2017-04-02 21:59:29 -04:00
|
|
|
#+startup: beamer
|
|
|
|
#+TITLE: The Surreptitious Assault on Privacy, Security, and Freedom
|
|
|
|
#+AUTHOR: Mike Gerwitz
|
|
|
|
#+EMAIL: mtg@gnu.org
|
|
|
|
#+DATE: 26 March, LibrePlanet 2017
|
|
|
|
#+OPTIONS: H:3 num:nil toc:nil p:nil todo:nil stat:nil
|
|
|
|
#+LaTeX_CLASS: beamer
|
|
|
|
#+LaTeX_CLASS_OPTIONS: [presentation]
|
|
|
|
#+BEAMER_THEME: Warsaw
|
|
|
|
#+BEAMER_HEADER: \beamertemplatenavigationsymbolsempty
|
2017-03-08 02:05:07 -05:00
|
|
|
#+BIBLIOGRAPHY: sapsf plain
|
2017-03-07 23:35:16 -05:00
|
|
|
#+TODO: RAW(r) DEVOID(v) LACKING(l) DRAFT(d) REVIEWED(R) | READY(+) REHEARSED(D)
|
2017-03-11 23:25:25 -05:00
|
|
|
#+COLUMNS: %40ITEM %10DURATION{:} %8TODO %BEAMER_ENV(ENVIRONMENT)
|
2017-03-06 21:48:35 -05:00
|
|
|
|
|
|
|
|
|
|
|
#+BEGIN: columnview :hlines 3 :id global
|
2017-03-11 23:25:25 -05:00
|
|
|
| ITEM | DURATION | TODO | ENVIRONMENT |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| * LaTeX Configuration | | | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| * Slides | 0:47 | LACKING | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| ** Introduction / Opening | 00:01 | REVIEWED | fullframe |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| ** Mobile [0/5] | 0:07 | REVIEWED | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Introduction | 0:00 | REVIEWED | ignoreheading |
|
|
|
|
| **** Introduction | 00:00:15 | REVIEWED | fullframe |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Cell Towers [0/2] | 0:02 | REVIEWED | |
|
|
|
|
| **** Fundamentally Needed | 00:00:45 | REVIEWED | |
|
|
|
|
| **** Cell-Site Simulators | 00:00:45 | REVIEWED | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Wifi [0/3] | 0:01 | REVIEWED | |
|
|
|
|
| **** ESSID and MAC Broadcast | 00:01 | REVIEWED | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Geolocation [0/3] | 0:02 | REVIEWED | |
|
|
|
|
| **** GPS | 00:01 | REVIEWED | |
|
|
|
|
| **** But I Want GPS! | 00:00:30 | REVIEWED | |
|
|
|
|
| **** Location Services | 00:00:45 | REVIEWED | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Operating System [0/3] | 0:02 | REVIEWED | |
|
|
|
|
| **** Untrusted/Proprietary OS | 00:00:45 | REVIEWED | |
|
|
|
|
| **** Free/Libre Mobile OS? | 00:00:30 | REVIEWED | |
|
|
|
|
| **** Modem Isolation | 00:00:30 | REVIEWED | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| ** Stationary [0/5] | 0:08 | LACKING | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Introduction [0/1] | 0:00 | DRAFT | ignoreheading |
|
|
|
|
| **** Introduction | 00:00:30 | DRAFT | fullframe |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Surveillance Cameras [0/2] | 0:00 | DRAFT | |
|
|
|
|
| **** Unavoidable Surveillance | | DRAFT | |
|
|
|
|
| **** Access to Data | 00:00:30 | DRAFT | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Internet of Things [0/4] | 0:04 | LACKING | |
|
|
|
|
| **** Internet-Connected Cameras | 00:00:30 | DRAFT | |
|
|
|
|
| **** The ``S'' In IoT Stands For ``Security'' | 00:01:30 | LACKING | |
|
|
|
|
| **** Who's Watching? | 00:00:30 | DEVOID | |
|
|
|
|
| **** Facial Recognition | 00:01 | DRAFT | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Social Media [0/1] | 0:01 | DRAFT | |
|
|
|
|
| **** Collateral Damage | 00:01 | DRAFT | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Driving [0/3] | 0:02 | RAW | |
|
|
|
|
| **** Introduction | 00:00:30 | DRAFT | fullframe |
|
|
|
|
| **** ALPRs | 00:01 | LACKING | |
|
|
|
|
| **** Car Itself | 00:00:30 | LACKING | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| ** The Web [0/6] | 0:10 | LACKING | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Introduction [0/1] | | DRAFT | ignoreheading |
|
|
|
|
| **** Introduction | | DRAFT | fullframe |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Bridging the Gap [0/1] | 0:01 | LACKING | |
|
|
|
|
| **** Ultrasound Tracking | 00:01 | LACKING | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Incentive to Betray [0/1] | 0:00 | DRAFT | |
|
|
|
|
| **** Summary | 00:00:30 | DRAFT | fullframe |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Analytics [0/2] | 0:02 | LACKING | |
|
|
|
|
| **** Trackers | 00:01 | LACKING | |
|
|
|
|
| **** Like Buttons | 00:01 | DRAFT | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Fingerprinting [0/3] | 0:03 | LACKING | |
|
|
|
|
| **** Summary | | DRAFT | |
|
|
|
|
| **** Alarmingly Effective | 00:03 | LACKING | fullframe |
|
|
|
|
| **** User Agent | | DRAFT | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Anonymity [0/4] | 0:04 | DRAFT | |
|
|
|
|
| **** Summary | 00:01 | DRAFT | fullframe |
|
|
|
|
| ***** Anonymity | | | |
|
|
|
|
| ***** Pseudonymity | | | |
|
|
|
|
| **** IANAAE | | DRAFT | fullframe |
|
|
|
|
| **** The Tor Network | 00:01 | DRAFT | |
|
|
|
|
| **** TorBrowser, Tails, and Whonix | 00:02 | DRAFT | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| ** Data Analytics [0/2] | 0:04 | LACKING | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Introduction [0/1] | 0:00 | DRAFT | ignoreheading |
|
|
|
|
| **** Introduction | 00:00 | DRAFT | fullframe |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Headings [0/3] | 0:04 | LACKING | |
|
|
|
|
| **** Advertisers | 00:02 | LACKING | |
|
|
|
|
| **** Social Media | 00:01 | DEVOID | |
|
|
|
|
| **** Governments | 00:00:30 | DEVOID | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| ** Policy and Government [0/6] | 0:12 | LACKING | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Introduction [0/1] | 0:00 | DRAFT | ignoreheading |
|
|
|
|
| **** Introduction | 00:00:30 | DRAFT | fullframe |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Surveillance [0/7] | 0:06 | LACKING | |
|
|
|
|
| **** History of NSA Surveillance | 00:02 | DRAFT | |
|
|
|
|
| **** Ron Wyden | | DRAFT | fullframe |
|
|
|
|
| **** The Leak | | DRAFT | fullframe |
|
|
|
|
| **** Verizon Metadata | 00:00:30 | DRAFT | |
|
|
|
|
| **** PRISM | | DRAFT | |
|
|
|
|
| **** Snowden | 00:01 | DRAFT | |
|
|
|
|
| **** Tools | 00:02 | DEVOID | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Crypto Wars [0/6] | 0:04 | LACKING | |
|
|
|
|
| **** Introduction | 00:00 | DRAFT | fullframe |
|
|
|
|
| **** Export-Grade Crypto | 00:01:30 | DRAFT | |
|
|
|
|
| **** Bernstein v. United States | 00:01 | DRAFT | |
|
|
|
|
| **** The First Crypto Wars | 00:01 | DRAFT | |
|
|
|
|
| **** Re-repeats Itself | 00:00 | DRAFT | fullframe |
|
|
|
|
| **** Modern Crypto Wars | | DRAFT | fullframe |
|
|
|
|
| **** ``Going Dark'' | | DEVOID | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Espionage [0/1] | 0:01 | LACKING | |
|
|
|
|
| **** US Can't Keep Its Own Secrets | 00:01 | DEVOID | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Subpoenas, Warrants, NSLs [0/1] | 0:01 | LACKING | |
|
|
|
|
| **** National Security Letters | 00:01 | DEVOID | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Law [0/1] | 0:01 | LACKING | |
|
|
|
|
| **** Summary | 00:01 | DEVOID | fullframe |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| ** Your Fight [0/1] | 0:05 | LACKING | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| *** Headings [0/6] | 0:05 | LACKING | |
|
|
|
|
| **** Feeding | 00:00 | DRAFT | fullframe |
|
|
|
|
| **** SaaSS and Centralization | 00:01 | DEVOID | |
|
|
|
|
| **** Corporate Negligence | 00:01 | LACKING | |
|
|
|
|
| **** Status Quo | 00:02 | DRAFT | |
|
|
|
|
| **** Status Quo Cannot Hold | | DRAFT | fullframe |
|
|
|
|
| **** Push Back | 00:01 | DRAFT | fullframe |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| ** Thank You | | | fullframe |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| ** References | | | appendix |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| * Exporting | | | |
|
|
|
|
|-----------------------------------------------+----------+----------+---------------|
|
|
|
|
| * Local Variables | | | |
|
2017-04-02 21:59:29 -04:00
|
|
|
#+END
|
|
|
|
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
|
|
|
*Remember the themes!*:
|
|
|
|
- Surreptitious
|
|
|
|
- User privacy and security
|
|
|
|
- Affects on freedom; chilling effects
|
|
|
|
- How free software can help
|
2017-03-07 00:36:28 -05:00
|
|
|
|
2017-04-02 21:59:29 -04:00
|
|
|
The big players seem to be the [[The Web][Web]] and [[Policy and Government][Government]].
|
|
|
|
No surprises there.
|
|
|
|
|
|
|
|
|
|
|
|
It would be a good idea to immediately connect with the audience. So:
|
|
|
|
- Most everyone has a mobile device.
|
|
|
|
- /This is the most immediate and relatable since it's physically present/
|
|
|
|
with them in their travels.
|
|
|
|
- Security cameras et. al. during travel.
|
|
|
|
|
|
|
|
So start _briefly_ with the topic of pervasive surveillance?
|
|
|
|
- That is what the abstract refers to, after all.
|
|
|
|
|
|
|
|
*Surreptitious*---many audience members won't consider that they're being
|
|
|
|
tracked.
|
|
|
|
- But by _whom_?
|
|
|
|
|
|
|
|
Maybe a gentle introduction that gets increasingly more alarming and
|
|
|
|
invasive topic-wise.
|
|
|
|
|
|
|
|
GOAL: Captivate; Startle
|
|
|
|
#+END_COMMENT
|
|
|
|
|
|
|
|
|
2017-03-08 02:05:07 -05:00
|
|
|
* LaTeX Configuration :export:ignore:
|
2017-03-11 23:13:18 -05:00
|
|
|
#+LATEX_HEADER: \usepackage[backend=biber]{biblatex}
|
2017-03-08 02:05:07 -05:00
|
|
|
#+LATEX_HEADER: \usepackage{color}
|
2017-03-11 23:13:18 -05:00
|
|
|
#+LATEX_HEADER: \bibliography{sapsf}
|
2017-03-08 02:05:07 -05:00
|
|
|
#+BEGIN_LATEX
|
|
|
|
% citations will be grayed and pushed to the right margin
|
|
|
|
\let\origcite\cite
|
2017-03-09 05:19:43 -05:00
|
|
|
% incite = "inline" cite
|
|
|
|
\def\cite{\hfill\incite}
|
|
|
|
\newcommand*{\incite}[1]{{%
|
2017-03-08 02:05:07 -05:00
|
|
|
\scriptsize
|
|
|
|
\raisebox{1ex}{%
|
|
|
|
\color{gray}%
|
|
|
|
\origcite{#1}%
|
|
|
|
}%
|
|
|
|
}}
|
2017-03-11 23:25:25 -05:00
|
|
|
|
|
|
|
\renewcommand*{\bibfont}{\scriptsize}
|
2017-03-08 02:05:07 -05:00
|
|
|
#+END_LATEX
|
|
|
|
|
|
|
|
|
2017-03-07 01:15:10 -05:00
|
|
|
* LACKING Slides :export:ignore:
|
2017-03-11 23:25:25 -05:00
|
|
|
** REVIEWED Introduction / Opening :B_fullframe:
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
2017-03-11 23:25:25 -05:00
|
|
|
:DURATION: 00:01
|
2017-04-02 21:59:29 -04:00
|
|
|
:BEAMER_env: fullframe
|
|
|
|
:END:
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-03-11 23:25:25 -05:00
|
|
|
Hello, everyone.
|
|
|
|
Thanks for coming!
