mikegerwitz
/
sapsf
1
0
Fork 0
Code Releases Activity

slides.org (Mobile): Review 

The references were supposed to be committed a little while back, but I'm
not going to rewrite history; I have better things to do right now.

* sapsf.bib: Add references.
master
Mike Gerwitz 2017-03-11 23:25:25 -05:00
parent d86e016cfc
commit 17dbce4b7f
2 changed files with 630 additions and 238 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

224
sapsf.bib 100644
View File

@ -0,0 +1,224 @@
@online{panopti:about,
author = {Electric Frontier Foundation},
title = {Panopticlick | About},
url = {https://panopticlick.eff.org/about},
urldate = {2017-03-08},
}
@online{whonix:donot,
author = {Whonix},
title = {DoNot},
url = {https://www.whonix.org/wiki/DoNot},
urldate = {2017-03-05}
}
@online{tor,
author = {Tor Project},
title = {Tor Project: Anonymity Online},
url = {http://torproject.org/},
urldate = {2017-03-09},
}
@online{eff:nsa:timeline,
author = {Electronic Frontier Foundation},
title = {Timeline of NSA Domestic Spying},
url = {https://www.eff.org/nsa-spying/timeline},
urldate = {2017-03-09},
}
@online{mtg:uproar,
author = {Mike Gerwitz},
title = {National Uproar: A Comprehensive Overview of the
NSA Leaks and Revelations},
url = {https://mikegerwitz.com/2013/06/National-Uproar-A-Comprehensive-Overview-of-the-NSA-Leaks-and-Revelations},
month = 06,
year = 2013,
urldate = {2017-03-09},
}
@online{eff:bernstein:doj,
author = {Electronic Frontier Foundation},
title = {Bernstein v. US Department of Justice},
url = {https://www.eff.org/cases/bernstein-v-us-dept-justice},
urldate = {2017-03-09},
}
% TODO: figure out how to render the URL
@techreport{poodle:paper,
author = {Möller, Brodo and Duong, Thai and Kotowicz, Krzysztof},
title = {This POODLE Bites: Exploiting the SSL 3.0 Fallback},
institution = {Google},
year = 2014,
month = Sep,
url = {https://www.openssl.org/~bodo/ssl-poodle.pdf},
}
@online{w:crypto-wars,
author = {Wikipedia},
title = {Crypto Wars},
url = {https://en.wikipedia.org/wiki/Crypto_wars},
urldate = {2017-03-10},
}
@online{fedr:export-controls,
author = {Executive Office of the President},
title = {Administration of Export Controls on Encryption Products},
url = {https://www.gpo.gov/fdsys/pkg/FR-1996-11-19/pdf/96-29692.pdf},
urldate = {2017-03-10},
month = 11,
year = 1996,
note = {Federal Register, Vol. 61, No. 224, Executive Order 58767},
}
@online{doc:rev-export-reg,
author = {United States Department of Commerce},
title = {Revised U.S. Encryption Export Regulations},
url = {https://epic.org/crypto/export_controls/regs_1_00.html},
month = 01,
year = 2000,
urldate = {2017-03-10},
}
@online{arxiv:mac,
author = {Martin, Jeremy
and Mayberry, Travis
and Donahue, Collin
and Foppe, Lucas,
and Brown, Lamont
and Riggins, Chadwick
and Rye, Erik C.
and Brown, Dane},
title = {A Study of MAC Address Randomization in Mobile Devices and When it Fails},
year = 2017,
month = 03,
archivePrefix= {arXiv},
eprint = {1703.02874},
primaryClass = {cs.CR},
}
@online{aimsid,
author = {CellularPrivacy},
title = {Android IMSI-Catcher Detector},
url = {https://cellularprivacy.github.io/Android-IMSI-Catcher-Detector/},
urldate = {2017-03-11},
}
@online{osmand,
title = {OsmAnd - Offline Mobile Maps and Navigation},
url = {http://osmand.net/},
urldate = {2017-03-11},
}
@online{mozilla:loc-services,
author = {MozillaWiki},
title = {CloudServices/Location - MozillaWiki},
url = {https://wiki.mozilla.org/CloudServices/Location},
urldate = {2017-03-11},
}
@online{openmobilenetwork,
title = {OpenMobileNetwork},
url = {http://www.openmobilenetwork.org/},
urldate = {2017-03-11},
}
@online{w:wps,
author = {Wikipedia},
title = {Wi-Fi positioning system},
url = {https://en.wikipedia.org/wiki/Wi-Fi_positioning_system},
urldate = {2017-03-11},
}
@online{w:trilateration,
author = {Wikipedia},
title = {Trilateration},
url = {https://en.wikipedia.org/wiki/Trilateration},
urldate = {2017-03-11},
}
@article{acm:spotfi,
author = {Kotaru, Manikanta
and Joshi, Kiran
and Bharadia, Dinesh
and Katti, Sachin},
title = {{SpotFi}: Decimeter Level Localization Using {WiFi}},
journal = {{ACM} {SIGCOMM} Computer Communication Review - {SIGCOMM'15}},
doi = {10.1145/2785956.2787487},
volume = 45,
pages = {269-282},
year = 2015,
}
@article{acm:lteye,
author = {Kumar, Swarun
and Hamed, Ezzeldin
and Katabi, Dina
and Li, Li Erran},
title = {{LTE} radio analytics made easy and accessible},
journal = {{S3 '14} Proceedings of the 6th annual workshop on Wireless of
the students, by the students, for the students},
doi = {10.1145/2645884.2645891},
pages = {29-30},
