diff --git a/sapsf.bib b/sapsf.bib
index b50596e..74623d0 100644
--- a/sapsf.bib
+++ b/sapsf.bib
@@ -1229,3 +1229,484 @@
 url = {http://www.businessinsider.com/ford-exec-gps-2014-1},
 urldate = {2017-03-21},
 }
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%% POST-PRESENTATION %%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+@online{verizon-spyware,
+ author = {Budington, Bill
+ and Gillula, Jeremy
+ and Tummarello, Kate},
+ title = {The {First Horseman} of the Privacy Apocalypse Has Already Arrived:
+ {Verizon} Announces Plans to Install Spyware on All Its
+ {Android} Phones},
+ organization = {Electronic Frontier Foundation},
+ date = {2017-03-30},
+ url = {https://www.eff.org/deeplinks/2017/03/first-horseman-privacy-apocalypse-has-already-arrived-verizon-announces-plans},
+ urldate = {2017-03-30},
+ tags = {advertising, appflash, geolocation, location, mobile, privacy,
+ spyware, tracking, verizon},
+ annotation = {Less than 48~hours after Congress recended Internet privacy
+ protections, Verizon intends to install spyware on users'
+ Android devices},
+}
+
+@online{sec-https-mitm,
+ author = {Durumeric, Zakir
+ and Ma, Zane
+ and Springall, Drew
+ and Barnes, Richard
+ and Sullivan, Nick
+ and Bursztein, Elie
+ and Bailey, Michael
+ and Halderman, J.~Alex
+ and Paxson, Vern},
+ title = {The Security Impact of HTTPS Interception},
+ doi = {10.14722/ndss.2017.23456},
+ date = {2017},
+ organization = {University of Michigan
+ and University of Illinois Urbana-Champaig,
+ and Mozilla
+ and Cloudflare
+ and Google
+ and University of California Berkeley
+ and International Computer Science Institute},
+ url = {https://zakird.com/papers/https_interception.pdf},
+ urldate = {2017-04-02},
+ tags = {https, mitm, security, privacy, antivirus, detection,
+ cryptography},
+}
+
+@online{eff:smart-meter,
+ author = {Gullo, Karen
+ and Williams, Jamie},
+ title = {An {Illinois} Court Just Didn’t Get It: We Are Entitled to Expect
+ Privacy In Our Smart Meter Data, Which Reveals What’s
+ Going On Inside Our Homes},
+ organization = {Electronic Frontier Foundation},
+ date = {2017-03-01},
+ url = {https://www.eff.org/deeplinks/2017/03/illinois-court-just-didnt-get-it-we-are-entitled-expect-privacy-our-smart},
+ urldate = {2017-04-02},
+ tags = {iot, personal data, privacy, fourth amendment, court,
+ illinois, district court, naperville, court of appeals,
+ seventh circuit, privacy international}
+}
+
+@online{register:w10-privacy,
+ author = {Thomson, Lain},
+ title = {Put down your coffee and admire the sheer amount of data
+ {Windows 10 Creators Update} will slurp from your {PC}},
+ subtitle = {Official list of phoned-home info revealed by {Microsoft}},
+ organization = {The Register},
+ date = {2017-04-06},
+ url = {https://web.archive.org/save/https://www.theregister.co.uk/2017/04/06/microsoft_windows_10_creators_update/},
+ urldate = {2017-04-07},
+ annotation = {Archive.org link used because The~Register blocks
+ Tor~users unless they execute proprietary JavaScript.},
+}
+
+@online{nsa:windows-0day,
+ author = {Biddle, Sam},
+ title = {Leaked {NSA} Malware Threatens {Windows} Users Around the World},
+ organization = {The Intercept},
+ date = {2017-04-14},
+ url = {https://theintercept.com/2017/04/14/leaked-nsa-malware-threatens-windows-users-around-the-world/},
+ urldate = {2017-04-15},
+ tags = {0day, esteemaudit, fuzzbunch, malware, nsa, oddjob, security,
+ shadow brokers, tailored access operations, tao, windows,
+ zippybeer},
+}
+
+@online{bk-not-ok-google,
+ author = {Titcomb, James},
+ title = {Not OK, Google: Burger King advert designed to hijack Google Home
+ speakers backfires},
+ organization = {Yahoo!},
+ date = {2017-04-13}
+ url = {https://m.yahoo.com/w/legobpengine/finance/news/not-ok-google-burger-king-084506757.html?.intl=us&.lang=en-us},
+ urldate = {2017-04-16},
+ tags = {burger king, comercial, google, google home, privacy, security,
+ whopper, wikipedia},
+}
+
+@online{ms:windows-diagnostic,
+ author = {Lich, Brian},
+ title = {Windows 10, version~1703 Diagnostic Data},
+ organization = {Microsoft},
+ date = {2017-04-05},
+ url = {https://technet.microsoft.com/itpro/windows/configure/windows-diagnostic-data},
+ urldate = {2017-04-20},
+ tags = {privacy, security, windows, what the fuck, surveillance,
+ exfiltrate},
+}
+
+@online{guardian:uber-godview,
+ author = {Hern, Alex},
+ title = {Uber employees `spied on ex-partners, politicians
+ and {Beyoncé}'},
+ subtitle = {Cab startup’s former forensic investigator Samuel Ward
+ Spangenberg claims he was fired from the company after
+ blowing whistle on lack of security},
+ organization = {The Guardian},
+ date = {2016-12-13},
+ url = {https://www.theguardian.com/technology/2016/dec/13/uber-employees-spying-ex-partners-politicians-beyonce},
+ urldate = {2017-04-26},
+}
+
+@online{fpcentral,
+ url = {https://fpcentral.irisa.fr/},
+}
+
+@online{sensor-side-channel,
+ url = {https://blogs.ncl.ac.uk/security/author/b2031864/},
+}
+
+@online{ambient-light,
+ url = {https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/},
+}
+
+@online{arixv:airgap-scanner,
+ url = {https://arxiv.org/abs/1703.07751},
+}
+
+@online{bloomberg:pacemaker-st-jude,
+ url = {https://www.bloomberg.com/news/articles/2016-08-25/carson-block-takes-on-st-jude-medical-with-claim-of-hack-risk},
+}
+
+@online{silverpush-unmasked,
+ url = {https://github.com/MAVProxyUser/SilverPushUnmasked},
+}
+
+% specifically, see references
+@online{ss7,
+ url = {https://en.wikipedia.org/wiki/Signalling_System_No._7#Protocol_security_vulnerabilities},
+}
+
+@online{ars:hajime-botnet,
+ url = {https://arstechnica.com/security/2017/04/a-vigilante-is-putting-huge-amount-of-work-into-infecting-iot-devices/},
+}
+
+% oh, imagine that
+@online{intel:me-priv-escal,
+ url = {https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr},
+}
+
+% no password needed!
+@online{ars:intel-amt,
+ url = {https://arstechnica.com/security/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/},
+}
+
+@online{eff:intel-amt,
+ url = {https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it},
+}
+
+@online{eff:nhtsa-v2v,
+ url = {https://www.eff.org/deeplinks/2017/05/danger-ahead-governments-plan-vehicle-vehicle-communication-threatens-privacy},
+}
+
+@online{nyt:ransom-world,
+ url = {https://mobile.nytimes.com/2017/05/12/world/europe/uk-national-health-service-cyberattack.html?smprod=nytcore-iphone&smid=nytcore-iphone-share&_r=1&referer=https://www.rt.com/news/388153-thousands-ransomeware-attacks-worldwide/},
+}
+
+@online{lat:google-offline,
+ url = {http://www.latimes.com/business/technology/la-fi-tn-google-ads-tracking-20170523-story.html},
+}
+
+@online{giz:ice-imsi,
+ url = {https://gizmodo.com/ice-agents-are-using-stingray-surveillance-tech-to-capt-1795377902},
+}
+
+@online{eff:vep-patch,
+ url = {https://www.eff.org/deeplinks/2017/05/congress-imperfect-start-addressing-vulnerabilities},
+}
+
+@online{xato:windows-spying,
+ url = {https://xato.net/windows-spying-and-a-twitter-rant-19203babb2e7},
+}
+
+@online{insider-surveillance,
+ url = {https://insidersurveillance.com/about-us/},
+}
+
+@online{ccc:iris,
+ url = {https://www.ccc.de/en/updates/2017/iriden},
+}
+
+@online{eff:aadhaar,
+ url = https://www.eff.org/deeplinks/2017/05/aadhaar-ushering-commercialized-era-surveillance-india,
+}
+
+@online{twitter:theresa-may-human-rights,
+ url = {https://twitter.com/theresa_may/status/872181737933217794},
+}
+
+@online{ars:uk-afr,
+ url = {https://arstechnica.com/tech-policy/2017/06/police-automatic-face-recognition/},
+}
+
+@online{theage:turnball-crypto-war,
+ url = {http://www.theage.com.au/federal-politics/political-news/how-the-turnbull-government-plans-to-access-encrypted-messages-20170609-gwoge0.html},
+}
+
+@online{tfreak:russia-tor-vpn,
+ url = {https://torrentfreak.com/bill-to-ban-vpns-unmask-operators-submitted-to-russias-parliament-170609/},
+}
+
+@online{bleep:malware-intel-me,
+ url = {https://www.bleepingcomputer.com/news/security/malware-uses-obscure-intel-cpu-feature-to-steal-data-and-avoid-firewalls/},
+}
+
+@online{guardian:brandis-hw-backdoor,
+ url = {https://www.theguardian.com/technology/2017/jun/12/george-brandiss-salvo-in-cryptowars-could-blow-a-hole-in-architecture-of-the-internet},
+}
+
+@online{p1sec:volte,
+ url = {https://www.sstic.org/media/SSTIC2017/SSTIC-actes/remote_geolocation_and_tracing_of_subscribers_usin/SSTIC2017-Article-remote_geolocation_and_tracing_of_subscribers_using_4g_volte_android_phone-le-moal_ventuzelo_coudray.pdf}
+}
+
+@online{ucsd:getoffmycloud,
+ url = {https://cseweb.ucsd.edu/~hovav/dist/cloudsec.pdf},
+}
+
+@online{ncc:time-trial,
+ url = {https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/TimeTrial.pdf},
+}
+
+@online{upguard:rnc-analytics,
+ url = {https://www.upguard.com/breaches/the-rnc-files}
+}
+
+@online{bbc:eu-e2e-enc,
+ url = {http://www.bbc.com/news/technology-40326544}
+}
+
+@online{krebs:petya,
+ url = {https://krebsonsecurity.com/2017/06/petya-ransomware-outbreak-goes-global/}
+}
+
+@online{threatpost:petya,
+ url = {https://threatpost.com/complex-petya-like-ransomware-outbreak-worse-than-wannacry/126561/}
+}
+
+@online{securelist:petya,
+ url = {https://securelist.com/schroedingers-petya/78870/}
+}
+
+@online{wired:cia-wifi-tracking,
+ url = {https://www.wired.com/story/wikileaks-cia-wifi-location-tracking}
+}
+
+@online{china-apple-user-data,
+ url = {https://www.hongkongfp.com/2017/06/08/china-uncovers-massive-underground-network-apple-employees-selling-customers-personal-data/}
+}
+
+@online{sat-observation,
+ url = {https://satelliteobservation.wordpress.com/2017/06/04/signal-intelligence-101-sigint-targets/}
+}
+
+@online{aclu:student-spy-laptops,
+ url = {https://www.aclu.org/blog/speak-freely/rhode-island-some-schools-think-they-have-right-spy-students-school-laptops}
+}
+
+@online{eff:student-spy-report-2017,
+ url = {https://www.eff.org/wp/school-issued-devices-and-student-privacy}
+}
+
+@online{aclu:school-privacy-report,
+ url = {http://riaclu.org/images/uploads/ACLU_1-1_School_Privacy_Report_Final.pdf}
+}
+
+@online{ars:cia-cherryblossom,
+ url = {https://arstechnica.com/security/2017/06/advanced-cia-firmware-turns-home-routers-into-covert-listening-posts/}
+}
+
+@online{vault7:cherryblossom,
+ url = {https://wikileaks.org/vault7/document/SRI-SLO-FF-2012-177-CherryBlossom_UsersManual_CDRL-12_SLO-FF-2012-171/}
+}
+
+@online{aes-tempest,
+ url = {https://www.fox-it.com/nl/wp-content/uploads/sites/12/Tempest_attacks_against_AES.pdf}
+}
+
+@online{brennan:foreign-interfere,
+ url = {https://www.brennancenter.org/sites/default/files/publications/Foreign\%20Interference_0629_1030_AM.pdf},
+}
+
+@online{myshadow,
+ url = {https://myshadow.org/},
+}
+
+@online{motherboard:apple-bug-bounty,
+ url = {https://motherboard.vice.com/en_us/article/gybppx/iphone-bugs-are-too-valuable-to-report-to-apple},
+}
+
+@online{eff:australia-pm-e2e-ban,
+ url = {https://www.eff.org/deeplinks/2017/07/australian-pm-calls-end-end-encryption-ban-says-laws-mathematics-dont-apply-down},
+}
+
+@online{eff:cbp-remote-content,
+ url = {https://www.eff.org/deeplinks/2017/07/cbp-responds-sen-wyden-border-agents-may-not-search-travelers-cloud-content},
+}
+
+@online{engadget:roomba-map,
+ url = {https://www.engadget.com/2017/07/24/roomba-irobot-sell-digital-maps-home/},
+}
+
+@online{nytimes:sweden-ibm-breach,
+ url = {https://www.nytimes.com/2017/07/25/world/europe/ibm-sweden-data-outsourcing.html},
+}
+
+@online{cell-tracking-how,
+ url = {https://thehftguy.com/2017/07/19/what-does-it-really-take-to-track-100-million-cell-phones/},
+}
+
+@online{threatpost:adups,
+ url = {https://threatpost.com/android-sypware-still-collects-pii-despite-outcry/127042/},
+}
+
+@online{threatpost:rad-mon-nopatch,
+ url = {https://threatpost.com/vulnerable-radiation-monitoring-devices-wont-be-patched/126967/},
+}
+
+@online{ars:lipizzan,
+ url = {https://arstechnica.com/information-technology/2017/07/stealthy-google-play-apps-recorded-calls-and-stole-e-mails-and-texts/},
+}
+
+@online{sophos:sms-exfiltrate,
+ url = {https://nakedsecurity.sophos.com/2017/07/27/dont-want-your-smss-stolen-dont-download-these-android-apps/},
+}
+
+@online{psmag:resturaunt-surveil,
+ url = {https://psmag.com/economics/your-favorite-restaurants-are-surveilling-you},
+}
+
+@online{wapo:google-shop-track,
+ url = {https://www.washingtonpost.com/news/the-switch/wp/2017/05/23/google-now-knows-when-you-are-at-a-cash-register-and-how-much-you-are-spending/?utm_term=.5959c4d7b4f0},
+}
+
+@online{wapo:google-shop-track-fed,
+ url = {https://www.washingtonpost.com/news/the-switch/wp/2017/07/30/googles-new-program-to-track-shoppers-sparks-a-federal-privacy-complaint/},
+}
+
+@online{voting-crack-defcon,
+ url = {https://blog.horner.tj/post/hacking-voting-machines-def-con-25},
+}
+
+@online{electrek:keenlab-tesla-again,
+ url = {https://electrek.co/2017/07/28/tesla-hack-keen-lab/},
+ tags = {vehicle},
+}
+
+@online{keenlab:tesla-again,
+ url = {http://keenlab.tencent.com/en/2017/07/27/New-Car-Hacking-Research-2017-Remote-Attack-Tesla-Motors-Again/},
+ tags = {vehicle},
+}
+
+@online{ars:zerodium-mobile,
+ url = {https://arstechnica.com/information-technology/2017/08/wanted-weaponized-exploits-that-hack-phones-will-pay-top-dollar/},
+}
+
+@online{zdnet:accuweather-spy,
+ url = {http://www.zdnet.com/article/accuweather-still-shares-precise-location-with-advertisers-tests-reveal/},
+}
+
+@online{delete-fb,
+ url = {http://www.deletefacebook.com/},
+}
+
+@online{techcrunch:voting-dre-decommission,
+ url = {https://techcrunch.com/2017/09/08/virginia-dre-voting-machines-hack/},
+}
+
+@online{eff:dhs-lawsuit,
+ url = {https://www.eff.org/press/releases/eff-aclu-media-conference-call-today-announce-lawsuit-over-warrantless-phone-and},
+}
+
+@online{dolphinattack,
+ title = {DolphinAttack: Inaudible Voice Commands},
+ url = {https://endchan.xyz/.media/50cf379143925a3926298f881d3c19ab-applicationpdf.pdf},
+}
+
+@online{vice:facial-obscured,
+ title = {{AI} Will Soon Identify Protesters With Their Faces Partly Concealed},
+ url = {https://motherboard.vice.com/en_us/article/mbby88/ai-will-soon-identify-protesters-with-their-faces-partly-concealed},
+}
+
+@online{eff:ios-wifi-off,
+ title = {{iOS} 11’s Misleading “Off-ish” Setting for {Bluetooth} and {Wi-Fi} is Bad for User Security},
+ url = {https://www.eff.org/deeplinks/2017/10/ios-11s-misleading-ish-setting-bluetooth-and-wi-fi-bad-user-security},
+}
+
+@online{apolice:google-home-mini,
+ title = {Google is nerfing all {Home Minis} because mine spied on everything I said 24/7},
+ url = {http://www.androidpolice.com/2017/10/10/google-nerfing-home-minis-mine-spied-everything-said-247/},
+ notes = {It does not matter whether these types of devices have bugs,
+ deliberate or not: the point is that such things are
+ possible, and then can indeed be used as surveillance devices.}
+}
+
+@online{reuters:symantic-code-review,
+ title = {Exclusive: {Symantec} {CEO} says source code reviews pose unacceptable risk},
+ url = {http://www.reuters.com/article/us-usa-cyber-russia-symantec/exclusive-symantec-ceo-says-source-code-reviews-pose-unacceptable-risk-idUSKBN1CF2SB},
+}
+
+@online{oneplus-spyware,
+ url = {https://www.chrisdcmoore.co.uk/post/oneplus-analytics/},
+}
+
+@online{reuters:equifax-tp-scripts,
+ title = {Equifax says systems not compromised in latest cyber scare},
+ url = {http://www.reuters.com/article/us-equifax-breach/equifax-takes-down-web-page-after-reports-of-new-hack-idUSKBN1CH2F3},
+ notes = {Surprise, you can't trust third-party scripts.}
+}
+
+% ethics
+@online{motherboard:pornhub-ai,
+ title = {Facial Recognition for Porn Stars Is a Privacy Nightmare Waiting to Happen},
+ subtitle = {The underlying tech being used by Pornhub could one day be
+ used by more nefarious actors to identify amateur and
+ unwitting porn models},
+ url = {https://motherboard.vice.com/en_us/article/a3kmpb/facial-recognition-for-porn-stars-is-a-privacy-nightmare-waiting-to-happen},
+}
+
+% ethics
+@online{gizmodo:facebook-sex-workers,
+ title = {How Facebook Outs Sex Workers},
+ url = {https://gizmodo.com/how-facebook-outs-sex-workers-1818861596},
+}
+
+% ethics
+@online{pew:automation,
+ title = {Automation in Everyday Life},
+ subtitle = {Americans express more worry than enthusiasm about coming
+ developments in automation---from driverless vehicles to a
+ world in which machines perform many jobs currently done by
+ humans},
+ url = {http://www.pewinternet.org/2017/10/04/automation-in-everyday-life/},
+}
+
+@online{techcrunch:uk-social-media,
+ title = {UK spies using social media data for mass surveillance},
+ author = {Lomas, Natasha},
+ url = {https://techcrunch.com/2017/10/17/uk-spies-using-social-media-data-for-mass-surveillance/},
+ urldate = {2017-10-18},
+ archive = {https://web.archive.org/web/20171018053036/},
+}
+
+@online{medium:telco-tracking,
+ title = {Want to see something crazy? Open this link on your phone with WiFi turned off.},
+ author = {philipn},
+ url = {https://medium.com/@philipn/want-to-see-something-crazy-open-this-link-on-your-phone-with-wifi-turned-off-9e0adb00d024},
+ urldate = {2017-10-18},
+ archive = {https://web.archive.org/web/20171018053425/},
+}
+
+@online{krackattacks,
+ title = {Key Reinstallation Attacks},
+ subtitle = {Breaking {WPA2} by forcing nonce reuse},
+ url = {https://www.krackattacks.com/},
+ urldate = {2017-10-18},
+ archive = {https://web.archive.org/web/20171018050741/},
+}
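Review bot: Two of the added entries will not parse as written: `bk-not-ok-google` has no comma after `date = {2017-04-13}` before the `url` field, and `eff:aadhaar` gives its `url` unbraced, which is only valid for a number or an `@string` macro; they should read `date = {2017-04-13},` and `url = {https://www.eff.org/deeplinks/2017/05/aadhaar-ushering-commercialized-era-surveillance-india},`. The `notes` field on `apolice:google-home-mini` and `reuters:equifax-tp-scripts` is not a field the standard data model knows, so that text is silently ignored; `note` or the `annotation` field used earlier in this hunk is probably what was intended. For source provenance, `dolphinattack` cites a PDF hosted on `endchan.xyz` rather than an author or publisher copy, and `register:w10-privacy` uses the Wayback `/save/` endpoint, which asks for a fresh capture instead of naming a fixed snapshot, so readers cannot be sure they see the document that was actually consulted. The `nyt:ransom-world` and `wapo:google-shop-track` URLs also carry share and tracking query parameters (`smid=…`, `referer=…`, `utm_term=…`) that could be trimmed to the canonical article address.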