms
|
||||
\item<3-> Illusion inhibits consideration of freedoms
|
||||
\lecture{This is an important distinction, because we can't begin to
|
||||
consider how to exercise our four freedoms if we can't even
|
||||
get around to the fact that the program is actually running
|
||||
|
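Review bot: in the rewritten `\lecture{...}` of the first sub-item, the added line `appears to be a part of the web page, that it must be` puts a second `that` into a sentence that already opens with `the illusion that, because the program is manipulating and`; the old wording `it must be executing in a magical remote place` reads correctly, so drop the new `that`. The overlay renumbering from `<2->`/`<3->`/`<4->` to `<1->`/`<2->`/`<3->` is applied consistently to all three top-level items and to the nested `<1->` sub-item, so the first bullet now appears together with the frame title rather than after a click, which looks intended. `BEGIN TIMEBLOCK Nm` to `BEGIN TIMEBLOCK 8m` matches the commit message.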
@ -378,7 +378,7 @@
|
|||
|
||||
|
||||
\begin{frame}[plain,c]{}
|
||||
\lecture{Well, you do.}
|
||||
\lecture{Well, you do. Or at least many of you.}
|
||||
|
||||
\begin{center}
|
||||
Well, you do.
|
||||
|
@ -394,44 +394,44 @@
|
|||
|
||||
\begin{frame}{Covert Ephemeral Software}
|
||||
\begin{itemize}
|
||||
\item Browser downloads and executes arbitrary, often non-free software
|
||||
\item<1-> Browser downloads and executes arbitrary, often non-free software
|
||||
\begin{itemize}
|
||||
\item (Automatically clicks the download button for you!)
|
||||
\item<1-> (Automatically clicks the download button for you!)
|
||||
\end{itemize}
|
||||
|
||||
\lecture{But no---our web browsers are being stupid on our behalf!}
|
||||
|
||||
\item Most users have no idea this is happening
|
||||
\item<2-> Most users have no idea this is happening
|
||||
\lecture{And most users---even many technical ones---really don't have
|
||||
any idea that this is happening. Because they don't think
|
||||
about it like that.}
|
||||
|
||||
\begin{itemize}
|
||||
\item And if they did, would they know to care?
|
||||
\lecture{But let's say they did; would they even
|
||||
\emph{know} to care? You can be taught to be suspicious
|
||||
of sites advertising awards and such, but when a site
|
||||
offers no indication at all, then what exactly do you
|
||||
teach? What do you tell them to be suspicious of?
|
||||
Instead, it's just a website.}
|
||||
\item<2-> How would they?
|
||||
\lecture{You can be taught to be suspicious of sites advertising
|
||||
awards and such, but when a site offers no indication at
|
||||
all, then what exactly do you teach? What do you tell
|
||||
them to be suspicious of? Instead, it's just a website.}
|
||||
|
||||
\item Most who \emph{do} know don't care.
|
||||
\item<2-> Most who \emph{do} know don't care.
|
||||
\lecture{But then there are those who are well aware of what is
|
||||
going on. Many of those are web developers---the same
|
||||
people that \emph{write} this covert software. And
|
||||
surprisingly, at least from my experience, most of them
|
||||
don't care. Many instead take the stance that JavaScript
|
||||
is an essential component of the modern web and it would
|
||||
don't care. Many instead take the stance that it would
|
||||
be silly to consider disabling it and quote-unquote
|
||||
``break'' websites.}
|
||||
``break'' websites. They don't consider that they're
|
||||
already broken by robbing users of their freedoms and
|
||||
privacy.}
|
||||
\end{itemize}
|
||||
|
||||
\item Ephemeral software
|
||||
\lecture{And then at the end the software disappears, leaving no
|
||||
\item<3-> Ephemeral software
|
||||
\lecture{And then at the end, the software disappears, leaving no
|
||||
trace except for some persistent data storage. A browser
|
||||
doesn't list all the scripts that it executes as
|
||||
``installed software'' like it would an addon. Users won't
|
||||
know that they were running software.}
|
||||
know that they were running software. The software is
|
||||
ephemeral.}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
|
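Review bot: replacing `\item And if they did, would they know to care?` with `\item<2-> How would they?` removes the question that the following `\lecture{You can be taught to be suspicious ...}` is answering, so the spoken note now starts mid-argument; either keep `would they know to care?` in the bullet or reinsert a lead such as `But let's say they did; would they even know to care?` at the top of that `\lecture{}`. All three nested items carry `<2->`, the same overlay as their parent `Most users have no idea this is happening`, so the whole nested list appears at once; if stepping is wanted, `<3->` and `<4->` would do it, and `Ephemeral software` would then need `<5->`. Dropping the clause `JavaScript is an essential component of the modern web` still leaves `Many instead take the stance that it would be silly to consider disabling it` grammatical, and the added `They don't consider that they're already broken by robbing users of their freedoms and privacy.` closes the note cleanly.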
@ -444,28 +444,28 @@
|
|||
people pretty excited! Like...}
|
||||
|
||||
\begin{center}
|
||||
\only<+>{Advertisers}
|
||||
\only<2>{Advertisers}
|
||||
\lecture{Advertisers! You say ``yes!'' to their spyware that tracks
|
||||
and analyzes you.}
|
||||
|
||||
\only<+>{Crackers \& Script Kiddies}
|
||||
\only<3>{Crackers \& Script Kiddies}
|
||||
\lecture{Crackers and script kiddies love you too. You happily say
|
||||
``yes!'' to their payloads.}
|
||||
|
||||
\only<+>{Governments (also Crackers \& Script Kiddies)}
|
||||
\only<4>{Governments (also Crackers \& Script Kiddies)}
|
||||
\lecture{Governments! Also crackers and script kiddies. They like to
|
||||
broadly distribute exploits in the hope of maybe catching a
|
||||
criminal. One such exploit was a 0-day used by the FBI to
|
||||
deanonymize Tor users, guilty or not.}
|
||||
|
||||
\only<+>{ISPs (Like Comcast)}
|
||||
\only<5>{ISPs (Like Comcast)}
|
||||
\lecture{And what about the entity you depend on the most for your
|
||||
communications online? In November of last year it was
|
||||
discovered that Comcast was MITM'ing customers to inject
|
||||
JavaScript into non-SSL webpages to inform customers of
|
||||
copyright violations. Oh yes.}
|
||||
|
||||
\only<+>{People who want to show off their cool stuff}
|
||||
\only<6>{People who want to show off their cool stuff}
|
||||
\lecture{There are certainly other malicious actors, but not everyone
|
||||
has bad intentions---you also have hackers that just want to
|
||||
show you their cool new programs. And some of those are also
|
||||
|
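Review bot: changing the five `\only<+>` to fixed `\only<2>` through `\only<6>` is correct given that the lecture lead-in occupies overlay 1, but the numbers now have to be maintained by hand whenever an entry is added or moved (the `<+>` form renumbered itself); a one-line comment above `\begin{center}` saying that overlay 1 is the lead-in would protect the next edit. Separately, the notes for `Governments` and `ISPs (Like Comcast)` assert specific incidents (an FBI 0-day used to deanonymize Tor users; Comcast injecting JavaScript into non-SSL pages in November of last year) without a source; adding a reference inside those `\lecture{}` notes keeps the claims checkable when questions come, and the `non-SSL` qualifier from the Comcast note is worth surfacing on the slide itself, since the lack of TLS is what made the injection possible.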
@ -549,28 +549,27 @@
|
|||
\end{itemize}
|
||||
|
||||
\item<6-> There is a conscious effort made by the user
|
||||
\lecture{but it's generally a conscious operation all the same. Even
|
||||
users of proprietary operating systems don't like when things
|
||||
appear on their computer without having been requested.}
|
||||
\lecture{but in any case, it's generally a conscious operation all the
|
||||
same. Even users of proprietary operating systems don't like
|
||||
when things appear on their computer without having been
|
||||
requested.}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}{Software Signing}
|
||||
\lecture{We also have certain other guarantees. Or attempts, at least.}
|
||||
|
||||
\begin{itemize}[<+->]
|
||||
\item Any package manager worth using will verify signatures of package
|
||||
maintainers
|
||||
\lecture{If you're using a package manager that doesn't verify a
|
||||
cryptographic signature of the package, then you should
|
||||
consider another package manager. Many package managers
|
||||
provide---with some caveats---assurances that the package you
|
||||
received is actually the package that the author or
|
||||
maintainer intended for you to receive. I'm not getting into
|
||||
those caveats here.}
|
||||
\begin{itemize}
|
||||
\item<1-> Package manager (should!) verify signatures of package
|
||||
maintainers
|
||||
\lecture{Many package managers provide---with some
|
||||
caveats---assurances that the package you received is
|
||||
actually the package that the author or maintainer intended
|
||||
for you to receive by using cryptographic signatures. I'm
|
||||
not getting into those caveats here.}
|
||||
|
||||
\item GNU projects also distribute detached signatures for manual
|
||||
verification
|
||||
\item<2-> Many projects distribute detached signatures for manual
|
||||
verification
|
||||
\lecture{In the case of source distributions, detached signatures are
|
||||
often used. You'll see this with GNU programs, for
|
||||
example---if you download a program from ftp.gnu.org, you'll
|
||||
|
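Review bot: `\item<1-> Package manager (should!) verify signatures of package maintainers` has a number disagreement (singular `Package manager`, plural `verify`); write `Package managers (should!) verify ...` or `A package manager should verify ...`. Dropping `\begin{itemize}[<+->]` in favour of explicit `<1->`/`<2->` specs is consistent with the other frames in this commit, but note that any later `\item` in this list without its own overlay spec will now show from the first slide. The assurance in the note, `the package you received is actually the package that the author or maintainer intended for you to receive`, holds only when the signing key itself is trusted; since the caveats are deliberately skipped, a short parenthetical such as `(given a trusted key)` would keep the claim accurate without expanding the section. Going from `GNU projects` to `Many projects` in the second bullet is fine, as the note still cites ftp.gnu.org as the concrete example.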
@ -578,22 +577,25 @@
|
|||
GPG to verify that your download is what the author
|
||||
actually signed.}
|
||||
|
||||
%% TODO: either come up with a plan or delete this
|
||||
\item No such thing exists for the Web
|
||||
\item<3-> No such thing exists for the Web
|
||||
\lecture{...We don't have this type of thing for the web.}
|
||||
|
||||
\item<+-> We need a web of trust (e.g. PGP)---decentralized
|
||||
\item<4-> I wish I had time to discuss this
|
||||
\begin{itemize}
|
||||
\item<+-> What not to do: Firefox refuses to install/run addons that
|
||||
\item<4-> What not to do: Firefox refuses to install/run addons that
|
||||
are not signed by Mozilla
|
||||
\item<+-> No ``walled gardens''
|
||||
\item<4-> No ``walled gardens''
|
||||
\end{itemize}
|
||||
\lecture{I really wish I had the time to discuss this on a more
|
||||
technical level, but I don't. Like I said---it's a
|
||||
presentation about problems, and there's a lot of them to get
|
||||
to in 45 minutes!}
|
||||
\end{itemize}
|
||||
|
||||
\lecture{But what does the absence of user control mean?}
|
||||
\end{frame}
|
||||
|
||||
%%%=== END TIMEBLOCK Nm ==============================================
|
||||
%%%=== END TIMEBLOCK 8m ==============================================
|
||||
|
||||
|
||||
%%%=== BEGIN TIMEBLOCK Nm ==============================================
|
||||
|
|
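Review bot: the `%% TODO: either come up with a plan or delete this` comment survives above `\item<3-> No such thing exists for the Web` even though this commit gives the item an overlay and keeps its `\lecture{}` note, so either remove the TODO or state what is still undecided. Replacing `\item<+-> We need a web of trust (e.g. PGP)---decentralized` with `\item<4-> I wish I had time to discuss this` leaves the two sub-items (`What not to do: Firefox refuses to install/run addons that are not signed by Mozilla` and `No ``walled gardens''`) under a bullet that states no position, and the same sentiment already appears in the new `\lecture{I really wish I had the time ...}`; keep the web-of-trust line as the bullet and leave the apology to the spoken note. The `<+->` to `<4->` changes are consistent with dropping `[<+->]` on this list in the previous hunk, and `END TIMEBLOCK Nm` to `END TIMEBLOCK 8m` matches the `BEGIN` change in the first hunk; the `BEGIN TIMEBLOCK Nm` at the end of the hunk belongs to the next block and still needs its estimate.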