year = 2014,
}
@online{replicant,
author = {Replicant},
title = {Replicant},
url = {http://www.replicant.us},
urldate = {2017-03-11},
annotation = {A fully free Android distribution}
}
@online{replicant:sec,
author = {Replicant},
title = {Freedom and privacy/security issues},
url = {http://www.replicant.us/freedom-privacy-security-issues.php},
urldate = {2017-03-11},
}
@online{replicant:samsung-bd,
author = {Replicant},
title = {Samsung Galaxy back-door},
url = {http://redmine.replicant.us/projects/replicant/wiki/SamsungGalaxyBackdoor},
urldate = {2017-03-11},
annotation = {Backdoor in Samsung Galaxy phones closed by Replicant},
}
@online{gnu:malware-mobile,
author = {GNU Project},
title = {Malware in Mobile Devices},
url = {https://www.gnu.org/philosophy/malware-mobiles.html},
urldate = {2017-03-11},
annotation = {Numerous resources on privacy/security issues with mobile
devices}
}
@online{jots:mobile,
author = {Jinyan Zang
and Krysta Dummit
and James Graves
and Paul Lisker
and Latanya Sweeney},
title = {Who Knows What About Me? A Survey of Behind the Scenes Personal
Data Sharing to Third Parties by Mobile Apps},
url = {http://jots.pub/a/2015103001/index.php},
urldate = {2017-03-11},
}
@online{kryptowire:adups,
author = {Kryptowire},
title = {KRYPTOWIRE DISCOVERS MOBILE PHONE FIRMWARE THAT TRANSMITTED
PERSONALLY IDENTIFIABLE INFORMATION (PII) WITHOUT USER
CONSENT OR DISCLOSURE},
url = {http://www.kryptowire.com/adups_security_analysis.html},
urldate = {2017-03-11},
annotation = {BLU mobile phones transmitting SMS content, contacts, call
history, telephone numbers, IMEIs, etc to third-party
servers without users' knolwedge or censent}
}

644
slides.org
View File

@ -10,151 +10,150 @@
#+BEAMER_HEADER: \beamertemplatenavigationsymbolsempty
#+BIBLIOGRAPHY: sapsf plain
#+TODO: RAW(r) DEVOID(v) LACKING(l) DRAFT(d) REVIEWED(R) | READY(+) REHEARSED(D)
#+COLUMNS: %40ITEM %10DURATION{:} %TODO %BEAMER_ENV(ENVIRONMENT)
#+COLUMNS: %40ITEM %10DURATION{:} %8TODO %BEAMER_ENV(ENVIRONMENT)
#+BEGIN: columnview :hlines 3 :id global
| ITEM | DURATION | TODO | ENVIRONMENT |
|-----------------------------------------------+----------+---------+---------------|
| * LaTeX Configuration | | | |
|-----------------------------------------------+----------+---------+---------------|
| * Slides | 0:44 | LACKING | |
|-----------------------------------------------+----------+---------+---------------|
| ** Introduction / Opening | 00:00:30 | DRAFT | fullframe |
|-----------------------------------------------+----------+---------+---------------|
| ** Mobile [0/5] | 0:04 | LACKING | |
|-----------------------------------------------+----------+---------+---------------|
| *** Introduction | 0:00 | DRAFT | ignoreheading |
| **** Introduction | 00:00:30 | DRAFT | fullframe |
|-----------------------------------------------+----------+---------+---------------|
| *** Cell Towers [0/2] | 00:01 | LACKING | |
| **** Fundamentally Needed | | DRAFT | |
| **** Cell-Site Simulators | | LACKING | |
|-----------------------------------------------+----------+---------+---------------|
| *** Wifi [0/3] | 00:01 | LACKING | |
| **** Wifi | | DRAFT | |
| **** Ubiquitous Access Points | | DEVOID | |
| **** Mitigations | | DRAFT | |
|-----------------------------------------------+----------+---------+---------------|
| *** Location Services [0/2] | 00:01 | DRAFT | |
| **** GPS | | DRAFT | |
| **** Access Points | | DRAFT | |
|-----------------------------------------------+----------+---------+---------------|
| *** Operating System [0/3] | 00:01 | DRAFT | |
| **** Untrusted/Proprietary OS | | DRAFT | |
| **** Free/Libre Mobile OS? | | DRAFT | |
| **** Modem | | DRAFT | |
|-----------------------------------------------+----------+---------+---------------|
| ** Stationary [0/5] | 0:08 | LACKING | |
|-----------------------------------------------+----------+---------+---------------|
| *** Introduction [0/1] | 0:00 | DRAFT | ignoreheading |
| **** Introduction | 00:00:30 | DRAFT | fullframe |
|-----------------------------------------------+----------+---------+---------------|
| *** Surveillance Cameras [0/2] | 0:00 | DRAFT | |
| **** Unavoidable Surveillance | | DRAFT | |
| **** Access to Data | 00:00:30 | DRAFT | |
|-----------------------------------------------+----------+---------+---------------|
| *** Internet of Things [0/4] | 0:04 | LACKING | |
| **** Internet-Connected Cameras | 00:00:30 | DRAFT | |
| **** The ``S'' In IoT Stands For ``Security'' | 00:01:30 | LACKING | |
| **** Who's Watching? | 00:00:30 | DEVOID | |
