sapsf/slides.org

#+startup: beamer
#+TITLE: The Surreptitious Assault on Privacy, Security, and Freedom
#+AUTHOR: Mike Gerwitz
#+EMAIL: mtg@gnu.org
#+DATE: 26 March, LibrePlanet 2017
#+OPTIONS: H:3 num:nil toc:nil p:nil todo:nil stat:nil
#+LaTeX_CLASS: beamer
#+LaTeX_CLASS_OPTIONS: [presentation]
#+BEAMER_THEME: Warsaw
#+BEAMER_HEADER: \beamertemplatenavigationsymbolsempty
#+TODO: RAW(r) LACKING(l) DRAFT(d) REVIEWED(R) | READY(+) REHEARSED(D)
#+COLUMNS: %25ITEM %10DURATION{:}


#+BEGIN_COMMENT
#+BEGIN: columnview :hlines 1 :id local
| ITEM                               | DURATION |
|------------------------------------+----------|
| * Introduction / Opening           | 00:00:30 |
|------------------------------------+----------|
| * Mobile [0/5]                     |     0:04 |
| ** Introduction                    |     0:00 |
| *** Introduction                   | 00:00:30 |
| ** Cell Towers [0/2]               |    00:01 |
| *** Fundamentally Needed           |          |
| *** Cell-Site Simulators           |          |
| ** Wifi [0/1]                      |     0:01 |
| *** Wifi                           |    00:01 |
| ** Location Services [0/2]         |    00:01 |
| *** GPS                            |          |
| *** Access Points                  |          |
| ** Operating System [0/1]          |     0:01 |
| *** Untrusted/Proprietary OS       |    00:01 |
|------------------------------------+----------|
| * Stationary [0/5]                 |     0:08 |
| ** Introduction [0/1]              |     0:00 |
| *** Introduction                   | 00:00:30 |
| ** Surveillance Cameras [0/2]      |     0:00 |
| *** Unavoidable                    |          |
| *** Access to Data                 | 00:00:30 |
| ** Internet of Things [0/4]        |     0:04 |
| *** Wide Open                      | 00:00:30 |
| *** Lack of Security               | 00:01:30 |
| *** Who's Watching?                | 00:00:30 |
| *** Facial Recognition             |    00:01 |
| ** Social Media [0/1]              |     0:01 |
| *** Collateral Damage              |    00:01 |
| ** Driving [0/3]                   |     0:02 |
| *** Introduction                   | 00:00:30 |
| *** ALPRs                          |    00:01 |
| *** Car Itself                     | 00:00:30 |
|------------------------------------+----------|
| * The Web [0/6]                    |     0:12 |
| ** Introduction [0/1]              |          |
| *** Introduction                   |          |
| ** Bridging the Gap [0/1]          |     0:01 |
| *** Ultrasound Tracking            |    00:01 |
| ** Incentive to Betray [0/1]       |     0:00 |
| *** Summary                        | 00:00:30 |
| ** Analytics [0/2]                 |     0:02 |
| *** Trackers                       |    00:01 |
| *** Like Buttons                   |    00:01 |
| ** Fingerprinting [0/2]            |     0:04 |
| *** Summary                        |    00:03 |
| *** Browser Addons                 |    00:01 |
| ** Anonymity [0/3]                 |     0:04 |
| *** Summary                        |    00:01 |
| *** The Tor Network                |    00:01 |
| *** TorBrowser, Tails, and Whonix  |    00:02 |
|------------------------------------+----------|
| * Data Analytics [0/2]             |     0:04 |
| ** Introduction [0/1]              |     0:00 |
| *** Introduction                   |    00:00 |
| ** Headings [0/3]                  |     0:04 |
| *** Advertisers                    |    00:02 |
| *** Social Media                   |    00:01 |
| *** Governments                    | 00:00:30 |
|------------------------------------+----------|
| * Policy and Government [0/6]      |     0:12 |
| ** Introduction [0/1]              |     0:00 |
| *** Introduction                   | 00:00:30 |
| ** Surveillance [0/4]              |     0:06 |
| *** History of NSA Surveillance    |    00:02 |
| *** Verizon Metadata               | 00:00:30 |
| *** Snowden                        |    00:01 |
| *** Tools                          |    00:02 |
| ** Crypto Wars [0/3]               |     0:03 |
| *** Introduction                   |    00:00 |
| *** Bernstein v. United States     |    00:01 |
| *** Makes Us Less Safe             |    00:02 |
| ** Espionage [0/1]                 |     0:01 |
| *** US Can't Keep Its Own Secrets  |    00:01 |
| ** Subpoenas, Warrants, NSLs [0/1] |     0:01 |
| *** National Security Letters      |    00:01 |
| ** Law [0/1]                       |     0:01 |
| *** Summary                        |    00:01 |
|------------------------------------+----------|
| * Your Fight [0/1]                 |     0:05 |
| ** Headings [0/5]                  |     0:05 |
| *** Feeding                        |    00:00 |
| *** SaaSS and Centralization       |    00:01 |
| *** Corporate Negligence           |    00:01 |
| *** Status Quo                     |    00:02 |
| *** Push Back                      |    00:01 |
|------------------------------------+----------|
| * Local Variabes                   |          |
#+END


