The Web section mostly ready

See checklist in notes.org for a couple things that should still be mentioned here.

* slides.org (The Web): Mostly ready.
* sapsf.bib (tor:overview): Add missing entry.
* images/ftc-silver.png: Remove image.
* images/tp/remote-list (ftc-silver.png): Add remote and transform.
* images/tp/SHA256SUM: Add ftc-silver.png.
parent a8333aae36
commit 0cf1121616
Binary file not shown.
Before: Size 71 KiB
@ -7,6 +7,7 @@ ca51e8ba23a87140b1f2cf573d4761df888d7f939947823c695004ce5d3f31f7 replicant.png
31597ba3731e6eccf2e68ae8b91ad25b2e6e4685814e723333d9ea1d2579b635 alpr-pips.png
e7029f70524f420ef32044aeae8280434d5b03ddbab4e90188409a93597c0726 sf-cameras.jpg
67483c5d78b168782b787765284937b8a269ae6d87d4effbb58f4a7d603d8997 aclu-tracked.jpg
1e48106a362e8c64b8876daabd794fa5994b30e4706147c7ccb0aca52a049040 ftc-silver.png
9edddcac31bbb09e4ba9f6fea5d36e5298ec65ce88d4c015121fc27edd466947 silverpush-logo.png
cfda12117815c35bfc51266d9e8227b1645dcd5ffe054c4ae9922e75595f09b9 ga-dashboard.png
d905d3b378daea4c002c873a4ad8192246959cb6df6fb470e29ade9f2b2354c9 piwik-dashboard.png
@ -7,6 +7,7 @@ alpr-capture.png https://web.archive.org/web/20170318173346/https://www.eff.org/
alpr-pips.png https://web.archive.org/web/20170318173427/https://www.eff.org/files/2015/10/15/pipscam9_redacted.png
sf-cameras.jpg https://web.archive.org/web/20170318173846/https://cbssanfran.files.wordpress.com/2015/09/san_francisco_surveillance_cameras_092315.jpg
aclu-tracked.jpg https://web.archive.org/web/20170320025735/https://www.aclu.org/sites/default/files/styles/content_area_full_width/public/field_media_media_image/web15-feature-alpr-report-580x535.jpg?itok=n_JYZGN5 -crop 410x535+170+0
ftc-silver.png https://web.archive.org/web/20170320041757/https://www.ftc.gov/system/files/attachments/press-releases/ftc-issues-warning-letters-app-developers-using-silverpush-code/160317samplesilverpushltr.pdf -density 100 ftc-silver.png[0] -trim -crop 1024x420+0+0 -trim
silverpush-logo.png https://web.archive.org/web/20160623032522/http://1.bp.blogspot.com/-r9WGkxWE3RI/Vk9wK_RisSI/AAAAAAAAAy0/ZydFsogCrnc/s640/silverpush.png
ga-dashboard.png https://web.archive.org/web/20170315055350/https://www.google.com/analytics/images/analytics/features/hero_1x.png -crop 580x370+115+35
piwik-dashboard.png https://web.archive.org/web/20170310025254/https://piwik.org/wp-content/themes/piwik/assets/img/piwiklaptop.png -crop 730x520+225+85
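Review bot: the remote-list entry for ftc-silver.png pins a rasterised rendering of a PDF rather than the PDF itself, so the ftc-silver.png checksum added to images/tp/SHA256SUM in this commit will only verify while `-density 100` rendering of page `[0]`, `-trim` and `-crop 1024x420+0+0` produce bit-identical output; a different ImageMagick build (or the PDF renderer it delegates to) can shift the trim box and change the hash. Consider also recording the checksum of the archived PDF and the tool version used, so a future mismatch can be told apart from a changed source. The page selector is written on the output name (`ftc-silver.png[0]`) rather than on the download, which only works if the fetch step saves the PDF under that name first; worth confirming against the script that consumes this list, which is not in this diff.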
@ -957,6 +957,13 @@
urldate = {2017-03-17},
}

@online{tor:overview,
title = {Tor Project: Overview},
organization = {Tor Project},
url = {https://www.torproject.org/about/overview.html.en},
urldate = {2017-03-17},
}

@online{ghostery:companies,
title = {Company Database},
organization = {Ghostery Enterprise},
175
slides.org
@ -1147,12 +1147,12 @@ Just something to consider when taking photos of others..
#+END_COMMENT


** REVIEWED The Web [0/7]
*** REVIEWED Introduction [0/1] :B_ignoreheading:
** AUGMENT The Web [7/7]
*** READY Introduction [1/1] :B_ignoreheading:
:PROPERTIES:
:BEAMER_env: ignoreheading
:END:
**** REVIEWED Introduction :B_fullframe:
**** READY Introduction :B_fullframe:
:PROPERTIES:
:BEAMER_env: fullframe
:DURATION: 00:00:10
@ -1166,18 +1166,21 @@ Just something to consider when taking photos of others..
But you're not just tracked in the flesh.
Much of what we do today is virtual.
So, naturally, there are those that want to bridge them.

There's a lot of research and methods to achieve this;
we're only going to explore one of the most startling ones.
#+END_COMMENT


*** REVIEWED Bridging the Gap [0/3]
**** REVIEWED FTC: They're Watching You :B_fullframe:
*** READY Bridging the Gap [3/3]
**** READY FTC: They're Watching You :B_fullframe:
:PROPERTIES:
:BEAMER_env: fullframe
:DURATION: 00:00:30
:DURATION: 00:00:40
:END:

#+BEGIN_CENTER
[[./images/ftc-silver.png]]\incite{ftc:silver}
[[./images/tp/ftc-silver.png]]\par\incite{ftc:silver}
#+END_CENTER

#+BEGIN_COMMENT
@ -1196,7 +1199,7 @@ Or give you a unique URL.
#+END_COMMENT


**** REVIEWED Ultrasound Tracking
**** READY Ultrasound Tracking
:PROPERTIES:
:DURATION: 00:00:15
:END:
@ -1240,7 +1243,7 @@ There are other companies too;
#+END_COMMENT


**** REVIEWED Ultrasound Cross-Device Tracking (uXDT)
**** READY Ultrasound Cross-Device Tracking (uXDT)
:PROPERTIES:
:DURATION: 00:00:45
:END:
@ -1249,11 +1252,10 @@ There are other companies too;
(uXDT)\cite{bleep:ultrasound-tor,ftc:xdt}
- <1-> Mitigations?
- <2-> SilverDog is a Chromium addon to filter HTML5 audio\cite{ubeacsec:paper}
- <3-> Researchers propose Android permission system change
- <4-> Don't install software that keep secrets (proprietary)
- <5-> Don't run untrusted code on websites (use e.g. NoScript)
- <6-> Turn off your device when not in use
- <6-> Keep device away from other media
- <3-> Don't install software that keep secrets (proprietary)
- <3-> Don't run untrusted code on websites (use e.g. NoScript)\cite{mtg:rof}
- <4-> Turn off your device when not in use
- <4-> Keep device away from other media

#+BEGIN_COMMENT
This is termed ``Ultrasound Cross-Device Tracking'',
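Review bot: the renumbered list drops the "Researchers propose Android permission system change" bullet (the hunk shrinks from 11 to 10 lines and that line has no counterpart under the new overlay numbers), so the slide now lists only user-side mitigations and none on the platform side; restore it under `<3->` if the removal was not intended. While these lines are being rewritten, "software that keep secrets" should read "software that keeps secrets", and the new `\cite{mtg:rof}` on the NoScript bullet needs a matching entry in sapsf.bib, since the bib hunk in this commit only adds tor:overview.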
@ -1280,23 +1282,29 @@ This is far from the only mobile threat;
#+END_COMMENT


*** REVIEWED Analytics [0/4]
**** REVIEWED Introduction :B_fullframe:
*** READY Analytics [4/4]
**** READY Introduction :B_fullframe:
:PROPERTIES:
:BEAMER_env: fullframe
:DURATION: 00:00:15
:END:

#+BEGIN_CENTER
#+BEAMER: \only<1-3>{\Huge Data Analytics}
#+BEGIN_LATEX
\only<1-3>{
{\Huge Data Analytics}

#+BEAMER: \only<2-3>{\LARGE (Building User Profiles)}
\uncover<2-3>{\LARGE (Building User Profiles)}

#+BEAMER: \only<3>{\large (Tracking)}
\uncover<3>{\large (Tracking)}
}

#+BEAMER: \only<4->{\Huge Spyware}
\only<4->{
{\Huge Spyware}

#+BEAMER: \only<5>{\LARGE (With Science)}
\uncover<5>{\LARGE (With Science)}
}
#+END_LATEX
#+END_CENTER

#+BEGIN_COMMENT
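Review bot: switching the subtitles from `\only` to `\uncover` is the right call, since `\uncover` keeps their vertical space reserved and "Data Analytics" no longer jumps between overlays 1 and 3; the outer `\only<1-3>{` and `\only<4->{` groups are mutually exclusive, so the two stacks never show together. The blank lines inside each group are what separate the title from its subtitles (they become paragraph breaks in the exported LaTeX); if that is the intent, an explicit `\par` or `\\` would make it obvious to the next editor and survive a reflow of the Org source.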
@ -1311,7 +1319,7 @@ But this has science!
#+END_COMMENT


**** REVIEWED Trackers
**** READY Trackers
:PROPERTIES:
:DURATION: 00:00:15
:END:
@ -1328,7 +1336,7 @@ That in itself isn't an unreasonable thing, broadly speaking,
#+END_COMMENT


**** REVIEWED Google Analytics
**** READY Google Analytics
:PROPERTIES:
:DURATION: 00:00:30
:END:
@ -1371,28 +1379,17 @@ A lot of it really is what website owners want to know:
geography, screen resolution, time on the page, heatmaps, etc.
Except...

And all of this is known to Google.
All of this is known to Google.
And because services like GA, AdWords, etc are so widely used,
all of this can be used to identify users across the entire web.
#+END_COMMENT


**** REVIEWED Piwik
**** READY Piwik
:PROPERTIES:
:DURATION: 00:00:30
:DURATION: 00:00:20
:END:

#+BEGIN_COMMENT
If you must track your users, consider using Piwik, which you can host
yourself.
This means that your visitor data aren't stored and accessible by Google or
other companies.
Pwik has some user privacy settings to anonymize, remove logs, respect DNT,
provide opt-out, etc.
It also gives website owners some privacy by not leaking paths and other
information about the website:
#+END_COMMENT

***** Dashboard
:PROPERTIES:
:BEAMER_col: 0.65
@ -1414,9 +1411,19 @@ It also gives website owners some privacy by not leaking paths and other
- <2-> Visitor privacy settings\cite{piwik:privacy}
- <2-> Privacy as a site owner

#+BEGIN_COMMENT
If you must track your users, consider using Piwik, which you can host
yourself.
This means that your visitor data aren't stored and accessible by Google or
other companies.
Pwik has some user privacy settings to anonymize, remove logs, respect DNT,
provide opt-out, etc.
It also gives website owners some privacy by not leaking paths and other
information about the website:
#+END_COMMENT

*** REVIEWED Social Networking
**** REVIEWED Like Buttons
*** READY Social Networking
**** READY Like Buttons
:PROPERTIES:
:DURATION: 00:00:30
:END:
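Review bot: the Piwik speaker notes are moved below the bullet list verbatim, so the typo "Pwik" in "Pwik has some user privacy settings" travels with them; fix it here since the lines are being rewritten anyway. In the same block, "stored and accessible by Google" reads better as "stored by or accessible to Google", and the trailing colon on "information about the website:" no longer introduces anything now that the bullets precede the comment rather than follow it.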
@ -1429,7 +1436,7 @@ It also gives website owners some privacy by not leaking paths and other
- <2-> Infecting the Web with trackers under guise of
community\cite{pnas:predict,w:behavioral-targeting,uld:fb}
- <2-> Tracks regardless of whether you are logged in to Facebook
\cite{bloomberg:belgum-fb,roosendaal:fb-like}
\cite{bloomberg:belgum-fb,roosendaal:fb-like,networks-of-control}

#+BEGIN_COMMENT
Another popular example are "like buttons" and similar little widgets that
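Review bot: the new citation key `networks-of-control` on the Like Buttons bullet has to exist in sapsf.bib, and the bib hunk in this commit only adds tor:overview; if the entry is not already defined, the build will emit an undefined-citation warning and the reference will render as a question mark rather than failing loudly.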
@ -1449,10 +1456,11 @@ But even if you don't have a Facebook account,
#+END_COMMENT


*** REVIEWED Fingerprinting [0/3]
**** REVIEWED Summary :B_fullframe:
*** READY Fingerprinting [3/3]
**** READY Summary :B_fullframe:
:PROPERTIES:
:DURATION: 00:00:15
:DURATION: 00:00:10
:BEAMER_env: fullframe
:END:
#+BEGIN_CENTER
\Huge Fingerprinting
@ -1465,7 +1473,7 @@ It's just what it sounds like:
#+END_COMMENT


**** REVIEWED EFF Research :B_fullframe:
**** READY EFF Research :B_fullframe:
:PROPERTIES:
:BEAMER_env: fullframe
:DURATION: 00:00:20
@ -1509,9 +1517,9 @@ Very creative ones.
#+END_COMMENT


**** REVIEWED Alarmingly Effective
**** READY Alarmingly Effective
:PROPERTIES:
:DURATION: 00:00:40
:DURATION: 00:00:45
:END:

- Panopticlick (EFF)\cite{panopti:about}
@ -1547,16 +1555,17 @@ We'll get into some defenses in a bit.



*** REVIEWED Incentive to Betray [0/2]
**** REVIEWED Summary :B_fullframe:
*** READY Incentive to Betray [2/2]
**** READY Summary :B_fullframe:
:PROPERTIES:
:DURATION: 00:00:30
:BEAMER_env: fullframe
:END:

#+BEGIN_CENTER
There is strong incentive to betray
#+END_CENTER
- <1-> There is strong incentive to betray
- <2> Money (advertising)
- <2> Attention & praise
- <2> ``Business intelligence''

#+BEGIN_COMMENT
So how does tracking happen?
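Review bot: the three sub-points use the single-overlay specification `<2>` rather than `<2->`, so they would disappear again if a third overlay is ever added to this frame; `<2->` matches the `<1->` on the first item and is the safer choice for a list that is expected to stay visible once revealed.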
@ -1577,9 +1586,10 @@ They're unknowing pawns in the Web of surveillance.
#+END_COMMENT


**** DRAFT Web of Surveillance :B_fullframe:
**** READY Web of Surveillance :B_fullframe:
:PROPERTIES:
:BEAMER_env: fullframe
:DURATION: 00:00:45
:END:

#+BEGIN_CENTER
@ -1609,7 +1619,7 @@ It's an addon for Firefox that graphs first- and third-party sites that you
I created a new FF profile and installed the addon;
none of my privacy settings or other addons I'm used to.
You can see at the top that I visited five websites:
Washington Post, NY Times from Google, Guargian, and---which you can't see
Washington Post, NY Times from Google, Guardian, and---which you can't see
here because they're actually disjoint from this graph---The Intercept.
Good for them!
And yet,
@ -1627,8 +1637,8 @@ This is what happens when I try to mitigate some of these threats.
#+END_COMMENT


*** REVIEWED Mitigations & Anonymity [0/8]
**** REVIEWED Summary :B_fullframe:
*** READY Mitigations & Anonymity [8/8]
**** READY Summary :B_fullframe:
:PROPERTIES:
:DURATION: 00:00:05
:BEAMER_env: fullframe
@ -1646,9 +1656,9 @@ Well, it depends on your threat model,
#+END_COMMENT


**** REVIEWED Disable the Damn JavaScript!
**** READY Disable the Damn JavaScript!
:PROPERTIES:
:DURATION: 00:00:45
:DURATION: 00:00:50
:END:

#+BEGIN_CENTER
@ -1682,21 +1692,24 @@ The Web isn't broken without it,
I write a lot of JavaScript for a living.
My GNU project is ease.js, which is a JavaScript library.
And yet,
/I do not allow JavaScript to run 99% of the time!/.
Even on most websites I trust.
Some people run LibreJS.
But note that free software doesn't mean free of malice.
/I only allow JavaScript to execute on a few websites!/.
Even on most websites I trust, I don't.
Some people run LibreJS,
and I support that project.
But note that free software doesn't mean free of malice;
LibreJS solves a different problem than the one I'm describing---
when you /do/ allow JS to run, it should be free.

It's probably obvious from the logo that I'm talking about the NoScript
extension.
addon.
It does more than just block JS---
it also blocks media, custom fonts, prevents against certain types of XSS
it also blocks media, custom fonts, protects against certain types of XSS
and clickjacking attacks, and more.
If you don't know what XSS and clickjacking is, that's okay.
If you don't know those are, that's okay.
#+END_COMMENT


**** REVIEWED LightBeam NoScript :B_fullframe:
**** READY LightBeam NoScript :B_fullframe:
:PROPERTIES:
:BEAMER_env: fullframe
:DURATION: 00:00:15
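Review bot: the rewritten line "If you don't know those are, that's okay." has lost its "what"; it should read "If you don't know what those are, that's okay." The stray period after the exclamation mark in "/I only allow JavaScript to execute on a few websites!/." is carried over from the line it replaces and can be dropped at the same time.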
@ -1713,14 +1726,14 @@ If you don't know what XSS and clickjacking is, that's okay.
#+ATTR_LATEX: :height 2.5in
[[./images/lightbeam-ex-noscript.png]]

(After NoScript)
(After NoScript with /no whitelist/)
#+BEAMER: }
#+END_CENTER

#+BEGIN_COMMENT
So this was our graph before NoScript.
So this is our graph again before NoScript.

And here it is after disabling scripts.
And here it is after running NoScript with no whitelist.
Without any other mitigations.

Obviously results will vary depending on the website.
@ -1729,9 +1742,9 @@ We're going to get back to JS soon.
#+END_COMMENT


**** REVIEWED Block Ads and Trackers
**** READY Block Ads and Trackers
:PROPERTIES:
:DURATION: 00:00:40
:DURATION: 00:00:45
:END:
#+BEGIN_CENTER
#+ATTR_LATEX: :height 0.75in
@ -1752,8 +1765,8 @@ The issue surrounding Ad Blockers is framed such that we're waging war
against advertisers.
No---they're waging war against /us/.

You'll find that the bulk of what these addons for Firefox browsers handle
is related to ad networks.
You'll find that the bulk of what these addons handle is related to ad
networks.
Privacy Badger works to block sites that appear to be tracking you.
Cooper Quintin---developer of Privacy Badger---gave a great talk last year
here at LP; go check it out.
@ -1768,7 +1781,7 @@ I don't have time to go into technical details, unfortunately.
#+END_COMMENT


**** REVIEWED Anonymity :B_fullframe:
**** READY Anonymity :B_fullframe:
:PROPERTIES:
:BEAMER_env: fullframe
:DURATION: 00:00:15
@ -1802,10 +1815,10 @@ In the former case,
#+END_COMMENT


**** REVIEWED IANAAE :B_fullframe:
**** READY IANAAE :B_fullframe:
:PROPERTIES:
:BEAMER_env: fullframe
:DURATION: 00:00:10
:DURATION: 00:00:15
:END:

#+BEGIN_CENTER
@ -1824,9 +1837,9 @@ I provide a number of resources to get you started.
#+END_COMMENT


**** REVIEWED The Tor Network
**** READY The Tor Network
:PROPERTIES:
:DURATION: 00:00:30
:DURATION: 00:00:45
:END:

#+BEGIN_CENTER
@ -1835,7 +1848,7 @@ I provide a number of resources to get you started.
[[./images/tp/tor.png]]
#+BEAMER: }
#+BEAMER: \only<2>{
[[./images/tp/tor-diagram.png]]
[[./images/tp/tor-diagram.png]]\incite{tor:overview}
#+BEAMER: }
#+END_CENTER

@ -1859,7 +1872,7 @@ The exit node reveals the packet and delivers it to the destination,

As long as a sufficient portion of the network can be trusted and has not
been compromised by an adversary,
it isn't possible to trace data back through the network.
it should not be possible to figure out that path.

The most common use of Tor is to route web traffic.

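Review bot: the hedged "should not be possible" is more defensible than the old absolute claim, but "that path" has no clear antecedent after the preceding line about the exit node delivering the packet; say "the path a packet took through the network". It is also worth keeping the two guarantees distinct in the notes: the trust condition protects the route, while the packet content the exit node reveals (per the context line at the top of this hunk) is not covered by it.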
@ -1868,9 +1881,9 @@ There are lots of other details that I don't have time to get to here,
#+END_COMMENT


**** REVIEWED TorBrowser, Tails, and Whonix
**** READY TorBrowser, Tails, and Whonix
:PROPERTIES:
:DURATION: 00:01
:DURATION: 00:01:30
:END:

#+BEGIN_CENTER