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-11 23:25:25 -05:00
|
|
|
My name's Mike Gerwitz.
|
|
|
|
I am a free software hacker and activist with a focus on user privacy and
|
|
|
|
security.
|
|
|
|
I'm also a GNU Maintainer, software evaluator, and volunteer for various
|
|
|
|
other duties.
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-11 23:25:25 -05:00
|
|
|
And I'm here to talk to you about an unfortunate,
|
|
|
|
increasingly unavoidable fact of life.
|
|
|
|
|
|
|
|
None of you made it here without being tracked in some capacity.
|
|
|
|
Some of us are /still/ being tracked at this very moment!
|
|
|
|
|
|
|
|
This isn't a tinfoil hat presentation.
|
|
|
|
It's a survey of facts.
|
|
|
|
/Actual/ facts, not alternative ones! (Dig at Kellyanne Conway, for those
|
|
|
|
reading this in the future.)
|
|
|
|
Since time isn't on my side here,
|
|
|
|
I'm going to present a broad overview of the most pressing concerns of
|
|
|
|
today.
|
|
|
|
Every slide has numeric citations,
|
|
|
|
which are associated with references in the final slides.
|
|
|
|
I won't be showing them here---you can get them online.
|
|
|
|
My goal is to present you with enough information that you know that these
|
|
|
|
things /exist/,
|
|
|
|
and you know where to find more information about them.
|
|
|
|
Those unknown unknowns.
|
|
|
|
|
|
|
|
So: let's start with the obvious.
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
(Note: You're being "tracked", rather than "watched": the latter is too
|
|
|
|
often used and dismissed as tinfoil-hat FUD.)
|
|
|
|
#+END_COMMENT
|
|
|
|
|
|
|
|
#+BEGIN_CENTER
|
|
|
|
#+BEAMER: \only<1>{You're Being Tracked.}
|
|
|
|
#+BEAMER: \only<2>{(No, really, I have references.)}
|
|
|
|
#+END_CENTER
|
|
|
|
|
2017-03-11 23:25:25 -05:00
|
|
|
|
|
|
|
** REVIEWED Mobile [0/5]
|
|
|
|
*** REVIEWED Introduction :B_ignoreheading:
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:BEAMER_env: ignoreheading
|
|
|
|
:END:
|
2017-03-11 23:25:25 -05:00
|
|
|
**** REVIEWED Introduction :B_fullframe:
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
2017-03-11 23:25:25 -05:00
|
|
|
:DURATION: 00:00:15
|
2017-04-02 21:59:29 -04:00
|
|
|
:BEAMER_env: fullframe
|
|
|
|
:END:
|
|
|
|
|
|
|
|
- <1-> Most people carry mobile phones
|
|
|
|
- <1-> Synonymous with individual
|
|
|
|
- <2> Excellent tracking devices
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
|
|
|
How many of you are carrying a mobile phone right now?
|
|
|
|
Probably most of us.
|
2017-03-11 23:25:25 -05:00
|
|
|
They are something we carry with us everywhere.
|
|
|
|
They are computers that are always on.
|
|
|
|
|
|
|
|
A phone is often synonymous with an individual;
|
|
|
|
they are a part of us.
|
2017-04-02 21:59:29 -04:00
|
|
|
In other words: they're excellent tracking devices.
|
|
|
|
#+END_COMMENT
|
|
|
|
|
2017-03-11 23:25:25 -05:00
|
|
|
*** REVIEWED Cell Towers [0/2]
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
2017-03-11 23:25:25 -05:00
|
|
|
:DURATION: 0:02
|
|
|
|
:END:
|
|
|
|
**** REVIEWED Fundamentally Needed
|
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:00:45
|
2017-04-02 21:59:29 -04:00
|
|
|
:END:
|
2017-03-11 23:25:25 -05:00
|
|
|
- Phone needs tower to make and receive calls
|
|
|
|
- Gives away approximate location (can triangulate)
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-03-11 23:25:25 -05:00
|
|
|
The primary reason is inherent in a phone's design:
|
|
|
|
cell towers.
|
2017-04-02 21:59:29 -04:00
|
|
|
A phone "needs" to be connected to a tower to make and receive calls.
|
|
|
|
|
2017-03-11 23:25:25 -05:00
|
|
|
Unless it is off or otherwise disconnected (like airplane mode),
|
2017-04-02 21:59:29 -04:00
|
|
|
its connection to the cell tower exposes your approximate location.
|
|
|
|
These data persist for as long as the phone companies are willing to persist
|
2017-03-11 23:25:25 -05:00
|
|
|
it.
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
Some people don't use phones primarily for this reason.
|
|
|
|
|
2017-03-11 23:25:25 -05:00
|
|
|
rms, for example, said he might use a phone if it could act as a pager,
|
2017-04-02 21:59:29 -04:00
|
|
|
where he'd only need to expose his location once he is in a safe place.
|
|
|
|
You can imagine that such would be a very useful and important feature for
|
|
|
|
reporters and dissidents as well.
|
|
|
|
#+END_COMMENT
|
|
|
|
|
|
|
|
|
2017-03-11 23:25:25 -05:00
|
|
|
**** REVIEWED Cell-Site Simulators
|
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:00:45
|
|
|
|
:END:
|
|
|
|
- <1-> IMSI-Catchers
|
2017-04-02 21:59:29 -04:00
|
|
|
- <1-> Masquerade as cell towers
|
2017-03-11 23:25:25 -05:00
|
|
|
- <1-> Most popular: Stingray
|
|
|
|
- <2-> Free/libre Android program AIMSICD available on F-Droid attempts to
|
|
|
|
detect\cite{aimsid}
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-03-11 23:25:25 -05:00
|
|
|
Cell Site Simulators have made a lot of news in the past (including my local
|
|
|
|
news),
|
|
|
|
one of the most popular examples being the Stingray.
|
|
|
|
These devices masquerade as cell towers.
|
|
|
|
This allows (for example) law enforcement to get a suspect's phone to
|
|
|
|
connect to _their_ device rather than a real tower,
|
|
|
|
which allows their location to be triangulated,
|
|
|
|
calls to be intercepted,
|
|
|
|
texts to be mined,
|
|
|
|
etc.
|
|
|
|
Law enforcement might also use it to record all devices in an area,
|
|
|
|
such as during a protest.
|
|
|
|
|
|
|
|
The problem is: _every_ phone in the area will try to connect to it;
|
|
|
|
it amounts to a dragnet search,
|
|
|
|
and is therefore extremely controversial.
|
|
|
|
|
|
|
|
The Android program AIMSICD---Android IMSI-Catcher Detector---is being
|
|
|
|
developed in an attempt to detect these devices.
|
|
|
|
It is free software and is available on F-Droid.
|
2017-04-02 21:59:29 -04:00
|
|
|
#+END_COMMENT
|
|
|
|
|
|
|
|
|
2017-03-11 23:25:25 -05:00
|
|
|
*** REVIEWED Wifi [0/3]
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
2017-03-11 23:25:25 -05:00
|
|
|
:DURATION: 0:01
|
2017-04-02 21:59:29 -04:00
|
|
|
:END:
|
|
|
|
|
2017-03-11 23:25:25 -05:00
|
|
|
**** REVIEWED ESSID and MAC Broadcast
|
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:01
|
|
|
|
:END:
|
|
|
|
- <1-> Device may broadcast ESSIDs of past hidden networks
|
|
|
|
- <2-> Expose unique hardware identifiers (MAC address)
|
|
|
|
- <3-> **Defending against this is difficult**
|
|
|
|
- <4-> /Turn off Wifi/ in untrusted places
|
|
|
|
- <4-> Turn off settings to auto-connect when receiving e.g. MMS
|
|
|
|
- <5-> Use cellular data (e.g. {2,3,4}G)
|
|
|
|
- <6-> **MAC address randomization works poorly**\cite{arxiv:mac}
|
2017-03-05 03:23:35 -05:00
|
|
|
|
2017-04-02 21:59:29 -04:00
|
|
|
#+BEGIN_COMMENT
|
|
|
|
What else is inherent in a modern phone design?
|
|
|
|
A common feature is Wifi.
|
|
|
|
|
|
|
|
If you connected to any hidden networks,
|
|
|
|
your phone may broadcast that network name to see if it exists.
|
|
|
|
|
2017-03-11 23:25:25 -05:00
|
|
|
It exposes unique device identifiers (MACs),
|
2017-04-02 21:59:29 -04:00
|
|
|
which can be used to uniquely identify you.
|
2017-03-05 03:23:35 -05:00
|
|
|
|
2017-03-11 23:25:25 -05:00
|
|
|
Defending against this is difficult,
|
|
|
|
unless you take the simple yet effective route:
|
|
|
|
disable Wifi completely,
|
|
|
|
at least when you're not in a safe area you can trust.
|
|
|
|
Some apps will automatically enable networking if they receive,
|
|
|
|
for example,
|
|
|
|
MMS messages;
|
|
|
|
be careful of that.
|
|
|
|
If you really do need data,
|
|
|
|
use your cellular data.
|
|
|
|
You are already hemmoraging information to your phone company,
|
|
|
|
so at least you're limiting your exposure.
|
|
|
|
|
|
|
|
Some phones and apps offer MAC address randomization.
|
|
|
|
That's a good thing in priniciple.
|
|
|
|
Unfortunately, it seems to be easily defeated.
|
|
|
|
One study, cited here,
|
|
|
|
claims to be able to defeat randomization 100% of the time,
|
|
|
|
regardless of manufacturer.
|
|
|
|
|
|
|
|
/Segue to next section:/
|
|
|
|
All these previous risks are _passive_---
|
|
|
|
they require no malicious software on your device.
|
|
|
|
But what if we _do_ have such software?
|
|
|
|
And of course, we do.
|
2017-03-05 03:23:35 -05:00
|
|
|
#+END_COMMENT
|
|
|
|
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-11 23:25:25 -05:00
|
|
|
*** REVIEWED Geolocation [0/3]
|
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 0:02
|
|
|
|
:END:
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-11 23:25:25 -05:00
|
|
|
**** REVIEWED GPS
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:01
|
|
|
|
:END:
|
2017-03-11 23:25:25 -05:00
|
|
|
- <1-> Not inherently a surveillance tool
|
|
|
|
- <2-> Often enabled by default
|
|
|
|
- <2-> Might prompt user, but features are attractive
|
|
|
|
- <3-> Programs give excuses to track\cite{jots:mobile}
|
|
|
|
- <3-> Navigation systems
|
|
|
|
- <3-> Location information for social media, photos, nearby friends, finding
|
|
|
|
lost phones, location-relative searches, etc.
|
|
|
|
- <4-> Not-so-good: targeted advertising and building users profiles
|
|
|
|
- <4-> If phone is compromised, location is known
|
2017-03-05 03:39:19 -05:00
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-03-11 23:25:25 -05:00
|
|
|
Let's talk about geolocation!
|
2017-04-02 21:59:29 -04:00
|
|
|
Many people find them to be very convenient.
|
|
|
|
The most popular being GPS.
|
2017-03-11 23:25:25 -05:00
|
|
|
|
|
|
|
GPS isn't inherently a surveillance tool;
|
|
|
|
it can't track you on its own.
|
|
|
|
Your GPS device triangulates its location based on signals
|
|
|
|
broadcast by GPS satellites in line-of-site.
|
|
|
|
|
2017-04-02 21:59:29 -04:00
|
|
|
Because of the cool features it permits,
|
2017-03-11 23:25:25 -05:00
|
|
|
it's often enabled on devices.
|
2017-04-02 21:59:29 -04:00
|
|
|
And programs will track your movements just for the hell of it.
|
|
|
|
Or give an excuse to track you.
|
2017-03-11 23:25:25 -05:00
|
|
|
|
|
|
|
I'm not saying there aren't legitimate uses.
|
|
|
|
Navigation systems,
|
|
|
|
social media,
|
|
|
|
photo metadata,
|
|
|
|
finding nearby friends,
|
|
|
|
finding lost phones---
|
|
|
|
all of these things are legitimate.
|
|
|
|
You just need to be able to trust the software that you are running,
|
|
|
|
Often times, you can't.
|
|
|
|
Without source code,
|
|
|
|
it's sometimes hard to say if a program is doing other things.
|
|
|
|
Like using it for targeted advertising,
|
|
|
|
and/or building a user profile (which we'll talk about later).
|
|
|
|
#+END_COMMENT
|
|
|
|
|
|
|
|
**** REVIEWED But I Want GPS!
|
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:00:30
|
|
|
|
:END:
|
|
|
|
- <1-> Is the program transparent in what data it sends? (Is the source code
|
|
|
|
available?)\cite{jots:mobile}
|
|
|
|
- <1-> Does the program let you disable those features?
|
|
|
|
- <2-> Pre-download location-sensitive data (e.g. street maps)
|
|
|
|
- <2-> OsmAnd (free software, Android and iOS)\cite{osmand}
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
|
|
|
So you may legitimately want GPS enabled.
|
|
|
|
It's terrible that you should be concerned about it.
|
|
|
|
|
|
|
|
You need to know what data you're leaking so that you can decide whether
|
|
|
|
or not you want to do so.
|
|
|
|
And you need the option to disable it.
|
|
|
|
|
|
|
|
Sometimes your location is leaked as a side-effect.
|
|
|
|
Navigation systems, for example, usually lazy-load map images.
|
|
|
|
Some apps let you use pre-downloaded maps,
|
|
|
|
like OsmAnd,
|
|
|
|
which is free software available on both Android and---if you must---iOS.
|
2017-03-05 03:39:19 -05:00
|
|
|
#+END_COMMENT
|
|
|
|
|
2017-03-11 23:25:25 -05:00
|
|
|
|
|
|
|
**** REVIEWED Location Services
|
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:00:45
|
|
|
|
:END:
|
|
|
|
|
2017-03-05 03:39:19 -05:00
|
|
|
- <1-> No GPS? No problem!
|
2017-03-11 23:25:25 -05:00
|
|
|
- <1-> Mozilla Location Services, OpenMobileNetwork, ...
|
|
|
|
\cite{mozilla:loc-services,openmobilenetwork}
|
|
|
|
- <2-> Wifi Positioning System; Bluetooth networks;
|
|
|
|
nearby cell towers\cite{w:wps}
|
|
|
|
- <2-> Signal strength and SSIDs and MACs of Access Points
|
|
|
|
\cite{w:trilateration,acm:spotfi,acm:lteye}
|
|
|
|
- <3-> Gathered by Google Street View cars
|
|
|
|
- <3-> Your device may report back nearby networks to build a more
|
|
|
|
comprehensive database
|
|
|
|
- <4-> Works even where GPS and Cell signals cannot penetrate
|
|
|
|
- <4-> Can be /more/ accurate than GPS (e.g. what store in a shopping mall)
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-05 03:39:19 -05:00
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
But GPS doesn't need to be available.
|
|
|
|
Have you ever used a map program on a computer that asked for your location?
|
|
|
|
How does it do that without GPS?
|
2017-03-11 23:25:25 -05:00
|
|
|
|
|
|
|
There are numerous services available to geolocate based on nearby access
|
|
|
|
points, bluetooth networks, and cell towers.
|
|
|
|
Based on the signal strength of nearby WiFi networks,
|
|
|
|
your position can be more accurately trangulated.
|
|
|
|
|
|
|
|
These data are gathered by Google Street View cars.
|
|
|
|
Your phone might also be reporting back nearby networks in order to improve
|
|
|
|
the quality of these databases.
|
|
|
|
|
2017-04-02 21:59:29 -04:00
|
|
|
Sometimes this can be more accurate than GPS.
|
|
|
|
And it works where GPS and maybe even cell service don't, such as inside
|
|
|
|
shopping malls.
|
|
|
|
|
2017-03-11 23:25:25 -05:00
|
|
|
So just because GPS is off does not mean your location is unknown.
|
2017-03-05 03:39:19 -05:00
|
|
|
#+END_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-11 23:25:25 -05:00
|
|
|
*** REVIEWED Operating System [0/3]
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
2017-03-11 23:25:25 -05:00
|
|
|
:DURATION: 0:02
|
2017-04-02 21:59:29 -04:00
|
|
|
:END:
|
2017-03-05 14:39:19 -05:00
|
|
|
|
2017-03-11 23:25:25 -05:00
|
|
|
**** REVIEWED Untrusted/Proprietary OS
|
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:00:45
|
|
|
|
:END:
|
2017-03-05 14:39:19 -05:00
|
|
|
|
2017-03-11 23:25:25 -05:00
|
|
|
- <1-> Who does your phone work for?
|
2017-03-05 14:39:19 -05:00
|
|
|
- Apple? Google? Microsoft? Blackberry? Your manufacturer too?
|
2017-03-11 23:25:25 -05:00
|
|
|
- <1-> Carry everywhere you go, but fundamentally cannot
|
|
|
|
trust it\cite{gnu:malware-mobile}
|
|
|
|
- <2-> Some come with gratis surveillance
|
|
|
|
- <2-> BLU phones sent SMS messages, contacts, call history, IMEIs, and
|
|
|
|
more to third-party servers without users' knowledge or censent
|
|
|
|
\cite{kryptowire:adups}
|
2017-03-05 14:39:19 -05:00
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-03-11 23:25:25 -05:00
|
|
|
A lot of this boils down to trust.
|
|
|
|
Who does your phone work for?
|
|
|
|
|
|
|
|
Does your phone work for Apple? Google? Microsoft? Blackberry?
|
|
|
|
Or does it work for you?
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-11 23:25:25 -05:00
|
|
|
The OS situation on mobile is lousy.
|
2017-04-02 21:59:29 -04:00
|
|
|
You carry around this computer everywhere you go.
|
|
|
|
And you fundamentally cannot trust it.
|
2017-03-11 23:25:25 -05:00
|
|
|
|
|
|
|
Take BLU phones for example.
|
|
|
|
In November of last year it was discovered that these popular phones
|
|
|
|
contained software that sent SMS messages, contact lists, call history,
|
|
|
|
IMEIs, etc to third-party servers without users' knowledge or consent.
|
|
|
|
That software could also remotely execute code on the device.
|
2017-03-05 14:39:19 -05:00
|
|
|
#+END_COMMENT
|
|
|
|
|
2017-03-11 23:25:25 -05:00
|
|
|
**** REVIEWED Free/Libre Mobile OS?
|
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:00:30
|
|
|
|
:END:
|
|
|
|
- <1-> Android is supposedly free software
|
|
|
|
- <1-> But every phone requires proprietary drivers, or contains
|
2017-03-05 14:39:19 -05:00
|
|
|
proprietary software
|
2017-03-11 23:25:25 -05:00
|
|
|
- <2-> Replicant\cite{replicant}
|
2017-03-05 14:39:19 -05:00
|
|
|
- <3> Niche. Interest is low, largely work of one developer now.
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-05 14:39:19 -05:00
|
|
|
#+BEGIN_COMMENT
|
2017-03-11 23:25:25 -05:00
|
|
|
Android is supposedly a free operating system.
|
|
|
|
Unfortunately,
|
|
|
|
every phone requires proprietary drivers to work,
|
|
|
|
and is loaded with proprietary software.
|
|
|
|
|
2017-04-02 21:59:29 -04:00
|
|
|
Does anyone here use Replicant?
|
2017-03-11 23:25:25 -05:00
|
|
|
I do.
|
|
|
|
Replicant is a fully free Android fork.
|
|
|
|
I feel like I can at least trust my phone a little bit,
|
|
|
|
but I still consider any data on it to be essentially compromised in the
|
|
|
|
sense that I can't be confident in my ability to audit it and properly
|
|
|
|
secure the device.
|
2017-03-05 14:39:19 -05:00
|
|
|
#+END_COMMENT
|
|
|
|
|
|
|
|
|
2017-03-11 23:25:25 -05:00
|
|
|
**** REVIEWED Modem Isolation
|
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:00:30
|
|
|
|
:END:
|
|
|
|
|
|
|
|
- But modem still runs non-free software\cite{replicant:sec}
|
|
|
|
- Sometimes has access to CPU, disk, and memory\cite{replicant:samsung-bd}
|
2017-03-05 14:39:19 -05:00
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
But on nearly every phone,
|
|
|
|
the modem still runs proprietary software.
|
2017-03-11 23:25:25 -05:00
|
|
|
And sometimes it has direct access to CPU, disk, and memory.
|
|
|
|
Replicant closed a backdoor in Samsung Galaxy phones that allowed for remote
|
|
|
|
access to the disk.
|
|
|
|
That backdoor might not have been intentional,
|
|
|
|
but it illustrates the possibility,
|
|
|
|
and could still be exploited by an attacker.