| **** Facial Recognition | 00:01 | DRAFT | |
|-----------------------------------------------+----------+---------+---------------|
| *** Social Media [0/1] | 0:01 | DRAFT | |
| **** Collateral Damage | 00:01 | DRAFT | |
|-----------------------------------------------+----------+---------+---------------|
| *** Driving [0/3] | 0:02 | RAW | |
| **** Introduction | 00:00:30 | DRAFT | fullframe |
| **** ALPRs | 00:01 | LACKING | |
| **** Car Itself | 00:00:30 | LACKING | |
|-----------------------------------------------+----------+---------+---------------|
| ** The Web [0/6] | 0:10 | LACKING | |
|-----------------------------------------------+----------+---------+---------------|
| *** Introduction [0/1] | | DRAFT | ignoreheading |
| **** Introduction | | DRAFT | fullframe |
|-----------------------------------------------+----------+---------+---------------|
| *** Bridging the Gap [0/1] | 0:01 | LACKING | |
| **** Ultrasound Tracking | 00:01 | LACKING | |
|-----------------------------------------------+----------+---------+---------------|
| *** Incentive to Betray [0/1] | 0:00 | DRAFT | |
| **** Summary | 00:00:30 | DRAFT | fullframe |
|-----------------------------------------------+----------+---------+---------------|
| *** Analytics [0/2] | 0:02 | LACKING | |
| **** Trackers | 00:01 | LACKING | |
| **** Like Buttons | 00:01 | DRAFT | |
|-----------------------------------------------+----------+---------+---------------|
| *** Fingerprinting [0/3] | 0:03 | LACKING | |
| **** Summary | | DRAFT | |
| **** Alarmingly Effective | 00:03 | LACKING | fullframe |
| **** User Agent | | DRAFT | |
|-----------------------------------------------+----------+---------+---------------|
| *** Anonymity [0/4] | 0:04 | DRAFT | |
| **** Summary | 00:01 | DRAFT | fullframe |
| ***** Anonymity | | | |
| ***** Pseudonymity | | | |
| **** IANAAE | | DRAFT | fullframe |
| **** The Tor Network | 00:01 | DRAFT | |
| **** TorBrowser, Tails, and Whonix | 00:02 | DRAFT | |
|-----------------------------------------------+----------+---------+---------------|
| ** Data Analytics [0/2] | 0:04 | LACKING | |
|-----------------------------------------------+----------+---------+---------------|
| *** Introduction [0/1] | 0:00 | DRAFT | ignoreheading |
| **** Introduction | 00:00 | DRAFT | fullframe |
|-----------------------------------------------+----------+---------+---------------|
| *** Headings [0/3] | 0:04 | LACKING | |
| **** Advertisers | 00:02 | LACKING | |
| **** Social Media | 00:01 | DEVOID | |
| **** Governments | 00:00:30 | DEVOID | |
|-----------------------------------------------+----------+---------+---------------|
| ** Policy and Government [0/6] | 0:12 | LACKING | |
|-----------------------------------------------+----------+---------+---------------|
| *** Introduction [0/1] | 0:00 | DRAFT | ignoreheading |
| **** Introduction | 00:00:30 | DRAFT | fullframe |
|-----------------------------------------------+----------+---------+---------------|
| *** Surveillance [0/7] | 0:06 | LACKING | |
| **** History of NSA Surveillance | 00:02 | DRAFT | |
| **** Ron Wyden | | DRAFT | fullframe |
| **** The Leak | | DRAFT | fullframe |
| **** Verizon Metadata | 00:00:30 | DRAFT | |
| **** PRISM | | DRAFT | |
| **** Snowden | 00:01 | DRAFT | |
| **** Tools | 00:02 | DEVOID | |
|-----------------------------------------------+----------+---------+---------------|
| *** Crypto Wars [0/6] | 0:04 | LACKING | |
| **** Introduction | 00:00 | DRAFT | fullframe |
| **** Export-Grade Crypto | 00:01:30 | DRAFT | |
| **** Bernstein v. United States | 00:01 | DRAFT | |
| **** The First Crypto Wars | 00:01 | DRAFT | |
| **** Re-repeats Itself | 00:00 | DRAFT | fullframe |
| **** Modern Crypto Wars | | DRAFT | fullframe |
| **** ``Going Dark'' | | DEVOID | |
|-----------------------------------------------+----------+---------+---------------|
| *** Espionage [0/1] | 0:01 | LACKING | |
| **** US Can't Keep Its Own Secrets | 00:01 | DEVOID | |
|-----------------------------------------------+----------+---------+---------------|
| *** Subpoenas, Warrants, NSLs [0/1] | 0:01 | LACKING | |
| **** National Security Letters | 00:01 | DEVOID | |
|-----------------------------------------------+----------+---------+---------------|
| *** Law [0/1] | 0:01 | LACKING | |
| **** Summary | 00:01 | DEVOID | fullframe |
|-----------------------------------------------+----------+---------+---------------|
| ** Your Fight [0/1] | 0:05 | LACKING | |
|-----------------------------------------------+----------+---------+---------------|
| *** Headings [0/6] | 0:05 | LACKING | |
| **** Feeding | 00:00 | DRAFT | fullframe |
| **** SaaSS and Centralization | 00:01 | DEVOID | |
| **** Corporate Negligence | 00:01 | LACKING | |
| **** Status Quo | 00:02 | DRAFT | |
| **** Status Quo Cannot Hold | | DRAFT | fullframe |
| **** Push Back | 00:01 | DRAFT | fullframe |
|-----------------------------------------------+----------+---------+---------------|
| ** Thank You | | | fullframe |
|-----------------------------------------------+----------+---------+---------------|
| ** References | | | appendix |
|-----------------------------------------------+----------+---------+---------------|
| * Exporting | | | |
|-----------------------------------------------+----------+---------+---------------|
| * Local Variables | | | |
| ITEM | DURATION | TODO | ENVIRONMENT |
|-----------------------------------------------+----------+----------+---------------|
| * LaTeX Configuration | | | |
|-----------------------------------------------+----------+----------+---------------|
| * Slides | 0:47 | LACKING | |
|-----------------------------------------------+----------+----------+---------------|
| ** Introduction / Opening | 00:01 | REVIEWED | fullframe |
|-----------------------------------------------+----------+----------+---------------|
| ** Mobile [0/5] | 0:07 | REVIEWED | |
|-----------------------------------------------+----------+----------+---------------|
| *** Introduction | 0:00 | REVIEWED | ignoreheading |
| **** Introduction | 00:00:15 | REVIEWED | fullframe |
|-----------------------------------------------+----------+----------+---------------|
| *** Cell Towers [0/2] | 0:02 | REVIEWED | |
| **** Fundamentally Needed | 00:00:45 | REVIEWED | |
| **** Cell-Site Simulators | 00:00:45 | REVIEWED | |
|-----------------------------------------------+----------+----------+---------------|
| *** Wifi [0/3] | 0:01 | REVIEWED | |
| **** ESSID and MAC Broadcast | 00:01 | REVIEWED | |
|-----------------------------------------------+----------+----------+---------------|
| *** Geolocation [0/3] | 0:02 | REVIEWED | |
| **** GPS | 00:01 | REVIEWED | |
| **** But I Want GPS! | 00:00:30 | REVIEWED | |
| **** Location Services | 00:00:45 | REVIEWED | |
|-----------------------------------------------+----------+----------+---------------|
| *** Operating System [0/3] | 0:02 | REVIEWED | |
| **** Untrusted/Proprietary OS | 00:00:45 | REVIEWED | |
| **** Free/Libre Mobile OS? | 00:00:30 | REVIEWED | |
| **** Modem Isolation | 00:00:30 | REVIEWED | |
|-----------------------------------------------+----------+----------+---------------|
| ** Stationary [0/5] | 0:08 | LACKING | |
|-----------------------------------------------+----------+----------+---------------|
| *** Introduction [0/1] | 0:00 | DRAFT | ignoreheading |
| **** Introduction | 00:00:30 | DRAFT | fullframe |
|-----------------------------------------------+----------+----------+---------------|
| *** Surveillance Cameras [0/2] | 0:00 | DRAFT | |
| **** Unavoidable Surveillance | | DRAFT | |
| **** Access to Data | 00:00:30 | DRAFT | |
|-----------------------------------------------+----------+----------+---------------|
| *** Internet of Things [0/4] | 0:04 | LACKING | |
| **** Internet-Connected Cameras | 00:00:30 | DRAFT | |
| **** The ``S'' In IoT Stands For ``Security'' | 00:01:30 | LACKING | |
| **** Who's Watching? | 00:00:30 | DEVOID | |
| **** Facial Recognition | 00:01 | DRAFT | |
|-----------------------------------------------+----------+----------+---------------|
| *** Social Media [0/1] | 0:01 | DRAFT | |
| **** Collateral Damage | 00:01 | DRAFT | |
|-----------------------------------------------+----------+----------+---------------|
| *** Driving [0/3] | 0:02 | RAW | |
| **** Introduction | 00:00:30 | DRAFT | fullframe |
| **** ALPRs | 00:01 | LACKING | |
| **** Car Itself | 00:00:30 | LACKING | |
|-----------------------------------------------+----------+----------+---------------|
| ** The Web [0/6] | 0:10 | LACKING | |
|-----------------------------------------------+----------+----------+---------------|
| *** Introduction [0/1] | | DRAFT | ignoreheading |
| **** Introduction | | DRAFT | fullframe |
|-----------------------------------------------+----------+----------+---------------|
| *** Bridging the Gap [0/1] | 0:01 | LACKING | |
| **** Ultrasound Tracking | 00:01 | LACKING | |
|-----------------------------------------------+----------+----------+---------------|
| *** Incentive to Betray [0/1] | 0:00 | DRAFT | |
| **** Summary | 00:00:30 | DRAFT | fullframe |
|-----------------------------------------------+----------+----------+---------------|
| *** Analytics [0/2] | 0:02 | LACKING | |
| **** Trackers | 00:01 | LACKING | |
| **** Like Buttons | 00:01 | DRAFT | |
|-----------------------------------------------+----------+----------+---------------|
| *** Fingerprinting [0/3] | 0:03 | LACKING | |
| **** Summary | | DRAFT | |
| **** Alarmingly Effective | 00:03 | LACKING | fullframe |
| **** User Agent | | DRAFT | |
|-----------------------------------------------+----------+----------+---------------|
| *** Anonymity [0/4] | 0:04 | DRAFT | |
| **** Summary | 00:01 | DRAFT | fullframe |
| ***** Anonymity | | | |
| ***** Pseudonymity | | | |
| **** IANAAE | | DRAFT | fullframe |
| **** The Tor Network | 00:01 | DRAFT | |
| **** TorBrowser, Tails, and Whonix | 00:02 | DRAFT | |
|-----------------------------------------------+----------+----------+---------------|
| ** Data Analytics [0/2] | 0:04 | LACKING | |
|-----------------------------------------------+----------+----------+---------------|
| *** Introduction [0/1] | 0:00 | DRAFT | ignoreheading |
| **** Introduction | 00:00 | DRAFT | fullframe |
|-----------------------------------------------+----------+----------+---------------|
| *** Headings [0/3] | 0:04 | LACKING | |
| **** Advertisers | 00:02 | LACKING | |
| **** Social Media | 00:01 | DEVOID | |
| **** Governments | 00:00:30 | DEVOID | |
|-----------------------------------------------+----------+----------+---------------|
| ** Policy and Government [0/6] | 0:12 | LACKING | |
|-----------------------------------------------+----------+----------+---------------|
| *** Introduction [0/1] | 0:00 | DRAFT | ignoreheading |
| **** Introduction | 00:00:30 | DRAFT | fullframe |
|-----------------------------------------------+----------+----------+---------------|
| *** Surveillance [0/7] | 0:06 | LACKING | |
| **** History of NSA Surveillance | 00:02 | DRAFT | |
| **** Ron Wyden | | DRAFT | fullframe |
| **** The Leak | | DRAFT | fullframe |
| **** Verizon Metadata | 00:00:30 | DRAFT | |
| **** PRISM | | DRAFT | |
| **** Snowden | 00:01 | DRAFT | |
| **** Tools | 00:02 | DEVOID | |
|-----------------------------------------------+----------+----------+---------------|
| *** Crypto Wars [0/6] | 0:04 | LACKING | |
| **** Introduction | 00:00 | DRAFT | fullframe |
| **** Export-Grade Crypto | 00:01:30 | DRAFT | |
| **** Bernstein v. United States | 00:01 | DRAFT | |
| **** The First Crypto Wars | 00:01 | DRAFT | |
| **** Re-repeats Itself | 00:00 | DRAFT | fullframe |
| **** Modern Crypto Wars | | DRAFT | fullframe |
| **** ``Going Dark'' | | DEVOID | |
|-----------------------------------------------+----------+----------+---------------|
| *** Espionage [0/1] | 0:01 | LACKING | |
| **** US Can't Keep Its Own Secrets | 00:01 | DEVOID | |
|-----------------------------------------------+----------+----------+---------------|
| *** Subpoenas, Warrants, NSLs [0/1] | 0:01 | LACKING | |
| **** National Security Letters | 00:01 | DEVOID | |
|-----------------------------------------------+----------+----------+---------------|
| *** Law [0/1] | 0:01 | LACKING | |
| **** Summary | 00:01 | DEVOID | fullframe |
|-----------------------------------------------+----------+----------+---------------|
| ** Your Fight [0/1] | 0:05 | LACKING | |
|-----------------------------------------------+----------+----------+---------------|
| *** Headings [0/6] | 0:05 | LACKING | |
| **** Feeding | 00:00 | DRAFT | fullframe |
| **** SaaSS and Centralization | 00:01 | DEVOID | |
| **** Corporate Negligence | 00:01 | LACKING | |
| **** Status Quo | 00:02 | DRAFT | |
| **** Status Quo Cannot Hold | | DRAFT | fullframe |
| **** Push Back | 00:01 | DRAFT | fullframe |
|-----------------------------------------------+----------+----------+---------------|
| ** Thank You | | | fullframe |
|-----------------------------------------------+----------+----------+---------------|
| ** References | | | appendix |
|-----------------------------------------------+----------+----------+---------------|
| * Exporting | | | |
|-----------------------------------------------+----------+----------+---------------|
| * Local Variables | | | |
#+END
@ -205,23 +204,50 @@ GOAL: Captivate; Startle
\origcite{#1}%
}%
}}
\renewcommand*{\bibfont}{\scriptsize}
#+END_LATEX
* LACKING Slides :export:ignore:
** DRAFT Introduction / Opening :B_fullframe:
** REVIEWED Introduction / Opening :B_fullframe:
:PROPERTIES:
:DURATION: 00:00:30
:DURATION: 00:01
:BEAMER_env: fullframe
:END:
#+BEGIN_COMMENT
Hello, everyone.
