images/Makefile: Add file.

master
Mike Gerwitz 2017-03-12 04:06:15 -04:00
parent 17dbce4b7f
commit f12db70e69
3 changed files with 588 additions and 233 deletions

25
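--- a/images/Makefile
+++ b/images/Makefile
@@ -0,0 +1,25 @@
+# Third-party image retrieval
+#
+# Licensed under the CC0 1.0 Universal license (public domain).
+##
+images := sf-cameras.jpg alpr-mounted.png alpr-capture.png \
+alpr-pips.png
+define imgfetch
+torify wget -O
+endef
+all: $(images)
+sf-cameras.jpg:
+$(imgfetch) "$@" 'https://cbssanfran.files.wordpress.com/2015/09/san_francisco_surveillance_cameras_092315.jpg'
+alpr-mounted.png:
+$(imgfetch) "$@" 'https://www.eff.org/files/2015/10/20/paxton_and_spencer_.png'
+alpr-capture.png:
+$(imgfetch) "$@" 'https://www.eff.org/files/2015/10/20/paxton_captures.png'
+alpr-pips.png:
+$(imgfetch) "$@" 'https://www.eff.org/files/2015/10/15/pipscam9_redacted.png'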
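Review bot: A failed fetch leaves an empty or truncated image behind, because `wget -O "$@"` opens the target before the transfer starts and these rules have no prerequisites, so the next `make` treats the file as up to date; adding `.DELETE_ON_ERROR:` near the top of the file makes make remove the target when the recipe fails. The downloaded bytes are also accepted as-is: the URLs are HTTPS, but nothing pins what the third-party hosts serve, and these files are presumably parsed later by the slide build, so I would record a SHA-256 for each image in a checked-in list and verify it right after the fetch (for example with `sha256sum -c` against that list). `all` names no file and should be declared with `.PHONY: all`. A one-line comment on `imgfetch` stating that `torify` and `wget` must be installed, and why the fetches go through Tor, would help a first-time builder.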

240
sapsf.bib

@ -222,3 +222,243 @@
history, telephone numbers, IMEIs, etc to third-party
servers without users' knolwedge or censent}
}
@online{intercept:nyc-surveil,
author = {Currier, Cora},
title = {A Walking Tour of New York's Massive Surveillance Network},
organization = {The Intercept},
date = {2016-09-24},
url = {https://theintercept.com/2016/09/24/a-walking-tour-of-new-yorks-massive-surveillance-network/},
urldate = {2017-03-12},
}
@online{shodan,
title = {Shodan},
subtitle = {The search engine for the Internet of Things},
url = {https://shodan.io},
urldate = {2017-03-12},
}
@online{krebs:mongodb,
author = {Krebs, Brian},
title = {Extortionists Wipe Thousands of Databases,
Victims Who Pay Up Get Stiffed},
url = {https://krebsonsecurity.com/2017/01/extortionists-wipe-thousands-of-databases-victims-who-pay-up-get-stiffed/},
urldate = {2017-03-12},
}
@online{insecam,
title = {Insecam - World biggest online cameras directory},
url = {http://insecam.org},
urldate = {2017-03-12},
annotation = {Load the HTTP (non-HTTPS) site, otherwise mixed content is
blocked and thumbnails will not work.}
}
@article{ieee:gait,
author = {Rogez, Gr\'egory
and Rihan, Jonathan
and Guerrero, Jose J.},
title = {Monocular {3D} Gait Tracking in Surveillance Scenes},
journal = {IEEE Transactions on Cybernetics},
url = {http://vision.ics.uci.edu/papers/RogezRGO_Cybernetics_2013/RogezRGO_Cybernetics_2013.pdf}
}
@article{ijca:gait,
author = {Vaidya, Sonali
and Shah, Kamal},
title = {Real Time Video Surveillance System},
journal = {International Journal of Computer Applications},
volume = 86,
pages = {22-27},
year = 2014,
url = {http://research.ijcaonline.org/volume86/number14/pxc3893419.pdf},
annotation = {Discusses realtime gait analysis for video surveillance},
}
@online{newsci:fb-noface,
author = {Rutkin, Aviva},
title = {Facebook can recognize you in photos even if you're not looking},
organization = {New Scientist},
url = {https://www.newscientist.com/article/dn27761-facebook-can-recognise-you-in-photos-even-if-youre-not-looking/},
urldate = {2017-03-12},
}
@online{rms:facebook,
author = {Stallman, Richard},
title = {Reasons not to use (i.e., be used by) {Facebook}},
url = {https://stallman.org/facebook.html},
urldate = {2017-03-12},
}
@online{register:fb-scan,
author = {Chirgwin, Richard},
title = {Facebook conjures up a trap for the unwary: scanning your camera
for your friends},
subtitle = {Auto-spam your friends with Photo Magic},
organization = {The Register},
url = {https://web.archive.org/web/20160605165148/http://www.theregister.co.uk/2015/11/10/facebook_scans_camera_for_your_friends/},
urldate = {2017-03-12},
annotation = {Archive.org link used because The~Register blocks
Tor~users unless they execute proprietary JavaScript.},
}
@online{guardian:fb-scan,
author = {Arthur, Charles},
title = {Facebook in new privacy row over facial recognition feature},
subtitle = {Social network turns on new feature to automatically identify
people in photos, raising questions about privacy
implications of the service},
organization = {The Guardian},
date = {2011-06-08},
url = {https://www.theguardian.com/technology/2011/jun/08/facebook-privacy-facial-recognition},
urldate = {2017-03-12},
}
@online{techcrunch:fb-baby,
author = {Constine, Josh},
title = {Facebooks New Photo “Scrapbook” Lets Parents Give Kids An
Official Presence},
organization = {TechCrunch},
date = {2016-03-31},
url = {https://techcrunch.com/2015/03/31/step-1-identify-baby-photo-step-2-hide-baby-photos/},
urldate = {2017-03-12},
annotation = {Facebook tricks users into violating their child's privacy
before they have any say in the matter.},
}
@online{eff:ios-photo-diff,
author = {Gebhart, Gennie
and Grant, Starchy
and Portnov, Erica},
title = {Facial Recognition, Differential Privacy, and Trade-Offs in
Apple's Latest OS Releases},
organization = {Electronic Frontier Foundation},
date = {2016-09-27},
url = {https://www.eff.org/deeplinks/2016/09/facial-recognition-differential-privacy-and-trade-offs-apples-latest-os-releases},
urldate = {2017-03-12},
}
@online{churchix,
title = {Churchix Facial Recognition Software},
subtitle = {Churchix Facial Recognition Software for Event Attendance},
url = {http://churchix.com/},
urldate = {2017-03-12},
annotation = {This software is cited for illustration; do~not use it.}
}
@online{facefirst,
title = {Face Recognition Software for Retail Stores: \#1~Biometric
Surveillance for Loss Prevention},
url = {https://www.facefirst.com/industry/retail-face-recognition/},
urldate = {2017-03-12},
annotation = {Full-page loading spinner does not remove itself without
running non-free JavaScript; remove it manually using a
web browser with a~debugger. This software is cited for
illustration; do~not use it.},
}
@online{bio:iris,
title = {Hacker extracts Merkel's iris image},
organization = {Planet Biometrics},
date = {2015-11-30},
url = {http://www.planetbiometrics.com/article-details/i/3644/},
urldate = {2017-03-12},
}
@online{eff:facial-tech,
author = {Schwartz, Adam},
title = {The Danger of Corporate Facial Recognition Tech},
subtitle = {The Illinois Biometric Privacy Statute Survived a Recent
Attack. But the Struggle Continues},
organization = {Electronic Frontier Foundation},
date = {2016-06-07},
url = {https://www.eff.org/deeplinks/2016/06/danger-corporate-facial-recognition-techgg},
urldate = {2017-03-12},
}
@online{eff:fbi-bio,
author = {Lynch, Jennifer},
title = {New Report: FBI Can Access Hundreds of Millions of Face
Recognition Photos},
organization = {Electronic Frontier Foundation},
date = {2016-06-15},
url = {https://www.eff.org/deeplinks/2016/06/fbi-can-search-400-million-face-recognition-photos},
urldate = {2017-03-12},
}
@online{cbs:sf-smile,
author = {Borba, Andria},
title = {Nowhere To Hide: Few Public Places Without Surveillance Cameras
In San Francisco},
organization = {CBS},
date = {2015-09-24},
url = {http://sanfrancisco.cbslocal.com/2015/09/24/san-francisco-surveillance-camera-tenderloin/},
urldate = {2017-03-12},
}
@online{pbs:nova:boston,
author = {O'Brien, Michael
and Cort, Julia},
title = {Manhunt---{Boston Bombers}},
subtitle = {Which technologies worked—and which didn't---in the race to
track down the men behind the marathon attack?},
organization = {WGBH Educational Foundation},
date = {2013-05-29},
url = {http://www.pbs.org/wgbh/nova/tech/manhunt-boston-bombers.html},
urldate = {2017-03-13},
annotation = {Specificall, pay attention to the Domain Awareness System
and other surveillance capabilities. Transcript
available.},
}
@online{reuters:nypd-das,
author = {Francescani, Chris},
title = {NYPD expands surveillance net to fight crime as well as terrorism},
organization = {Reuters},
date = {2013-06-21},
url = {http://www.reuters.com/article/usa-ny-surveillance-idUSL2N0EV0D220130621},
urldate = {2017-03-13},
}
@online{wired:pixel-face,
author = {Newman, Lily Hay},
title = {AI Can Recognize Your Face Even If Youre Pixelated},
organization = {Wired},
date = {2016-09-12},
url = {https://www.wired.com/2016/09/machine-learning-can-identify-pixelated-faces-researchers-show/},
urldate = {2017-03-13},
}
@online{arxiv:google-pixel-res,
author = {Dahl, Ryan
and Norouzi, Mohammad
and Shlens, Jonathan},
title = {Pixel Recursive Super Resolution},
organization = {Google Brain},
date = {2017-02-02},
archivePrefix= {arXiv},
eprint = {1702.00783},
primaryClass = {cs.CV},
}
@online{fast:das,
author = {Ungerleider, Neal},
title = {NYPD, Microsoft Launch All-Seeing “Domain Awareness System” With
Real-Time CCTV, License Plate Monitoring},
subtitle = {The New York Police Department has a new terrorism detection
system that will also generate profit for the city},
organization = {Fast Company},
date = {2012-08-08},
url = {https://www.fastcompany.com/3000272/nypd-microsoft-launch-all-seeing-domain-awareness-system-real-time-cctv-license-plate-monito},
urldate = {2017-03-13},
}
@online{nyc:pspg,
title = {Public Security Privacy Guidelines},
url = {http://www.nyc.gov/html/nypd/downloads/pdf/crime_prevention/public_security_privacy_guidelines.pdf},
urldate = {2017-03-13},
annotation = {Information about the NYPD's Domain Awareness System.}
}


@ -13,150 +13,6 @@
#+COLUMNS: %40ITEM %10DURATION{:} %8TODO %BEAMER_ENV(ENVIRONMENT)
#+BEGIN: columnview :hlines 3 :id global
| ITEM | DURATION | TODO | ENVIRONMENT |
|-----------------------------------------------+----------+----------+---------------|
| * LaTeX Configuration | | | |
|-----------------------------------------------+----------+----------+---------------|
| * Slides | 0:47 | LACKING | |
|-----------------------------------------------+----------+----------+---------------|
| ** Introduction / Opening | 00:01 | REVIEWED | fullframe |
|-----------------------------------------------+----------+----------+---------------|
| ** Mobile [0/5] | 0:07 | REVIEWED | |
|-----------------------------------------------+----------+----------+---------------|
| *** Introduction | 0:00 | REVIEWED | ignoreheading |
| **** Introduction | 00:00:15 | REVIEWED | fullframe |
|-----------------------------------------------+----------+----------+---------------|
| *** Cell Towers [0/2] | 0:02 | REVIEWED | |
| **** Fundamentally Needed | 00:00:45 | REVIEWED | |
| **** Cell-Site Simulators | 00:00:45 | REVIEWED | |
|-----------------------------------------------+----------+----------+---------------|
| *** Wifi [0/3] | 0:01 | REVIEWED | |
| **** ESSID and MAC Broadcast | 00:01 | REVIEWED | |
|-----------------------------------------------+----------+----------+---------------|
| *** Geolocation [0/3] | 0:02 | REVIEWED | |
| **** GPS | 00:01 | REVIEWED | |
| **** But I Want GPS! | 00:00:30 | REVIEWED | |
| **** Location Services | 00:00:45 | REVIEWED | |
|-----------------------------------------------+----------+----------+---------------|
| *** Operating System [0/3] | 0:02 | REVIEWED | |
| **** Untrusted/Proprietary OS | 00:00:45 | REVIEWED | |
| **** Free/Libre Mobile OS? | 00:00:30 | REVIEWED | |
| **** Modem Isolation | 00:00:30 | REVIEWED | |
|-----------------------------------------------+----------+----------+---------------|
| ** Stationary [0/5] | 0:08 | LACKING | |
|-----------------------------------------------+----------+----------+---------------|
| *** Introduction [0/1] | 0:00 | DRAFT | ignoreheading |
| **** Introduction | 00:00:30 | DRAFT | fullframe |
|-----------------------------------------------+----------+----------+---------------|
| *** Surveillance Cameras [0/2] | 0:00 | DRAFT | |
| **** Unavoidable Surveillance | | DRAFT | |
| **** Access to Data | 00:00:30 | DRAFT | |
|-----------------------------------------------+----------+----------+---------------|
| *** Internet of Things [0/4] | 0:04 | LACKING | |
| **** Internet-Connected Cameras | 00:00:30 | DRAFT | |
| **** The ``S'' In IoT Stands For ``Security'' | 00:01:30 | LACKING | |
| **** Who's Watching? | 00:00:30 | DEVOID | |
| **** Facial Recognition | 00:01 | DRAFT | |
|-----------------------------------------------+----------+----------+---------------|
| *** Social Media [0/1] | 0:01 | DRAFT | |
| **** Collateral Damage | 00:01 | DRAFT | |
|-----------------------------------------------+----------+----------+---------------|
| *** Driving [0/3] | 0:02 | RAW | |
| **** Introduction | 00:00:30 | DRAFT | fullframe |
| **** ALPRs | 00:01 | LACKING | |
| **** Car Itself | 00:00:30 | LACKING | |
|-----------------------------------------------+----------+----------+---------------|
| ** The Web [0/6] | 0:10 | LACKING | |
|-----------------------------------------------+----------+----------+---------------|
| *** Introduction [0/1] | | DRAFT | ignoreheading |
| **** Introduction | | DRAFT | fullframe |
|-----------------------------------------------+----------+----------+---------------|
| *** Bridging the Gap [0/1] | 0:01 | LACKING | |
| **** Ultrasound Tracking | 00:01 | LACKING | |
|-----------------------------------------------+----------+----------+---------------|
| *** Incentive to Betray [0/1] | 0:00 | DRAFT | |
| **** Summary | 00:00:30 | DRAFT | fullframe |
|-----------------------------------------------+----------+----------+---------------|
| *** Analytics [0/2] | 0:02 | LACKING | |
| **** Trackers | 00:01 | LACKING | |
| **** Like Buttons | 00:01 | DRAFT | |
|-----------------------------------------------+----------+----------+---------------|
| *** Fingerprinting [0/3] | 0:03 | LACKING | |
| **** Summary | | DRAFT | |
| **** Alarmingly Effective | 00:03 | LACKING | fullframe |
| **** User Agent | | DRAFT | |
|-----------------------------------------------+----------+----------+---------------|
| *** Anonymity [0/4] | 0:04 | DRAFT | |
| **** Summary | 00:01 | DRAFT | fullframe |
| ***** Anonymity | | | |
| ***** Pseudonymity | | | |
| **** IANAAE | | DRAFT | fullframe |
| **** The Tor Network | 00:01 | DRAFT | |
| **** TorBrowser, Tails, and Whonix | 00:02 | DRAFT | |
|-----------------------------------------------+----------+----------+---------------|
| ** Data Analytics [0/2] | 0:04 | LACKING | |
|-----------------------------------------------+----------+----------+---------------|
| *** Introduction [0/1] | 0:00 | DRAFT | ignoreheading |
| **** Introduction | 00:00 | DRAFT | fullframe |
|-----------------------------------------------+----------+----------+---------------|
| *** Headings [0/3] | 0:04 | LACKING | |
| **** Advertisers | 00:02 | LACKING | |
| **** Social Media | 00:01 | DEVOID | |
| **** Governments | 00:00:30 | DEVOID | |
|-----------------------------------------------+----------+----------+---------------|
| ** Policy and Government [0/6] | 0:12 | LACKING | |
|-----------------------------------------------+----------+----------+---------------|
| *** Introduction [0/1] | 0:00 | DRAFT | ignoreheading |
| **** Introduction | 00:00:30 | DRAFT | fullframe |
|-----------------------------------------------+----------+----------+---------------|
| *** Surveillance [0/7] | 0:06 | LACKING | |
| **** History of NSA Surveillance | 00:02 | DRAFT | |
| **** Ron Wyden | | DRAFT | fullframe |
| **** The Leak | | DRAFT | fullframe |
| **** Verizon Metadata | 00:00:30 | DRAFT | |
| **** PRISM | | DRAFT | |
| **** Snowden | 00:01 | DRAFT | |
| **** Tools | 00:02 | DEVOID | |
|-----------------------------------------------+----------+----------+---------------|
| *** Crypto Wars [0/6] | 0:04 | LACKING | |
| **** Introduction | 00:00 | DRAFT | fullframe |
| **** Export-Grade Crypto | 00:01:30 | DRAFT | |
| **** Bernstein v. United States | 00:01 | DRAFT | |
| **** The First Crypto Wars | 00:01 | DRAFT | |
| **** Re-repeats Itself | 00:00 | DRAFT | fullframe |
| **** Modern Crypto Wars | | DRAFT | fullframe |
| **** ``Going Dark'' | | DEVOID | |
|-----------------------------------------------+----------+----------+---------------|
| *** Espionage [0/1] | 0:01 | LACKING | |
| **** US Can't Keep Its Own Secrets | 00:01 | DEVOID | |
|-----------------------------------------------+----------+----------+---------------|
| *** Subpoenas, Warrants, NSLs [0/1] | 0:01 | LACKING | |
| **** National Security Letters | 00:01 | DEVOID | |
|-----------------------------------------------+----------+----------+---------------|
| *** Law [0/1] | 0:01 | LACKING | |
| **** Summary | 00:01 | DEVOID | fullframe |
|-----------------------------------------------+----------+----------+---------------|
| ** Your Fight [0/1] | 0:05 | LACKING | |
|-----------------------------------------------+----------+----------+---------------|
| *** Headings [0/6] | 0:05 | LACKING | |
| **** Feeding | 00:00 | DRAFT | fullframe |
| **** SaaSS and Centralization | 00:01 | DEVOID | |
| **** Corporate Negligence | 00:01 | LACKING | |
| **** Status Quo | 00:02 | DRAFT | |
| **** Status Quo Cannot Hold | | DRAFT | fullframe |
| **** Push Back | 00:01 | DRAFT | fullframe |
|-----------------------------------------------+----------+----------+---------------|
| ** Thank You | | | fullframe |
|-----------------------------------------------+----------+----------+---------------|
| ** References | | | appendix |
|-----------------------------------------------+----------+----------+---------------|
| * Exporting | | | |
|-----------------------------------------------+----------+----------+---------------|
| * Local Variables | | | |
#+END
#+BEGIN_COMMENT
*Remember the themes!*:
- Surreptitious
@ -294,7 +150,7 @@ In other words: they're excellent tracking devices.
:DURATION: 00:00:45
:END:
- Phone needs tower to make and receive calls
- Gives away approximate location (can triangulate)
- Gives away approximate location\cite{pbs:nova:boston}
#+BEGIN_COMMENT
The primary reason is inherent in a phone's design:
@ -303,6 +159,9 @@ A phone "needs" to be connected to a tower to make and receive calls.
Unless it is off or otherwise disconnected (like airplane mode),
its connection to the cell tower exposes your approximate location.
If the signal reaches a second tower,
the potential location can be calculated from the signal delay.
You can also triangulate.
These data persist for as long as the phone companies are willing to persist
it.
@ -607,13 +466,13 @@ So even with Replicant,
** LACKING Stationary [0/5]
*** DRAFT Introduction [0/1] :B_ignoreheading:
*** REVIEWED Introduction [0/1] :B_ignoreheading:
:PROPERTIES:
:BEAMER_env: ignoreheading
:END:
**** DRAFT Introduction :B_fullframe:
**** REVIEWED Introduction :B_fullframe:
:PROPERTIES:
:DURATION: 00:00:30
:DURATION: 00:00:15
:BEAMER_env: fullframe
:END:
@ -629,15 +488,18 @@ Or maybe you've mitigated those threats in some way.
There's certain things that are nearly impossible to avoid.
#+END_COMMENT
*** DRAFT Surveillance Cameras [0/2]
**** DRAFT Unavoidable Surveillance
*** REVIEWED Surveillance Cameras [0/6]
**** REVIEWED Unavoidable Surveillance
:PROPERTIES:
:DURATION: 00:00:10
:END:
- Security cameras are everywhere
- Homes
- Private businesses
- Traffic cameras
- Streets
- ...
\cite{intercept:nyc-surveil,cbs:sf-smile,fast:das}
- Businesses
- Traffic
- Streets/sidewalks
- Public transportation
#+BEGIN_COMMENT
On the way here,
@ -645,53 +507,200 @@ On the way here,
They could be security cameras for private businesses.
Traffic cameras.
Cameras on streets to deter crime.
Let's set aside local, state, and federal-owned cameras for a moment
and focus on businesses.
So a bunch of separate businesses have you on camera.
So what?
#+END_COMMENT
**** DRAFT Access to Data
**** REVIEWED Private Cameras in Plain View; Tinerloin, SF
:PROPERTIES:
:DURATION: 00:00:30
:END:
- <1> Data can be subpoenaed or obtained with a warrant
- <1> If law enforcement wants to track you, they can
- <2> If you own a surveillance system, be responsible and considerate
- <2> Best way to restrict data is to avoid collecting it to begin with
#+BEGIN_CENTER
#+ATTR_LATEX: :height 1.25in
[[./images/sf-cameras.jpg]]
\incite{cbs:sf-smile}
#+END_CENTER
#+BEGIN_QUOTE
``The idea that you can sort of meet in a public place and quietly have a
conversation that were sort of accustomed to from spy movies, that is
really not realistic anymore,'' ---Nadia Kayyali, EFF
#+END_QUOTE
#+BEGIN_COMMENT
Well one of the most obvious threats, should it pertain to you, is a
subpoena.
If law enforcement wanted to track you for whatever reason---crime or
not!---they could simply subpoena the surrounding area.
This is a map of private surveillance cameras in plain view around SF's
Tenderloin neighborhood.
Obviously your city or town might be different.
Could be worse, even.
And again, these are just the ones that the DA's office found in
/plain view/!
According to them,
people who live in this neighborhood could be on camera dozens of times in
a single day.
Alright, so a bunch of private entities have you on camera;
So what?
#+END_COMMENT
**** REVIEWED Access to Data
:PROPERTIES:
:DURATION: 00:01
:END:
- <1-> Data can be obtained with a warrant or subpoena
- <2-> Data can be compromised
- <3-> Chilling effect
- <4-> **If you own a surveillance system, be responsible and considerate**
- <4-> Best way to restrict data is to /avoid collecting it to begin with/
#+BEGIN_COMMENT
Well one of the most obvious threats,
should it pertain to you,
is a warrant or subpoena.
Most of us aren't going to have to worry about a crime.
Data can be compromised.
And it isn't possible for you to audit it;
you have no idea who has you on camera.
This creates a chilling effect.
You're going to act differently in public knowing that someone might be
watching,
or could be watching later on if recorded.
And some will be paranoid---you don't know if cameras are around.
If you have a surveillance system,
or any sort of public-facing cameras,
please be considerate.
If you only care who is on your property,
don't record the sidewalk in front of your house.
Or at least restrict motion detection to your property.
The best form of privacy is to avoid having the data be collected to begin
with.
#+END_COMMENT
*** LACKING Internet of Things [0/4]
**** DRAFT Internet-Connected Cameras
**** REVIEWED Domain Awareness System (Intro) :B_fullframe:
:PROPERTIES:
:DURATION: 00:00:30
:BEAMER_env: fullframe
:END:
- Cameras used to be ``closed-circuit''
- Today\ldots not always so much
#+BEGIN_CENTER
#+BEGIN_LATEX
\only<1>{What if all those cameras---including private---were connected?}
\only<2>{NYPD---Domain Awareness System}\cite{nyc:pspg}
\only<3>{
#+END_LATEX
#+BEGIN_QUOTE
Although NYPD documents indicate that the system is specifically designed
for anti-terrorism operations, any incidental data it collects ``for a
legitimate law enforcement or public safety purpose'' by DAS can be
utilized by the police department.\cite{fast:das}
#+END_QUOTE
#+LATEX: }
#+END_CENTER
#+BEGIN_COMMENT
...but what if law enforcement didn't have to go door-to-door?
Let's talk about the NYPD's Domain Awareness System.
It was designed in part from the usual unjustifiable and irrational response
to terrorism threats after 9/11.
But any ``incidental data'' can be used by law enforcement.
Yeah, sounds familiar; business as usual.
#+END_COMMENT
**** REVIEWED Domain Awareness System
:PROPERTIES:
:DURATION: 00:01
:END:
- <1-> Partnership between the NYPD and Microsoft at a cost of $230M
in\nbsp{}2013\cite{reuters:nypd-das,nyc:pspg}
- <1-> Surveillance cameras, license plate readers, radiation detectors,
911\nbsp{}system, criminal records, \ldots
- <2-> \gt 6,000 surveillance cameras, $2\over 3$ private
businesses\cite{reuters:nypd-das,pbs:nova:boston}
- <3-> Database of over 16\nbsp{}million plates,
every car going into Lower Manhatten\cite{reuters:nypd-das,pbs:nova:boston}
- <4-> Can search in seconds for terms like
``red baseball cap''\cite{reuters:nypd-das,pbs:nova:boston}
- <4-> Detects ``suspicious behaviors'' like unattended bags and
circling cars\cite{reuters:nypd-das,pbs:nova:boston}
#+BEGIN_COMMENT
The Domain Awareness System is a partnership between Microsoft and the NYPD.
It's mammoth.
It's pretty amazing---it's like science fiction.
But I care about privacy,
so instead I'm going to use adjectives like ``Orwellian''.
It contains over six thousand security cameras,
over two-thirds of which are private closed-circuit cameras.
It includes license plate readers that record everyone going into Lower
Manhattan, along with a database of over sixteen million license plates.
It can search in seconds for very specific terms,
like ``red baseball cap'',
and it can monitor for suspicious behaviors,
like unattended bags,
or cars circling an area.
If it finds an unattended bag,
you can rewind to find who left it.
A lot of us are programmers---
think about the realtime analysis of all of these frames.
It really is a fascinating field to work in.
But there's serious ethical concerns with how it's applied.
This thing also integrates the 911 system, radiation detectors, criminal
records, etc.
This is the direction we're heading in---
these things will only spread.
In fact,
the NYPD will get 30% of the profits from selling it to others.
#+END_COMMENT
**** DEVOID Automated License Plate Readers (ALPRs)
:PROPERTIES:
:DURATION: 00:00
:END:
#+BEGIN_COMMENT
So before we leave the topic of government surveillance for a little bit,
I want to talk about automated license plate readers.
These things are a widespread, nasty threat to privacy,
and they don't need a sophisticated Domain Awareness System to deploy.
#+END_COMMENT
*** DRAFT Internet of Things [0/4]
**** REVIEWED Internet-Connected Cameras
:PROPERTIES:
:DURATION: 00:00:45
:END:
#+BEGIN_CENTER
#+BEAMER: \only<1>{Cameras used to be ``closed-circuit''}
#+BEAMER: \only<2>{Today\ldots not always so much}
#+END_CENTER
#+BEGIN_COMMENT
In the past, these cameras were "closed-circuit"---
they were on their own segregated network.
You'd _have_ to subpoena the owner,
You'd _have_ to subpoena the owner or get a warrant,
or otherwise physically take the tape.
Today, that might be the intent, but these cameras are often
Today...that might be the intent, but these cameras are often
connected to the Internet for one reason or another.
It might be intentional---to view the camera remotely---or it may just be
how it is set up by default.
It might be intentional---to view the camera remotely or on a device---or it
may just be how the camera is set up by default.
Well...
Let's expand our pool of cameras a bit.
@ -701,14 +710,17 @@ Home security systems.
Baby monitors.
#+END_COMMENT
**** LACKING The ``S'' In IoT Stands For ``Security''
**** REVIEWED The ``S'' In IoT Stands For ``Security''
:PROPERTIES:
:DURATION: 00:01:30
:DURATION: 00:01
:END:
- Shodan---IoT search engine
- Mirai
- ...<other concerns>
- <1-> Shodan---IoT search engine\cite{shodan}
- <2-> You'll also find other interesting things. Secure your databases.
\cite{krebs:mongodb}
- <2-> Can search for specific devices
- <2-> If you are vulnerable, someone will find you
- <3-> Top voted search was ``Webcam'' when I was writing this slide
#+BEGIN_COMMENT
Who here has heard of Shodan?
@ -716,65 +728,135 @@ Who here has heard of Shodan?
Shodan is a search engine for the Internet of Things.
It spiders for Internet-connected devices and indexes them.
Okay, that's to be expected.
Maybe that wouldn't be a problem if people knew proper NAT configuration
that isn't subverted by UPnP.
Maybe it wouldn't be a problem if these devices even gave a moment of
Maybe that wouldn't be a problem if NAT configuration weren't subverted by
UPnP.
Or maybe it wouldn't be a problem if these devices even gave a moment of
thought to security.
It also indexes other interesting things.
For example,
it was used to find unsecured MongoDB instances so that the attackers
could hold data for ransom.
Secure your databases.
So people can find your stuff.
If an attacker knows that some device is vulnerable,
Shodan can be used to search for that device.
At the time I was writing this,
the top voted search under "Explore" was "Webcam".
Followed by "Cams", "Netcam", and "default password".
#+END_COMMENT
**** DEVOID Who's Watching?
**** DRAFT Who's Watching?
:PROPERTIES:
:DURATION: 00:00:30
:END:
- Insecam
- <Add information>
- Insecam is a directory of Internet-connected surveillance
cameras\cite{insecam}
- Live video feeds (browser connects directly to cameras)
#+BEGIN_COMMENT
But Shodan isn't the only thing out there.
Anyone heard of Insecam?
It's a site that aggregates live video feeds of unsecured IP cameras.
I can tell you personally that you feel like a scumbag looking at the site.
There's fascinating things on there.
And sobering ones.
And creepy ones.
Restaurants---families eating dinner; chefs preparing food in the back.
Public areas---beaches, pools, walkways, city streets.
Private areas---inside homes; private businesses. Hotel clerks sitting
behind desks on their cell phones. Warehouses.
Behind security desks.
Behind cash registers.
Hospital rooms.
Inside surveillance rooms where people watch their surveillance system!
With armed guards!
Scientific research: people in full dress performing experiments.
#+END_COMMENT
**** DRAFT Insecam Example 1 :B_fullframe:
:PROPERTIES:
:BEAMER_env: fullframe
:END:
#+BEGIN_CENTER
#+ATTR_LATEX: :height 1in
[[./images/insecam-01.png]]
#+LATEX: \hspace{0.1in}
#+ATTR_LATEX: :height 1in
[[./images/insecam-06.png]]
#+ATTR_LATEX: :height 1in
[[./images/insecam-03.png]]
#+LATEX: \hspace{0.1in}
#+ATTR_LATEX: :height 1in
[[./images/insecam-05.png]]
#+END_CENTER
#+BEGIN_COMMENT
Here are some examples.
I blurred any identifying features for privacy.
We have surveillance rooms where people watch their surveillance system!
Inception-kinda thing going on here.
Also doesn't help that they are watching the TV on the wall too.
There's many public swimming pools.
Elevator are awkward enough to begin with.
How about someone watching you in such a vulnerable space?
A photolithography lab.
#+END_COMMENT
**** DRAFT Example 2 :B_fullframe:
:PROPERTIES:
:BEAMER_env: fullframe
:END:
#+BEGIN_CENTER
#+ATTR_LATEX: :height 1in
[[./images/insecam-02.png]]
#+LATEX: \hspace{0.1in}
#+ATTR_LATEX: :height 1in
[[./images/insecam-04.png]]
#+END_CENTER
#+BEGIN_COMMENT
If you thought those were personal.
Inside hospital rooms.
This patient has an ice pack strapped to the side of her face.
How about inside someone's home?
This looks to be a bedroom.
There is a family photo on the wall that's in view.
I saw someone at the dentist getting a teeth cleaning.
Anything you can think of.
You can literally explore the world.
There are some beautiful sights! Absolutely gorgeous.
They remove things that are too deeply personal.
Assuming someone reports it.
I didn't copy that photo at the time.
This is an excellent example to demonstrate to others why this is such a big
deal.
So that's what your average person can do.
That's what some of you are going to be doing as soon as you leave this
talk, if you haven't started looking already!
That's what law enforcement is going to do.
That's what the NSA, GHCQ, et. al. are going to do.
Especially those home cameras.
I wish I knew whose camera that was,
so that they could be notified.
These people are unaware.
And these manufactuers set them up for this.
#+END_COMMENT
**** DRAFT Facial Recognition
**** REVIEWED Biometrics
:PROPERTIES:
:DURATION: 00:01
:DURATION: 00:00:45
:END:
- <1-> Humans no longer need to scour video feeds
- <2-> Facial recognition widely used even for entertainment
- <3-> No face? Check your gait.
- <1-> Humans no longer need to scour video
feeds\cite{eff:facial-tech,churchix,facefirst,pbs:nova:boston}
- <1-> Facial recognition widely used, even for
mobile\nbsp apps\cite{register:fb-scan,eff:ios-photo-diff,eff:fbi-bio}
- <2-> NYPD has a gallery of over 4M individuals\cite{pbs:nova:boston}
- <2-> Quality can be low and pixelated; various machine learning
algorithms\cite{pbs:nova:boston,wired:pixel-face,arxiv:google-pixel-res}
- <3-> No face? Check your gait.\cite{ieee:gait,ijca:gait}
- <4-> No gait? Well\ldots whatever, just ask Facebook.\cite{newsci:fb-noface}
- <5-> Even fingerprints and iris from high-resolutions photos\cite{bio:iris}
#+BEGIN_COMMENT
Now let's couple that with facial recognition.
@ -785,27 +867,37 @@ People don't need to manually look for you anymore;
it's automated.
Hell, any of us can download a free (as in freedom) library to do facial
recognition and train it to recognize people.
Facebook famously got creepy by saying it could recognize people by their
dress and posture, from behind.
It doesn't even have to be clear---
there's machine learning algorithms to reconstruct pixelated faces with
somewhat decent accuracy to be useful.
The NYPD has over 4 million people's images in a database that they compare
against during facial recognition.
You don't need facial recognition, though.
Don't have a face?
You can also be identified by your gait.
No gait?
Facebook famously got even creepier by saying it could recognize people by
their dress, posture, and hair, without seeing their face.
Your fingerprints and iris data can even be extracted from high-resolution
photos;
a cracker used such a method to defeat Apple's TouchID by making a mould.
There's a lot to say about IoT.
There's a lot more to say about IoT.
We'll come back to it.
#+END_COMMENT
*** DRAFT Social Media [0/1]
**** DRAFT Collateral Damage
*** REVIEWED Social Media [0/1]
**** REVIEWED Collateral Damage
:PROPERTIES:
:DURATION: 00:01
:DURATION: 00:00:45
:END:
- <1-> Don't put pictures of me on Facebook
- <1-> Don't put pictures of my children _anywhere_
- <2-> That person in the distance that happens to be in your photo has
been inflicted with collateral damage
- <1-> Please don't put pictures of me on Facebook\cite{rms:facebook}
- <1-> Don't put pictures of my children _anywhere_\cite{techcrunch:fb-baby}
- <2-> That person in the distance is collateral
damage\cite{register:fb-scan,guardian:fb-scan,pbs:nova:boston}
#+BEGIN_COMMENT
So you don't have any unsecured IoT cameras in your home.
@ -815,10 +907,6 @@ But you do have unsecured people running wild with their photos and their
I'm sure you've heard a frequent request/demand from rms:
"Don't put pictures of me on Facebook."
This applies to all social media, really.
I just mentioned facial recognition---
this is precisely what Facebook (for example) made it for!
To identify people you might know to tag them.
It's excellent surveillance.
What irks me is when people try to take pictures of my kids,
or do and ask if they can put them online.
@ -841,14 +929,16 @@ If I'm off in the background when you take a picture of your friends in the
:BEAMER_env: fullframe
:END:
- Do you drive a vehicle?
#+BEGIN_CENTER
Do you drive a vehicle?
#+END_CENTER
#+BEGIN_COMMENT
Okay.
So you have no phone.
You sneak around public areas like a ninja.
Like a vampire, you don't show up in photos.
You don't show up in photos like a vampire.
And you have no friends.
So how else can I physically track you in your travels here?