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
So even with Replicant,
|
|
|
|
I consider the device compromised;
|
|
|
|
I put nothing important on it if I can avoid it.
|
2017-03-05 14:39:19 -05:00
|
|
|
#+END_COMMENT
|
|
|
|
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
|
2017-03-06 23:22:57 -05:00
|
|
|
** LACKING Stationary [0/5]
|
2017-03-06 21:48:35 -05:00
|
|
|
*** DRAFT Introduction [0/1] :B_ignoreheading:
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:BEAMER_env: ignoreheading
|
|
|
|
:END:
|
2017-03-06 21:48:35 -05:00
|
|
|
**** DRAFT Introduction :B_fullframe:
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:00:30
|
|
|
|
:BEAMER_env: fullframe
|
|
|
|
:END:
|
2017-03-05 15:06:48 -05:00
|
|
|
|
|
|
|
#+BEGIN_CENTER
|
|
|
|
Certain types of tracking are unavoidable.
|
|
|
|
#+END_CENTER
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
So let's say you have evaded that type of tracking.
|
|
|
|
Maybe you don't carry a phone.
|
|
|
|
Or maybe you've mitigated those threats in some way.
|
|
|
|
|
|
|
|
There's certain things that are nearly impossible to avoid.
|
2017-03-05 15:06:48 -05:00
|
|
|
#+END_COMMENT
|
|
|
|
|
2017-03-06 21:48:35 -05:00
|
|
|
*** DRAFT Surveillance Cameras [0/2]
|
|
|
|
**** DRAFT Unavoidable Surveillance
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-05 15:06:48 -05:00
|
|
|
- Security cameras are everywhere
|
|
|
|
- Homes
|
|
|
|
- Private businesses
|
|
|
|
- Traffic cameras
|
|
|
|
- Streets
|
|
|
|
- ...
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
On the way here,
|
|
|
|
you likely walked by numerous security cameras.
|
|
|
|
They could be security cameras for private businesses.
|
|
|
|
Traffic cameras.
|
|
|
|
Cameras on streets to deter crime.
|
|
|
|
|
|
|
|
Let's set aside local, state, and federal-owned cameras for a moment
|
|
|
|
and focus on businesses.
|
|
|
|
So a bunch of separate businesses have you on camera.
|
|
|
|
So what?
|
2017-03-05 15:06:48 -05:00
|
|
|
#+END_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
|
2017-03-06 21:48:35 -05:00
|
|
|
**** DRAFT Access to Data
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:00:30
|
|
|
|
:END:
|
2017-03-05 15:06:48 -05:00
|
|
|
|
|
|
|
- <1> Data can be subpoenaed or obtained with a warrant
|
|
|
|
- <1> If law enforcement wants to track you, they can
|
|
|
|
- <2> If you own a surveillance system, be responsible and considerate
|
|
|
|
- <2> Best way to restrict data is to avoid collecting it to begin with
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
Well one of the most obvious threats, should it pertain to you, is a
|
|
|
|
subpoena.
|
|
|
|
If law enforcement wanted to track you for whatever reason---crime or
|
|
|
|
not!---they could simply subpoena the surrounding area.
|
2017-03-05 15:06:48 -05:00
|
|
|
The best form of privacy is to avoid having the data be collected to begin
|
|
|
|
with.
|
|
|
|
#+END_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-06 23:22:57 -05:00
|
|
|
|
|
|
|
*** LACKING Internet of Things [0/4]
|
|
|
|
**** DRAFT Internet-Connected Cameras
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:00:30
|
|
|
|
:END:
|
2017-03-06 23:22:57 -05:00
|
|
|
|
|
|
|
- Cameras used to be ``closed-circuit''
|
|
|
|
- Today\ldots not always so much
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
In the past, these cameras were "closed-circuit"---
|
|
|
|
they were on their own segregated network.
|
|
|
|
You'd _have_ to subpoena the owner,
|
|
|
|
or otherwise physically take the tape.
|
|
|
|
|
|
|
|
Today, that might be the intent, but these cameras are often
|
|
|
|
connected to the Internet for one reason or another.
|
|
|
|
It might be intentional---to view the camera remotely---or it may just be
|
|
|
|
how it is set up by default.
|
|
|
|
|
|
|
|
Well...
|
|
|
|
Let's expand our pool of cameras a bit.
|
|
|
|
Because it's not just businesses that use Internet-connected cameras.
|
|
|
|
They're also popular among individuals for personal/home use.
|
|
|
|
Home security systems.
|
|
|
|
Baby monitors.
|
2017-03-06 23:22:57 -05:00
|
|
|
#+END_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-06 23:22:57 -05:00
|
|
|
**** LACKING The ``S'' In IoT Stands For ``Security''
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:01:30
|
|
|
|
:END:
|
2017-03-06 23:22:57 -05:00
|
|
|
|
|
|
|
- Shodan---IoT search engine
|
|
|
|
- Mirai
|
|
|
|
- ...<other concerns>
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
Who here has heard of Shodan?
|
|
|
|
|
|
|
|
Shodan is a search engine for the Internet of Things.
|
|
|
|
It spiders for Internet-connected devices and indexes them.
|
|
|
|
Okay, that's to be expected.
|
|
|
|
Maybe that wouldn't be a problem if people knew proper NAT configuration
|
|
|
|
that isn't subverted by UPnP.
|
|
|
|
Maybe it wouldn't be a problem if these devices even gave a moment of
|
|
|
|
thought to security.
|
2017-03-06 23:22:57 -05:00
|
|
|
#+END_COMMENT
|
|
|
|
|
|
|
|
|
2017-03-07 23:35:16 -05:00
|
|
|
**** DEVOID Who's Watching?
|
2017-03-06 23:22:57 -05:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:00:30
|
|
|
|
:END:
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-06 23:22:57 -05:00
|
|
|
- Insecam
|
|
|
|
- <Add information>
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
Anyone heard of Insecam?
|
|
|
|
It's a site that aggregates live video feeds of unsecured IP cameras.
|
|
|
|
I can tell you personally that you feel like a scumbag looking at the site.
|
|
|
|
There's fascinating things on there.
|
|
|
|
And sobering ones.
|
|
|
|
And creepy ones.
|
|
|
|
Restaurants---families eating dinner; chefs preparing food in the back.
|
|
|
|
Public areas---beaches, pools, walkways, city streets.
|
|
|
|
Private areas---inside homes; private businesses. Hotel clerks sitting
|
|
|
|
behind desks on their cell phones. Warehouses.
|
|
|
|
Behind security desks.
|
|
|
|
Behind cash registers.
|
|
|
|
Hospital rooms.
|
|
|
|
Inside surveillance rooms where people watch their surveillance system!
|
|
|
|
With armed guards!
|
|
|
|
Scientific research: people in full dress performing experiments.
|
|
|
|
I saw someone at the dentist getting a teeth cleaning.
|
|
|
|
Anything you can think of.
|
|
|
|
You can literally explore the world.
|
|
|
|
There are some beautiful sights! Absolutely gorgeous.
|
|
|
|
They remove things that are too deeply personal.
|
|
|
|
Assuming someone reports it.
|
|
|
|
|
|
|
|
This is an excellent example to demonstrate to others why this is such a big
|
|
|
|
deal.
|
|
|
|
|
|
|
|
So that's what your average person can do.
|
|
|
|
That's what some of you are going to be doing as soon as you leave this
|
|
|
|
talk, if you haven't started looking already!
|
|
|
|
|
|
|
|
That's what law enforcement is going to do.
|
|
|
|
That's what the NSA, GHCQ, et. al. are going to do.
|
2017-03-06 23:22:57 -05:00
|
|
|
#+END_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-06 23:22:57 -05:00
|
|
|
|
|
|
|
**** DRAFT Facial Recognition
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:01
|
|
|
|
:END:
|
2017-03-06 23:22:57 -05:00
|
|
|
|
|
|
|
- <1-> Humans no longer need to scour video feeds
|
|
|
|
- <2-> Facial recognition widely used even for entertainment
|
|
|
|
- <3-> No face? Check your gait.
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
Now let's couple that with facial recognition.
|
|
|
|
|
|
|
|
Consider the breadth of devices we just covered.
|
|
|
|
Literally everywhere.
|
|
|
|
People don't need to manually look for you anymore;
|
|
|
|
it's automated.
|
|
|
|
Hell, any of us can download a free (as in freedom) library to do facial
|
|
|
|
recognition and train it to recognize people.
|
|
|
|
Facebook famously got creepy by saying it could recognize people by their
|
|
|
|
dress and posture, from behind.
|
|
|
|
|
|
|
|
You don't need facial recognition, though.
|
|
|
|
You can also be identified by your gait.
|
|
|
|
|
|
|
|
There's a lot to say about IoT.
|
|
|
|
We'll come back to it.
|
2017-03-06 23:22:57 -05:00
|
|
|
#+END_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
|
2017-03-06 23:22:57 -05:00
|
|
|
*** DRAFT Social Media [0/1]
|
|
|
|
**** DRAFT Collateral Damage
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:01
|
|
|
|
:END:
|
|
|
|
|
2017-03-06 23:22:57 -05:00
|
|
|
- <1-> Don't put pictures of me on Facebook
|
|
|
|
- <1-> Don't put pictures of my children _anywhere_
|
|
|
|
- <2-> That person in the distance that happens to be in your photo has
|
|
|
|
been inflicted with collateral damage
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
So you don't have any unsecured IoT cameras in your home.
|
|
|
|
Or in this conference.
|
|
|
|
But you do have unsecured people running wild with their photos and their
|
|
|
|
selfies.
|
|
|
|
|
|
|
|
I'm sure you've heard a frequent request/demand from rms:
|
|
|
|
"Don't put pictures of me on Facebook."
|
|
|
|
This applies to all social media, really.
|
|
|
|
I just mentioned facial recognition---
|
|
|
|
this is precisely what Facebook (for example) made it for!
|
|
|
|
To identify people you might know to tag them.
|
|
|
|
It's excellent surveillance.
|
|
|
|
What irks me is when people try to take pictures of my kids,
|
|
|
|
or do and ask if they can put them online.
|
|
|
|
Uh, no. You cannot.
|
|
|
|
And people are sometimes surprised by that refusal.
|
|
|
|
|
|
|
|
Most people are being innocent---
|
|
|
|
they're just trying to capture the moment.
|
|
|
|
What they're actually doing is inflicting collateral damage.
|
|
|
|
If I'm off in the background when you take a picture of your friends in the
|
|
|
|
foreground,
|
|
|
|
I'm still in the photo.
|
2017-03-06 23:22:57 -05:00
|
|
|
#+END_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
|
2017-03-06 21:48:35 -05:00
|
|
|
*** RAW Driving [0/3]
|
2017-03-06 23:22:57 -05:00
|
|
|
**** DRAFT Introduction :B_fullframe:
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:00:30
|
|
|
|
:BEAMER_env: fullframe
|
|
|
|
:END:
|
2017-03-06 23:22:57 -05:00
|
|
|
|
|
|
|
- Do you drive a vehicle?
|
|
|
|
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
Okay.
|
|
|
|
So you have no phone.
|
|
|
|
You sneak around public areas like a ninja.
|
|
|
|
Like a vampire, you don't show up in photos.
|
|
|
|
And you have no friends.
|
|
|
|
|
|
|
|
So how else can I physically track you in your travels here?
|
|
|
|
|
|
|
|
Well if you flew here,
|
|
|
|
then your location is obviously known.
|
|
|
|
That's not even worth discussing.
|
|
|
|
|
|
|
|
But what about if you drove?
|
2017-03-06 23:22:57 -05:00
|
|
|
#+END_COMMENT
|
|
|
|
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-06 23:22:57 -05:00
|
|
|
**** LACKING ALPRs
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:01
|
|
|
|
:END:
|
2017-03-06 23:22:57 -05:00
|
|
|
|
|
|
|
- Automated License Plate Readers (ALPRs)
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
ALPRs possibly tracked your movements.
|
|
|
|
Automated License Plate Readers.
|
|
|
|
|
|
|
|
<...>
|
|
|
|
|
|
|
|
Maybe you try to evade them with special license plate covers.