#+BEGIN_COMMENT
*Remember the themes!*:
  - Surreptitious
  - User privacy and security
  - Affects on freedom; chilling effects
  - How free software can help
    
The big players seem to be the [[The Web][Web]] and [[Policy and Government][Government]].
No surprises there.


It would be a good idea to immediately connect with the audience.  So:
  - Most everyone has a mobile device.
    - /This is the most immediate and relatable since it's physically present/
      with them in their travels.
  - Security cameras et. al. during travel.

So start _briefly_ with the topic of pervasive surveillance?
  - That is what the abstract refers to, after all.

*Surreptitious*---many audience members won't consider that they're being
tracked.
  - But by _whom_?

Maybe a gentle introduction that gets increasingly more alarming and
invasive topic-wise.

GOAL: Captivate; Startle
#+END_COMMENT


* DRAFT Introduction / Opening                                  :B_fullframe:
:PROPERTIES:
:DURATION: 00:00:30
:BEAMER_env: fullframe
:END:

#+BEGIN_COMMENT
None of you made it here without being tracked in some capacity.
Some of us are still being tracked at this very moment.

...

Let's start with the obvious.

(Note: You're being "tracked", rather than "watched": the latter is too
often used and dismissed as tinfoil-hat FUD.)
#+END_COMMENT

#+BEGIN_CENTER
  #+BEAMER: \only<1>{You're Being Tracked.}
  #+BEAMER: \only<2>{(No, really, I have references.)}
#+END_CENTER

* LACKING Mobile [0/5]
** DRAFT Introduction                                      :B_ignoreheading:
:PROPERTIES:
:BEAMER_env: ignoreheading
:END:
*** DRAFT Introduction                                        :B_fullframe:
:PROPERTIES:
:DURATION: 00:00:30
:BEAMER_env: fullframe
:END:

- <1-> Most people carry mobile phones
- <1-> Synonymous with individual
- <2> Excellent tracking devices

#+BEGIN_COMMENT
How many of you are carrying a mobile phone right now?
Probably most of us.
They are something we carry with us everywhere;
  they are computers that are always on.
A phone is often synonymous with an individual.
In other words: they're excellent tracking devices.
#+END_COMMENT

** LACKING Cell Towers [0/2]
:PROPERTIES:
:DURATION: 00:01
:END:
*** DRAFT Fundamentally Needed
- <1-> Phone needs tower to make and receive calls
- <2-> Gives away approximate location (can triangulate)

#+BEGIN_COMMENT
The primary reason is inherent in a phone's design: cell towers.
A phone "needs" to be connected to a tower to make and receive calls.

Unless it is off,
  its connection to the cell tower exposes your approximate location.
These data persist for as long as the phone companies are willing to persist
it.  If it's mined by the NSA, then it might be persisted indefinitely.

