Initial revision of Data and Profiling section
This is missing information on giving up information to social media, SaaSS, the "cloud", etc.
parent
01c0c4cfc5
commit
a896777647
|
@ -15,3 +15,9 @@ ee2c1e8325221cc5ae01b078930d7e74d447cec25cebeb18c0aaa1989994b918 tor-diagram.pn
|
|||
f9600308d10debbc56e116087aa83a1ada126f3979f8b528228e1e89a87efd12 torbrowser.png
|
||||
4f231d937e622d9012706d57d5b0faa233f83d1e864db3b1b50d40d714aa8244 tails.png
|
||||
dce3dbf6572077dd495a9413ff11d7017d785142af85286a5ab51b7c7e4da728 whonix.png
|
||||
9cb6cfd3c0c07c605f514e9b262a9baf224c622a86aea7d6b978e73127685e76 networks-of-control.png
|
||||
e52d8250d9a98ae68a68a758e1421231aebd4933cc44bc5a2364222984e1ee7f oracle-id-fuu.png
|
||||
4d1a1bb46f21f8d88336b6316a1131fc8f21400b96820c4b54e07288ff23fbf7 lexisnexis.png
|
||||
912270ce97ece82c5a335ce84d80e9470c6fb7e1822aa937fa7550a499d87952 palantir.png
|
||||
cbf3495473a9b111b3ba9723d5ebb9476bd6abf9bf3af711bdbe803baf98067f target-logo.png
|
||||
0a47a1e0b74fa4ec168d935357081a6d15e55ba77edad483ecb7fe14c3f6f4dc trustev-graph.png
|
||||
|
|
|
@ -15,3 +15,9 @@ tor-diagram.png https://web.archive.org/web/20170318055957/https://www.torprojec
|
|||
torbrowser.png https://web.archive.org/web/20170318161549/https://www.torproject.org/images/tb-lg.png -crop 185x135+0+0
|
||||
tails.png https://web.archive.org/web/20170318162345/https://tails.boum.org/lib/banner.png -crop 495x114+30+0
|
||||
whonix.png https://web.archive.org/web/20170318164321/https://upload.wikimedia.org/wikipedia/en/7/75/Whonix_Logo.png
|
||||
networks-of-control.png https://web.archive.org/web/20170318184646/http://www.facultas.at/upload/verlag/networksofcontrol/Christl_Networks_300.jpg -scale 50%
|
||||
oracle-id-fuu.png https://web.archive.org/web/20170318183230/http://www.oracle.com/us/corporate/acquisitions/datalogix/general-presentation-2395307.pdf oracle-id-fuu.png[7]
|
||||
lexisnexis.png https://web.archive.org/web/20170319033528/http://www.lexisnexis.com/risk/img/logo-lexisnexis.png
|
||||
palantir.png https://web.archive.org/web/20170319035510/https://www.palantir.com/build/images/global/opengraph-banner.png -crop 170x210+515+170
|
||||
target-logo.png https://web.archive.org/web/20170319055701/https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Target_Corporation_logo_%28vector%29.svg/240px-Target_Corporation_logo_%28vector%29.svg.png
|
||||
trustev-graph.png https://web.archive.org/web/20170319060719/http://www.trustev.com/hs-fs/hubfs/JANUARY-2016/Technology/r-feb-t-circle1.png?t=1473256538000&width=1788&name=r-feb-t-circle1.png
|
||||
|
|
89
sapsf.bib
89
sapsf.bib
|
@ -868,7 +868,23 @@
|
|||
urldate = {2017-03-17},
|
||||
}
|
||||
|
||||
@article{ars:fingerprint,
|
||||
@article{ijcseit:biometric,
|
||||
author = {Mudholkar, Smita S.
|
||||
and Shende, Pradnya M.
|
||||
and Sarode, Milind V.},
|
||||
title = {Biometrics Authentication Technique for Intrustion Detection
|
||||
Systems Using Fingerprint Recognition},
|
||||
journal = {International Journal of Computer Science, Engineering and
|
||||
Information Technology},
|
||||
volume = 2,
|
||||
number = 4,
|
||||
doi = {10.5121/ijcseit.2012.2106},
|
||||
date = {2012-02},
|
||||
url = {http://airccse.org/journal/ijcseit/papers/2112ijcseit06.pdf},
|
||||
urldate = {2017-03-19},
|
||||
}
|
||||
|
||||
@online{ars:fingerprint,
|
||||
author = {Goodwin, Dan},
|
||||
title = {Now sites can fingerprint you online even when you use multiple
|
||||
browsers},
|
||||
|
@ -934,9 +950,78 @@
|
|||
urldate = {2017-03-17},
|
||||
}
|
||||
|
||||
@cite{tor:browser,
|
||||
@online{tor:browser,
|
||||
title = {Tor Browser},
|
||||
organization = {Tor Project},
|
||||
url = {https://www.torproject.org/projects/torbrowser.html.en},
|
||||
urldate = {2017-03-17},
|
||||
}
|
||||
|
||||
@online{ghostery:companies,
|
||||
title = {Company Database},
|
||||
organization = {Ghostery Enterprise},
|
||||
url = {http://www.ghosteryenterprise.com/company-database/},
|
||||
urldate = {2017-03-17},
|
||||
}
|
||||
|
||||
@online{networks-of-control,
|
||||
author = {Christl, Wolfie,
|
||||
and Spiekermann, Sarah},
|
||||
title = {Networks of Control},
|
||||
date = {2016},
|
||||
url = {http://crackedlabs.org/en/networksofcontrol},
|
||||
urldate = {2017-03-18},
|
||||
}
|
||||
|
||||
@online{33c3:surveil,
|
||||
author = {Christl, Wolfie},
|
||||
title = {Corporare surveillance, digital tracking, big data~\&~privacy},
|
||||
subtitle = {How thousands of companies are profiling, categorizing, rating
|
||||
and affecting the lives of billions},
|
||||
location = {33^{rd} Chaos Communication Congress},
|
||||
date = {2016-12-30},
|
||||
url = {https://media.ccc.de/v/33c3-8414-corporate_surveillance_digital_tracking_big_data_privacy},
|
||||
urldate = {2017-03-18},
|
||||
annotation = {See also \cite{networks-of-control}}
|
||||
}
|
||||
|
||||
@online{oracle:datalogix-acq,
|
||||
title = {Oracle Buys Datalogix},
|
||||
subtitle = {Creates the World's Most Valuable Data Cloud to Maximize the
|
||||
Power of Digital Marketing},
|
||||
organization = {Oracle},
|
||||
url = {http://www.oracle.com/us/corporate/acquisitions/datalogix/general-presentation-2395307.pdf},
|
||||
urldate = {2017-03-18},
|
||||
}
|
||||
|
||||
@online{lexisnexis:trueid,
|
||||
title = {LexisNexis TrueID},
|
||||
organization = {LexisNexis},
|
||||
url = {http://www.lexisnexis.com/risk/downloads/literature/trueid.pdf},
|
||||
urldate = {2017-03-18},
|
||||
}
|
||||
|
||||
@online{techcrunch:palantir,
|
||||
author = {Burns, Matt},
|
||||
title = {Leaked Palantir Doc Reveals Uses, Specific Functions And Key Clients},
|
||||
organization = {TechCrunch},
|
||||
date = {2015-01-11},
|
||||
url = {https://techcrunch.com/2015/01/11/leaked-palantir-doc-reveals-uses-specific-functions-and-key-clients/},
|
||||
urldate = {2017-03-19},
|
||||
}
|
||||
|
||||
@online{nyt:learn-secrets,
|
||||
author = {Duhigg, Charles},
|
||||
title = {How Companies Learn Your Secrets},
|
||||
organization = {The New York Times},
|
||||
date = {2016-02-16},
|
||||
url = {http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html},
|
||||
urldate = {2017-03-19},
|
||||
}
|
||||
|
||||
@online{trustev:tech,
|
||||
title = {TransUnion | Trustev -- Technology},
|
||||
organization = {TransUnion},
|
||||
url = {http://www.trustev.com/technology},
|
||||
urldate = {2017-03-19},
|
||||
}
|
||||
|
|
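Review bot: The `networks-of-control` author field, `author = {Christl, Wolfie,` / `and Spiekermann, Sarah},`, has a stray comma after `Wolfie`, so the name is parsed in the three-part `Last, Jr, First` form with `Wolfie` as a suffix and no given name; drop it: `author = {Christl, Wolfie and Spiekermann, Sarah},`. In `33c3:surveil`, `location = {33^{rd} Chaos Communication Congress}` puts `^` outside math mode, which makes LaTeX stop with "Missing $ inserted" when the entry is printed, and `location` is the place of publication in biblatex, so use `eventtitle = {33rd Chaos Communication Congress},` instead and fix the title typo `Corporare` to `Corporate`. In `nyt:learn-secrets`, `date = {2016-02-16}` disagrees with the `/2012/02/19/` segment of its `url`; one of the two is wrong and should be checked against the article. The earlier hunk of this file has a similar typo in `ijcseit:biometric`, `Intrustion`, presumably meant to be `Intrusion`.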
300
slides.org
300
slides.org
|
@ -1429,7 +1429,8 @@ Very creative ones.
|
|||
|
||||
- Panopticlick (EFF)\cite{panopti:about}
|
||||
- User Agent, cookies, screen resolution, fonts, language, session storage,
|
||||
canvas, WebGL, ad blocker, audio, keystrokes, mouse movement, \ldots
|
||||
canvas, WebGL, ad blocker, audio, keystrokes,
|
||||
mouse movement,\nbsp{}\ldots\cite{ijcseit:biometric}
|
||||
- Can even track separate browsers on the same
|
||||
hardware\cite{hardware-fingerprint,ars:fingerprint}
|
||||
|
||||
|
@ -1571,7 +1572,7 @@ Well, it depends on your threat model,
|
|||
#+BEAMER: \only<2-3>{
|
||||
- <2-3> Preempt most sophisticated and damning fingerprinting methods
|
||||
- <2-3> Stop hardware profiling
|
||||
- <2-3> Stop keystroke/mouse analysis
|
||||
- <2-3> Stop keystroke/mouse analysis\cite{ijcseit:biometric}
|
||||
- <3> Remember those audio beacons?\cite{bleep:ultrasound-tor}
|
||||
#+BEAMER: }
|
||||
#+BEAMER: \only<4-5>{
|
||||
|
@ -1860,21 +1861,29 @@ There's obvious tradeoffs there for both;
|
|||
#+END_COMMENT
|
||||
|
||||
|
||||
** LACKING Data Analytics [0/2]
|
||||
*** DRAFT Introduction [0/1] :B_ignoreheading:
|
||||
** REVIEWED Data and Profiling [0/3]
|
||||
*** REVIEWED Introduction :B_ignoreheading:
|
||||
:PROPERTIES:
|
||||
:BEAMER_env: ignoreheading
|
||||
:END:
|
||||
**** DRAFT Introduction :B_fullframe:
|
||||
**** REVIEWED Introduction :B_fullframe:
|
||||
:PROPERTIES:
|
||||
:DURATION: 00:00
|
||||
:DURATION: 00:00:05
|
||||
:BEAMER_env: fullframe
|
||||
:END:
|
||||
|
||||
#+BEGIN_CENTER
|
||||
``Big Data''
|
||||
#+BEAMER: \only<1>{
|
||||
\Huge ``Big Data''
|
||||
|
||||
(/Your/ Big Data)
|
||||
#+BEAMER: }
|
||||
#+BEAMER: \only<2>{
|
||||
\Huge ``Business Intelligence''
|
||||
#+BEAMER: }
|
||||
#+BEAMER: \only<3>{
|
||||
\Huge ``Data Brokers''
|
||||
#+BEAMER: }
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_COMMENT
|
||||
|
@ -1882,52 +1891,275 @@ We've seen adversaries with different motives.
|
|||
Let's explore what some of them do with all those data.
|
||||
#+END_COMMENT
|
||||
|
||||
|
||||
*** LACKING Headings [0/3]
|
||||
**** LACKING Advertisers
|
||||
*** REVIEWED Those Who Spy
|
||||
**** REVIEWED Data Brokers
|
||||
:PROPERTIES:
|
||||
:DURATION: 00:02
|
||||
:DURATION: 00:00:15
|
||||
:END:
|
||||
|
||||
- Most users' threat models don't include the NSA
|
||||
- Biggest threat to privacy are companies that aggregate data to understand
|
||||
you (often /better than you/)
|
||||
|
||||
#+BEGIN_COMMENT
|
||||
The biggest threat to privacy to the average user is by companies that
|
||||
aggregate data for the purpose of understanding _you_.
|
||||
Probably better than you understand you.
|
||||
I'm sure many of you heard of the story of Target knowing a girl was
|
||||
pregnant before she did.
|
||||
|
||||
<<user profiles>>
|
||||
#+END_COMMENT
|
||||
|
||||
|
||||
**** DEVOID Social Media
|
||||
***** Lightbeam Reminder
|
||||
:PROPERTIES:
|
||||
:DURATION: 00:01
|
||||
:BEAMER_col: 0.50
|
||||
:END:
|
||||
|
||||
TODO
|
||||
[[./images/lightbeam-ex.png]]
|
||||
|
||||
***** Summary
|
||||
:PROPERTIES:
|
||||
:BEAMER_col: 0.50
|
||||
:END:
|
||||
|
||||
- Ghostery lists *over 3,000 companies receiving web/app
|
||||
data*\cite{ghostery:companies}
|
||||
|
||||
|
||||
#+BEGIN_COMMENT
|
||||
(Where you are, what you do.)
|
||||
Back to that Lightbeam graph of third parties.
|
||||
Ghostery has a list of third parties receiving web and app data.
|
||||
There's over 3,000 of them.
|
||||
|
||||
Looking at this graph from a few sites,
|
||||
that might not be too surprising.
|
||||
#+END_COMMENT
|
||||
|
||||
|
||||
**** DEVOID Governments
|
||||
**** REVIEWED Oracle Identity Graph
|
||||
:PROPERTIES:
|
||||
:DURATION: 00:00:30
|
||||
:END:
|
||||
|
||||
TODO
|
||||
#+BEGIN_CENTER
|
||||
#+ATTR_LATEX: :height 2in
|
||||
[[./images/tp/oracle-id-fuu.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_QUOTE
|
||||
\footnotesize ``Aggregates and provides insights on over $2\nbsp{}trillion in
|
||||
consumer spending from 1,500 data partners across 110 million US
|
||||
households''\cite{oracle:datalogix-acq}
|
||||
#+END_QUOTE
|
||||
|
||||
#+BEGIN_COMMENT
|
||||
(Segue into government surveillance.)
|
||||
Look how happy she is to be tracked!
|
||||
I'm kidding of course.
|
||||
If we put some random person's picture in her place,
|
||||
they might feel a bit uncomfortable.
|
||||
|
||||
<Read quote>
|
||||
|
||||
Look at that last bullet point there.
|
||||
#+END_COMMENT
|
||||
|
||||
|
||||
**** REVIEWED All About the Experience :B_fullframe:
|
||||
:PROPERTIES:
|
||||
:BEAMER_env: fullframe
|
||||
:DURATION: 00:00:05
|
||||
:END:
|
||||
|
||||
#+BEGIN_CENTER
|
||||
\Huge ``More Relevant Customer Experience''
|
||||
#+END_CENTER
|
||||
|
||||
|
||||
**** REVIEWED Target Pregnancy Prediction
|
||||
:PROPERTIES:
|
||||
:DURATION: 00:00:25
|
||||
:END:
|
||||
|
||||
#+BEGIN_CENTER
|
||||
#+ATTR_LATEX: :height 1in
|
||||
[[./images/tp/target-logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
- <1-> Records purchases, credit cards, coupons, surveys, refunds, customer
|
||||
helpline calls, email, website visits, \ldots\cite{networks-of-control}
|
||||
- <1-> Purchase more information from third parties\cite{networks-of-control}
|
||||
- <2-> Identified 25 products to create a ``pregnancy prediction'' score and
|
||||
estimate due date\cite{nyt:learn-secrets}
|
||||
- <2-> Quantities of types of lotions, soaps, cotton balls,
|
||||
supplements,\nbsp{}etc
|
||||
|
||||
#+BEGIN_COMMENT
|
||||
One of the most popular examples of these types of analytics is a case where
|
||||
a father received coupons for baby clothes in the mail for his daughter.
|
||||
Target successfully predicted that she was pregnant based on certain items
|
||||
that she purchased,
|
||||
like quantities of certain lotions,
|
||||
and even things like cotton balls.
|
||||
They call this a ``pregnancy prediction''.
|
||||
It's creepy.
|
||||
It's lucrative.
|
||||
#+END_COMMENT
|
||||
|
||||
|
||||
**** REVIEWED Transparency Needed
|
||||
:PROPERTIES:
|
||||
:DURATION: 00:00:40
|
||||
:END:
|
||||
|
||||
***** Trustev Graph
|
||||
:PROPERTIES:
|
||||
:BEAMER_col: 0.50
|
||||
:END:
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[./images/tp/trustev-graph.png]]
|
||||
|
||||
\incite{trustev:tech}
|
||||
#+END_CENTER
|
||||
|
||||
***** Summary
|
||||
:PROPERTIES:
|
||||
:BEAMER_col: 0.50
|
||||
:END:
|
||||
- *Let users see their data in this graph!*
|
||||
- Erase nonpublic information that they don't want to be known
|
||||
- Let them correct what is wrong
|
||||
- <3> Also a problem with law enforcement / government
|
||||
- <2-> Let them *opt out!*
|
||||
|
||||
#+BEGIN_COMMENT
|
||||
Look, at the end of the day,
|
||||
some people do legitimately want this.
|
||||
They want to have this ``relevant customer experience''.
|
||||
|
||||
What we need is transparency.
|
||||
|
||||
Companies like Oracle should let you see your data in this graph.
|
||||
Let you correct it if it's wrong.
|
||||
Erase it if it's nonpublic information that you don't want to be known.
|
||||
And allow you to /opt out/!
|
||||
|
||||
We talked about government surveillance a while ago.
|
||||
This is a problem there as well.
|
||||
What if you're flagged as suspicious?
|
||||
Put on some no-fly list or terrorism watch list?
|
||||
What if it were based on completely wrong information inferred by some
|
||||
algorithm?
|
||||
|
||||
Let's look at that graph on the left a little more closely.
|
||||
#+END_COMMENT
|
||||
|
||||
|
||||
*** REVIEWED These Data Affect Your Life!
|
||||
**** REVIEWED Trustev Fraud Detection
|
||||
:PROPERTIES:
|
||||
:DURATION: 00:00:25
|
||||
:END:
|
||||
#+BEGIN_CENTER
|
||||
[[./images/tp/trustev-graph.png]]
|
||||
|
||||
\incite{trustev:tech}
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_COMMENT
|
||||
This is a graph of sources for TransUnion's fraud prevention system.
|
||||
There are a lot of data sources here.
|
||||
And look at the node at the bottom---
|
||||
``machine learning''.
|
||||
|
||||
What if this were wrong?
|
||||
You'd be flagged as a fraud.
|
||||
This could be inconvenient---
|
||||
like not being able to make an online purchase.
|
||||
But what if you are denied a loan because of things like this?
|
||||
Or...denied employment?
|
||||
#+END_COMMENT
|
||||
|
||||
|
||||
**** REVIEWED LexisNexis
|
||||
:PROPERTIES:
|
||||
:DURATION: 00:00:45
|
||||
:END:
|
||||
#+BEGIN_CENTER
|
||||
#+ATTR_LATEX: :height 0.25in
|
||||
[[./images/tp/lexisnexis.png]]
|
||||
#+END_CENTER
|
||||
|
||||
- Risk management for insurance, finance, retail, travel,
|
||||
government, gaming, and healthcare\cite{networks-of-control}
|
||||
- Data on over 500 million customers
|
||||
- TrueID---34 billion records from over 10,000 sources\cite{lexisnexis:trueid}
|
||||
|
||||
#+BEGIN_QUOTE
|
||||
``We help insurers assess their risk and streamline the underwriting process
|
||||
in 99% of all U.S. auto insurance claims and more than 90% of all homeowner
|
||||
claims.''
|
||||
#+END_QUOTE
|
||||
|
||||
#+BEGIN_COMMENT
|
||||
There's a ton of these companies;
|
||||
we only have time for a few.
|
||||
LexisNexis is another popular one.
|
||||
And it's fun to say.
|
||||
|
||||
They handle risk management for various industries.
|
||||
And they pull from a pool of data of over 500 million customers.
|
||||
|
||||
<read quote>
|
||||
|
||||
To give you an idea of their scale:
|
||||
they also have a system called TrueID,
|
||||
which does identity verification for fraud detection.
|
||||
They aggregate tens of billions of records from over ten thousand sources.
|
||||
#+END_COMMENT
|
||||
|
||||
**** REVIEWED Palantir
|
||||
:PROPERTIES:
|
||||
:DURATION: 00:00:25
|
||||
:END:
|
||||
|
||||
#+BEGIN_CENTER
|
||||
#+ATTR_LATEX: :height 1in
|
||||
[[./images/tp/palantir.png]]
|
||||
#+END_CENTER
|
||||
|
||||
- Co-founded by Peter Thiel of PayPal
|
||||
- CIA, DHS, NSA, FBI, the CDC, the Marine Corps, the Air Force, Special
|
||||
Operations Command, West Point, the Joint IED-defeat organization and
|
||||
Allies, the Recovery Accountability and Transparency Board and the
|
||||
National Center for Missing and Exploited Children.\cite{techcrunch:palantir}
|
||||
|
||||
#+BEGIN_COMMENT
|
||||
Another highly controversial one is Palantir.
|
||||
It was started by one of the co-founders of PayPal, Peter Thiel,
|
||||
for terrorism intelligence.
|
||||
It's now used for its powerful analytic capabilities
|
||||
by not only private corporations,
|
||||
but numerous government agencies,
|
||||
a few of them being the CIA, DHS, FBI, and the NSA itself.
|
||||
|
||||
Yeah.
|
||||
What if these data are wrong?
|
||||
#+END_COMMENT
|
||||
|
||||
|
||||
*** REVIEWED More Information
|
||||
|
||||
**** REVIEWED Networks of Control :B_fullframe:
|
||||
:PROPERTIES:
|
||||
:DURATION: 00:00:15
|
||||
:BEAMER_env: fullframe
|
||||
:END:
|
||||
|
||||
#+BEGIN_CENTER
|
||||
#+ATTR_LATEX: :height 2in
|
||||
[[./images/tp/networks-of-control.png]]
|
||||
|
||||
\incite{networks-of-control,33c3:surveil}
|
||||
|
||||
Shock and Awe
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_COMMENT
|
||||
If this topic interests you,
|
||||
you need to read the paper Networks of Control.
|
||||
One of the authors gave a talk at the recent Chaos Communication Congress,
|
||||
and I was in both shock and awe.
|
||||
I've only had the chance to skim the paper.
|
||||
Both are referenced here.
|
||||
#+END_COMMENT
|
||||
|
||||
** LACKING Policy and Government [0/6]
|
||||
*** DRAFT Introduction [0/1] :B_ignoreheading:
|
||||
:PROPERTIES:
|
||||
|
|
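Review bot: The LexisNexis slide quotes `We help insurers assess their risk ...` and states `Data on over 500 million customers` without a citation, while the neighbouring bullets cite `networks-of-control` and `lexisnexis:trueid`; add a `\cite{...}` to the quote block and to that bullet naming whichever source they are taken from, and likewise for `Co-founded by Peter Thiel of PayPal` on the Palantir slide. In the first two hunks, `mouse movement,\nbsp{}\ldots\cite{ijcseit:biometric}` and `Stop keystroke/mouse analysis\cite{ijcseit:biometric}` cite an entry whose title is about fingerprint recognition for intrusion detection, which does not obviously support a keystroke/mouse-dynamics claim, so it is worth confirming that is the intended reference. The bare `TODO` line above `#+BEGIN_CENTER` in the `Oracle Identity Graph` slide sits under a heading already marked `REVIEWED`; if that line is on the new side it will be exported as slide text and should be removed.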