|
|
|
|
If need be, one could just track you by other unique features of your
|
|
|
|
vehicle.
|
|
|
|
And those might not just be law enforcement.
|
|
|
|
|
|
|
|
Security issues extend to this too!
|
|
|
|
<Mention EFF's project>
|
|
|
|
|
|
|
|
You could rent a car.
|
|
|
|
But the rental place probably took your name, license, and other
|
|
|
|
information.
|
|
|
|
You could take a cab and pay with cash.
|
|
|
|
But that can get expensive.
|
|
|
|
And they might have cameras and such anyway.
|
2017-03-06 23:22:57 -05:00
|
|
|
#+END_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
|
2017-03-06 23:22:57 -05:00
|
|
|
**** LACKING Car Itself
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:00:30
|
|
|
|
:END:
|
2017-03-06 23:22:57 -05:00
|
|
|
|
|
|
|
- Your vehicle itself might be a spy
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
Maybe your car itself is a tracking device (e.g. OnStar).
|
|
|
|
|
|
|
|
(Move into Mobile?)
|
|
|
|
|
|
|
|
<...>
|
2017-03-06 23:22:57 -05:00
|
|
|
#+END_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
|
2017-03-06 23:57:38 -05:00
|
|
|
** LACKING The Web [0/6]
|
|
|
|
*** DRAFT Introduction [0/1] :B_ignoreheading:
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:BEAMER_env: ignoreheading
|
|
|
|
:END:
|
2017-03-06 23:57:38 -05:00
|
|
|
**** DRAFT Introduction :B_fullframe:
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:BEAMER_env: fullframe
|
|
|
|
:END:
|
2017-03-06 23:57:38 -05:00
|
|
|
|
|
|
|
- Much of our lives are no longer in the flesh
|
|
|
|
- Or have some non-fleshy (virtual) analog
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
But you're not just tracked in the flesh.
|
|
|
|
Much of what we do today is virtual.
|
|
|
|
What better way to segue than to bridge the two?
|
2017-03-06 23:57:38 -05:00
|
|
|
#+END_COMMENT
|
|
|
|
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-06 23:57:38 -05:00
|
|
|
*** LACKING Bridging the Gap [0/1]
|
|
|
|
**** LACKING Ultrasound Tracking
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:01
|
|
|
|
:END:
|
|
|
|
|
2017-03-06 23:57:38 -05:00
|
|
|
- <1-> How do you bridge that analog?
|
|
|
|
- <2-> Particularly insidious example: ultrasound tracking
|
|
|
|
- <2-> Correlates users across devices
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
A challenge for advertisers is correlating users across multiple devices,
|
|
|
|
and in the real world.
|
|
|
|
|
|
|
|
Let's say you saw a commercial for some product Foo on TV.
|
|
|
|
And then you went online to research Foo.
|
|
|
|
And then you bought Foo.
|
|
|
|
|
|
|
|
Sometimes commercials have you enter promo codes online to know that you
|
|
|
|
arrived at the site from a TV commercial.
|
|
|
|
Or give you a unique URL.
|
|
|
|
|
|
|
|
Others play inaudible sounds that are picked up by your mobile device or
|
|
|
|
computer.
|
|
|
|
|
|
|
|
<...>
|
2017-03-06 23:57:38 -05:00
|
|
|
#+END_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
|
2017-03-06 23:57:38 -05:00
|
|
|
*** DRAFT Incentive to Betray [0/1]
|
|
|
|
**** DRAFT Summary :B_fullframe:
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:00:30
|
|
|
|
:BEAMER_env: fullframe
|
|
|
|
:END:
|
2017-03-06 23:57:38 -05:00
|
|
|
|
|
|
|
#+BEGIN_CENTER
|
|
|
|
There is strong incentive to betray
|
|
|
|
#+END_CENTER
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
So how does tracking happen?
|
|
|
|
How does this tracking code _get_ on so much of the web?
|
|
|
|
|
|
|
|
Incentives to betray users.
|
|
|
|
|
|
|
|
Many websites make money through advertising.
|
|
|
|
It can be lucrative.
|
|
|
|
And it's _easy_ to do.
|
2017-03-06 23:57:38 -05:00
|
|
|
#+END_COMMENT
|
|
|
|
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-06 23:57:38 -05:00
|
|
|
*** LACKING Analytics [0/2]
|
|
|
|
**** LACKING Trackers
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:01
|
|
|
|
:END:
|
|
|
|
|
2017-03-06 23:57:38 -05:00
|
|
|
- <1-> Website owners want to know what their visitors are doing
|
|
|
|
- <1-> That in itself isn't an unreasonable concept
|
|
|
|
- <2-> Methods and data define the issue
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
Site analytics is another issue.
|
|
|
|
Website owners want to know what their visitors are doing.
|
|
|
|
That in itself isn't an unreasonable thing broadly speaking,
|
|
|
|
but how you go about it and what types of data you collect
|
|
|
|
defines the issue.
|
|
|
|
|
|
|
|
Take Google Analytics for example.
|
|
|
|
A very popular proprietary analytics service.
|
|
|
|
It is one of the most widely distributed malware programs in the world.
|
|
|
|
|
|
|
|
<<examples of how GA tracks>>
|
|
|
|
|
|
|
|
And all of this is known to Google.
|
|
|
|
All of this can be used to identify users across the entire web.
|
|
|
|
|
|
|
|
<<list others>>
|
|
|
|
|
|
|
|
If you must track your users, consider using Piwik, which you can host
|
|
|
|
yourself.
|
2017-03-06 23:57:38 -05:00
|
|
|
#+END_COMMENT
|
|
|
|
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-06 23:57:38 -05:00
|
|
|
**** DRAFT Like Buttons
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:01
|
|
|
|
:END:
|
|
|
|
|
2017-03-06 23:57:38 -05:00
|
|
|
- <1-> Services encourage use of "like" buttons and such
|
|
|
|
- <1-> Infecting the web with trackers under the guise of community
|
|
|
|
- <2-> **Use Privacy Badger**
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
Another popular example are "like buttons" and similar little widgets that
|
|
|
|
websites like Facebook offer.
|
|
|
|
If a user is logged into Facebook,
|
|
|
|
then Facebook now knows that they visited that website,
|
|
|
|
_even if they don't click on the button_.
|
|
|
|
|
|
|
|
But even if you don't have a Facebook account,
|
|
|
|
information is being leaked to them
|
|
|
|
you are still being tracked.
|
2017-03-07 00:36:28 -05:00
|
|
|
|
2017-04-02 21:59:29 -04:00
|
|
|
Addons like Privacy Badger will block these.
|
2017-03-06 23:57:38 -05:00
|
|
|
#+END_COMMENT
|
|
|
|
|
|
|
|
|
|
|
|
*** LACKING Fingerprinting [0/3]
|
|
|
|
**** DRAFT Summary :B_fullframe:
|
|
|
|
#+BEGIN_CENTER
|
|
|
|
Browser Fingerprinting
|
|
|
|
#+END_CENTER
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
|
|
|
These methods are part of a broader topic called "browser fingerprinting".
|
|
|
|
It's just what it sounds like:
|
|
|
|
uniquely identify users online.
|
|
|
|
#+END_COMMENT
|
|
|
|
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-09 05:20:33 -05:00
|
|
|
**** LACKING Alarmingly Effective
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:03
|
|
|
|
:BEAMER_env: fullframe
|
|
|
|
:END:
|
|
|
|
|
2017-03-09 05:20:33 -05:00
|
|
|
- Panopticlick (EFF)\cite{panopti:about}
|
|
|
|
- JavaScript opens up a world of possibilities
|
|
|
|
- Clearing cookies et al. won't always help
|
|
|
|
- Can even track separate browsers on the same box
|
2017-03-06 23:57:38 -05:00
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
It's alarmingly effective.
|
|
|
|
|
|
|
|
Some methods allow fingerprinting even if the user uses multiple browsers
|
|
|
|
and takes care to clear all session data.
|
|
|
|
They can do this by effectively breaking out of the browser's sandbox by
|
|
|
|
doing operations that depend heavily on specifics of users' hardware.
|
2017-03-06 23:57:38 -05:00
|
|
|
#+END_COMMENT
|
|
|
|
|
2017-03-07 00:36:28 -05:00
|
|
|
|
2017-03-09 05:20:33 -05:00
|
|
|
**** DRAFT User Agent
|
|
|
|
- <1-> User agents can leak a lot of information
|
|
|
|
- <1-> ~18 bits in my browser on GNU/Linux, 1/~250,000
|
|
|
|
- <2-> Tor Browser\cite{panopti:about}
|
2017-03-06 23:57:38 -05:00
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-03-09 05:20:33 -05:00
|
|
|
Your browser's user agent is a string that it sends with every request
|
|
|
|
identifying itself and some of its capabilities.
|
|
|
|
It can be surprisingly unique.
|
|
|
|
When I tested a Firefox browser on GNU/Linux,
|
|
|
|
I was unique out of nearly 250,000 users.
|
2017-03-06 23:57:38 -05:00
|
|
|
#+END_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
|
2017-03-09 05:20:33 -05:00
|
|
|
*** DRAFT Anonymity [0/4]
|
|
|
|
**** DRAFT Summary :B_fullframe:
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:01
|
|
|
|
:BEAMER_env: fullframe
|
|
|
|
:END:
|
2017-03-06 23:57:38 -05:00
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
Another way is to be anonymous or pseudononymous.
|
|
|
|
In the latter case,
|
|
|
|
you assume a pseudoynm online and perform only activities that should be
|
|
|
|
associated with that pseudonym.
|
|
|
|
In the former case,
|
|
|
|
there should be no way to ever correlate past or future actions with your
|
|
|
|
current session.
|
2017-03-06 23:57:38 -05:00
|
|
|
#+END_COMMENT
|
|
|
|
|
2017-03-09 05:20:33 -05:00
|
|
|
***** Anonymity
|
|
|
|
Origin is unknown to server; no unique identifier known by
|
|
|
|
server\incite{whonix:donot}
|
2017-03-06 23:57:38 -05:00
|
|
|
|
2017-03-09 05:20:33 -05:00
|
|
|
***** Pseudonymity
|
|
|
|
Origin is unknown to server; unique identifier /is available/ to
|
|
|
|
server\incite{whonix:donot}
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-06 23:57:38 -05:00
|
|
|
|
|
|
|
**** DRAFT IANAAE :B_fullframe:
|
|
|
|
:PROPERTIES:
|
|
|
|
:BEAMER_env: fullframe
|
|
|
|
:END:
|
|
|
|
|
|
|
|
#+BEGIN_CENTER
|
|
|
|
IANAAE (I Am Not An Anonymity Expert)
|
|
|
|
#+END_CENTER
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
This is a difficult topic that's pretty dangerous to give advice on if you
|
|
|
|
have strong need for anonymity---for example, if you are a dissident or
|
|
|
|
whistleblower.
|
|
|
|
If your life depends on anonymity,
|
|
|
|
please do your own research.
|
|
|
|
I provide a number of resources to get you started.
|
2017-03-06 23:57:38 -05:00
|
|
|
#+END_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
|
2017-03-09 05:20:33 -05:00
|
|
|
**** DRAFT The Tor Network
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:01
|
|
|
|
:END:
|
2017-03-06 23:57:38 -05:00
|
|
|
|
2017-03-09 05:20:33 -05:00
|
|
|
- The Onion Router (Tor)\cite{tor}
|
|
|
|
- Helps defend against traffic analysis
|
|
|
|
- (Routing image)
|
2017-03-06 23:57:38 -05:00
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
Most here have probably heard of Tor.