Some people don't use phones primarily for this reason.

rms said he might use a phone if it could act as a pager,
  where he'd only need to expose his location once he is in a safe place.
You can imagine that such would be a very useful and important feature for
  reporters and dissidents as well.
#+END_COMMENT


*** LACKING Cell-Site Simulators
- <1-> Masquerade as cell towers
- <2-> (List them) e.g. Stingray

#+BEGIN_COMMENT
I'm sure many of you have heard of Cell Site Simulators;
  one of the most popular examples being the Stingray.
These devices masquerade as cell towers and can perform a dragnet search for
  an individual.
Your location can be triangulated.
#+END_COMMENT


** LACKING Wifi [0/3]
:PROPERTIES:
:DURATION: 00:01
:END:

*** DRAFT Wifi
- Device may broadcast ESSIDs of past hidden networks
- Expose unique hardware identifiers (MAC address)

#+BEGIN_COMMENT
What else is inherent in a modern phone design?
A common feature is Wifi.

If you connected to any hidden networks,
  your phone may broadcast that network name to see if it exists.

Your mobile device could be broadcasting information like past network
  connections and unique device identifiers (MAC),
  which can be used to uniquely identify you.
#+END_COMMENT

*** LACKING Ubiquitous Access Points
- <AP stuff>

#+BEGIN_COMMENT
Access points increasingly line the streets or are within range in nearby
  buildings.

Can be incredibly accurate for tracking movements,
  and it is _passive_---it requires no software on your device.
#+END_COMMENT


*** DRAFT Mitigations
- Disable Wifi [when not in use]
- Do not automatically connect to known networks
  - At the very least, not hidden
- Randomize MAC address

#+BEGIN_COMMENT
Disable Wifi when not in use.
You can also randomize your MAC address,
  and be sure not to broadcast hidden networks.
#+END_COMMENT


** DRAFT Location Services [0/2]
:PROPERTIES:
:DURATION: 00:01
:END:

*** DRAFT GPS
- Often enabled by default
  - Might prompt user, but features are attractive
    
- Programs give excuses to track
  - Location for tweets, photos, nearby friends, etc.

#+BEGIN_COMMENT
Oh, but what if we _do_ have software on the device?
And we do.

Let's talk about location services!
Many people find them to be very convenient.

The most popular being GPS.
Because of the cool features it permits,
  it's often enabled.
And programs will track your movements just for the hell of it.
Or give an excuse to track you.
#+END_COMMENT

*** DRAFT Access Points
- <1-> No GPS?  No problem!
- <2-> AP harvesting (e.g. Google Street View cars)
- <2-> Works even where GPS and Cell signals cannot penetrate
  - <3> Can be /more/ accurate than GPS (e.g. what store in a shopping mall)

#+BEGIN_COMMENT
But GPS doesn't need to be available.
Have you ever used a map program on a computer that asked for your location?
How does it do that without GPS?
Google scours the planet recording APs.
It knows based on _what APs are simply near you_ where you are.
Sometimes this can be more accurate than GPS.
And it works where GPS and maybe even cell service don't, such as inside
  shopping malls.

So having radio and GPS off may not help you.
MAC spoofing won't help since software on your device has countless other
  ways to uniquely identify you---this is active monitoring, unlike previous
  examples.
#+END_COMMENT

** DRAFT Operating System [0/3]
:PROPERTIES:
:DURATION: 00:01
:END:

*** DRAFT Untrusted/Proprietary OS

- Who does your phone work for?
  - Apple?  Google?  Microsoft?  Blackberry?  Your manufacturer too?
- Carry everywhere you go, but fundamentally cannot trust it

#+BEGIN_COMMENT
The OS situation on mobile is lousy.
Does your phone work for Apple? Google? Microsoft? Blackberry? ...?

You carry around this computer everywhere you go.
And you fundamentally cannot trust it.
#+END_COMMENT

*** DRAFT Free/Libre Mobile OS?
- <1-3> Android is supposedly free software
  - <1-3> But every phone requires proprietary drivers, or contains
         proprietary software
- <2-3> Replicant
  - <3> Niche.  Interest is low, largely work of one developer now.

#+BEGIN_COMMENT
I use Replicant.
Does anyone here use Replicant?
I feel like I can at least trust my phone a little bit.
#+END_COMMENT


*** DRAFT Modem
- But modem still runs non-free software
- Often has access to CPU, disk, and memory

#+BEGIN_COMMENT
But on nearly every phone,
  the modem still runs proprietary software.
And often times has direct access to CPU, disk, and memory.

So even with Replicant,
  I consider the device compromised;
    I put nothing important on it if I can avoid it.
#+END_COMMENT



* RAW Stationary [0/5]
** RAW Introduction [0/1]                                  :B_ignoreheading:
:PROPERTIES:
:BEAMER_env: ignoreheading
:END:
*** RAW Introduction                                          :B_fullframe:
:PROPERTIES:
:DURATION: 00:00:30
:BEAMER_env: fullframe
:END:
So let's say you have evaded that type of tracking.
Maybe you don't carry a phone.
Or maybe you've mitigated those threats in some way.

There's certain things that are nearly impossible to avoid.

** RAW Surveillance Cameras [0/2]
*** RAW Unavoidable
On the way here,
  you likely walked by numerous security cameras.
They could be security cameras for private businesses.
Traffic cameras.
Cameras on streets to deter crime.

Let's set aside local, state, and federal-owned cameras for a moment
  and focus on businesses.
So a bunch of separate businesses have you on camera.
So what?


*** RAW Access to Data
:PROPERTIES:
:DURATION: 00:00:30
:END:
Well one of the most obvious threats, should it pertain to you, is a
  subpoena.
The best form of privacy is to avoid having the data be collected to begin
  with.
If law enforcement wanted to track you for whatever reason---crime or
  not!---they could simply subpoena the surrounding area.

** RAW Internet of Things [0/4]
*** RAW Wide Open
:PROPERTIES:
:DURATION: 00:00:30
:END:
In the past, these cameras were "closed-circuit"---
  they were on their own segregated network.
You'd _have_ to subpoena the owner,
  or otherwise physically take the tape.

Today, that might be the intent, but these cameras are often
  connected to the Internet for one reason or another.
It might be intentional---to view the camera remotely---or it may just be
  how it is set up by default.

Well...
Let's expand our pool of cameras a bit.
Because it's not just businesses that use Internet-connected cameras.
They're also popular among individuals for personal/home use.
Home security systems.
Baby monitors.

*** RAW Lack of Security
:PROPERTIES:
:DURATION: 00:01:30
:END:
Who here has heard of Shodan?

Shodan is a search engine for the Internet of Things.
It spiders for Internet-connected devices and indexes them.
Okay, that's to be expected.
Maybe that wouldn't be a problem if people knew proper NAT configuration
  that isn't subverted by UPnP.
Maybe it wouldn't be a problem if these devices even gave a moment of
  thought to security.

Anyone heard of Insecam?
It's a site that aggregates live video feeds of unsecured IP cameras.
I can tell you personally that you feel like a scumbag looking at the site.
There's fascinating things on there.
And sobering ones.
And creepy ones.
Restaurants---families eating dinner; chefs preparing food in the back.
Public areas---beaches, pools, walkways, city streets.
Private areas---inside homes; private businesses.  Hotel clerks sitting
  behind desks on their cell phones.  Warehouses.
Behind security desks.
Behind cash registers.
Hospital rooms.
Inside surveillance rooms where people watch their surveillance system!
  With armed guards!
Scientific research: people in full dress performing experiments.
I saw someone at the dentist getting a teeth cleaning.
Anything you can think of.
You can literally explore the world.
There are some beautiful sights!  Absolutely gorgeous.
They remove things that are too deeply personal.
  Assuming someone reports it.

This is an excellent example to demonstrate to others why this is such a big
  deal.

*** RAW Who's Watching?
:PROPERTIES:
:DURATION: 00:00:30
:END:
So that's what your average person can do.
That's what some of you are going to be doing as soon as you leave this
  talk, if you haven't started looking already!

That's what law enforcement is going to do.
That's what the NSA, GHCQ, et. al. are going to do.

*** RAW Facial Recognition
:PROPERTIES:
:DURATION: 00:01
:END:
Now let's couple that with facial recognition.

Consider the breadth of devices we just covered.
Literally everywhere.
People don't need to manually look for you anymore;
  it's automated.
Hell, any of us can download a free (as in freedom) library to do facial
  recognition and train it to recognize people.
Facebook famously got creepy by saying it could recognize people by their
  dress and posture, from behind.

You don't need facial recognition, though.
You can also be identified by your gait.

There's a lot to say about IoT.
We'll come back to it.


** RAW Social Media [0/1]
*** RAW Collateral Damage
:PROPERTIES:
:DURATION: 00:01
:END:

So you don't have any unsecured IoT cameras in your home.
Or in this conference.
But you do have unsecured people running wild with their photos and their
  selfies.

I'm sure you've heard a frequent request/demand from rms:
"Don't put pictures of me on Facebook."
This applies to all social media, really.
I just mentioned facial recognition---
  this is precisely what Facebook (for example) made it for!
To identify people you might know to tag them.
It's excellent surveillance.
What irks me is when people try to take pictures of my kids,
  or do and ask if they can put them online.
Uh, no.  You cannot.
And people are sometimes surprised by that refusal.

Most people are being innocent---
  they're just trying to capture the moment.
What they're actually doing is inflicting collateral damage.
If I'm off in the background when you take a picture of your friends in the
  foreground,
  I'm still in the photo.


** RAW Driving [0/3]
*** RAW Introduction                                          :B_fullframe:
:PROPERTIES:
:DURATION: 00:00:30
:BEAMER_env: fullframe
:END:
Okay.
So you have no phone.
You sneak around public areas like a ninja.
Like a vampire, you don't show up in photos.
And you have no friends.

So how else can I physically track you in your travels here?

Well if you flew here,
  then your location is obviously known.
That's not even worth discussing.

But what about if you drove?

*** RAW ALPRs
:PROPERTIES:
:DURATION: 00:01
:END:
ALPRs possibly tracked your movements.
Automated License Plate Readers.

<...>

Maybe you try to evade them with special license plate covers.
If need be, one could just track you by other unique features of your
  vehicle.
And those might not just be law enforcement.

Security issues extend to this too!
<Mention EFF's project>

You could rent a car.
But the rental place probably took your name, license, and other
  information.
You could take a cab and pay with cash.
But that can get expensive.
And they might have cameras and such anyway.


*** RAW Car Itself
:PROPERTIES:
:DURATION: 00:00:30
:END:
Maybe your car itself is a tracking device (e.g. OnStar).

(Move into Mobile?)

<...>


* RAW The Web [0/6]
** RAW Introduction [0/1]                                  :B_ignoreheading:
:PROPERTIES:
:BEAMER_env: ignoreheading
:END:
*** RAW Introduction                                          :B_fullframe:
:PROPERTIES:
:BEAMER_env: fullframe
:END:
But you're not just tracked in the flesh.
Much of what we do today is virtual.
What better way to segue than to bridge the two?

** RAW Bridging the Gap [0/1]
*** RAW Ultrasound Tracking
:PROPERTIES:
:DURATION: 00:01
:END:

A challenge for advertisers is correlating users across multiple devices,
and in the real world.

Let's say you saw a commercial for some product Foo on TV.
And then you went online to research Foo.
And then you bought Foo.

Sometimes commercials have you enter promo codes online to know that you
  arrived at the site from a TV commercial.
Or give you a unique URL.

Others play inaudible sounds that are picked up by your mobile device or
  computer.

<...>


** RAW Incentive to Betray [0/1]
*** RAW Summary                                               :B_fullframe:
:PROPERTIES:
:DURATION: 00:00:30
:BEAMER_env: fullframe
:END:
So how does tracking happen?
How does this tracking code _get_ on so much of the web?

Incentives to betray users.

Many websites make money through advertising.
It can be lucrative.
And it's _easy_ to do.

** RAW Analytics [0/2]
*** RAW Trackers
:PROPERTIES:
:DURATION: 00:01
:END:

Site analytics is another issue.
Website owners want to know what their visitors are doing.
That in itself isn't an unreasonable thing broadly speaking,
  but how you go about it and what types of data you collect
  defines the issue.

Take Google Analytics for example.
A very popular proprietary analytics service.
It is one of the most widely distributed malware programs in the world.

<<examples of how GA tracks>>

And all of this is known to Google.
All of this can be used to identify users across the entire web.

<<list others>>

If you must track your users, consider using Piwik, which you can host
  yourself.

*** RAW Like Buttons
:PROPERTIES:
:DURATION: 00:01
:END:

Another popular example are "like buttons" and similar little widgets that
  websites like Facebook offer.
If a user is logged into Facebook,
  then Facebook now knows that they visited that website,
 _even if they don't click on the button_.