Thanks for coming!
My name's Mike Gerwitz.
I am a free software hacker and activist with a focus on user privacy and
security.
I'm also a GNU Maintainer, software evaluator, and volunteer for various
other duties.
And I'm here to talk to you about an unfortunate,
increasingly unavoidable fact of life.
None of you made it here without being tracked in some capacity.
Some of us are still being tracked at this very moment.
Some of us are /still/ being tracked at this very moment!
...
This isn't a tinfoil hat presentation.
It's a survey of facts.
/Actual/ facts, not alternative ones! (Dig at Kellyanne Conway, for those
reading this in the future.)
Since time isn't on my side here,
I'm going to present a broad overview of the most pressing concerns of
today.
Every slide has numeric citations,
which are associated with references in the final slides.
I won't be showing them here---you can get them online.
My goal is to present you with enough information that you know that these
things /exist/,
and you know where to find more information about them.
Those unknown unknowns.
Let's start with the obvious.
So: let's start with the obvious.
(Note: You're being "tracked", rather than "watched": the latter is too
often used and dismissed as tinfoil-hat FUD.)
@ -232,14 +258,15 @@ often used and dismissed as tinfoil-hat FUD.)
#+BEAMER: \only<2>{(No, really, I have references.)}
#+END_CENTER
** LACKING Mobile [0/5]
*** DRAFT Introduction :B_ignoreheading:
** REVIEWED Mobile [0/5]
*** REVIEWED Introduction :B_ignoreheading:
:PROPERTIES:
:BEAMER_env: ignoreheading
:END:
**** DRAFT Introduction :B_fullframe:
**** REVIEWED Introduction :B_fullframe:
:PROPERTIES:
:DURATION: 00:00:30
:DURATION: 00:00:15
:BEAMER_env: fullframe
:END:
@ -250,59 +277,94 @@ often used and dismissed as tinfoil-hat FUD.)
#+BEGIN_COMMENT
How many of you are carrying a mobile phone right now?
Probably most of us.
They are something we carry with us everywhere;
they are computers that are always on.
A phone is often synonymous with an individual.
They are something we carry with us everywhere.
They are computers that are always on.
A phone is often synonymous with an individual;
they are a part of us.
In other words: they're excellent tracking devices.
#+END_COMMENT
*** LACKING Cell Towers [0/2]
*** REVIEWED Cell Towers [0/2]
:PROPERTIES:
:DURATION: 00:01
:DURATION: 0:02
:END:
**** DRAFT Fundamentally Needed
- <1-> Phone needs tower to make and receive calls
- <2-> Gives away approximate location (can triangulate)
**** REVIEWED Fundamentally Needed
:PROPERTIES:
:DURATION: 00:00:45
:END:
- Phone needs tower to make and receive calls
- Gives away approximate location (can triangulate)
#+BEGIN_COMMENT
The primary reason is inherent in a phone's design: cell towers.
The primary reason is inherent in a phone's design:
cell towers.
A phone "needs" to be connected to a tower to make and receive calls.
Unless it is off,
Unless it is off or otherwise disconnected (like airplane mode),
its connection to the cell tower exposes your approximate location.
These data persist for as long as the phone companies are willing to persist
it. If it's mined by the NSA, then it might be persisted indefinitely.
it.
Some people don't use phones primarily for this reason.
rms said he might use a phone if it could act as a pager,
rms, for example, said he might use a phone if it could act as a pager,
where he'd only need to expose his location once he is in a safe place.
You can imagine that such would be a very useful and important feature for
reporters and dissidents as well.
#+END_COMMENT
**** LACKING Cell-Site Simulators
**** REVIEWED Cell-Site Simulators
:PROPERTIES:
:DURATION: 00:00:45
:END:
- <1-> IMSI-Catchers
- <1-> Masquerade as cell towers
- <2-> (List them) e.g. Stingray
- <1-> Most popular: Stingray
- <2-> Free/libre Android program AIMSICD available on F-Droid attempts to
detect\cite{aimsid}
#+BEGIN_COMMENT
I'm sure many of you have heard of Cell Site Simulators;
one of the most popular examples being the Stingray.
These devices masquerade as cell towers and can perform a dragnet search for
an individual.
Your location can be triangulated.
Cell Site Simulators have made a lot of news in the past (including my local
news),
one of the most popular examples being the Stingray.
These devices masquerade as cell towers.
This allows (for example) law enforcement to get a suspect's phone to
connect to _their_ device rather than a real tower,
which allows their location to be triangulated,
calls to be intercepted,
texts to be mined,
etc.
Law enforcement might also use it to record all devices in an area,
such as during a protest.
The problem is: _every_ phone in the area will try to connect to it;
it amounts to a dragnet search,
and is therefore extremely controversial.
The Android program AIMSICD---Android IMSI-Catcher Detector---is being
developed in an attempt to detect these devices.
It is free software and is available on F-Droid.
#+END_COMMENT
*** LACKING Wifi [0/3]
*** REVIEWED Wifi [0/3]
:PROPERTIES:
:DURATION: 0:01
:END:
**** REVIEWED ESSID and MAC Broadcast
:PROPERTIES:
:DURATION: 00:01
:END:
**** DRAFT Wifi
- Device may broadcast ESSIDs of past hidden networks
- Expose unique hardware identifiers (MAC address)
- <1-> Device may broadcast ESSIDs of past hidden networks
- <2-> Expose unique hardware identifiers (MAC address)
- <3-> **Defending against this is difficult**
- <4-> /Turn off Wifi/ in untrusted places
- <4-> Turn off settings to auto-connect when receiving e.g. MMS
- <5-> Use cellular data (e.g. {2,3,4}G)
- <6-> **MAC address randomization works poorly**\cite{arxiv:mac}
#+BEGIN_COMMENT
What else is inherent in a modern phone design?
@ -311,125 +373,231 @@ A common feature is Wifi.
If you connected to any hidden networks,
your phone may broadcast that network name to see if it exists.
Your mobile device could be broadcasting information like past network
connections and unique device identifiers (MAC),
It exposes unique device identifiers (MACs),
which can be used to uniquely identify you.
#+END_COMMENT
**** DEVOID Ubiquitous Access Points
- <AP stuff>
Defending against this is difficult,
unless you take the simple yet effective route:
disable Wifi completely,
at least when you're not in a safe area you can trust.
Some apps will automatically enable networking if they receive,
for example,
MMS messages;
be careful of that.
If you really do need data,
use your cellular data.
You are already hemmoraging information to your phone company,
so at least you're limiting your exposure.
#+BEGIN_COMMENT
Access points increasingly line the streets or are within range in nearby
buildings.
Some phones and apps offer MAC address randomization.
That's a good thing in priniciple.
Unfortunately, it seems to be easily defeated.
One study, cited here,
claims to be able to defeat randomization 100% of the time,
regardless of manufacturer.
Can be incredibly accurate for tracking movements,
and it is _passive_---it requires no software on your device.
/Segue to next section:/
All these previous risks are _passive_---
they require no malicious software on your device.
But what if we _do_ have such software?
And of course, we do.
#+END_COMMENT
**** DRAFT Mitigations
- Disable Wifi [when not in use]
- Do not automatically connect to known networks
- At the very least, not hidden
- Randomize MAC address
*** REVIEWED Geolocation [0/3]
:PROPERTIES:
:DURATION: 0:02
:END:
#+BEGIN_COMMENT
Disable Wifi when not in use.
You can also randomize your MAC address,
and be sure not to broadcast hidden networks.
#+END_COMMENT
*** DRAFT Location Services [0/2]
**** REVIEWED GPS
:PROPERTIES:
:DURATION: 00:01
:END:
**** DRAFT GPS
- Often enabled by default
- Might prompt user, but features are attractive
- Programs give excuses to track
- Location for tweets, photos, nearby friends, etc.
- <1-> Not inherently a surveillance tool
- <2-> Often enabled by default
- <2-> Might prompt user, but features are attractive
- <3-> Programs give excuses to track\cite{jots:mobile}
- <3-> Navigation systems
- <3-> Location information for social media, photos, nearby friends, finding
lost phones, location-relative searches, etc.
- <4-> Not-so-good: targeted advertising and building users profiles
- <4-> If phone is compromised, location is known
#+BEGIN_COMMENT
Oh, but what if we _do_ have software on the device?
And we do.
Let's talk about location services!
Let's talk about geolocation!
Many people find them to be very convenient.
The most popular being GPS.
GPS isn't inherently a surveillance tool;
it can't track you on its own.
Your GPS device triangulates its location based on signals
broadcast by GPS satellites in line-of-site.
Because of the cool features it permits,
it's often enabled.
it's often enabled on devices.
And programs will track your movements just for the hell of it.
Or give an excuse to track you.
I'm not saying there aren't legitimate uses.
Navigation systems,
social media,
photo metadata,
finding nearby friends,
finding lost phones---
all of these things are legitimate.
You just need to be able to trust the software that you are running,
Often times, you can't.
Without source code,
it's sometimes hard to say if a program is doing other things.
Like using it for targeted advertising,
and/or building a user profile (which we'll talk about later).
#+END_COMMENT
**** DRAFT Access Points
**** REVIEWED But I Want GPS!
:PROPERTIES:
:DURATION: 00:00:30
:END:
- <1-> Is the program transparent in what data it sends? (Is the source code
available?)\cite{jots:mobile}
- <1-> Does the program let you disable those features?
- <2-> Pre-download location-sensitive data (e.g. street maps)
- <2-> OsmAnd (free software, Android and iOS)\cite{osmand}
#+BEGIN_COMMENT
So you may legitimately want GPS enabled.
It's terrible that you should be concerned about it.
You need to know what data you're leaking so that you can decide whether
or not you want to do so.
And you need the option to disable it.
Sometimes your location is leaked as a side-effect.
Navigation systems, for example, usually lazy-load map images.
Some apps let you use pre-downloaded maps,
like OsmAnd,
which is free software available on both Android and---if you must---iOS.
#+END_COMMENT
**** REVIEWED Location Services
:PROPERTIES:
:DURATION: 00:00:45
:END:
- <1-> No GPS? No problem!
- <2-> AP harvesting (e.g. Google Street View cars)
- <2-> Works even where GPS and Cell signals cannot penetrate
- <3> Can be /more/ accurate than GPS (e.g. what store in a shopping mall)
- <1-> Mozilla Location Services, OpenMobileNetwork, ...
\cite{mozilla:loc-services,openmobilenetwork}
- <2-> Wifi Positioning System; Bluetooth networks;
nearby cell towers\cite{w:wps}
- <2-> Signal strength and SSIDs and MACs of Access Points
\cite{w:trilateration,acm:spotfi,acm:lteye}
- <3-> Gathered by Google Street View cars
- <3-> Your device may report back nearby networks to build a more
comprehensive database
- <4-> Works even where GPS and Cell signals cannot penetrate
- <4-> Can be /more/ accurate than GPS (e.g. what store in a shopping mall)
#+BEGIN_COMMENT
But GPS doesn't need to be available.
Have you ever used a map program on a computer that asked for your location?
How does it do that without GPS?
Google scours the planet recording APs.
It knows based on _what APs are simply near you_ where you are.
There are numerous services available to geolocate based on nearby access
points, bluetooth networks, and cell towers.
Based on the signal strength of nearby WiFi networks,
your position can be more accurately trangulated.
These data are gathered by Google Street View cars.
Your phone might also be reporting back nearby networks in order to improve
the quality of these databases.
Sometimes this can be more accurate than GPS.
And it works where GPS and maybe even cell service don't, such as inside
shopping malls.
So having radio and GPS off may not help you.
MAC spoofing won't help since software on your device has countless other
ways to uniquely identify you---this is active monitoring, unlike previous
examples.
So just because GPS is off does not mean your location is unknown.
#+END_COMMENT
*** DRAFT Operating System [0/3]
*** REVIEWED Operating System [0/3]
:PROPERTIES:
:DURATION: 00:01
:DURATION: 0:02
:END:
**** DRAFT Untrusted/Proprietary OS
**** REVIEWED Untrusted/Proprietary OS
:PROPERTIES:
:DURATION: 00:00:45
:END:
- Who does your phone work for?
- <1-> Who does your phone work for?
- Apple? Google? Microsoft? Blackberry? Your manufacturer too?
- Carry everywhere you go, but fundamentally cannot trust it
- <1-> Carry everywhere you go, but fundamentally cannot
trust it\cite{gnu:malware-mobile}
- <2-> Some come with gratis surveillance
- <2-> BLU phones sent SMS messages, contacts, call history, IMEIs, and
more to third-party servers without users' knowledge or censent
\cite{kryptowire:adups}
#+BEGIN_COMMENT
The OS situation on mobile is lousy.
Does your phone work for Apple? Google? Microsoft? Blackberry? ...?
A lot of this boils down to trust.
Who does your phone work for?
Does your phone work for Apple? Google? Microsoft? Blackberry?
Or does it work for you?
The OS situation on mobile is lousy.
You carry around this computer everywhere you go.
And you fundamentally cannot trust it.
Take BLU phones for example.
In November of last year it was discovered that these popular phones
contained software that sent SMS messages, contact lists, call history,
IMEIs, etc to third-party servers without users' knowledge or consent.
That software could also remotely execute code on the device.
#+END_COMMENT
**** DRAFT Free/Libre Mobile OS?
- <1-3> Android is supposedly free software
- <1-3> But every phone requires proprietary drivers, or contains
**** REVIEWED Free/Libre Mobile OS?
:PROPERTIES:
:DURATION: 00:00:30
:END:
- <1-> Android is supposedly free software
- <1-> But every phone requires proprietary drivers, or contains
proprietary software
- <2-3> Replicant
- <2-> Replicant\cite{replicant}
- <3> Niche. Interest is low, largely work of one developer now.
#+BEGIN_COMMENT
I use Replicant.
Android is supposedly a free operating system.
Unfortunately,
every phone requires proprietary drivers to work,
and is loaded with proprietary software.
Does anyone here use Replicant?
I feel like I can at least trust my phone a little bit.
I do.
Replicant is a fully free Android fork.
I feel like I can at least trust my phone a little bit,
but I still consider any data on it to be essentially compromised in the
sense that I can't be confident in my ability to audit it and properly
secure the device.
#+END_COMMENT
**** DRAFT Modem
- But modem still runs non-free software
- Often has access to CPU, disk, and memory
**** REVIEWED Modem Isolation
:PROPERTIES:
:DURATION: 00:00:30
:END:
- But modem still runs non-free software\cite{replicant:sec}
- Sometimes has access to CPU, disk, and memory\cite{replicant:samsung-bd}
#+BEGIN_COMMENT
But on nearly every phone,
the modem still runs proprietary software.
And often times has direct access to CPU, disk, and memory.
And sometimes it has direct access to CPU, disk, and memory.
Replicant closed a backdoor in Samsung Galaxy phones that allowed for remote
access to the disk.
That backdoor might not have been intentional,
but it illustrates the possibility,
and could still be exploited by an attacker.
So even with Replicant,
I consider the device compromised;