|
|
|
|
"Tor" stands for "The Onion Router",
|
|
|
|
which describes how it relays data through the Tor network.
|
|
|
|
|
|
|
|
The packet is routed through a number of servers,
|
|
|
|
encrypted with the public key of each server such that the first hop
|
|
|
|
strips off the first layer and so on.
|
|
|
|
The exit node reveals the packet and delivers it to the destination,
|
|
|
|
then begins relaying the reply back to through the network to the user.
|
|
|
|
|
|
|
|
As long as a sufficient portion of the network can be trusted and has not
|
|
|
|
been compromised by an adversary,
|
|
|
|
it isn't possible to trace data back through the network.
|
|
|
|
|
|
|
|
The most common use of Tor is to route web traffic.
|
|
|
|
Many nodes block most other ports.
|
|
|
|
It's also possible to resolve DNS requests through Tor.
|
|
|
|
|
|
|
|
There are lots of other details that I don't have time to get to here,
|
|
|
|
but I provide a number of resources for you.
|
2017-03-06 23:57:38 -05:00
|
|
|
#+END_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
|
2017-03-09 05:20:33 -05:00
|
|
|
**** DRAFT TorBrowser, Tails, and Whonix
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:02
|
|
|
|
:END:
|
2017-03-06 23:57:38 -05:00
|
|
|
|
2017-03-09 05:20:33 -05:00
|
|
|
- <1-> Tor alone isn't enough
|
|
|
|
- <1-> Browser needs to be hardened
|
|
|
|
- <2-> TorBrowser is a hardened Firefox derivative
|
|
|
|
- <1-> Operating System needs to be hardened
|
|
|
|
- <2-> Tails, Whonix
|
2017-03-06 23:57:38 -05:00
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
Tor alone isn't enough to secure your anonymity.
|
|
|
|
|
|
|
|
It's hard to secure a web browser.
|
|
|
|
|
|
|
|
TorBrowser is a hardened version of Firefox.
|
|
|
|
The Tor browser recommends that you don't rely on a vanilla Firefox for
|
|
|
|
anonymity with Tor.
|
|
|
|
|
|
|
|
Tails...
|
|
|
|
|
|
|
|
Whonix...
|
2017-03-06 23:57:38 -05:00
|
|
|
#+END_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
|
2017-03-06 21:48:35 -05:00
|
|
|
** LACKING Data Analytics [0/2]
|
2017-03-07 00:24:40 -05:00
|
|
|
*** DRAFT Introduction [0/1] :B_ignoreheading:
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:BEAMER_env: ignoreheading
|
|
|
|
:END:
|
2017-03-07 00:24:40 -05:00
|
|
|
**** DRAFT Introduction :B_fullframe:
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:00
|
|
|
|
:BEAMER_env: fullframe
|
|
|
|
:END:
|
2017-03-07 00:24:40 -05:00
|
|
|
|
|
|
|
#+BEGIN_CENTER
|
|
|
|
``Big Data''
|
|
|
|
|
|
|
|
(/Your/ Big Data)
|
|
|
|
#+END_CENTER
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
We've seen adversaries with different motives.
|
|
|
|
Let's explore what some of them do with all those data.
|
2017-03-07 00:24:40 -05:00
|
|
|
#+END_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
|
2017-03-06 21:48:35 -05:00
|
|
|
*** LACKING Headings [0/3]
|
|
|
|
**** LACKING Advertisers
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:02
|
|
|
|
:END:
|
2017-03-07 00:24:40 -05:00
|
|
|
|
|
|
|
- Most users' threat models don't include the NSA
|
|
|
|
- Biggest threat to privacy are companies that aggregate data to understand
|
|
|
|
you (often /better than you/)
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
The biggest threat to privacy to the average user is by companies that
|
|
|
|
aggregate data for the purpose of understanding _you_.
|
|
|
|
Probably better than you understand you.
|
|
|
|
I'm sure many of you heard of the story of Target knowing a girl was
|
|
|
|
pregnant before she did.
|
|
|
|
|
|
|
|
<<user profiles>>
|
2017-03-07 00:24:40 -05:00
|
|
|
#+END_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
|
2017-03-07 23:35:16 -05:00
|
|
|
**** DEVOID Social Media
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:01
|
|
|
|
:END:
|
2017-03-07 00:24:40 -05:00
|
|
|
|
|
|
|
TODO
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
(Where you are, what you do.)
|
2017-03-07 00:24:40 -05:00
|
|
|
#+END_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
|
2017-03-07 23:35:16 -05:00
|
|
|
**** DEVOID Governments
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:00:30
|
|
|
|
:END:
|
2017-03-07 00:24:40 -05:00
|
|
|
|
|
|
|
TODO
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
(Segue into government surveillance.)
|
2017-03-07 00:24:40 -05:00
|
|
|
#+END_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
|
2017-03-07 00:36:28 -05:00
|
|
|
** LACKING Policy and Government [0/6]
|
|
|
|
*** DRAFT Introduction [0/1] :B_ignoreheading:
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:BEAMER_env: ignoreheading
|
|
|
|
:END:
|
2017-03-07 00:36:28 -05:00
|
|
|
**** DRAFT Introduction :B_fullframe:
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:00:30
|
|
|
|
:BEAMER_env: fullframe
|
|
|
|
:END:
|
2017-03-07 00:36:28 -05:00
|
|
|
|
|
|
|
- <1-> Governments have a duty to protect their people
|
|
|
|
- <2-> Governments have a duty to protect citizens' rights
|
|
|
|
|
|
|
|
#+BEGIN_LATEX
|
|
|
|
\vspace{2ex}
|
|
|
|
\only<3>{
|
|
|
|
\begin{center}
|
|
|
|
These duties are often at odds
|
|
|
|
\end{center}
|
|
|
|
}
|
|
|
|
#+END_LATEX
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
Where to begin.
|
|
|
|
|
|
|
|
Governments have a duty to protect their people.
|
|
|
|
But they also have a duty to know their bounds;
|
2017-03-07 00:36:28 -05:00
|
|
|
to protect citizens' rights and privacy.
|
|
|
|
|
2017-04-02 21:59:29 -04:00
|
|
|
We know how that story goes.
|
2017-03-07 00:36:28 -05:00
|
|
|
#+END_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
|
2017-03-09 07:17:13 -05:00
|
|
|
*** LACKING Surveillance [0/7]
|
|
|
|
**** DRAFT History of NSA Surveillance
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:02
|
|
|
|
:END:
|
2017-03-07 00:36:28 -05:00
|
|
|
|
2017-03-09 07:17:13 -05:00
|
|
|
- <1-> EFF has been fighting NSA domestic spying
|
|
|
|
since 2005\cite{eff:nsa:timeline,mtg:uproar}
|
|
|
|
- <1-> AT&T technician Mark Klein
|
|
|
|
- <1-> Dragnet surveillance; NSA-controlled ``SG3 Secure Room''
|
|
|
|
- <2-> Hepting v. AT&T (2006)
|
|
|
|
- <2-> Government and AT&T retroactive immunity through FAA (2008)
|
|
|
|
- <2-> Jewel v. NSA (2008)
|
|
|
|
- <2-> Summary of Voluminous Evidence
|
2017-03-07 00:36:28 -05:00
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-03-09 07:17:13 -05:00
|
|
|
When we think of the term ``surveillance'',
|
|
|
|
the NSA usually comes to mind.
|
|
|
|
|
|
|
|
The Electronic Frontier Foundation has been fighting the NSA
|
|
|
|
in court since 2006.
|
|
|
|
In 2005, a former AT&T technician Mark Klein provided ``undisputed
|
|
|
|
evidence'' about an NSA-controlled room at AT&T named ``SG-3'', through
|
|
|
|
which all traffic passed.
|
|
|
|
|
|
|
|
The EFF filed Hepting v. AT&T in 2006.
|
|
|
|
But in 2008, both the government and AT&T were awarded retroactive immunity
|
|
|
|
through the FISA Amendments Act.
|
|
|
|
The case was dismissed in 2009, along with dozens of other lawsuits.
|
|
|
|
|
|
|
|
In response,
|
|
|
|
the EFF filed Jewel v. NSA.
|
|
|
|
The case also benefitted from three additional whistleblowers.
|
2017-03-07 00:36:28 -05:00
|
|
|
#+END_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
|
2017-03-09 07:17:13 -05:00
|
|
|
**** DRAFT Ron Wyden :B_fullframe:
|
|
|
|
:PROPERTIES:
|
|
|
|
:BEAMER_env: fullframe
|
|
|
|
:END:
|
|
|
|
|
|
|
|
Senator Ron Wyden, 26 May 2011:
|
|
|
|
|
|
|
|
#+BEGIN_QUOTE
|
|
|
|
I have served on the Intelligence Committee for over a decade and I wish to
|
|
|
|
deliver a warning this afternoon. When the American people find out how
|
|
|
|
their government has secretly interpreted [the business records provision of
|
|
|
|
FISA], they are going to be stunned and they are going to be angry.
|
|
|
|
#+END_QUOTE
|
|
|
|
|
|
|
|
|
|
|
|
**** DRAFT The Leak :B_fullframe:
|
|
|
|
:PROPERTIES:
|
|
|
|
:BEAMER_env: fullframe
|
|
|
|
:END:
|
|
|
|
|
|
|
|
#+BEGIN_CENTER
|
|
|
|
5 June 2013
|
|
|
|
#+END_CENTER
|
|
|
|
|
|
|
|
|
|
|
|
**** DRAFT Verizon Metadata
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:00:30
|
|
|
|
:END:
|
2017-03-07 00:36:28 -05:00
|
|
|
|
2017-03-09 07:17:13 -05:00
|
|
|
- <1-> 5 June 2013---Guardian releases leaked document ordering Verizon to
|
|
|
|
collect ``telephony metadata''
|
|
|
|
|
|
|
|
#+BEGIN_QUOTE
|
|
|
|
[...] (i) between the United States and abroad; or (ii) wholly within the
|
|
|
|
United States, including local telephone calls.
|
|
|
|
#+END_QUOTE
|
|
|
|
|
|
|
|
- <2-> ``Business records'' provision partly declassified by Clapper on 6 June 2013
|
|
|
|
|
|
|
|
- <2-> The American people were stunned and angry
|
|
|
|
- <2-> But it wasn't a surprise to many
|
2017-03-07 00:36:28 -05:00
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-03-09 07:17:13 -05:00
|
|
|
June 5th 2013.
|
|
|
|
I remember where I was.
|
|
|
|
Does anyone remember what that date represents?
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-09 07:17:13 -05:00
|
|
|
The Guardian newspaper releases a leaked court order,
|
|
|
|
which orders Verizon to collect ``telephony metadata'' on /all/ calls,
|
|
|
|
/including local/.
|
|
|
|
|
|
|
|
That ``business records'' provision of FISA that Ron Wyden was talking about
|
|
|
|
was partly declassified by the then-DNI James Clapper on June 6th, 2013.
|
|
|
|
|
|
|
|
As Wyden predicted,
|
|
|
|
we were pretty stunned.
|
|
|
|
And pretty pissed off.
|
|
|
|
|
|
|
|
But it wasn't a surprise to many security researchers.
|
|
|
|
You guys can take a look at the references for more information on that.
|
2017-03-07 00:36:28 -05:00
|
|
|
#+END_COMMENT
|
|
|
|
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-09 07:17:13 -05:00
|
|
|
**** DRAFT PRISM
|
|
|
|
- 6 June 2013---Guardian leaks slideshow describing PRISM
|
|
|
|
|
|
|
|
- All companies denied involvement
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
|
|
|
But it didn't end there!
|
|
|
|
Well, obviously, we know that now.
|
|
|
|
|
|
|
|
One day later,
|
|
|
|
the Guardian releases a leaked slideshow that describes PRISM.
|
|
|
|
|
|
|
|
All companies eventually denied involvement in this program.
|
|
|
|
#+END_COMMENT
|
|
|
|
|
|
|
|
|
|
|
|
**** DRAFT Snowden
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:01
|
|
|
|
:END:
|
2017-03-07 00:36:28 -05:00
|
|
|
|
2017-03-09 07:17:13 -05:00
|
|
|
- 9 June 2013---The Guardian reveals Edward Snowden as the whistleblower
|
|
|
|
|
|
|
|
- Smear campaign
|
|
|
|
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
|
|
|
These were serious leaks.
|
|
|
|
They still are.
|
|
|
|
And three days later---to our surprise---the source of the leaks was
|
|
|
|
revealed.
|
|
|
|
|
|
|
|
And the world came to know Edward Snowden through a huge smear campaign.
|
|
|
|
They pointed out that his girlfriend was a pole dancer.
|
|
|
|
They tried to discredit his role at the agency.
|
|
|
|
They tried to paint him as this social loner, and downplay his skills.
|
|
|
|
|
|
|
|
Fortunately, that conversation didn't last long, and did not succeed.
|
|
|
|
I'm not sure how many of you were here last year,
|
|
|
|
but Snowden gave the opening keynote to LP2016.
|
|
|
|
He received a minute-long standing ovation.
|
|
|
|
The energy in that room was incredible.
|
|
|
|
#+END_COMMENT
|
|
|
|
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-07 23:35:16 -05:00
|
|
|
**** DEVOID Tools
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:02
|
|
|
|
:END:
|
2017-03-07 00:36:28 -05:00
|
|
|
|
|
|
|
TODO
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
- XKeyscore and others
|
|
|
|
- Exploits
|
|
|
|
- Hardware
|
|
|
|
- Intercepting shipments
|
|
|
|
- Etc.
|
2017-03-07 00:36:28 -05:00
|
|
|
#+END_COMMENT
|
|
|
|
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-10 02:07:56 -05:00
|
|
|
*** LACKING Crypto Wars [0/6]
|
2017-03-07 00:36:28 -05:00
|
|
|
**** DRAFT Introduction :B_fullframe:
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:00
|
|
|
|
:BEAMER_env: fullframe
|
|
|
|
:END:
|
2017-03-07 00:36:28 -05:00
|
|
|
|
|
|
|
#+BEGIN_CENTER
|
2017-03-10 02:07:56 -05:00
|
|
|
\Huge History repeats itself
|
2017-03-07 00:36:28 -05:00
|
|
|
#+END_CENTER
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
All of that happened behind our backs.
|
|
|
|
|
|
|
|
But there is also a war being waged in public.
|
|
|
|
As if we haven't learned from the past.
|
|
|
|
The Crypto wars.
|
2017-03-07 00:36:28 -05:00
|
|
|
#+END_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
|
2017-03-10 02:07:56 -05:00
|
|
|
**** DRAFT Export-Grade Crypto
|
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:01:30
|
|
|
|
:END:
|
|
|
|
|
|
|
|
- <1-> Cryptography classified as munitions (Arms Export Control Act; ITAR)
|
|
|
|
- <1-> ``Export-grade'' cryptography
|
|
|
|
- <2-> Lotus Notes
|
|
|
|
- <2-> 40-bit export-grade symmetric key
|
|
|
|
- <3-> Agreement with NSA: 64-bit export, but 24 of those bits a "workload
|
|
|
|
reduction factor" for the NSA
|
|
|
|
- <4-> Phil Zimmerman: PGP (\geq 128 bits)
|
|
|
|
- <4-> Formal investigation by US government in 1993
|
|
|
|
- <4-> Published source code in a book, which could be OCR'd
|
|
|
|
- <5-> Still suffer long-term effects today
|
|
|
|
(downgrade attacks, e.g. POODLE)\cite{poodle:paper}
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
|
|
|
Back in the 1990s,
|
|
|
|
cryptography was classified as munitions.
|
|
|
|
|
|
|
|
If you wanted to export it to other countries,
|
|
|
|
you essentially had to make it crackable by the NSA.
|
|
|
|
|
|
|
|
Lotus Notes is often used as an example of the negative effects of such
|
|
|
|
regulation.
|
|
|
|
Interestingly, it was actually the first widely used software to use
|
|
|
|
public-key cryptography.
|
|
|
|
Due to export restrictions,
|
|
|
|
the maximum symmetric key size they could support was 40 bits.
|
|
|
|
This was easily crackable by the NSA,
|
|
|
|
but also feasible for other adversaries.
|
|
|
|
They compromised with the NSA:
|
|
|
|
64-bit keys, but 24 of those bits would be encrypted specially for the NSA
|
|
|
|
as a "workload reduction factor".
|
|
|
|
So you had protection against most adversaries,
|
|
|
|
but not the US government.
|
|
|
|
|
|
|
|
Then we have Phil Zimmerman, author of PGP.
|
|
|
|
He didn't consult the NSA.
|
|
|
|
Instead, he published the source code for PGP in a book with MIT Press,
|
|
|
|
and widely distributed it.
|
|
|
|
If someone wanted to use PGP,
|
|
|
|
they could unbind the book, OCR the pages, and compile it with GCC.
|
|
|
|
The US government opened a formal investigation into the case in 1993;
|
|
|
|
the charges were dropped years later.
|
|
|
|
|
|
|
|
We are still observing the fallout from export-grade crypto today.
|
|
|
|
They are called "downgrade attacks",
|
|
|
|
where a program such as a browser is tricked into using a weaker
|
|
|
|
cipher or keysize,
|
|
|
|
allowing an attacker to MitM the connection.
|
|
|
|
POODLE is an example of this.
|
|
|
|
#+END_COMMENT
|
|
|
|
|
|
|
|
|
|
|
|
**** DRAFT Bernstein v. United States
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:01
|
|
|
|
:END:
|
2017-03-10 02:07:56 -05:00
|
|
|
- <1-> 1995: Bernstein v. US Department of Justice\cite{eff:bernstein:doj}
|
|
|
|
- <1-> Argued that restrictions violated First Amendment
|
|
|
|
- <2-> **Code Is Speech**
|
|
|
|
- <1-> 1996: Bill Clinton Executive Order 13026 transferred to Commerce
|
|
|
|
Control List\cite{fedr:export-controls}
|
|
|
|
- <1-> Department of Commerce relaxed rules in 2000\cite{doc:rev-export-reg}
|
2017-03-07 00:36:28 -05:00
|
|
|
|
2017-03-10 02:07:56 -05:00
|
|
|
#+BEGIN_COMMENT
|
|
|
|
In order to publish information on encryption algorithms and the like,
|
|
|
|
you had to get permission from the government.
|
|
|
|
|
|
|
|
In 1995, Daniel Bernstein---then a graduate student---wanted to publish the
|
|
|
|
source code and mathematical papers for his encryption algorithm
|
|
|
|
/Snuffle/.
|
|
|
|
Like Zimmerman,
|
|
|
|
Bernstein thought export restrictions to be a violation of his First
|
|
|
|
Amendment rights.
|
|
|
|
But instead of blatant defiance,
|
|
|
|
he decided to sue the US government.
|
|
|
|
He was represented by the EFF.
|
|
|
|
The Ninth Circuit Court of Appeals ruled in his favor.
|
|
|
|
|
|
|
|
The following year, President Bill Clinton signed an executive order that
|
|
|
|
removed encryption from the munitions list,
|
|
|
|
and in 2000 the Department of Commerce relaxed export restrictions.
|
|
|
|
|
|
|
|
You might have heard the term "code is speech".
|
|
|
|
Bernstein v. United States case had wide-reaching consequences,
|
|
|
|
not just for cryptography.
|
|
|
|
Source code is protected under the First Amendment.
|
|
|
|
|
|
|
|
(See also Junger v. Daley.)
|
|
|
|
#+END_COMMENT
|
|
|
|
|
|
|
|
|
|
|
|
**** DRAFT The First Crypto Wars
|
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:01
|
|
|
|
:END:
|
|
|
|
|
|
|
|
- <1-> These incidents part of the first Crypto Wars\cite{w:crypto-wars}
|
|
|
|
- <2-> DES Originally 64-bit key; NSA wanted 48 bits; compromised at 56.
|
|
|
|
- <2-> Two version of the browser: 128-bit "U.S. edition" and effective
|
|
|
|
40-bit "international".
|
|
|
|
- <3-> **Clipper Chip** was a hardware backdoor that employed a key escrow
|
|
|
|
system
|
|
|
|
- <3-> Complete failure
|
|
|
|
- <3-> Terribly insecure (property of key escrow in general)
|
|
|
|
- <3-> Opposite effect: spurred development of Nautilus and PGPfone
|
2017-03-07 00:36:28 -05:00
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-03-10 02:07:56 -05:00
|
|
|
These incidents are classified into a period of time informally described as
|
|
|
|
the "Crypo Wars".
|
|
|
|
|
|
|
|
There's a couple other good examples that I don't have time to get into:
|
|
|
|
The DES encryption algorithm, for example, was originally 64-bit;
|
|
|
|
the NSA wanted 48-bit, but compromised with 56.
|
|
|
|
Netscape had /two versions of their browser/: one with 128-bit SSL and the
|
|
|
|
other with 88 of those bits exposed to meet export regulations.
|
|
|
|
This sounds insane today---because it is.
|
|
|
|
|
|
|
|
But there's even more insanity.
|
|
|
|
|
|
|
|
The Clipper Chip!
|
|
|
|
It was the US government's attempt to backdoor communications with hardware.
|
|
|
|
It used a key escrow system,
|
|
|
|
and the algorithm they devised---called Skipjack---was classified,
|
|
|
|
and so could not be reviewed by crypto experts at the time.
|
|
|
|
Backlash was large.
|
|
|
|
It failed miserably.
|
|
|
|
Later cryptanalysis yielded scathing flaws,
|
|
|
|
as is generally the case with key escrow cryptosystems.
|
|
|
|
It even had the opposite effect:
|
|
|
|
it spurred the development of encrypted communication programs like
|
|
|
|
Nautilus and PGPfone (the latter being proprietary).
|
|
|
|
|
|
|
|
So,
|
|
|
|
why did I go into so much history in a talk meant to deal with today's
|
|
|
|
privacy and security threats?
|
2017-03-07 00:36:28 -05:00
|
|
|
#+END_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
|
2017-03-10 02:07:56 -05:00
|
|
|
**** DRAFT Re-repeats Itself :B_fullframe:
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
2017-03-10 02:07:56 -05:00
|
|
|
:DURATION: 00:00
|
|
|
|
:BEAMER_env: fullframe
|
2017-04-02 21:59:29 -04:00
|
|
|
:END:
|
2017-03-07 00:36:28 -05:00
|
|
|
|
2017-03-10 02:07:56 -05:00
|
|
|
#+BEGIN_CENTER
|
|
|
|
\Huge History repeats itself
|
|
|
|
#+END_CENTER
|
2017-03-07 00:36:28 -05:00
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-03-10 02:07:56 -05:00
|
|
|
Because history repeats itself.
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-10 02:07:56 -05:00
|
|
|
Today's attempted legal/policy assault on privacy and security are enormous.
|
|
|
|
We've already covered some.
|
|
|
|
I don't have time to cover more than a small fraction of them.
|
|
|
|
#+END_COMMENT
|
|
|
|
|
|
|
|
|
|
|
|
**** DRAFT Modern Crypto Wars :B_fullframe:
|
|
|
|
:PROPERTIES:
|
|
|
|
:BEAMER_env: fullframe
|
|
|
|
:END:
|
|
|
|
|
|
|
|
#+BEGIN_CENTER
|
|
|
|
\Huge ``Going Dark''
|
|
|
|
#+END_CENTER
|
|
|
|
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
|
|
|
But the big phrase you hear today is "going dark".
|
|
|
|
Government agencies are fearful of broadening use of encryption
|
|
|
|
because they can't read many of those communications.
|
|
|
|
#+END_COMMENT
|
|
|
|
|
|
|
|
|
|
|
|
**** DEVOID ``Going Dark''
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
|
|
|
Apple v. FBI
|
|
|
|
VEP
|
2017-03-07 00:36:28 -05:00
|
|
|
#+END_COMMENT
|
|
|
|
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-06 21:48:35 -05:00
|
|
|
*** LACKING Espionage [0/1]
|
2017-03-07 23:35:16 -05:00
|
|
|
**** DEVOID US Can't Keep Its Own Secrets
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:01
|
|
|
|
:END:
|
2017-03-07 00:36:28 -05:00
|
|
|
|
|
|
|
TODO
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
- Office of Personnel Management
|
|
|
|
- DNC
|
2017-03-10 02:07:56 -05:00
|
|
|
- VEP
|
2017-03-07 00:36:28 -05:00
|
|
|
#+END_COMMENT
|
|
|
|
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-06 21:48:35 -05:00
|
|
|
*** LACKING Subpoenas, Warrants, NSLs [0/1]
|
2017-03-07 23:35:16 -05:00
|
|
|
**** DEVOID National Security Letters
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:01
|
|
|
|
:END:
|
2017-03-07 00:36:28 -05:00
|
|
|
|
|
|
|
TODO
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
- Gag orders
|
|
|
|
- Prior restraint
|
|
|
|
- Canaries
|
2017-03-07 00:36:28 -05:00
|
|
|
#+END_COMMENT
|
|
|
|
|
|
|
|
|
2017-03-06 21:48:35 -05:00
|
|
|
*** LACKING Law [0/1]
|
2017-03-07 23:35:16 -05:00
|
|
|
**** DEVOID Summary :B_fullframe:
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:01
|
|
|
|
:BEAMER_env: fullframe
|
|
|
|
:END:
|
2017-03-07 00:36:28 -05:00
|
|
|
|
|
|
|
TODO
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
- DMCA
|
|
|
|
- Risks to security researchers
|
|
|
|
- Draconian
|
|
|
|
- CFAA
|
2017-03-07 00:36:28 -05:00
|
|
|
#+END_COMMENT
|
|
|
|
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-07 00:45:58 -05:00
|
|
|
** LACKING Your Fight [0/1]
|
|
|
|
*** LACKING Headings [0/6]
|
|
|
|
**** DRAFT Feeding :B_fullframe:
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:00
|
|
|
|
:BEAMER_env: fullframe
|
|
|
|
:END:
|
2017-03-07 00:45:58 -05:00
|
|
|
|
|
|
|
#+BEGIN_CENTER
|
2017-04-02 21:59:29 -04:00
|
|
|
We're feeding into all of this!
|
2017-03-07 00:45:58 -05:00
|
|
|
#+END_CENTER
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
|
2017-03-07 23:35:16 -05:00
|
|
|
**** DEVOID SaaSS and Centralization
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:01
|
|
|
|
:END:
|
2017-03-07 00:45:58 -05:00
|
|
|
|
|
|
|
TODO
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
- Be sure to mention Cloudbleed and S3
|
|
|
|
- Who has access to your data?
|
|
|
|
- The "Cloud"
|
2017-03-07 00:45:58 -05:00
|
|
|
#+END_COMMENT
|
2017-03-07 00:36:28 -05:00
|
|
|
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-07 00:45:58 -05:00
|
|
|
**** LACKING Corporate Negligence
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:01
|
|
|
|
:END:
|
2017-03-07 00:45:58 -05:00
|
|
|
|
|
|
|
- Companies balance security and privacy on their balance sheets
|
|
|
|
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
Companies don't care.
|
|
|
|
They'll balance _costs_ of failure to comply with regulation.
|
|
|
|
Is it cheaper just to pay up in the event of a data breach?
|
|
|
|
|
|
|
|
Governments try, sort of.
|
|
|
|
They need to catch up with the times.
|
|
|
|
<<sec regulations>>
|
|
|
|
|
|
|
|
<<large-scale breaches>>
|
|
|
|
|
|
|
|
(Tie into SaaSS)
|
2017-03-07 00:45:58 -05:00
|
|
|
#+END_COMMENT
|
2017-03-07 00:36:28 -05:00
|
|
|
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-07 00:45:58 -05:00
|
|
|
**** DRAFT Status Quo
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:02
|
|
|
|
:END:
|
2017-03-07 00:45:58 -05:00
|
|
|
|
|
|
|
- Do people care more about privacy and security since the Snowden leaks?
|
|
|
|
- (Cite)
|
|
|
|
- ``I have nothing to hide''
|
|
|
|
- ``Report anything suspicious''
|
|
|
|
- Chilling effects
|
|
|
|
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
You would think after the Snowden revelations that people would be more
|
|
|
|
privacy-centric.
|
2017-03-07 00:36:28 -05:00
|
|
|
|
2017-04-02 21:59:29 -04:00
|
|
|
Some are.
|
|
|
|
Many aren't.
|
|
|
|
There is complacency with the status quo.
|
|
|
|
Everything is so _convenient_.
|
|
|
|
|
|
|
|
"I have nothing to hide."
|
|
|
|
A common argument.
|
|
|
|
One that can be notoriously hard to address.
|
|
|
|
|
|
|
|
"Report anything suspicious."
|
|
|
|
(Example of mathematician on plane.)
|
|
|
|
|
|
|
|
These all have chilling effects, conscious or not.
|
|
|
|
<<Wikipedia articles>>
|
2017-03-07 00:45:58 -05:00
|
|
|
#+END_COMMENT
|
|
|
|
|
|
|
|
|
|
|
|
**** DRAFT Status Quo Cannot Hold :B_fullframe:
|
|
|
|
:PROPERTIES:
|
|
|
|
:BEAMER_env: fullframe
|
|
|
|
:END:
|
|
|
|
|
|
|
|
#+BEGIN_CENTER
|
|
|
|
**The status quo cannot hold.**
|
|
|
|
#+END_CENTER
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-07 00:45:58 -05:00
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
I hope I've convinced you that the status quo cannot hold.
|
|
|
|
That even people who aren't that privacy- or security-conscious recognize
|
|
|
|
that there are risks not only at a personal level,
|
|
|
|
but also national and global.
|
2017-03-07 00:45:58 -05:00
|
|
|
#+END_COMMENT
|
2017-03-07 00:36:28 -05:00
|
|
|
|
2017-03-07 00:45:58 -05:00
|
|
|
|
|
|
|
**** DRAFT Push Back :B_fullframe:
|
2017-04-02 21:59:29 -04:00
|
|
|
:PROPERTIES:
|
|
|
|
:DURATION: 00:01
|
2017-03-07 00:45:58 -05:00
|
|
|
:BEAMER_env: fullframe
|
2017-04-02 21:59:29 -04:00
|
|
|
:END:
|
|
|
|
|
2017-03-07 00:45:58 -05:00
|
|
|
#+BEGIn_CENTER
|
|
|
|
#+BEAMER: \only<1>{We need to push back}
|
|
|
|
#+BEAMER: \only<2>{\emph{You} need to push back}
|
|
|
|
#+END_CENTER
|
|
|
|
|
|
|
|
#+BEGIN_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
- Good crypto; no trust
|
|
|
|
- Lawmakers: this is not something we can win while we fight with our
|
|
|
|
governments.
|
2017-03-07 00:45:58 -05:00
|
|
|
#+END_COMMENT
|
2017-04-02 21:59:29 -04:00
|
|
|
|
|
|
|
|
2017-03-07 00:58:21 -05:00
|
|
|
** Thank You :B_fullframe:
|
|
|
|
:PROPERTIES:
|
|
|
|
:BEAMER_env: fullframe
|
|
|
|
:END:
|
|
|
|
|
|
|
|
#+BEGIN_CENTER
|
|
|
|
Mike Gerwitz
|
|
|
|
|
|
|
|
[[mailto:mtg@gnu.org][=mtg@gnu.org=]]
|
|
|
|
|
|
|
|
\bigskip
|
|
|
|
|
|
|
|
**References Available Online**
|
|
|
|
|
|
|
|
[[https://mikegerwitz.com/talks/sapsf]]
|
|
|
|
|
|
|
|
\vfill
|
|
|
|
|
|
|
|
Licensed under the Creative Commons Attribution ShareAlike 4.0
|
|
|
|
International License
|
|
|
|
#+END_CENTER
|
|
|
|
|
|
|
|
|
2017-03-08 02:05:07 -05:00
|
|
|
** References :B_appendix:
|
|
|
|
:PROPERTIES:
|
|
|
|
:BEAMER_env: appendix
|
|
|
|
:END:
|
|
|
|
|
2017-03-11 23:13:18 -05:00
|
|
|
\printbibliography
|
2017-03-08 02:05:07 -05:00
|
|
|
|
|
|
|
|
2017-03-06 21:48:35 -05:00
|
|
|
* Exporting
|
|
|
|
You should be able to simply export this buffer as a Beamer presentation
|
|
|
|
(=C-c C-e l P=) and get a slideshow.
|
|
|
|
|
|
|
|
Note that this requires =ox-extras=, which is part of Org Mode's
|
|
|
|
=contrib/=. Without it, the =:ignore:= tag will not be recognized and the
|
|
|
|
rendered slides will have incorrect depth.
|
2017-04-02 21:59:29 -04:00
|
|
|
|
2017-03-06 21:48:35 -05:00
|
|
|
* Local Variables
|
2017-04-02 21:59:29 -04:00
|
|
|
# Local Variables:
|
|
|
|
# org-todo-keyword-faces: (("DRAFT" . org-upcoming-deadline) \
|
2017-03-07 23:35:16 -05:00
|
|
|
# ("DEVOID" . (:inherit org-warning \
|
|
|
|
# :inverse-video t)) \
|
2017-04-02 21:59:29 -04:00
|
|
|
# ("LACKING" . org-warning) \
|
|
|
|
# ("REVIEWED" . "yellow") \
|
2017-03-07 23:35:16 -05:00
|
|
|
# ("READY" . (:inherit org-scheduled :bold t :underline t)))
|
2017-03-06 21:48:35 -05:00
|
|
|
# eval: (ox-extras-activate '(ignore-headlines))
|
2017-04-02 21:59:29 -04:00
|
|
|
# End:
|