But even if you don't have a Facebook account,
  information is being leaked to them
  you are still being tracked.
  
Addons like Privacy Badger will block these.

** RAW Fingerprinting [0/2]
*** RAW Summary                                               :B_fullframe:
:PROPERTIES:
:DURATION: 00:03
:BEAMER_env: fullframe
:END:

These methods are part of a broader topic called "browser fingerprinting".
It's just what it sounds like:
  uniquely identify users online.
It's alarmingly effective.

<<general fingerprinting stuff>>

<<hardware-fingerprint>>
Some methods allow fingerprinting even if the user uses multiple browsers
  and takes care to clear all session data.
They can do this by effectively breaking out of the browser's sandbox by
  doing operations that depend heavily on specifics of users' hardware.
  
*** RAW Browser Addons
:PROPERTIES:
:DURATION: 00:01
:END:

(Merge into other sections?)

So how do we avoid this type of tracking?

<<Talk about browser addons>>.


** RAW Anonymity [0/3]
*** RAW Summary                                               :B_fullframe:
:PROPERTIES:
:DURATION: 00:01
:BEAMER_env: fullframe
:END:
Another way is to be anonymous or pseudononymous.
In the latter case,
  you assume a pseudoynm online and perform only activities that should be
  associated with that pseudonym.
In the former case,
  there should be no way to ever correlate past or future actions with your
  current session.

This is a difficult topic that's pretty dangerous to give advice on if you
  have strong need for anonymity---for example, if you are a dissident or
  whistleblower.
If your life depends on anonymity,
  please do your own research.
I provide a number of resources to get you started.


*** RAW The Tor Network
:PROPERTIES:
:DURATION: 00:01
:END:
Most here have probably heard of Tor.
"Tor" stands for "The Onion Router",
  which describes how it relays data through the Tor network.

The packet is routed through a number of servers,
  encrypted with the public key of each server such that the first hop
  strips off the first layer and so on.
The exit node reveals the packet and delivers it to the destination,
  then begins relaying the reply back to through the network to the user.

As long as a sufficient portion of the network can be trusted and has not
  been compromised by an adversary,
  it isn't possible to trace data back through the network.

The most common use of Tor is to route web traffic.
Many nodes block most other ports.
It's also possible to resolve DNS requests through Tor.

There are lots of other details that I don't have time to get to here,
  but I provide a number of resources for you.


*** RAW TorBrowser, Tails, and Whonix
:PROPERTIES:
:DURATION: 00:02
:END:
Tor alone isn't enough to secure your anonymity.

It's hard to secure a web browser.
<links>

TorBrowser is a hardened version of Firefox.
The Tor browser recommends that you don't rely on a vanilla Firefox for
  anonymity with Tor.

Tails...

Whonix...


* LACKING Data Analytics [0/2]
** RAW Introduction [0/1]                                  :B_ignoreheading:
:PROPERTIES:
:BEAMER_env: ignoreheading
:END:
*** RAW Introduction                                          :B_fullframe:
:PROPERTIES:
:DURATION: 00:00
:BEAMER_env: fullframe
:END:
We've seen adversaries with different motives.
Let's explore what some of them do with all those data.


** LACKING Headings [0/3]
*** LACKING Advertisers
:PROPERTIES:
:DURATION: 00:02
:END:
The biggest threat to privacy to the average user is by companies that
  aggregate data for the purpose of understanding _you_.
Probably better than you understand you.
I'm sure many of you heard of the story of Target knowing a girl was
  pregnant before she did.

<<user profiles>>


*** LACKING Social Media
:PROPERTIES:
:DURATION: 00:01
:END:
(Where you are, what you do.)


*** LACKING Governments
:PROPERTIES:
:DURATION: 00:00:30
:END:
(Segue into government surveillance.)


* RAW Policy and Government [0/6]
** RAW Introduction [0/1]                                  :B_ignoreheading:
:PROPERTIES:
:BEAMER_env: ignoreheading
:END:
*** RAW Introduction                                          :B_fullframe:
:PROPERTIES:
:DURATION: 00:00:30
:BEAMER_env: fullframe
:END:
Where to begin.

Governments have a duty to protect their people.
But they also have a duty to know their bounds;
  to respect citizens' rights and privacy.
  
We know how that story goes.


** LACKING Surveillance [0/4]
*** LACKING History of NSA Surveillance
:PROPERTIES:
:DURATION: 00:02
:END:
(EFF, <<Klein v. NSA>>)


*** LACKING Verizon Metadata
:PROPERTIES:
:DURATION: 00:00:30
:END:
(Add date)

...

*** LACKING Snowden
:PROPERTIES:
:DURATION: 00:01
:END:
...

*** LACKING Tools
:PROPERTIES:
:DURATION: 00:02
:END:
- XKeyscore and others
- Exploits
- Hardware
- Intercepting shipments
- Etc.
  

** LACKING Crypto Wars [0/3]
*** RAW Introduction                                          :B_fullframe:
:PROPERTIES:
:DURATION: 00:00
:BEAMER_env: fullframe
:END:
All of that happened behind our backs.

But there is also a war being waged in public.
As if we haven't learned from the past.
The Crypto wars.


*** LACKING Bernstein v. United States
:PROPERTIES:
:DURATION: 00:01
:END:
...
(Include export-grade crypto)
(Code is speech)


*** LACKING Makes Us Less Safe
:PROPERTIES:
:DURATION: 00:02
:END:
Apple v. FBI

- Backdoors
- Clipper chip
- LOGJAM, etc from export-grade crypto
- VEP
  

** LACKING Espionage [0/1]
*** LACKING US Can't Keep Its Own Secrets
:PROPERTIES:
:DURATION: 00:01
:END:
- Office of Personnel Management
- DNC
  

** LACKING Subpoenas, Warrants, NSLs [0/1]
*** LACKING National Security Letters
:PROPERTIES:
:DURATION: 00:01
:END:
- Gag orders
- Prior restraint
- Canaries
  
** LACKING Law [0/1]
*** LACKING Summary                                           :B_fullframe:
:PROPERTIES:
:DURATION: 00:01
:BEAMER_env: fullframe
:END:
- DMCA
  - Risks to security researchers
  - Draconian
- CFAA

  
* RAW Your Fight [0/1]
** RAW Headings [0/5]
*** RAW Feeding                                               :B_fullframe:
:PROPERTIES:
:DURATION: 00:00
:BEAMER_env: fullframe
:END:
We're feeding into all of this!


*** RAW SaaSS and Centralization
:PROPERTIES:
:DURATION: 00:01
:END:
- Be sure to mention Cloudbleed and S3
- Who has access to your data?
- The "Cloud"
  

*** RAW Corporate Negligence
:PROPERTIES:
:DURATION: 00:01
:END:
Companies don't care.
They'll balance _costs_ of failure to comply with regulation.
Is it cheaper just to pay up in the event of a data breach?

Governments try, sort of.
They need to catch up with the times.
<<sec regulations>>

<<large-scale breaches>>

(Tie into SaaSS)
  

*** RAW Status Quo
:PROPERTIES:
:DURATION: 00:02
:END:
You would think after the Snowden revelations that people would be more
  privacy-centric.
  
Some are.
Many aren't.
There is complacency with the status quo.
Everything is so _convenient_.

"I have nothing to hide."
A common argument.
One that can be notoriously hard to address.

"Report anything suspicious."
(Example of mathematician on plane.)

These all have chilling effects, conscious or not.
<<Wikipedia articles>>

I hope I've convinced you that the status quo cannot hold.
That even people who aren't that privacy- or security-conscious recognize
  that there are risks not only at a personal level,
  but also national and global.
  
*** RAW Push Back
:PROPERTIES:
:DURATION: 00:01
:END:
We need to push back.

- Good crypto; no trust
- Lawmakers: this is not something we can win while we fight with our
  governments.


* Local Variabes                                                   :noexport:
Just Emacs configuration stuff.

# Local Variables:
# org-todo-keyword-faces: (("DRAFT" . org-upcoming-deadline) \
#                          ("LACKING" . org-warning) \
#                          ("REVIEWED" . "yellow") \
#                          ("READY" . (:inherit org-scheduled bold :underline t)))
# End: