From a896777647748f0d03b965e0330261f818eb3119 Mon Sep 17 00:00:00 2001
From: Mike Gerwitz
Date: Sun, 19 Mar 2017 03:35:45 -0400
Subject: [PATCH] Initial revision of Data and Profiling section

This is missing information on giving up information to social media, SaaSS, the "cloud", etc.

---
 images/tp/SHA256SUM | 6 +
 images/tp/remote-list | 6 +
 sapsf.bib | 89 ++++++++++++-
 slides.org | 300 +++++++++++++++++++++++++++++++++++++-----
 4 files changed, 365 insertions(+), 36 deletions(-)

diff --git a/images/tp/SHA256SUM b/images/tp/SHA256SUM
index be428f8..c8e2519 100644
--- a/images/tp/SHA256SUM
+++ b/images/tp/SHA256SUM
@@ -15,3 +15,9 @@ ee2c1e8325221cc5ae01b078930d7e74d447cec25cebeb18c0aaa1989994b918 tor-diagram.pn
 f9600308d10debbc56e116087aa83a1ada126f3979f8b528228e1e89a87efd12 torbrowser.png
 4f231d937e622d9012706d57d5b0faa233f83d1e864db3b1b50d40d714aa8244 tails.png
 dce3dbf6572077dd495a9413ff11d7017d785142af85286a5ab51b7c7e4da728 whonix.png
+9cb6cfd3c0c07c605f514e9b262a9baf224c622a86aea7d6b978e73127685e76 networks-of-control.png
+e52d8250d9a98ae68a68a758e1421231aebd4933cc44bc5a2364222984e1ee7f oracle-id-fuu.png
+4d1a1bb46f21f8d88336b6316a1131fc8f21400b96820c4b54e07288ff23fbf7 lexisnexis.png
+912270ce97ece82c5a335ce84d80e9470c6fb7e1822aa937fa7550a499d87952 palantir.png
+cbf3495473a9b111b3ba9723d5ebb9476bd6abf9bf3af711bdbe803baf98067f target-logo.png
+0a47a1e0b74fa4ec168d935357081a6d15e55ba77edad483ecb7fe14c3f6f4dc trustev-graph.png
diff --git a/images/tp/remote-list b/images/tp/remote-list
index a6a28ea..6d4f264 100644
--- a/images/tp/remote-list
+++ b/images/tp/remote-list
@@ -15,3 +15,9 @@ tor-diagram.png https://web.archive.org/web/20170318055957/https://www.torprojec
 torbrowser.png https://web.archive.org/web/20170318161549/https://www.torproject.org/images/tb-lg.png -crop 185x135+0+0
 tails.png https://web.archive.org/web/20170318162345/https://tails.boum.org/lib/banner.png -crop 495x114+30+0
 whonix.png https://web.archive.org/web/20170318164321/https://upload.wikimedia.org/wikipedia/en/7/75/Whonix_Logo.png
+networks-of-control.png https://web.archive.org/web/20170318184646/http://www.facultas.at/upload/verlag/networksofcontrol/Christl_Networks_300.jpg -scale 50%
+oracle-id-fuu.png https://web.archive.org/web/20170318183230/http://www.oracle.com/us/corporate/acquisitions/datalogix/general-presentation-2395307.pdf oracle-id-fuu.png[7]
+lexisnexis.png https://web.archive.org/web/20170319033528/http://www.lexisnexis.com/risk/img/logo-lexisnexis.png
+palantir.png https://web.archive.org/web/20170319035510/https://www.palantir.com/build/images/global/opengraph-banner.png -crop 170x210+515+170
+target-logo.png https://web.archive.org/web/20170319055701/https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Target_Corporation_logo_%28vector%29.svg/240px-Target_Corporation_logo_%28vector%29.svg.png
+trustev-graph.png https://web.archive.org/web/20170319060719/http://www.trustev.com/hs-fs/hubfs/JANUARY-2016/Technology/r-feb-t-circle1.png?t=1473256538000&width=1788&name=r-feb-t-circle1.png
diff --git a/sapsf.bib b/sapsf.bib
index 5437f6f..7f4e2d3 100644
--- a/sapsf.bib
+++ b/sapsf.bib
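Review bot: The new `oracle-id-fuu.png` entry is the first source in this list that is a PDF rather than an image (the `[7]` selects a page of the document), yet the only integrity pin in the patch is the SHA256SUM entry for the converted `.png` output, not for the bytes fetched from the archive URL. The fetch/convert script is not part of this patch, so this is inferred from the `-crop`/`-scale` arguments, but if those are passed to ImageMagick the PDF goes through its Ghostscript delegate, which is a much larger parsing surface than the PNG/JPEG decoding the earlier entries needed, and the checksum mismatch would only be noticed after that rendering has already run. Recording a digest of the downloaded source alongside the URL (a third column, or a separate `SHA256SUM` for sources) would let the fetch step verify before conversion; at minimum a comment at the top of `remote-list` should state that the SHA256SUM file pins outputs only, e.g. `# SHA256SUM covers converted outputs; sources are trusted via their web.archive.org snapshot URLs`.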
@@ -868,7 +868,23 @@ urldate = {2017-03-17}, } -@article{ars:fingerprint, +@article{ijcseit:biometric, + author = {Mudholkar, Smita S. + and Shende, Pradnya M. + and Sarode, Milind V.}, + title = {Biometrics Authentication Technique for Intrustion Detection + Systems Using Fingerprint Recognition}, + journal = {International Journal of Computer Science, Engineering and + Information Technology}, + volume = 2, + number = 4, + doi = {10.5121/ijcseit.2012.2106}, + date = {2012-02}, + url = {http://airccse.org/journal/ijcseit/papers/2112ijcseit06.pdf}, + urldate = {2017-03-19}, +} + +@online{ars:fingerprint, author = {Goodwin, Dan}, title = {Now sites can fingerprint you online even when you use multiple browsers}, 
@@ -934,9 +950,78 @@ urldate = {2017-03-17}, } -@cite{tor:browser, +@online{tor:browser, title = {Tor Browser}, organization = {Tor Project}, url = {https://www.torproject.org/projects/torbrowser.html.en}, urldate = {2017-03-17}, } + +@online{ghostery:companies, + title = {Company Database}, + organization = {Ghostery Enterprise}, + url = {http://www.ghosteryenterprise.com/company-database/}, + urldate = {2017-03-17}, +} + +@online{networks-of-control, + author = {Christl, Wolfie, + and Spiekermann, Sarah}, + title = {Networks of Control}, + date = {2016}, + url = {http://crackedlabs.org/en/networksofcontrol}, + urldate = {2017-03-18}, +} + +@online{33c3:surveil, + author = {Christl, Wolfie}, + title = {Corporare surveillance, digital tracking, big data~\&~privacy}, + subtitle = {How thousands of companies are profiling, categorizing, rating + and affecting the lives of billions}, + location = {33^{rd} Chaos Communication Congress}, + date = {2016-12-30}, + url = {https://media.ccc.de/v/33c3-8414-corporate_surveillance_digital_tracking_big_data_privacy}, + urldate = {2017-03-18}, + annotation = {See also \cite{networks-of-control}} +} + +@online{oracle:datalogix-acq, + title = {Oracle Buys Datalogix}, + subtitle = {Creates the World's Most Valuable Data Cloud to Maximize the + Power of Digital Marketing}, + organization = {Oracle}, + url = {http://www.oracle.com/us/corporate/acquisitions/datalogix/general-presentation-2395307.pdf}, + urldate = {2017-03-18}, +} + +@online{lexisnexis:trueid, + title = {LexisNexis TrueID}, + organization = {LexisNexis}, + url = {http://www.lexisnexis.com/risk/downloads/literature/trueid.pdf}, + urldate = {2017-03-18}, +} + +@online{techcrunch:palantir, + author = {Burns, Matt}, + title = {Leaked Palantir Doc Reveals Uses, Specific Functions And Key Clients}, + organization = {TechCrunch}, + date = {2015-01-11}, + url = {https://techcrunch.com/2015/01/11/leaked-palantir-doc-reveals-uses-specific-functions-and-key-clients/}, + urldate = 
{2017-03-19}, +} + +@online{nyt:learn-secrets, + author = {Duhigg, Charles}, + title = {How Companies Learn Your Secrets}, + organization = {The New York Times}, + date = {2016-02-16}, + url = {http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html}, + urldate = {2017-03-19}, +} + +@online{trustev:tech, + title = {TransUnion | Trustev -- Technology}, + organization = {TransUnion}, + url = {http://www.trustev.com/technology}, + urldate = {2017-03-19}, +} diff --git a/slides.org b/slides.org index d7d401f..30ab9e3 100644 --- a/slides.org +++ b/slides.org @@ -1429,7 +1429,8 @@ Very creative ones. - Panopticlick (EFF)\cite{panopti:about} - User Agent, cookies, screen resolution, fonts, language, session storage, - canvas, WebGL, ad blocker, audio, keystrokes, mouse movement, \ldots + canvas, WebGL, ad blocker, audio, keystrokes, + mouse movement,\nbsp{}\ldots\cite{ijcseit:biometric} - Can even track separate browsers on the same hardware\cite{hardware-fingerprint,ars:fingerprint} @@ -1571,7 +1572,7 @@ Well, it depends on your threat model, #+BEAMER: \only<2-3>{ - <2-3> Preempt most sophisticated and damning fingerprinting methods - <2-3> Stop hardware profiling - - <2-3> Stop keystroke/mouse analysis + - <2-3> Stop keystroke/mouse analysis\cite{ijcseit:biometric} - <3> Remember those audio beacons?\cite{bleep:ultrasound-tor} #+BEAMER: } #+BEAMER: \only<4-5>{ 
@@ -1860,21 +1861,29 @@ There's obvious tradeoffs there for both; #+END_COMMENT -** LACKING Data Analytics [0/2] -*** DRAFT Introduction [0/1] :B_ignoreheading: +** REVIEWED Data and Profiling [0/3] +*** REVIEWED Introduction :B_ignoreheading: :PROPERTIES: :BEAMER_env: ignoreheading :END: -**** DRAFT Introduction :B_fullframe: +**** REVIEWED Introduction :B_fullframe: :PROPERTIES: -:DURATION: 00:00 +:DURATION: 00:00:05 :BEAMER_env: fullframe :END: #+BEGIN_CENTER -``Big Data'' +#+BEAMER: \only<1>{ +\Huge ``Big Data'' (/Your/ Big Data) +#+BEAMER: } +#+BEAMER: \only<2>{ +\Huge ``Business Intelligence'' +#+BEAMER: } +#+BEAMER: \only<3>{ +\Huge ``Data Brokers'' +#+BEAMER: } #+END_CENTER #+BEGIN_COMMENT 
@@ -1882,52 +1891,275 @@ We've seen adversaries with different motives. Let's explore what some of them do with all those data. #+END_COMMENT - -*** LACKING Headings [0/3] -**** LACKING Advertisers +*** REVIEWED Those Who Spy +**** REVIEWED Data Brokers :PROPERTIES: -:DURATION: 00:02 +:DURATION: 00:00:15 :END: -- Most users' threat models don't include the NSA -- Biggest threat to privacy are companies that aggregate data to understand - you (often /better than you/) - -#+BEGIN_COMMENT -The biggest threat to privacy to the average user is by companies that - aggregate data for the purpose of understanding _you_. -Probably better than you understand you. -I'm sure many of you heard of the story of Target knowing a girl was - pregnant before she did. - -<> -#+END_COMMENT - - -**** DEVOID Social Media +***** Lightbeam Reminder :PROPERTIES: -:DURATION: 00:01 +:BEAMER_col: 0.50 :END: -TODO +[[./images/lightbeam-ex.png]] + +***** Summary +:PROPERTIES: +:BEAMER_col: 0.50 +:END: + +- Ghostery lists *over 3,000 companies receiving web/app + data*\cite{ghostery:companies} + #+BEGIN_COMMENT -(Where you are, what you do.) +Back to that Lightbeam graph of third parties. +Ghostery has a list of third parties receiving web and app data. +There's over 3,000 of them. + +Looking at this graph from a few sites, + that might not be too surprising. #+END_COMMENT - -**** DEVOID Governments +**** REVIEWED Oracle Identity Graph :PROPERTIES: :DURATION: 00:00:30 :END: -TODO +#+BEGIN_CENTER +#+ATTR_LATEX: :height 2in +[[./images/tp/oracle-id-fuu.png]] +#+END_CENTER + +#+BEGIN_QUOTE +\footnotesize ``Aggregates and provides insights on over $2\nbsp{}trillion in +consumer spending from 1,500 data partners across 110 million US +households''\cite{oracle:datalogix-acq} +#+END_QUOTE #+BEGIN_COMMENT -(Segue into government surveillance.) +Look how happy she is to be tracked! +I'm kidding of course. +If we put some random person's picture in her place, + they might feel a bit uncomfortable. 
+ + + +Look at that last bullet point there. #+END_COMMENT +**** REVIEWED All About the Experience :B_fullframe: +:PROPERTIES: +:BEAMER_env: fullframe +:DURATION: 00:00:05 +:END: + +#+BEGIN_CENTER +\Huge ``More Relevant Customer Experience'' +#+END_CENTER + + +**** REVIEWED Target Pregnancy Prediction +:PROPERTIES: +:DURATION: 00:00:25 +:END: + +#+BEGIN_CENTER +#+ATTR_LATEX: :height 1in +[[./images/tp/target-logo.png]] +#+END_CENTER + +- <1-> Records purchases, credit cards, coupons, surveys, refunds, customer + helpline calls, email, website visits, \ldots\cite{networks-of-control} +- <1-> Purchase more information from third parties\cite{networks-of-control} +- <2-> Identified 25 products to create a ``pregnancy prediction'' score and + estimate due date\cite{nyt:learn-secrets} + - <2-> Quantities of types of lotions, soaps, cotton balls, + supplements,\nbsp{}etc + +#+BEGIN_COMMENT +One of the most popular examples of these types of analytics is a case where + a father received coupons for baby clothes in the mail for his daughter. +Target successfully predicted that she was pregnant based on certain items + that she purchased, + like quantities of certain lotions, + and even things like cotton balls. +They call this a ``pregnancy prediction''. +It's creepy. +It's lucrative. +#+END_COMMENT + + +**** REVIEWED Transparency Needed +:PROPERTIES: +:DURATION: 00:00:40 +:END: + +***** Trustev Graph +:PROPERTIES: +:BEAMER_col: 0.50 +:END: + +#+BEGIN_CENTER +[[./images/tp/trustev-graph.png]] + +\incite{trustev:tech} +#+END_CENTER + +***** Summary +:PROPERTIES: +:BEAMER_col: 0.50 +:END: +- *Let users see their data in this graph!* +- Erase nonpublic information that they don't want to be known +- Let them correct what is wrong + - <3> Also a problem with law enforcement / government +- <2-> Let them *opt out!* + +#+BEGIN_COMMENT +Look, at the end of the day, + some people do legitimately want this. +They want to have this ``relevant customer experience''. 
+ +What we need is transparency. + +Companies like Oracle should let you see your data in this graph. +Let you correct it if it's wrong. +Erase it if it's nonpublic information that you don't want to be known. +And allow you to /opt out/! + +We talked about government surveillance a while ago. +This is a problem there as well. +What if you're flagged as suspicious? +Put on some no-fly list or terrorism watch list? +What if it were based on completely wrong information inferred by some + algorithm? + +Let's look at that graph on the left a little more closely. +#+END_COMMENT + + +*** REVIEWED These Data Affect Your Life! +**** REVIEWED Trustev Fraud Detection +:PROPERTIES: +:DURATION: 00:00:25 +:END: +#+BEGIN_CENTER +[[./images/tp/trustev-graph.png]] + +\incite{trustev:tech} +#+END_CENTER + +#+BEGIN_COMMENT +This is a graph of sources for TransUnion's fraud prevention system. +There are a lot of data sources here. +And look at the node at the bottom--- + ``machine learning''. + +What if this were wrong? +You'd be flagged as a fraud. +This could be inconvenient--- + like not being able to make an online purchase. +But what if you are denied a loan because of things like this? +Or...denied employment? +#+END_COMMENT + + +**** REVIEWED LexisNexis +:PROPERTIES: +:DURATION: 00:00:45 +:END: +#+BEGIN_CENTER +#+ATTR_LATEX: :height 0.25in +[[./images/tp/lexisnexis.png]] +#+END_CENTER + +- Risk management for insurance, finance, retail, travel, + government, gaming, and healthcare\cite{networks-of-control} +- Data on over 500 million customers +- TrueID---34 billion records from over 10,000 sources\cite{lexisnexis:trueid} + +#+BEGIN_QUOTE +``We help insurers assess their risk and streamline the underwriting process +in 99% of all U.S. auto insurance claims and more than 90% of all homeowner +claims.'' +#+END_QUOTE + +#+BEGIN_COMMENT +There's a ton of these companies; + we only have time for a few. +LexisNexis is another popular one. +And it's fun to say. 
+ +They handle risk management for various industries. +And they pull from a pool of data of over 500 million customers. + + + +To give you an idea of their scale: + they also have a system called TrueID, + which does identity verification for fraud detection. + They aggregate tens of billions of records from over ten thousand sources. +#+END_COMMENT + +**** REVIEWED Palantir +:PROPERTIES: +:DURATION: 00:00:25 +:END: + +#+BEGIN_CENTER +#+ATTR_LATEX: :height 1in +[[./images/tp/palantir.png]] +#+END_CENTER + +- Co-founded by Peter Thiel of PayPal +- CIA, DHS, NSA, FBI, the CDC, the Marine Corps, the Air Force, Special + Operations Command, West Point, the Joint IED-defeat organization and + Allies, the Recovery Accountability and Transparency Board and the + National Center for Missing and Exploited Children.\cite{techcrunch:palantir} + +#+BEGIN_COMMENT +Another highly controversial one is Palantir. +It was started by one of the co-founders of PayPal, Peter Thiel, + for terrorism intelligence. +It's now used for its powerful analytic capabilities + by not only private corporations, + but numerous government agencies, + a few of them being the CIA, DHS, FBI, and the NSA itself. + +Yeah. +What if these data are wrong? +#+END_COMMENT + + +*** REVIEWED More Information + +**** REVIEWED Networks of Control :B_fullframe: +:PROPERTIES: +:DURATION: 00:00:15 +:BEAMER_env: fullframe +:END: + +#+BEGIN_CENTER +#+ATTR_LATEX: :height 2in +[[./images/tp/networks-of-control.png]] + +\incite{networks-of-control,33c3:surveil} + +Shock and Awe +#+END_CENTER + +#+BEGIN_COMMENT +If this topic interests you, + you need to read the paper Networks of Control. +One of the authors gave a talk at the recent Chaos Communication Congress, + and I was in both shock and awe. +I've only had the chance to skim the paper. +Both are referenced here. +#+END_COMMENT + ** LACKING Policy and Government [0/6] *** DRAFT Introduction [0/1] :B_ignoreheading: :PROPERTIES: