diff --git a/images/ftc-silver.png b/images/ftc-silver.png deleted file mode 100644 index ac41899..0000000 Binary files a/images/ftc-silver.png and /dev/null differ diff --git a/images/tp/SHA256SUM b/images/tp/SHA256SUM index e30819f..68a77cb 100644 --- a/images/tp/SHA256SUM +++ b/images/tp/SHA256SUM @@ -7,6 +7,7 @@ ca51e8ba23a87140b1f2cf573d4761df888d7f939947823c695004ce5d3f31f7 replicant.png 31597ba3731e6eccf2e68ae8b91ad25b2e6e4685814e723333d9ea1d2579b635 alpr-pips.png e7029f70524f420ef32044aeae8280434d5b03ddbab4e90188409a93597c0726 sf-cameras.jpg 67483c5d78b168782b787765284937b8a269ae6d87d4effbb58f4a7d603d8997 aclu-tracked.jpg +1e48106a362e8c64b8876daabd794fa5994b30e4706147c7ccb0aca52a049040 ftc-silver.png 9edddcac31bbb09e4ba9f6fea5d36e5298ec65ce88d4c015121fc27edd466947 silverpush-logo.png cfda12117815c35bfc51266d9e8227b1645dcd5ffe054c4ae9922e75595f09b9 ga-dashboard.png d905d3b378daea4c002c873a4ad8192246959cb6df6fb470e29ade9f2b2354c9 piwik-dashboard.png diff --git a/images/tp/remote-list b/images/tp/remote-list index 72ffeae..4915f42 100644 --- a/images/tp/remote-list +++ b/images/tp/remote-list 
@@ -7,6 +7,7 @@ alpr-capture.png https://web.archive.org/web/20170318173346/https://www.eff.org/ alpr-pips.png https://web.archive.org/web/20170318173427/https://www.eff.org/files/2015/10/15/pipscam9_redacted.png sf-cameras.jpg https://web.archive.org/web/20170318173846/https://cbssanfran.files.wordpress.com/2015/09/san_francisco_surveillance_cameras_092315.jpg aclu-tracked.jpg https://web.archive.org/web/20170320025735/https://www.aclu.org/sites/default/files/styles/content_area_full_width/public/field_media_media_image/web15-feature-alpr-report-580x535.jpg?itok=n_JYZGN5 -crop 410x535+170+0 +ftc-silver.png https://web.archive.org/web/20170320041757/https://www.ftc.gov/system/files/attachments/press-releases/ftc-issues-warning-letters-app-developers-using-silverpush-code/160317samplesilverpushltr.pdf -density 100 ftc-silver.png[0] -trim -crop 1024x420+0+0 -trim silverpush-logo.png https://web.archive.org/web/20160623032522/http://1.bp.blogspot.com/-r9WGkxWE3RI/Vk9wK_RisSI/AAAAAAAAAy0/ZydFsogCrnc/s640/silverpush.png ga-dashboard.png https://web.archive.org/web/20170315055350/https://www.google.com/analytics/images/analytics/features/hero_1x.png -crop 580x370+115+35 piwik-dashboard.png https://web.archive.org/web/20170310025254/https://piwik.org/wp-content/themes/piwik/assets/img/piwiklaptop.png -crop 730x520+225+85 diff --git a/sapsf.bib b/sapsf.bib index 90c0295..149f30b 100644 --- a/sapsf.bib +++ b/sapsf.bib @@ -957,6 +957,13 @@ urldate = {2017-03-17}, } +@online{tor:overview, + title = {Tor Project: Overview}, + organization = {Tor Project}, + url = {https://www.torproject.org/about/overview.html.en}, + urldate = {2017-03-17}, +} + @online{ghostery:companies, title = {Company Database}, organization = {Ghostery Enterprise}, diff --git a/slides.org b/slides.org index 661be44..c1bb4e1 100644 --- a/slides.org +++ b/slides.org 
@@ -1147,12 +1147,12 @@ Just something to consider when taking photos of others.. #+END_COMMENT -** REVIEWED The Web [0/7] -*** REVIEWED Introduction [0/1] :B_ignoreheading: +** AUGMENT The Web [7/7] +*** READY Introduction [1/1] :B_ignoreheading: :PROPERTIES: :BEAMER_env: ignoreheading :END: -**** REVIEWED Introduction :B_fullframe: +**** READY Introduction :B_fullframe: :PROPERTIES: :BEAMER_env: fullframe :DURATION: 00:00:10 @@ -1166,18 +1166,21 @@ Just something to consider when taking photos of others.. But you're not just tracked in the flesh. Much of what we do today is virtual. So, naturally, there are those that want to bridge them. + +There's a lot of research and methods to achieve this; + we're only going to explore one of the most startling ones. #+END_COMMENT -*** REVIEWED Bridging the Gap [0/3] -**** REVIEWED FTC: They're Watching You :B_fullframe: +*** READY Bridging the Gap [3/3] +**** READY FTC: They're Watching You :B_fullframe: :PROPERTIES: :BEAMER_env: fullframe -:DURATION: 00:00:30 +:DURATION: 00:00:40 :END: #+BEGIN_CENTER - [[./images/ftc-silver.png]]\incite{ftc:silver} + [[./images/tp/ftc-silver.png]]\par\incite{ftc:silver} #+END_CENTER #+BEGIN_COMMENT @@ -1196,7 +1199,7 @@ Or give you a unique URL. #+END_COMMENT -**** REVIEWED Ultrasound Tracking +**** READY Ultrasound Tracking :PROPERTIES: :DURATION: 00:00:15 :END: @@ -1240,7 +1243,7 @@ There are other companies too; #+END_COMMENT -**** REVIEWED Ultrasound Cross-Device Tracking (uXDT) +**** READY Ultrasound Cross-Device Tracking (uXDT) :PROPERTIES: :DURATION: 00:00:45 :END: 
@@ -1249,11 +1252,10 @@ There are other companies too; (uXDT)\cite{bleep:ultrasound-tor,ftc:xdt} - <1-> Mitigations? - <2-> SilverDog is a Chromium addon to filter HTML5 audio\cite{ubeacsec:paper} - - <3-> Researchers propose Android permission system change - - <4-> Don't install software that keep secrets (proprietary) - - <5-> Don't run untrusted code on websites (use e.g. NoScript) - - <6-> Turn off your device when not in use - - <6-> Keep device away from other media + - <3-> Don't install software that keep secrets (proprietary) + - <3-> Don't run untrusted code on websites (use e.g. NoScript)\cite{mtg:rof} + - <4-> Turn off your device when not in use + - <4-> Keep device away from other media #+BEGIN_COMMENT This is termed ``Ultrasound Cross-Device Tracking'', @@ -1280,23 +1282,29 @@ This is far from the only mobile threat; #+END_COMMENT -*** REVIEWED Analytics [0/4] -**** REVIEWED Introduction :B_fullframe: +*** READY Analytics [4/4] +**** READY Introduction :B_fullframe: :PROPERTIES: :BEAMER_env: fullframe :DURATION: 00:00:15 :END: #+BEGIN_CENTER -#+BEAMER: \only<1-3>{\Huge Data Analytics} +#+BEGIN_LATEX +\only<1-3>{ + {\Huge Data Analytics} -#+BEAMER: \only<2-3>{\LARGE (Building User Profiles)} + \uncover<2-3>{\LARGE (Building User Profiles)} -#+BEAMER: \only<3>{\large (Tracking)} + \uncover<3>{\large (Tracking)} +} -#+BEAMER: \only<4->{\Huge Spyware} +\only<4->{ + {\Huge Spyware} -#+BEAMER: \only<5>{\LARGE (With Science)} + \uncover<5>{\LARGE (With Science)} +} +#+END_LATEX #+END_CENTER #+BEGIN_COMMENT @@ -1311,7 +1319,7 @@ But this has science! #+END_COMMENT -**** REVIEWED Trackers +**** READY Trackers :PROPERTIES: :DURATION: 00:00:15 :END: @@ -1328,7 +1336,7 @@ That in itself isn't an unreasonable thing, broadly speaking, #+END_COMMENT -**** REVIEWED Google Analytics +**** READY Google Analytics :PROPERTIES: :DURATION: 00:00:30 :END: 
@@ -1371,28 +1379,17 @@ A lot of it really is what website owners want to know: geography, screen resolution, time on the page, heatmaps, etc. Except... -And all of this is known to Google. +All of this is known to Google. And because services like GA, AdWords, etc are so widely used, all of this can be used to identify users across the entire web. #+END_COMMENT -**** REVIEWED Piwik +**** READY Piwik :PROPERTIES: -:DURATION: 00:00:30 +:DURATION: 00:00:20 :END: -#+BEGIN_COMMENT -If you must track your users, consider using Piwik, which you can host - yourself. -This means that your visitor data aren't stored and accessible by Google or - other companies. -Pwik has some user privacy settings to anonymize, remove logs, respect DNT, - provide opt-out, etc. -It also gives website owners some privacy by not leaking paths and other - information about the website: -#+END_COMMENT - ***** Dashboard :PROPERTIES: :BEAMER_col: 0.65 @@ -1414,9 +1411,19 @@ It also gives website owners some privacy by not leaking paths and other - <2-> Visitor privacy settings\cite{piwik:privacy} - <2-> Privacy as a site owner +#+BEGIN_COMMENT +If you must track your users, consider using Piwik, which you can host + yourself. +This means that your visitor data aren't stored and accessible by Google or + other companies. +Pwik has some user privacy settings to anonymize, remove logs, respect DNT, + provide opt-out, etc. +It also gives website owners some privacy by not leaking paths and other + information about the website: +#+END_COMMENT -*** REVIEWED Social Networking -**** REVIEWED Like Buttons +*** READY Social Networking +**** READY Like Buttons :PROPERTIES: :DURATION: 00:00:30 :END: 
@@ -1429,7 +1436,7 @@ It also gives website owners some privacy by not leaking paths and other - <2-> Infecting the Web with trackers under guise of community\cite{pnas:predict,w:behavioral-targeting,uld:fb} - <2-> Tracks regardless of whether you are logged in to Facebook - \cite{bloomberg:belgum-fb,roosendaal:fb-like} + \cite{bloomberg:belgum-fb,roosendaal:fb-like,networks-of-control} #+BEGIN_COMMENT Another popular example are "like buttons" and similar little widgets that @@ -1449,10 +1456,11 @@ But even if you don't have a Facebook account, #+END_COMMENT -*** REVIEWED Fingerprinting [0/3] -**** REVIEWED Summary :B_fullframe: +*** READY Fingerprinting [3/3] +**** READY Summary :B_fullframe: :PROPERTIES: -:DURATION: 00:00:15 +:DURATION: 00:00:10 +:BEAMER_env: fullframe :END: #+BEGIN_CENTER \Huge Fingerprinting @@ -1465,7 +1473,7 @@ It's just what it sounds like: #+END_COMMENT -**** REVIEWED EFF Research :B_fullframe: +**** READY EFF Research :B_fullframe: :PROPERTIES: :BEAMER_env: fullframe :DURATION: 00:00:20 @@ -1509,9 +1517,9 @@ Very creative ones. #+END_COMMENT -**** REVIEWED Alarmingly Effective +**** READY Alarmingly Effective :PROPERTIES: -:DURATION: 00:00:40 +:DURATION: 00:00:45 :END: - Panopticlick (EFF)\cite{panopti:about} @@ -1547,16 +1555,17 @@ We'll get into some defenses in a bit. -*** REVIEWED Incentive to Betray [0/2] -**** REVIEWED Summary :B_fullframe: +*** READY Incentive to Betray [2/2] +**** READY Summary :B_fullframe: :PROPERTIES: :DURATION: 00:00:30 :BEAMER_env: fullframe :END: -#+BEGIN_CENTER -There is strong incentive to betray -#+END_CENTER +- <1-> There is strong incentive to betray + - <2> Money (advertising) + - <2> Attention & praise + - <2> ``Business intelligence'' #+BEGIN_COMMENT So how does tracking happen? 
@@ -1577,9 +1586,10 @@ They're unknowing pawns in the Web of surveillance. #+END_COMMENT -**** DRAFT Web of Surveillance :B_fullframe: +**** READY Web of Surveillance :B_fullframe: :PROPERTIES: :BEAMER_env: fullframe +:DURATION: 00:00:45 :END: #+BEGIN_CENTER @@ -1609,7 +1619,7 @@ It's an addon for Firefox that graphs first- and third-party sites that you I created a new FF profile and installed the addon; none of my privacy settings or other addons I'm used to. You can see at the top that I visited five websites: - Washington Post, NY Times from Google, Guargian, and---which you can't see + Washington Post, NY Times from Google, Guardian, and---which you can't see here because they're actually disjoint from this graph---The Intercept. Good for them! And yet, @@ -1627,8 +1637,8 @@ This is what happens when I try to mitigate some of these threats. #+END_COMMENT -*** REVIEWED Mitigations & Anonymity [0/8] -**** REVIEWED Summary :B_fullframe: +*** READY Mitigations & Anonymity [8/8] +**** READY Summary :B_fullframe: :PROPERTIES: :DURATION: 00:00:05 :BEAMER_env: fullframe @@ -1646,9 +1656,9 @@ Well, it depends on your threat model, #+END_COMMENT -**** REVIEWED Disable the Damn JavaScript! +**** READY Disable the Damn JavaScript! :PROPERTIES: -:DURATION: 00:00:45 +:DURATION: 00:00:50 :END: #+BEGIN_CENTER 
@@ -1682,21 +1692,24 @@ The Web isn't broken without it, I write a lot of JavaScript for a living. My GNU project is ease.js, which is a JavaScript library. And yet, - /I do not allow JavaScript to run 99% of the time!/. -Even on most websites I trust. -Some people run LibreJS. -But note that free software doesn't mean free of malice. + /I only allow JavaScript to execute on a few websites!/. +Even on most websites I trust, I don't. +Some people run LibreJS, + and I support that project. +But note that free software doesn't mean free of malice; + LibreJS solves a different problem than the one I'm describing--- + when you /do/ allow JS to run, it should be free. It's probably obvious from the logo that I'm talking about the NoScript - extension. + addon. It does more than just block JS--- - it also blocks media, custom fonts, prevents against certain types of XSS + it also blocks media, custom fonts, protects against certain types of XSS and clickjacking attacks, and more. -If you don't know what XSS and clickjacking is, that's okay. +If you don't know those are, that's okay. #+END_COMMENT -**** REVIEWED LightBeam NoScript :B_fullframe: +**** READY LightBeam NoScript :B_fullframe: :PROPERTIES: :BEAMER_env: fullframe :DURATION: 00:00:15 @@ -1713,14 +1726,14 @@ If you don't know what XSS and clickjacking is, that's okay. #+ATTR_LATEX: :height 2.5in [[./images/lightbeam-ex-noscript.png]] -(After NoScript) +(After NoScript with /no whitelist/) #+BEAMER: } #+END_CENTER #+BEGIN_COMMENT -So this was our graph before NoScript. +So this is our graph again before NoScript. -And here it is after disabling scripts. +And here it is after running NoScript with no whitelist. Without any other mitigations. Obviously results will vary depending on the website. 
@@ -1729,9 +1742,9 @@ We're going to get back to JS soon. #+END_COMMENT -**** REVIEWED Block Ads and Trackers +**** READY Block Ads and Trackers :PROPERTIES: -:DURATION: 00:00:40 +:DURATION: 00:00:45 :END: #+BEGIN_CENTER #+ATTR_LATEX: :height 0.75in @@ -1752,8 +1765,8 @@ The issue surrounding Ad Blockers is framed such that we're waging war against advertisers. No---they're waging war against /us/. -You'll find that the bulk of what these addons for Firefox browsers handle - is related to ad networks. +You'll find that the bulk of what these addons handle is related to ad + networks. Privacy Badger works to block sites that appear to be tracking you. Cooper Quintin---developer of Privacy Badger---gave a great talk last year here at LP; go check it out. @@ -1768,7 +1781,7 @@ I don't have time to go into technical details, unfortunately. #+END_COMMENT -**** REVIEWED Anonymity :B_fullframe: +**** READY Anonymity :B_fullframe: :PROPERTIES: :BEAMER_env: fullframe :DURATION: 00:00:15 @@ -1802,10 +1815,10 @@ In the former case, #+END_COMMENT -**** REVIEWED IANAAE :B_fullframe: +**** READY IANAAE :B_fullframe: :PROPERTIES: :BEAMER_env: fullframe -:DURATION: 00:00:10 +:DURATION: 00:00:15 :END: #+BEGIN_CENTER @@ -1824,9 +1837,9 @@ I provide a number of resources to get you started. #+END_COMMENT -**** REVIEWED The Tor Network +**** READY The Tor Network :PROPERTIES: -:DURATION: 00:00:30 +:DURATION: 00:00:45 :END: #+BEGIN_CENTER @@ -1835,7 +1848,7 @@ I provide a number of resources to get you started. [[./images/tp/tor.png]] #+BEAMER: } #+BEAMER: \only<2>{ - [[./images/tp/tor-diagram.png]] + [[./images/tp/tor-diagram.png]]\incite{tor:overview} #+BEAMER: } #+END_CENTER 
@@ -1859,7 +1872,7 @@ The exit node reveals the packet and delivers it to the destination, As long as a sufficient portion of the network can be trusted and has not been compromised by an adversary, - it isn't possible to trace data back through the network. + it should not be possible to figure out that path. The most common use of Tor is to route web traffic. @@ -1868,9 +1881,9 @@ There are lots of other details that I don't have time to get to here, #+END_COMMENT -**** REVIEWED TorBrowser, Tails, and Whonix +**** READY TorBrowser, Tails, and Whonix :PROPERTIES: -:DURATION: 00:01 +:DURATION: 00:01:30 :END: #+BEGIN_CENTER
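Review bot: the new `ftc-silver.png` line in images/tp/SHA256SUM pins the output of an ImageMagick rasterisation of an archived PDF (`-density 100 ftc-silver.png[0] -trim -crop 1024x420+0+0 -trim` in the images/tp/remote-list hunk), and rasterised output is not byte-stable across ImageMagick and Ghostscript versions, so the checksum will likely fail to verify on a machine with a different toolchain. Consider recording the converter version next to the entry, or additionally checksumming the downloaded PDF itself before conversion so the integrity check covers what was actually fetched from web.archive.org.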
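Review bot: in the `@@ -1166,18 +1166,21 @@` hunk of slides.org, the added speaker-note line `There's a lot of research and methods to achieve this;` has a number-agreement problem; suggest `There is a lot of research, and many methods, to achieve this;` or simply `There are many methods to achieve this;`.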
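Review bot: in the `@@ -1249,11 +1252,10 @@` hunk, the new `\cite{mtg:rof}` on the NoScript item references a key this patch does not add to sapsf.bib (the only bib addition is `tor:overview`); confirm `mtg:rof` already exists, otherwise the Beamer build will emit an undefined-citation warning. While these lines are being touched, `software that keep secrets` should read `software that keeps secrets`.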
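Review bot: in the `@@ -1280,23 +1282,29 @@` hunk, replacing the four `#+BEAMER:` lines with a `#+BEGIN_LATEX` block changes the slide layout, not just the markup: `\uncover<2-3>` and `\uncover<3>` reserve vertical space for the hidden lines on overlays 1 and 2, whereas the old `\only` did not, so the `Data Analytics` title no longer re-centres as lines appear. If that is the intent, fine; otherwise keep `\only`. Also note that Org 9 prefers `#+BEGIN_EXPORT latex` over the older `#+BEGIN_LATEX`, so check the block against the Org version used for export.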
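Review bot: the speaker-notes block moved in the `@@ -1414,9 +1411,19 @@` hunk still ends with `information about the website:`, a colon that introduced the dashboard and bullet list when the block sat above them; now that the block follows the list, the colon dangles and should become a full stop. The same moved lines carry the typo `Pwik` for `Piwik`.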
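Review bot: in the `@@ -1429,7 +1436,7 @@` hunk, `networks-of-control`, added to the cite list on the Facebook-tracking line, is the only key in the patch without the `source:topic` prefix convention used by every other key (`bloomberg:belgum-fb`, `roosendaal:fb-like`, `tor:overview`); confirm it exists in sapsf.bib and consider renaming it to match.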
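Review bot: in the `@@ -1682,21 +1692,24 @@` hunk, `If you don't know those are, that's okay.` is missing a word; suggest `If you don't know what those are, that's okay.` The same hunk's `/I only allow JavaScript to execute on a few websites!/.` ends with both `!` and `.`; drop the trailing full stop.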
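Review bot: in the `@@ -1859,7 +1872,7 @@` hunk, the hedge in `it should not be possible to figure out that path.` is more accurate than the old `isn't possible`, given the trust assumption stated just above it, but `that path` has no antecedent in the visible context lines (the preceding line talks about the exit node delivering the packet); suggest spelling it out, e.g. `to link the traffic entering the network with the traffic leaving it` or `to reconstruct the path through the relays`.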