From f12db70e6969dfb32ff3a85b78f3d6c42411948a Mon Sep 17 00:00:00 2001
From: Mike Gerwitz
Date: Sun, 12 Mar 2017 04:06:15 -0400
Subject: [PATCH] images/Makefile: Add file.
---
 images/Makefile | 25 +++
 sapsf.bib | 240 +++++++++++++++++++++
 slides.org | 556 ++++++++++++++++++++++++++++--------------------
 3 files changed, 588 insertions(+), 233 deletions(-)
 create mode 100644 images/Makefile
diff --git a/images/Makefile b/images/Makefile
new file mode 100644
index 0000000..bc1b28c
--- /dev/null
+++ b/images/Makefile
@@ -0,0 +1,25 @@
+# Third-party image retrieval
+#
+# Licensed under the CC0 1.0 Universal license (public domain).
+##
+
+images := sf-cameras.jpg alpr-mounted.png alpr-capture.png \
+ alpr-pips.png
+
+define imgfetch
+ torify wget -O
+endef
+
+all: $(images)
+
+sf-cameras.jpg:
+ $(imgfetch) "$@" 'https://cbssanfran.files.wordpress.com/2015/09/san_francisco_surveillance_cameras_092315.jpg'
+
+alpr-mounted.png:
+ $(imgfetch) "$@" 'https://www.eff.org/files/2015/10/20/paxton_and_spencer_.png'
+
+alpr-capture.png:
+ $(imgfetch) "$@" 'https://www.eff.org/files/2015/10/20/paxton_captures.png'
+
+alpr-pips.png:
+ $(imgfetch) "$@" 'https://www.eff.org/files/2015/10/15/pipscam9_redacted.png'
diff --git a/sapsf.bib b/sapsf.bib
index 512b9e0..7eb96d6 100644
--- a/sapsf.bib
+++ b/sapsf.bib
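Review bot: A fetch that fails part-way leaves a truncated `$@` on disk that the next `make` run treats as up to date, because `wget -O "$@"` creates the output file before the transfer has succeeded and make does not remove a target whose recipe failed; adding `.DELETE_ON_ERROR:` at the top of the new Makefile makes a failed recipe delete its target so the image is re-fetched. The downloaded images are also accepted as-is: none of the four rules checks what `torify wget` actually returned, so a changed, replaced or error-page upstream file silently ends up in the rendered slides. Recording a SHA-256 per image and checking it after the download pins what gets built; the sketch below uses placeholder digests that would be recorded from a trusted first fetch.
```makefile
# Remove a target whose recipe failed, so a truncated download is
# re-fetched instead of being treated as up to date.
.DELETE_ON_ERROR:

# Expected SHA-256 per image; PLACEHOLDER values, record them from a
# trusted first fetch.
sha256_sf-cameras.jpg := <sha256-placeholder>
# … one such line per image in $(images) …

# Compare the downloaded file against its recorded digest; a mismatch
# fails the recipe and .DELETE_ON_ERROR removes the file.
define imgverify
	echo "$(sha256_$@)  $@" | sha256sum -c -
endef

# … unchanged: images list, imgfetch, all …

sf-cameras.jpg:
	$(imgfetch) "$@" 'https://cbssanfran.files.wordpress.com/2015/09/san_francisco_surveillance_cameras_092315.jpg'
	$(imgverify)

# … unchanged: the other three rules gain the same $(imgverify) line …
```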
@@ -222,3 +222,243 @@ history, telephone numbers, IMEIs, etc to third-party servers without users' knolwedge or censent} } + +@online{intercept:nyc-surveil, + author = {Currier, Cora}, + title = {A Walking Tour of New York's Massive Surveillance Network}, + organization = {The Intercept}, + date = {2016-09-24}, + url = {https://theintercept.com/2016/09/24/a-walking-tour-of-new-yorks-massive-surveillance-network/}, + urldate = {2017-03-12}, +} + +@online{shodan, + title = {Shodan}, + subtitle = {The search engine for the Internet of Things}, + url = {https://shodan.io}, + urldate = {2017-03-12}, +} + +@online{krebs:mongodb, + author = {Krebs, Brian}, + title = {Extortionists Wipe Thousands of Databases, + Victims Who Pay Up Get Stiffed}, + url = {https://krebsonsecurity.com/2017/01/extortionists-wipe-thousands-of-databases-victims-who-pay-up-get-stiffed/}, + urldate = {2017-03-12}, +} + +@online{insecam, + title = {Insecam - World biggest online cameras directory}, + url = {http://insecam.org}, + urldate = {2017-03-12}, + annotation = {Load the HTTP (non-HTTPS) site, otherwise mixed content is + blocked and thumbnails will not work.} +} + +@article{ieee:gait, + author = {Rogez, Gr\'egory + and Rihan, Jonathan + and Guerrero, Jose J.}, + title = {Monocular {3D} Gait Tracking in Surveillance Scenes}, + journal = {IEEE Transactions on Cybernetics}, + url = {http://vision.ics.uci.edu/papers/RogezRGO_Cybernetics_2013/RogezRGO_Cybernetics_2013.pdf} +} + +@article{ijca:gait, + author = {Vaidya, Sonali + and Shah, Kamal}, + title = {Real Time Video Surveillance System}, + journal = {International Journal of Computer Applications}, + volume = 86, + pages = {22-27}, + year = 2014, + url = {http://research.ijcaonline.org/volume86/number14/pxc3893419.pdf}, + annotation = {Discusses realtime gait analysis for video surveillance}, +} + + +@online{newsci:fb-noface, + author = {Rutkin, Aviva}, + title = {Facebook can recognize you in photos even if you're not looking}, + 
organization = {New Scientist}, + url = {https://www.newscientist.com/article/dn27761-facebook-can-recognise-you-in-photos-even-if-youre-not-looking/}, + urldate = {2017-03-12}, +} + +@online{rms:facebook, + author = {Stallman, Richard}, + title = {Reasons not to use (i.e., be used by) {Facebook}}, + url = {https://stallman.org/facebook.html}, + urldate = {2017-03-12}, +} + +@online{register:fb-scan, + author = {Chirgwin, Richard}, + title = {Facebook conjures up a trap for the unwary: scanning your camera + for your friends}, + subtitle = {Auto-spam your friends with Photo Magic}, + organization = {The Register}, + url = {https://web.archive.org/web/20160605165148/http://www.theregister.co.uk/2015/11/10/facebook_scans_camera_for_your_friends/}, + urldate = {2017-03-12}, + annotation = {Archive.org link used because The~Register blocks + Tor~users unless they execute proprietary JavaScript.}, +} + +@online{guardian:fb-scan, + author = {Arthur, Charles}, + title = {Facebook in new privacy row over facial recognition feature}, + subtitle = {Social network turns on new feature to automatically identify + people in photos, raising questions about privacy + implications of the service}, + organization = {The Guardian}, + date = {2011-06-08}, + url = {https://www.theguardian.com/technology/2011/jun/08/facebook-privacy-facial-recognition}, + urldate = {2017-03-12}, +} + +@online{techcrunch:fb-baby, + author = {Constine, Josh}, + title = {Facebook’s New Photo “Scrapbook” Lets Parents Give Kids An + Official Presence}, + organization = {TechCrunch}, + date = {2016-03-31}, + url = {https://techcrunch.com/2015/03/31/step-1-identify-baby-photo-step-2-hide-baby-photos/}, + urldate = {2017-03-12}, + annotation = {Facebook tricks users into violating their child's privacy + before they have any say in the matter.}, +} + +@online{eff:ios-photo-diff, + author = {Gebhart, Gennie + and Grant, Starchy + and Portnov, Erica}, + title = {Facial Recognition, Differential Privacy, and 
Trade-Offs in + Apple's Latest OS Releases}, + organization = {Electronic Frontier Foundation}, + date = {2016-09-27}, + url = {https://www.eff.org/deeplinks/2016/09/facial-recognition-differential-privacy-and-trade-offs-apples-latest-os-releases}, + + urldate = {2017-03-12}, +} + +@online{churchix, + title = {Churchix Facial Recognition Software}, + subtitle = {Churchix Facial Recognition Software for Event Attendance}, + url = {http://churchix.com/}, + urldate = {2017-03-12}, + annotation = {This software is cited for illustration; do~not use it.} +} + +@online{facefirst, + title = {Face Recognition Software for Retail Stores: \#1~Biometric + Surveillance for Loss Prevention}, + url = {https://www.facefirst.com/industry/retail-face-recognition/}, + urldate = {2017-03-12}, + annotation = {Full-page loading spinner does not remove itself without + running non-free JavaScript; remove it manually using a + web browser with a~debugger. This software is cited for + illustration; do~not use it.}, +} + +@online{bio:iris, + title = {Hacker extracts Merkel's iris image}, + organization = {Planet Biometrics}, + date = {2015-11-30}, + url = {http://www.planetbiometrics.com/article-details/i/3644/}, + urldate = {2017-03-12}, +} + +@online{eff:facial-tech, + author = {Schwartz, Adam}, + title = {The Danger of Corporate Facial Recognition Tech}, + subtitle = {The Illinois Biometric Privacy Statute Survived a Recent + Attack. 
But the Struggle Continues}, + organization = {Electronic Frontier Foundation}, + date = {2016-06-07}, + url = {https://www.eff.org/deeplinks/2016/06/danger-corporate-facial-recognition-techgg}, + urldate = {2017-03-12}, +} + +@online{eff:fbi-bio, + author = {Lynch, Jennifer}, + title = {New Report: FBI Can Access Hundreds of Millions of Face + Recognition Photos}, + organization = {Electronic Frontier Foundation}, + date = {2016-06-15}, + url = {https://www.eff.org/deeplinks/2016/06/fbi-can-search-400-million-face-recognition-photos}, + urldate = {2017-03-12}, +} + +@online{cbs:sf-smile, + author = {Borba, Andria}, + title = {Nowhere To Hide: Few Public Places Without Surveillance Cameras + In San Francisco}, + organization = {CBS}, + date = {2015-09-24}, + url = {http://sanfrancisco.cbslocal.com/2015/09/24/san-francisco-surveillance-camera-tenderloin/}, + urldate = {2017-03-12}, +} + +@online{pbs:nova:boston, + author = {O'Brien, Michael + and Cort, Julia}, + title = {Manhunt---{Boston Bombers}}, + subtitle = {Which technologies worked—and which didn't---in the race to + track down the men behind the marathon attack?}, + organization = {WGBH Educational Foundation}, + date = {2013-05-29}, + url = {http://www.pbs.org/wgbh/nova/tech/manhunt-boston-bombers.html}, + urldate = {2017-03-13}, + annotation = {Specificall, pay attention to the Domain Awareness System + and other surveillance capabilities. 
Transcript + available.}, +} + +@online{reuters:nypd-das, + author = {Francescani, Chris}, + title = {NYPD expands surveillance net to fight crime as well as terrorism}, + organization = {Reuters}, + date = {2013-06-21}, + url = {http://www.reuters.com/article/usa-ny-surveillance-idUSL2N0EV0D220130621}, + urldate = {2017-03-13}, +} + +@online{wired:pixel-face, + author = {Newman, Lily Hay}, + title = {AI Can Recognize Your Face Even If You’re Pixelated}, + organization = {Wired}, + date = {2016-09-12}, + url = {https://www.wired.com/2016/09/machine-learning-can-identify-pixelated-faces-researchers-show/}, + urldate = {2017-03-13}, +} + +@online{arxiv:google-pixel-res, + author = {Dahl, Ryan + and Norouzi, Mohammad + and Shlens, Jonathan}, + title = {Pixel Recursive Super Resolution}, + organization = {Google Brain}, + date = {2017-02-02}, + archivePrefix= {arXiv}, + eprint = {1702.00783}, + primaryClass = {cs.CV}, +} + +@online{fast:das, + author = {Ungerleider, Neal}, + title = {NYPD, Microsoft Launch All-Seeing “Domain Awareness System” With + Real-Time CCTV, License Plate Monitoring}, + subtitle = {The New York Police Department has a new terrorism detection + system that will also generate profit for the city}, + organization = {Fast Company}, + date = {2012-08-08}, + url = {https://www.fastcompany.com/3000272/nypd-microsoft-launch-all-seeing-domain-awareness-system-real-time-cctv-license-plate-monito}, + urldate = {2017-03-13}, +} + +@online{nyc:pspg, + title = {Public Security Privacy Guidelines}, + url = {http://www.nyc.gov/html/nypd/downloads/pdf/crime_prevention/public_security_privacy_guidelines.pdf}, + urldate = {2017-03-13}, + annotation = {Information about the NYPD's Domain Awareness System.} +} diff --git a/slides.org b/slides.org index f5488be..e07bfca 100644 --- a/slides.org +++ b/slides.org 
@@ -13,150 +13,6 @@ #+COLUMNS: %40ITEM %10DURATION{:} %8TODO %BEAMER_ENV(ENVIRONMENT) -#+BEGIN: columnview :hlines 3 :id global -| ITEM | DURATION | TODO | ENVIRONMENT | -|-----------------------------------------------+----------+----------+---------------| -| * LaTeX Configuration | | | | -|-----------------------------------------------+----------+----------+---------------| -| * Slides | 0:47 | LACKING | | -|-----------------------------------------------+----------+----------+---------------| -| ** Introduction / Opening | 00:01 | REVIEWED | fullframe | -|-----------------------------------------------+----------+----------+---------------| -| ** Mobile [0/5] | 0:07 | REVIEWED | | -|-----------------------------------------------+----------+----------+---------------| -| *** Introduction | 0:00 | REVIEWED | ignoreheading | -| **** Introduction | 00:00:15 | REVIEWED | fullframe | -|-----------------------------------------------+----------+----------+---------------| -| *** Cell Towers [0/2] | 0:02 | REVIEWED | | -| **** Fundamentally Needed | 00:00:45 | REVIEWED | | -| **** Cell-Site Simulators | 00:00:45 | REVIEWED | | -|-----------------------------------------------+----------+----------+---------------| -| *** Wifi [0/3] | 0:01 | REVIEWED | | -| **** ESSID and MAC Broadcast | 00:01 | REVIEWED | | -|-----------------------------------------------+----------+----------+---------------| -| *** Geolocation [0/3] | 0:02 | REVIEWED | | -| **** GPS | 00:01 | REVIEWED | | -| **** But I Want GPS! | 00:00:30 | REVIEWED | | -| **** Location Services | 00:00:45 | REVIEWED | | -|-----------------------------------------------+----------+----------+---------------| -| *** Operating System [0/3] | 0:02 | REVIEWED | | -| **** Untrusted/Proprietary OS | 00:00:45 | REVIEWED | | -| **** Free/Libre Mobile OS? 
| 00:00:30 | REVIEWED | | -| **** Modem Isolation | 00:00:30 | REVIEWED | | -|-----------------------------------------------+----------+----------+---------------| -| ** Stationary [0/5] | 0:08 | LACKING | | -|-----------------------------------------------+----------+----------+---------------| -| *** Introduction [0/1] | 0:00 | DRAFT | ignoreheading | -| **** Introduction | 00:00:30 | DRAFT | fullframe | -|-----------------------------------------------+----------+----------+---------------| -| *** Surveillance Cameras [0/2] | 0:00 | DRAFT | | -| **** Unavoidable Surveillance | | DRAFT | | -| **** Access to Data | 00:00:30 | DRAFT | | -|-----------------------------------------------+----------+----------+---------------| -| *** Internet of Things [0/4] | 0:04 | LACKING | | -| **** Internet-Connected Cameras | 00:00:30 | DRAFT | | -| **** The ``S'' In IoT Stands For ``Security'' | 00:01:30 | LACKING | | -| **** Who's Watching? | 00:00:30 | DEVOID | | -| **** Facial Recognition | 00:01 | DRAFT | | -|-----------------------------------------------+----------+----------+---------------| -| *** Social Media [0/1] | 0:01 | DRAFT | | -| **** Collateral Damage | 00:01 | DRAFT | | -|-----------------------------------------------+----------+----------+---------------| -| *** Driving [0/3] | 0:02 | RAW | | -| **** Introduction | 00:00:30 | DRAFT | fullframe | -| **** ALPRs | 00:01 | LACKING | | -| **** Car Itself | 00:00:30 | LACKING | | -|-----------------------------------------------+----------+----------+---------------| -| ** The Web [0/6] | 0:10 | LACKING | | -|-----------------------------------------------+----------+----------+---------------| -| *** Introduction [0/1] | | DRAFT | ignoreheading | -| **** Introduction | | DRAFT | fullframe | -|-----------------------------------------------+----------+----------+---------------| -| *** Bridging the Gap [0/1] | 0:01 | LACKING | | -| **** Ultrasound Tracking | 00:01 | LACKING | | 
-|-----------------------------------------------+----------+----------+---------------| -| *** Incentive to Betray [0/1] | 0:00 | DRAFT | | -| **** Summary | 00:00:30 | DRAFT | fullframe | -|-----------------------------------------------+----------+----------+---------------| -| *** Analytics [0/2] | 0:02 | LACKING | | -| **** Trackers | 00:01 | LACKING | | -| **** Like Buttons | 00:01 | DRAFT | | -|-----------------------------------------------+----------+----------+---------------| -| *** Fingerprinting [0/3] | 0:03 | LACKING | | -| **** Summary | | DRAFT | | -| **** Alarmingly Effective | 00:03 | LACKING | fullframe | -| **** User Agent | | DRAFT | | -|-----------------------------------------------+----------+----------+---------------| -| *** Anonymity [0/4] | 0:04 | DRAFT | | -| **** Summary | 00:01 | DRAFT | fullframe | -| ***** Anonymity | | | | -| ***** Pseudonymity | | | | -| **** IANAAE | | DRAFT | fullframe | -| **** The Tor Network | 00:01 | DRAFT | | -| **** TorBrowser, Tails, and Whonix | 00:02 | DRAFT | | -|-----------------------------------------------+----------+----------+---------------| -| ** Data Analytics [0/2] | 0:04 | LACKING | | -|-----------------------------------------------+----------+----------+---------------| -| *** Introduction [0/1] | 0:00 | DRAFT | ignoreheading | -| **** Introduction | 00:00 | DRAFT | fullframe | -|-----------------------------------------------+----------+----------+---------------| -| *** Headings [0/3] | 0:04 | LACKING | | -| **** Advertisers | 00:02 | LACKING | | -| **** Social Media | 00:01 | DEVOID | | -| **** Governments | 00:00:30 | DEVOID | | -|-----------------------------------------------+----------+----------+---------------| -| ** Policy and Government [0/6] | 0:12 | LACKING | | -|-----------------------------------------------+----------+----------+---------------| -| *** Introduction [0/1] | 0:00 | DRAFT | ignoreheading | -| **** Introduction | 00:00:30 | DRAFT | fullframe | 
-|-----------------------------------------------+----------+----------+---------------| -| *** Surveillance [0/7] | 0:06 | LACKING | | -| **** History of NSA Surveillance | 00:02 | DRAFT | | -| **** Ron Wyden | | DRAFT | fullframe | -| **** The Leak | | DRAFT | fullframe | -| **** Verizon Metadata | 00:00:30 | DRAFT | | -| **** PRISM | | DRAFT | | -| **** Snowden | 00:01 | DRAFT | | -| **** Tools | 00:02 | DEVOID | | -|-----------------------------------------------+----------+----------+---------------| -| *** Crypto Wars [0/6] | 0:04 | LACKING | | -| **** Introduction | 00:00 | DRAFT | fullframe | -| **** Export-Grade Crypto | 00:01:30 | DRAFT | | -| **** Bernstein v. United States | 00:01 | DRAFT | | -| **** The First Crypto Wars | 00:01 | DRAFT | | -| **** Re-repeats Itself | 00:00 | DRAFT | fullframe | -| **** Modern Crypto Wars | | DRAFT | fullframe | -| **** ``Going Dark'' | | DEVOID | | -|-----------------------------------------------+----------+----------+---------------| -| *** Espionage [0/1] | 0:01 | LACKING | | -| **** US Can't Keep Its Own Secrets | 00:01 | DEVOID | | -|-----------------------------------------------+----------+----------+---------------| -| *** Subpoenas, Warrants, NSLs [0/1] | 0:01 | LACKING | | -| **** National Security Letters | 00:01 | DEVOID | | -|-----------------------------------------------+----------+----------+---------------| -| *** Law [0/1] | 0:01 | LACKING | | -| **** Summary | 00:01 | DEVOID | fullframe | -|-----------------------------------------------+----------+----------+---------------| -| ** Your Fight [0/1] | 0:05 | LACKING | | -|-----------------------------------------------+----------+----------+---------------| -| *** Headings [0/6] | 0:05 | LACKING | | -| **** Feeding | 00:00 | DRAFT | fullframe | -| **** SaaSS and Centralization | 00:01 | DEVOID | | -| **** Corporate Negligence | 00:01 | LACKING | | -| **** Status Quo | 00:02 | DRAFT | | -| **** Status Quo Cannot Hold | | DRAFT | fullframe | -| **** 
Push Back | 00:01 | DRAFT | fullframe | -|-----------------------------------------------+----------+----------+---------------| -| ** Thank You | | | fullframe | -|-----------------------------------------------+----------+----------+---------------| -| ** References | | | appendix | -|-----------------------------------------------+----------+----------+---------------| -| * Exporting | | | | -|-----------------------------------------------+----------+----------+---------------| -| * Local Variables | | | | -#+END - - #+BEGIN_COMMENT *Remember the themes!*: - Surreptitious @@ -294,7 +150,7 @@ In other words: they're excellent tracking devices. :DURATION: 00:00:45 :END: - Phone needs tower to make and receive calls -- Gives away approximate location (can triangulate) +- Gives away approximate location\cite{pbs:nova:boston} #+BEGIN_COMMENT The primary reason is inherent in a phone's design: @@ -303,6 +159,9 @@ A phone "needs" to be connected to a tower to make and receive calls. Unless it is off or otherwise disconnected (like airplane mode), its connection to the cell tower exposes your approximate location. +If the signal reaches a second tower, + the potential location can be calculated from the signal delay. +You can also triangulate. These data persist for as long as the phone companies are willing to persist it. @@ -607,13 +466,13 @@ So even with Replicant, ** LACKING Stationary [0/5] -*** DRAFT Introduction [0/1] :B_ignoreheading: +*** REVIEWED Introduction [0/1] :B_ignoreheading: :PROPERTIES: :BEAMER_env: ignoreheading :END: -**** DRAFT Introduction :B_fullframe: +**** REVIEWED Introduction :B_fullframe: :PROPERTIES: -:DURATION: 00:00:30 +:DURATION: 00:00:15 :BEAMER_env: fullframe :END: 
@@ -629,15 +488,18 @@ Or maybe you've mitigated those threats in some way. There's certain things that are nearly impossible to avoid. #+END_COMMENT -*** DRAFT Surveillance Cameras [0/2] -**** DRAFT Unavoidable Surveillance +*** REVIEWED Surveillance Cameras [0/6] +**** REVIEWED Unavoidable Surveillance +:PROPERTIES: +:DURATION: 00:00:10 +:END: - Security cameras are everywhere - - Homes - - Private businesses - - Traffic cameras - - Streets - - ... + \cite{intercept:nyc-surveil,cbs:sf-smile,fast:das} + - Businesses + - Traffic + - Streets/sidewalks + - Public transportation #+BEGIN_COMMENT On the way here, 
@@ -645,53 +507,200 @@ On the way here, They could be security cameras for private businesses. Traffic cameras. Cameras on streets to deter crime. - -Let's set aside local, state, and federal-owned cameras for a moment - and focus on businesses. -So a bunch of separate businesses have you on camera. -So what? #+END_COMMENT - - -**** DRAFT Access to Data + +**** REVIEWED Private Cameras in Plain View; Tinerloin, SF :PROPERTIES: :DURATION: 00:00:30 :END: -- <1> Data can be subpoenaed or obtained with a warrant -- <1> If law enforcement wants to track you, they can -- <2> If you own a surveillance system, be responsible and considerate - - <2> Best way to restrict data is to avoid collecting it to begin with +#+BEGIN_CENTER +#+ATTR_LATEX: :height 1.25in +[[./images/sf-cameras.jpg]] +\incite{cbs:sf-smile} +#+END_CENTER + +#+BEGIN_QUOTE +``The idea that you can sort of meet in a public place and quietly have a +conversation that we’re sort of accustomed to from spy movies, that is +really not realistic anymore,'' ---Nadia Kayyali, EFF +#+END_QUOTE #+BEGIN_COMMENT -Well one of the most obvious threats, should it pertain to you, is a - subpoena. -If law enforcement wanted to track you for whatever reason---crime or - not!---they could simply subpoena the surrounding area. +This is a map of private surveillance cameras in plain view around SF's + Tenderloin neighborhood. +Obviously your city or town might be different. +Could be worse, even. +And again, these are just the ones that the DA's office found in + /plain view/! + +According to them, + people who live in this neighborhood could be on camera dozens of times in + a single day. + +Alright, so a bunch of private entities have you on camera; + So what? 
+#+END_COMMENT + + +**** REVIEWED Access to Data +:PROPERTIES: +:DURATION: 00:01 +:END: + +- <1-> Data can be obtained with a warrant or subpoena +- <2-> Data can be compromised +- <3-> Chilling effect +- <4-> **If you own a surveillance system, be responsible and considerate** + - <4-> Best way to restrict data is to /avoid collecting it to begin with/ + +#+BEGIN_COMMENT +Well one of the most obvious threats, + should it pertain to you, + is a warrant or subpoena. + +Most of us aren't going to have to worry about a crime. +Data can be compromised. +And it isn't possible for you to audit it; + you have no idea who has you on camera. + +This creates a chilling effect. +You're going to act differently in public knowing that someone might be + watching, + or could be watching later on if recorded. +And some will be paranoid---you don't know if cameras are around. + +If you have a surveillance system, + or any sort of public-facing cameras, + please be considerate. +If you only care who is on your property, + don't record the sidewalk in front of your house. +Or at least restrict motion detection to your property. The best form of privacy is to avoid having the data be collected to begin with. 
#+END_COMMENT -*** LACKING Internet of Things [0/4] -**** DRAFT Internet-Connected Cameras +**** REVIEWED Domain Awareness System (Intro) :B_fullframe: :PROPERTIES: :DURATION: 00:00:30 +:BEAMER_env: fullframe :END: -- Cameras used to be ``closed-circuit'' -- Today\ldots not always so much +#+BEGIN_CENTER +#+BEGIN_LATEX +\only<1>{What if all those cameras---including private---were connected?} +\only<2>{NYPD---Domain Awareness System}\cite{nyc:pspg} +\only<3>{ +#+END_LATEX +#+BEGIN_QUOTE + Although NYPD documents indicate that the system is specifically designed + for anti-terrorism operations, any incidental data it collects ``for a + legitimate law enforcement or public safety purpose'' by DAS can be + utilized by the police department.\cite{fast:das} +#+END_QUOTE +#+LATEX: } +#+END_CENTER + + +#+BEGIN_COMMENT +...but what if law enforcement didn't have to go door-to-door? + +Let's talk about the NYPD's Domain Awareness System. + +It was designed in part from the usual unjustifiable and irrational response + to terrorism threats after 9/11. +But any ``incidental data'' can be used by law enforcement. +Yeah, sounds familiar; business as usual. 
+#+END_COMMENT + + +**** REVIEWED Domain Awareness System +:PROPERTIES: +:DURATION: 00:01 +:END: + +- <1-> Partnership between the NYPD and Microsoft at a cost of $230M + in\nbsp{}2013\cite{reuters:nypd-das,nyc:pspg} + - <1-> Surveillance cameras, license plate readers, radiation detectors, + 911\nbsp{}system, criminal records, \ldots +- <2-> \gt 6,000 surveillance cameras, $2\over 3$ private + businesses\cite{reuters:nypd-das,pbs:nova:boston} +- <3-> Database of over 16\nbsp{}million plates, + every car going into Lower Manhatten\cite{reuters:nypd-das,pbs:nova:boston} +- <4-> Can search in seconds for terms like + ``red baseball cap''\cite{reuters:nypd-das,pbs:nova:boston} +- <4-> Detects ``suspicious behaviors'' like unattended bags and + circling cars\cite{reuters:nypd-das,pbs:nova:boston} + +#+BEGIN_COMMENT +The Domain Awareness System is a partnership between Microsoft and the NYPD. +It's mammoth. +It's pretty amazing---it's like science fiction. +But I care about privacy, + so instead I'm going to use adjectives like ``Orwellian''. + +It contains over six thousand security cameras, + over two-thirds of which are private closed-circuit cameras. +It includes license plate readers that record everyone going into Lower + Manhattan, along with a database of over sixteen million license plates. +It can search in seconds for very specific terms, + like ``red baseball cap'', + and it can monitor for suspicious behaviors, + like unattended bags, + or cars circling an area. +If it finds an unattended bag, + you can rewind to find who left it. + +A lot of us are programmers--- + think about the realtime analysis of all of these frames. +It really is a fascinating field to work in. +But there's serious ethical concerns with how it's applied. + +This thing also integrates the 911 system, radiation detectors, criminal + records, etc. + +This is the direction we're heading in--- + these things will only spread. 
+In fact, + the NYPD will get 30% of the profits from selling it to others. +#+END_COMMENT + + +**** DEVOID Automated License Plate Readers (ALPRs) +:PROPERTIES: +:DURATION: 00:00 +:END: + +#+BEGIN_COMMENT +So before we leave the topic of government surveillance for a little bit, + I want to talk about automated license plate readers. +These things are a widespread, nasty threat to privacy, + and they don't need a sophisticated Domain Awareness System to deploy. +#+END_COMMENT + + +*** DRAFT Internet of Things [0/4] +**** REVIEWED Internet-Connected Cameras +:PROPERTIES: +:DURATION: 00:00:45 +:END: + +#+BEGIN_CENTER +#+BEAMER: \only<1>{Cameras used to be ``closed-circuit''} +#+BEAMER: \only<2>{Today\ldots not always so much} +#+END_CENTER #+BEGIN_COMMENT In the past, these cameras were "closed-circuit"--- they were on their own segregated network. -You'd _have_ to subpoena the owner, +You'd _have_ to subpoena the owner or get a warrant, or otherwise physically take the tape. -Today, that might be the intent, but these cameras are often +Today...that might be the intent, but these cameras are often connected to the Internet for one reason or another. -It might be intentional---to view the camera remotely---or it may just be - how it is set up by default. +It might be intentional---to view the camera remotely or on a device---or it + may just be how the camera is set up by default. Well... Let's expand our pool of cameras a bit. 
@@ -701,14 +710,17 @@ Home security systems. Baby monitors. #+END_COMMENT -**** LACKING The ``S'' In IoT Stands For ``Security'' +**** REVIEWED The ``S'' In IoT Stands For ``Security'' :PROPERTIES: -:DURATION: 00:01:30 +:DURATION: 00:01 :END: -- Shodan---IoT search engine -- Mirai -- ... +- <1-> Shodan---IoT search engine\cite{shodan} + - <2-> You'll also find other interesting things. Secure your databases. + \cite{krebs:mongodb} +- <2-> Can search for specific devices +- <2-> If you are vulnerable, someone will find you +- <3-> Top voted search was ``Webcam'' when I was writing this slide #+BEGIN_COMMENT Who here has heard of Shodan? 
@@ -716,65 +728,135 @@ Who here has heard of Shodan? Shodan is a search engine for the Internet of Things. It spiders for Internet-connected devices and indexes them. Okay, that's to be expected. -Maybe that wouldn't be a problem if people knew proper NAT configuration - that isn't subverted by UPnP. -Maybe it wouldn't be a problem if these devices even gave a moment of +Maybe that wouldn't be a problem if NAT configuration weren't subverted by + UPnP. +Or maybe it wouldn't be a problem if these devices even gave a moment of thought to security. + +It also indexes other interesting things. +For example, + it was used to find unsecured MongoDB instances so that the attackers + could hold data for ransom. +Secure your databases. + +So people can find your stuff. +If an attacker knows that some device is vulnerable, + Shodan can be used to search for that device. + +At the time I was writing this, + the top voted search under "Explore" was "Webcam". +Followed by "Cams", "Netcam", and "default password". #+END_COMMENT -**** DEVOID Who's Watching? +**** DRAFT Who's Watching? :PROPERTIES: :DURATION: 00:00:30 :END: -- Insecam - - +- Insecam is a directory of Internet-connected surveillance + cameras\cite{insecam} +- Live video feeds (browser connects directly to cameras) #+BEGIN_COMMENT +But Shodan isn't the only thing out there. Anyone heard of Insecam? + It's a site that aggregates live video feeds of unsecured IP cameras. I can tell you personally that you feel like a scumbag looking at the site. There's fascinating things on there. And sobering ones. And creepy ones. -Restaurants---families eating dinner; chefs preparing food in the back. -Public areas---beaches, pools, walkways, city streets. -Private areas---inside homes; private businesses. Hotel clerks sitting - behind desks on their cell phones. Warehouses. -Behind security desks. -Behind cash registers. -Hospital rooms. -Inside surveillance rooms where people watch their surveillance system! - With armed guards! 
-Scientific research: people in full dress performing experiments. +#+END_COMMENT + + +**** DRAFT Insecam Example 1 :B_fullframe: +:PROPERTIES: +:BEAMER_env: fullframe +:END: + +#+BEGIN_CENTER +#+ATTR_LATEX: :height 1in +[[./images/insecam-01.png]] +#+LATEX: \hspace{0.1in} +#+ATTR_LATEX: :height 1in +[[./images/insecam-06.png]] + +#+ATTR_LATEX: :height 1in +[[./images/insecam-03.png]] +#+LATEX: \hspace{0.1in} +#+ATTR_LATEX: :height 1in +[[./images/insecam-05.png]] +#+END_CENTER + +#+BEGIN_COMMENT +Here are some examples. +I blurred any identifying features for privacy. + +We have surveillance rooms where people watch their surveillance system! + Inception-kinda thing going on here. + Also doesn't help that they are watching the TV on the wall too. + +There's many public swimming pools. + +Elevator are awkward enough to begin with. + How about someone watching you in such a vulnerable space? + +A photolithography lab. +#+END_COMMENT + +**** DRAFT Example 2 :B_fullframe: +:PROPERTIES: +:BEAMER_env: fullframe +:END: + +#+BEGIN_CENTER +#+ATTR_LATEX: :height 1in +[[./images/insecam-02.png]] +#+LATEX: \hspace{0.1in} +#+ATTR_LATEX: :height 1in +[[./images/insecam-04.png]] +#+END_CENTER + +#+BEGIN_COMMENT +If you thought those were personal. + +Inside hospital rooms. + This patient has an ice pack strapped to the side of her face. + +How about inside someone's home? +This looks to be a bedroom. +There is a family photo on the wall that's in view. + I saw someone at the dentist getting a teeth cleaning. -Anything you can think of. -You can literally explore the world. -There are some beautiful sights! Absolutely gorgeous. -They remove things that are too deeply personal. - Assuming someone reports it. +I didn't copy that photo at the time. This is an excellent example to demonstrate to others why this is such a big deal. -So that's what your average person can do. 
-That's what some of you are going to be doing as soon as you leave this - talk, if you haven't started looking already! - -That's what law enforcement is going to do. -That's what the NSA, GHCQ, et. al. are going to do. +Especially those home cameras. +I wish I knew whose camera that was, + so that they could be notified. +These people are unaware. +And these manufactuers set them up for this. #+END_COMMENT -**** DRAFT Facial Recognition +**** REVIEWED Biometrics :PROPERTIES: -:DURATION: 00:01 +:DURATION: 00:00:45 :END: -- <1-> Humans no longer need to scour video feeds -- <2-> Facial recognition widely used even for entertainment -- <3-> No face? Check your gait. +- <1-> Humans no longer need to scour video + feeds\cite{eff:facial-tech,churchix,facefirst,pbs:nova:boston} +- <1-> Facial recognition widely used, even for + mobile\nbsp apps\cite{register:fb-scan,eff:ios-photo-diff,eff:fbi-bio} + - <2-> NYPD has a gallery of over 4M individuals\cite{pbs:nova:boston} + - <2-> Quality can be low and pixelated; various machine learning + algorithms\cite{pbs:nova:boston,wired:pixel-face,arxiv:google-pixel-res} +- <3-> No face? Check your gait.\cite{ieee:gait,ijca:gait} +- <4-> No gait? Well\ldots whatever, just ask Facebook.\cite{newsci:fb-noface} +- <5-> Even fingerprints and iris from high-resolutions photos\cite{bio:iris} #+BEGIN_COMMENT Now let's couple that with facial recognition. 
@@ -785,27 +867,37 @@ People don't need to manually look for you anymore; it's automated.
 Hell, any of us can download a free (as in freedom) library to do facial recognition and train it to recognize people.
-Facebook famously got creepy by saying it could recognize people by their
- dress and posture, from behind.
+It doesn't even have to be clear---
+ there's machine learning algorithms to reconstruct pixelated faces with
+ somewhat decent accuracy to be useful.
+The NYPD has over 4 million people's images in a database that they compare
+ against during facial recognition.
-You don't need facial recognition, though.
+Don't have a face? You can also be identified by your gait.
+No gait?
+Facebook famously got even creepier by saying it could recognize people by
+ their dress, posture, and hair, without seeing their face.
+
+Your fingerprints and iris data can even be extracted from high-resolution
+ photos;
+ a cracker used such a method to defeat Apple's TouchID by making a mould.
-There's a lot to say about IoT.
+There's a lot more to say about IoT.
 We'll come back to it.
 #+END_COMMENT
-*** DRAFT Social Media [0/1]
-**** DRAFT Collateral Damage
+*** REVIEWED Social Media [0/1]
+**** REVIEWED Collateral Damage
 :PROPERTIES:
-:DURATION: 00:01
+:DURATION: 00:00:45
 :END:
-- <1-> Don't put pictures of me on Facebook
-- <1-> Don't put pictures of my children _anywhere_
-- <2-> That person in the distance that happens to be in your photo has
- been inflicted with collateral damage
+- <1-> Please don't put pictures of me on Facebook\cite{rms:facebook}
+- <1-> Don't put pictures of my children _anywhere_\cite{techcrunch:fb-baby}
+- <2-> That person in the distance is collateral
+ damage\cite{register:fb-scan,guardian:fb-scan,pbs:nova:boston}
 #+BEGIN_COMMENT
 So you don't have any unsecured IoT cameras in your home.
@@ -815,10 +907,6 @@ But you do have unsecured people running wild with their photos and their
 I'm sure you've heard a frequent request/demand from rms: "Don't put pictures of me on Facebook."
-This applies to all social media, really.
-I just mentioned facial recognition---
- this is precisely what Facebook (for example) made it for!
-To identify people you might know to tag them.
 It's excellent surveillance.
 What irks me is when people try to take pictures of my kids, or do and ask if they can put them online.
@@ -841,14 +929,16 @@ If I'm off in the background when you take a picture of your friends in the
 :BEAMER_env: fullframe
 :END:
-- Do you drive a vehicle?
+#+BEGIN_CENTER
+Do you drive a vehicle?
+#+END_CENTER
 #+BEGIN_COMMENT
 Okay.
 So you have no phone.
 You sneak around public areas like a ninja.
-Like a vampire, you don't show up in photos.
+You don't show up in photos like a vampire.
 And you have no friends.
 So how else can I physically track you in your travels here?
