The Web section mostly ready

See checklist in notes.org for a couple things that should still be
mentioned here.

* slides.org (The Web): Mostly ready.
* sapsf.bib (tor:overview): Add missing entry.
* images/ftc-silver.png: Remove image.
* images/tp/remote-list (ftc-silver.png): Add remote and transform.
* images/tp/SHA256SUM: Add ftc-silver.png.
master
Mike Gerwitz 2017-03-20 01:59:46 -04:00
parent a8333aae36
commit 0cf1121616
5 changed files with 103 additions and 81 deletions

Binary file not shown.


@ -7,6 +7,7 @@ ca51e8ba23a87140b1f2cf573d4761df888d7f939947823c695004ce5d3f31f7 replicant.png
31597ba3731e6eccf2e68ae8b91ad25b2e6e4685814e723333d9ea1d2579b635 alpr-pips.png
e7029f70524f420ef32044aeae8280434d5b03ddbab4e90188409a93597c0726 sf-cameras.jpg
67483c5d78b168782b787765284937b8a269ae6d87d4effbb58f4a7d603d8997 aclu-tracked.jpg
1e48106a362e8c64b8876daabd794fa5994b30e4706147c7ccb0aca52a049040 ftc-silver.png
9edddcac31bbb09e4ba9f6fea5d36e5298ec65ce88d4c015121fc27edd466947 silverpush-logo.png
cfda12117815c35bfc51266d9e8227b1645dcd5ffe054c4ae9922e75595f09b9 ga-dashboard.png
d905d3b378daea4c002c873a4ad8192246959cb6df6fb470e29ade9f2b2354c9 piwik-dashboard.png


@ -7,6 +7,7 @@ alpr-capture.png https://web.archive.org/web/20170318173346/https://www.eff.org/
alpr-pips.png https://web.archive.org/web/20170318173427/https://www.eff.org/files/2015/10/15/pipscam9_redacted.png
sf-cameras.jpg https://web.archive.org/web/20170318173846/https://cbssanfran.files.wordpress.com/2015/09/san_francisco_surveillance_cameras_092315.jpg
aclu-tracked.jpg https://web.archive.org/web/20170320025735/https://www.aclu.org/sites/default/files/styles/content_area_full_width/public/field_media_media_image/web15-feature-alpr-report-580x535.jpg?itok=n_JYZGN5 -crop 410x535+170+0
ftc-silver.png https://web.archive.org/web/20170320041757/https://www.ftc.gov/system/files/attachments/press-releases/ftc-issues-warning-letters-app-developers-using-silverpush-code/160317samplesilverpushltr.pdf -density 100 ftc-silver.png[0] -trim -crop 1024x420+0+0 -trim
silverpush-logo.png https://web.archive.org/web/20160623032522/http://1.bp.blogspot.com/-r9WGkxWE3RI/Vk9wK_RisSI/AAAAAAAAAy0/ZydFsogCrnc/s640/silverpush.png
ga-dashboard.png https://web.archive.org/web/20170315055350/https://www.google.com/analytics/images/analytics/features/hero_1x.png -crop 580x370+115+35
piwik-dashboard.png https://web.archive.org/web/20170310025254/https://piwik.org/wp-content/themes/piwik/assets/img/piwiklaptop.png -crop 730x520+225+85
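Review bot: the new ftc-silver.png line is the only entry whose source is a PDF rather than an image, and its transform is unlike the others: it names the file itself with a page selector (`ftc-silver.png[0]`) and sets `-density 100` before the `-trim`/`-crop`. Rasterising a PDF page at a given density depends on the rasteriser in use, so the digest pinned for this file in SHA256SUM is less likely to reproduce on another machine than the crop-only entries; consider documenting the convention in the file (the download is saved under the output name, `[0]` selects the first page) and, if reproducibility matters, pinning the source PDF's digest as well.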


@ -957,6 +957,13 @@
urldate = {2017-03-17},
}
@online{tor:overview,
title = {Tor Project: Overview},
organization = {Tor Project},
url = {https://www.torproject.org/about/overview.html.en},
urldate = {2017-03-17},
}
@online{ghostery:companies,
title = {Company Database},
organization = {Ghostery Enterprise},
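Review bot: the urldate in the new tor:overview entry (2017-03-17) is three days before this commit (2017-03-20), while the image remotes added alongside it use 2017-03-20 snapshots; confirm that is the actual retrieval date, and consider a web.archive.org URL for the overview page as remote-list does for images, since the live URL can move. Otherwise the entry matches its neighbours in field order and style.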


@ -1147,12 +1147,12 @@ Just something to consider when taking photos of others..
#+END_COMMENT
** REVIEWED The Web [0/7]
*** REVIEWED Introduction [0/1] :B_ignoreheading:
** AUGMENT The Web [7/7]
*** READY Introduction [1/1] :B_ignoreheading:
:PROPERTIES:
:BEAMER_env: ignoreheading
:END:
**** REVIEWED Introduction :B_fullframe:
**** READY Introduction :B_fullframe:
:PROPERTIES:
:BEAMER_env: fullframe
:DURATION: 00:00:10
@ -1166,18 +1166,21 @@ Just something to consider when taking photos of others..
But you're not just tracked in the flesh.
Much of what we do today is virtual.
So, naturally, there are those that want to bridge them.
There's a lot of research and methods to achieve this;
we're only going to explore one of the most startling ones.
#+END_COMMENT
*** REVIEWED Bridging the Gap [0/3]
**** REVIEWED FTC: They're Watching You :B_fullframe:
*** READY Bridging the Gap [3/3]
**** READY FTC: They're Watching You :B_fullframe:
:PROPERTIES:
:BEAMER_env: fullframe
:DURATION: 00:00:30
:DURATION: 00:00:40
:END:
#+BEGIN_CENTER
[[./images/ftc-silver.png]]\incite{ftc:silver}
[[./images/tp/ftc-silver.png]]\par\incite{ftc:silver}
#+END_CENTER
#+BEGIN_COMMENT
@ -1196,7 +1199,7 @@ Or give you a unique URL.
#+END_COMMENT
**** REVIEWED Ultrasound Tracking
**** READY Ultrasound Tracking
:PROPERTIES:
:DURATION: 00:00:15
:END:
@ -1240,7 +1243,7 @@ There are other companies too;
#+END_COMMENT
**** REVIEWED Ultrasound Cross-Device Tracking (uXDT)
**** READY Ultrasound Cross-Device Tracking (uXDT)
:PROPERTIES:
:DURATION: 00:00:45
:END:
@ -1249,11 +1252,10 @@ There are other companies too;
(uXDT)\cite{bleep:ultrasound-tor,ftc:xdt}
- <1-> Mitigations?
- <2-> SilverDog is a Chromium addon to filter HTML5 audio\cite{ubeacsec:paper}
- <3-> Researchers propose Android permission system change
- <4-> Don't install software that keep secrets (proprietary)
- <5-> Don't run untrusted code on websites (use e.g. NoScript)
- <6-> Turn off your device when not in use
- <6-> Keep device away from other media
- <3-> Don't install software that keep secrets (proprietary)
- <3-> Don't run untrusted code on websites (use e.g. NoScript)\cite{mtg:rof}
- <4-> Turn off your device when not in use
- <4-> Keep device away from other media
#+BEGIN_COMMENT
This is termed ``Ultrasound Cross-Device Tracking'',
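Review bot: the "Researchers propose Android permission system change" bullet is dropped from the mitigations list with no replacement, and the remaining items are renumbered so that the proprietary-software and NoScript points now share overlay <3> and the last two share <4>. If the bullet was cut for time, consider folding it into the SilverDog line, which carries the \cite{ubeacsec:paper} reference, and check that the speaker notes under #+BEGIN_COMMENT no longer walk through it.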
@ -1280,23 +1282,29 @@ This is far from the only mobile threat;
#+END_COMMENT
*** REVIEWED Analytics [0/4]
**** REVIEWED Introduction :B_fullframe:
*** READY Analytics [4/4]
**** READY Introduction :B_fullframe:
:PROPERTIES:
:BEAMER_env: fullframe
:DURATION: 00:00:15
:END:
#+BEGIN_CENTER
#+BEAMER: \only<1-3>{\Huge Data Analytics}
#+BEGIN_LATEX
\only<1-3>{
{\Huge Data Analytics}
#+BEAMER: \only<2-3>{\LARGE (Building User Profiles)}
\uncover<2-3>{\LARGE (Building User Profiles)}
#+BEAMER: \only<3>{\large (Tracking)}
\uncover<3>{\large (Tracking)}
}
#+BEAMER: \only<4->{\Huge Spyware}
\only<4->{
{\Huge Spyware}
#+BEAMER: \only<5>{\LARGE (With Science)}
\uncover<5>{\LARGE (With Science)}
}
#+END_LATEX
#+END_CENTER
#+BEGIN_COMMENT
@ -1311,7 +1319,7 @@ But this has science!
#+END_COMMENT
**** REVIEWED Trackers
**** READY Trackers
:PROPERTIES:
:DURATION: 00:00:15
:END:
@ -1328,7 +1336,7 @@ That in itself isn't an unreasonable thing, broadly speaking,
#+END_COMMENT
**** REVIEWED Google Analytics
**** READY Google Analytics
:PROPERTIES:
:DURATION: 00:00:30
:END:
@ -1371,28 +1379,17 @@ A lot of it really is what website owners want to know:
geography, screen resolution, time on the page, heatmaps, etc.
Except...
And all of this is known to Google.
All of this is known to Google.
And because services like GA, AdWords, etc are so widely used,
all of this can be used to identify users across the entire web.
#+END_COMMENT
**** REVIEWED Piwik
**** READY Piwik
:PROPERTIES:
:DURATION: 00:00:30
:DURATION: 00:00:20
:END:
#+BEGIN_COMMENT
If you must track your users, consider using Piwik, which you can host
yourself.
This means that your visitor data aren't stored and accessible by Google or
other companies.
Pwik has some user privacy settings to anonymize, remove logs, respect DNT,
provide opt-out, etc.
It also gives website owners some privacy by not leaking paths and other
information about the website:
#+END_COMMENT
***** Dashboard
:PROPERTIES:
:BEAMER_col: 0.65
@ -1414,9 +1411,19 @@ It also gives website owners some privacy by not leaking paths and other
- <2-> Visitor privacy settings\cite{piwik:privacy}
- <2-> Privacy as a site owner
#+BEGIN_COMMENT
If you must track your users, consider using Piwik, which you can host
yourself.
This means that your visitor data aren't stored and accessible by Google or
other companies.
Pwik has some user privacy settings to anonymize, remove logs, respect DNT,
provide opt-out, etc.
It also gives website owners some privacy by not leaking paths and other
information about the website:
#+END_COMMENT
*** REVIEWED Social Networking
**** REVIEWED Like Buttons
*** READY Social Networking
**** READY Like Buttons
:PROPERTIES:
:DURATION: 00:00:30
:END:
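Review bot: the relocated speaker notes still carry the typo "Pwik" ("Pwik has some user privacy settings"); since the block is being moved anyway, fix it to "Piwik" in the same commit. The move itself (notes after the bullet list rather than before the Dashboard column) is fine, as it keeps the notes next to the bullets they narrate.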
@ -1429,7 +1436,7 @@ It also gives website owners some privacy by not leaking paths and other
- <2-> Infecting the Web with trackers under guise of
community\cite{pnas:predict,w:behavioral-targeting,uld:fb}
- <2-> Tracks regardless of whether you are logged in to Facebook
\cite{bloomberg:belgum-fb,roosendaal:fb-like}
\cite{bloomberg:belgum-fb,roosendaal:fb-like,networks-of-control}
#+BEGIN_COMMENT
Another popular example are "like buttons" and similar little widgets that
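Review bot: the added citation key networks-of-control does not appear in the sapsf.bib hunk of this commit, which only adds tor:overview, so confirm the key already exists in the .bib or the build will report an undefined citation. Its naming also differs from the neighbouring keys (bloomberg:belgum-fb, roosendaal:fb-like use a source:topic form); if that is the .bib convention, consider renaming it to match.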
@ -1449,10 +1456,11 @@ But even if you don't have a Facebook account,
#+END_COMMENT
*** REVIEWED Fingerprinting [0/3]
**** REVIEWED Summary :B_fullframe:
*** READY Fingerprinting [3/3]
**** READY Summary :B_fullframe:
:PROPERTIES:
:DURATION: 00:00:15
:DURATION: 00:00:10
:BEAMER_env: fullframe
:END:
#+BEGIN_CENTER
\Huge Fingerprinting
@ -1465,7 +1473,7 @@ It's just what it sounds like:
#+END_COMMENT
**** REVIEWED EFF Research :B_fullframe:
**** READY EFF Research :B_fullframe:
:PROPERTIES:
:BEAMER_env: fullframe
:DURATION: 00:00:20
@ -1509,9 +1517,9 @@ Very creative ones.
#+END_COMMENT
**** REVIEWED Alarmingly Effective
**** READY Alarmingly Effective
:PROPERTIES:
:DURATION: 00:00:40
:DURATION: 00:00:45
:END:
- Panopticlick (EFF)\cite{panopti:about}
@ -1547,16 +1555,17 @@ We'll get into some defenses in a bit.
*** REVIEWED Incentive to Betray [0/2]
**** REVIEWED Summary :B_fullframe:
*** READY Incentive to Betray [2/2]
**** READY Summary :B_fullframe:
:PROPERTIES:
:DURATION: 00:00:30
:BEAMER_env: fullframe
:END:
#+BEGIN_CENTER
There is strong incentive to betray
#+END_CENTER
- <1-> There is strong incentive to betray
- <2> Money (advertising)
- <2> Attention & praise
- <2> ``Business intelligence''
#+BEGIN_COMMENT
So how does tracking happen?
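Review bot: the three sub-bullets use overlay <2> while the parent uses <1->; with exactly two overlays that renders the same, but <2-> would keep them visible if a further overlay is added to this frame later, matching the open-ended form used on the parent and on the uXDT list earlier in this diff. The change from a centred one-liner to a bullet list otherwise reads well.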
@ -1577,9 +1586,10 @@ They're unknowing pawns in the Web of surveillance.
#+END_COMMENT
**** DRAFT Web of Surveillance :B_fullframe:
**** READY Web of Surveillance :B_fullframe:
:PROPERTIES:
:BEAMER_env: fullframe
:DURATION: 00:00:45
:END:
#+BEGIN_CENTER
@ -1609,7 +1619,7 @@ It's an addon for Firefox that graphs first- and third-party sites that you
I created a new FF profile and installed the addon;
none of my privacy settings or other addons I'm used to.
You can see at the top that I visited five websites:
Washington Post, NY Times from Google, Guargian, and---which you can't see
Washington Post, NY Times from Google, Guardian, and---which you can't see
here because they're actually disjoint from this graph---The Intercept.
Good for them!
And yet,
@ -1627,8 +1637,8 @@ This is what happens when I try to mitigate some of these threats.
#+END_COMMENT
*** REVIEWED Mitigations & Anonymity [0/8]
**** REVIEWED Summary :B_fullframe:
*** READY Mitigations & Anonymity [8/8]
**** READY Summary :B_fullframe:
:PROPERTIES:
:DURATION: 00:00:05
:BEAMER_env: fullframe
@ -1646,9 +1656,9 @@ Well, it depends on your threat model,
#+END_COMMENT
**** REVIEWED Disable the Damn JavaScript!
**** READY Disable the Damn JavaScript!
:PROPERTIES:
:DURATION: 00:00:45
:DURATION: 00:00:50
:END:
#+BEGIN_CENTER
@ -1682,21 +1692,24 @@ The Web isn't broken without it,
I write a lot of JavaScript for a living.
My GNU project is ease.js, which is a JavaScript library.
And yet,
/I do not allow JavaScript to run 99% of the time!/.
Even on most websites I trust.
Some people run LibreJS.
But note that free software doesn't mean free of malice.
/I only allow JavaScript to execute on a few websites!/.
Even on most websites I trust, I don't.
Some people run LibreJS,
and I support that project.
But note that free software doesn't mean free of malice;
LibreJS solves a different problem than the one I'm describing---
when you /do/ allow JS to run, it should be free.
It's probably obvious from the logo that I'm talking about the NoScript
extension.
addon.
It does more than just block JS---
it also blocks media, custom fonts, prevents against certain types of XSS
it also blocks media, custom fonts, protects against certain types of XSS
and clickjacking attacks, and more.
If you don't know what XSS and clickjacking is, that's okay.
If you don't know those are, that's okay.
#+END_COMMENT
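Review bot: the new closing line "If you don't know those are, that's okay." is missing a word and should read "If you don't know what those are, that's okay." A smaller point in the same hunk: "/I only allow JavaScript to execute on a few websites!/." ends with both "!" and ".", so one of them can go.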
**** REVIEWED LightBeam NoScript :B_fullframe:
**** READY LightBeam NoScript :B_fullframe:
:PROPERTIES:
:BEAMER_env: fullframe
:DURATION: 00:00:15
@ -1713,14 +1726,14 @@ If you don't know what XSS and clickjacking is, that's okay.
#+ATTR_LATEX: :height 2.5in
[[./images/lightbeam-ex-noscript.png]]
(After NoScript)
(After NoScript with /no whitelist/)
#+BEAMER: }
#+END_CENTER
#+BEGIN_COMMENT
So this was our graph before NoScript.
So this is our graph again before NoScript.
And here it is after disabling scripts.
And here it is after running NoScript with no whitelist.
Without any other mitigations.
Obviously results will vary depending on the website.
@ -1729,9 +1742,9 @@ We're going to get back to JS soon.
#+END_COMMENT
**** REVIEWED Block Ads and Trackers
**** READY Block Ads and Trackers
:PROPERTIES:
:DURATION: 00:00:40
:DURATION: 00:00:45
:END:
#+BEGIN_CENTER
#+ATTR_LATEX: :height 0.75in
@ -1752,8 +1765,8 @@ The issue surrounding Ad Blockers is framed such that we're waging war
against advertisers.
No---they're waging war against /us/.
You'll find that the bulk of what these addons for Firefox browsers handle
is related to ad networks.
You'll find that the bulk of what these addons handle is related to ad
networks.
Privacy Badger works to block sites that appear to be tracking you.
Cooper Quintin---developer of Privacy Badger---gave a great talk last year
here at LP; go check it out.
@ -1768,7 +1781,7 @@ I don't have time to go into technical details, unfortunately.
#+END_COMMENT
**** REVIEWED Anonymity :B_fullframe:
**** READY Anonymity :B_fullframe:
:PROPERTIES:
:BEAMER_env: fullframe
:DURATION: 00:00:15
@ -1802,10 +1815,10 @@ In the former case,
#+END_COMMENT
**** REVIEWED IANAAE :B_fullframe:
**** READY IANAAE :B_fullframe:
:PROPERTIES:
:BEAMER_env: fullframe
:DURATION: 00:00:10
:DURATION: 00:00:15
:END:
#+BEGIN_CENTER
@ -1824,9 +1837,9 @@ I provide a number of resources to get you started.
#+END_COMMENT
**** REVIEWED The Tor Network
**** READY The Tor Network
:PROPERTIES:
:DURATION: 00:00:30
:DURATION: 00:00:45
:END:
#+BEGIN_CENTER
@ -1835,7 +1848,7 @@ I provide a number of resources to get you started.
[[./images/tp/tor.png]]
#+BEAMER: }
#+BEAMER: \only<2>{
[[./images/tp/tor-diagram.png]]
[[./images/tp/tor-diagram.png]]\incite{tor:overview}
#+BEAMER: }
#+END_CENTER
@ -1859,7 +1872,7 @@ The exit node reveals the packet and delivers it to the destination,
As long as a sufficient portion of the network can be trusted and has not
been compromised by an adversary,
it isn't possible to trace data back through the network.
it should not be possible to figure out that path.
The most common use of Tor is to route web traffic.
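Review bot: the reworded "it should not be possible to figure out that path" is a better hedge than the old "isn't possible to trace", but the condition before it ("a sufficient portion of the network can be trusted") still states the guarantee loosely: what Tor's design relies on is that no single party observes both the entry (guard) and the exit of a circuit, since an adversary who sees both ends can correlate traffic timing however many other relays are honest. Suggest "As long as no single adversary can watch both ends of the circuit" or similar, which also matches the tor:overview page now cited on the diagram above.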
@ -1868,9 +1881,9 @@ There are lots of other details that I don't have time to get to here,
#+END_COMMENT
**** REVIEWED TorBrowser, Tails, and Whonix
**** READY TorBrowser, Tails, and Whonix
:PROPERTIES:
:DURATION: 00:01
:DURATION: 00:01:30
:END:
#+BEGIN_CENTER
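Review bot: the DURATION change to 00:01:30 also removes an ambiguity: the previous value 00:01 is the only two-component duration visible in this diff, so anything summing the durations could have read it as one second or one minute. Worth a grep for any other DURATION values not written as HH:MM:SS.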