mikegerwitz
/
sapsf
1
0
Fork 0
Code Releases Activity
sapsf/slides.org

58 KiB
Raw Blame History

The Surreptitious Assault on Privacy, Security, and Freedom

ITEM DURATION TODO ENVIRONMENT
* LaTeX Configuration
* Slides 0:47 LACKING
** Introduction / Opening 00:01 REVIEWED fullframe
** Mobile [0/5] 0:07 REVIEWED
* Introduction 0:00 REVIEWED ignoreheading
** Introduction 00:00:15 REVIEWED fullframe
* Cell Towers [0/2] 0:02 REVIEWED
** Fundamentally Needed 00:00:45 REVIEWED
** Cell-Site Simulators 00:00:45 REVIEWED
* Wifi [0/3] 0:01 REVIEWED
** ESSID and MAC Broadcast 00:01 REVIEWED
* Geolocation [0/3] 0:02 REVIEWED
** GPS 00:01 REVIEWED
** But I Want GPS! 00:00:30 REVIEWED
** Location Services 00:00:45 REVIEWED
* Operating System [0/3] 0:02 REVIEWED
** Untrusted/Proprietary OS 00:00:45 REVIEWED
** Free/Libre Mobile OS? 00:00:30 REVIEWED
** Modem Isolation 00:00:30 REVIEWED
** Stationary [0/5] 0:08 LACKING
* Introduction [0/1] 0:00 DRAFT ignoreheading
** Introduction 00:00:30 DRAFT fullframe
* Surveillance Cameras [0/2] 0:00 DRAFT
** Unavoidable Surveillance DRAFT
** Access to Data 00:00:30 DRAFT
* Internet of Things [0/4] 0:04 LACKING
** Internet-Connected Cameras 00:00:30 DRAFT
** The ``S'' In IoT Stands For ``Security'' 00:01:30 LACKING
** Who's Watching? 00:00:30 DEVOID
** Facial Recognition 00:01 DRAFT
* Social Media [0/1] 0:01 DRAFT
** Collateral Damage 00:01 DRAFT
* Driving [0/3] 0:02 RAW
** Introduction 00:00:30 DRAFT fullframe
** ALPRs 00:01 LACKING
** Car Itself 00:00:30 LACKING
** The Web [0/6] 0:10 LACKING
* Introduction [0/1] DRAFT ignoreheading
** Introduction DRAFT fullframe
* Bridging the Gap [0/1] 0:01 LACKING
** Ultrasound Tracking 00:01 LACKING
* Incentive to Betray [0/1] 0:00 DRAFT
** Summary 00:00:30 DRAFT fullframe
* Analytics [0/2] 0:02 LACKING
** Trackers 00:01 LACKING
** Like Buttons 00:01 DRAFT
* Fingerprinting [0/3] 0:03 LACKING
** Summary DRAFT
** Alarmingly Effective 00:03 LACKING fullframe
** User Agent DRAFT
* Anonymity [0/4] 0:04 DRAFT
** Summary 00:01 DRAFT fullframe
* Anonymity
* Pseudonymity
** IANAAE DRAFT fullframe
** The Tor Network 00:01 DRAFT
** TorBrowser, Tails, and Whonix 00:02 DRAFT
** Data Analytics [0/2] 0:04 LACKING
* Introduction [0/1] 0:00 DRAFT ignoreheading
** Introduction 00:00 DRAFT fullframe
* Headings [0/3] 0:04 LACKING
** Advertisers 00:02 LACKING
** Social Media 00:01 DEVOID
** Governments 00:00:30 DEVOID
** Policy and Government [0/6] 0:12 LACKING
* Introduction [0/1] 0:00 DRAFT ignoreheading
** Introduction 00:00:30 DRAFT fullframe
* Surveillance [0/7] 0:06 LACKING
** History of NSA Surveillance 00:02 DRAFT
** Ron Wyden DRAFT fullframe
** The Leak DRAFT fullframe
** Verizon Metadata 00:00:30 DRAFT
** PRISM DRAFT
** Snowden 00:01 DRAFT
** Tools 00:02 DEVOID
* Crypto Wars [0/6] 0:04 LACKING
** Introduction 00:00 DRAFT fullframe
** Export-Grade Crypto 00:01:30 DRAFT
** Bernstein v. United States 00:01 DRAFT
** The First Crypto Wars 00:01 DRAFT
** Re-repeats Itself 00:00 DRAFT fullframe
** Modern Crypto Wars DRAFT fullframe
** ``Going Dark'' DEVOID
* Espionage [0/1] 0:01 LACKING
** US Can't Keep Its Own Secrets 00:01 DEVOID
* Subpoenas, Warrants, NSLs [0/1] 0:01 LACKING
** National Security Letters 00:01 DEVOID
* Law [0/1] 0:01 LACKING
** Summary 00:01 DEVOID fullframe
** Your Fight [0/1] 0:05 LACKING
* Headings [0/6] 0:05 LACKING
** Feeding 00:00 DRAFT fullframe
** SaaSS and Centralization 00:01 DEVOID
** Corporate Negligence 00:01 LACKING
** Status Quo 00:02 DRAFT
** Status Quo Cannot Hold DRAFT fullframe
** Push Back 00:01 DRAFT fullframe
** Thank You fullframe
** References appendix
* Exporting
* Local Variables

#+END

Remember the themes!:

  • Surreptitious
  • User privacy and security
  • Affects on freedom; chilling effects
  • How free software can help

The big players seem to be the Web and Government. No surprises there.

It would be a good idea to immediately connect with the audience. So:

  • Most everyone has a mobile device.

    • This is the most immediate and relatable since it's physically present with them in their travels.
  • Security cameras et. al. during travel.

So start briefly with the topic of pervasive surveillance?

  • That is what the abstract refers to, after all.

Surreptitious—many audience members won't consider that they're being tracked.

  • But by whom?

Maybe a gentle introduction that gets increasingly more alarming and invasive topic-wise.

GOAL: Captivate; Startle

LaTeX Configuration   export ignore

% citations will be grayed and pushed to the right margin ≤t\origcite\cite % incite = "inline" cite \def\cite{\hfill∈cite} ≠wcommand*{∈cite}[1]{{% \scriptsize \raisebox{1ex}{% \color{gray}% \origcite{#1}% }% }}

\renewcommand*{\bibfont}{\scriptsize}

Slides   export ignore

Introduction / Opening   B_fullframe

Hello, everyone. Thanks for coming!

My name's Mike Gerwitz. I am a free software hacker and activist with a focus on user privacy and security. I'm also a GNU Maintainer, software evaluator, and volunteer for various other duties.

And I'm here to talk to you about an unfortunate, increasingly unavoidable fact of life.

None of you made it here without being tracked in some capacity. Some of us are still being tracked at this very moment!

This isn't a tinfoil hat presentation. It's a survey of facts. Actual facts, not alternative ones! (Dig at Kellyanne Conway, for those reading this in the future.) Since time isn't on my side here, I'm going to present a broad overview of the most pressing concerns of today. Every slide has numeric citations, which are associated with references in the final slides. I won't be showing them here—you can get them online. My goal is to present you with enough information that you know that these things exist, and you know where to find more information about them. Those unknown unknowns.

So: let's start with the obvious.

(Note: You're being "tracked", rather than "watched": the latter is too often used and dismissed as tinfoil-hat FUD.)

Mobile [0/5]

Introduction   B_ignoreheading

Introduction   B_fullframe
  • <1-> Most people carry mobile phones
  • <1-> Synonymous with individual
  • <2> Excellent tracking devices

How many of you are carrying a mobile phone right now? Probably most of us. They are something we carry with us everywhere. They are computers that are always on.

A phone is often synonymous with an individual; they are a part of us. In other words: they're excellent tracking devices.

Cell Towers [0/2]

Fundamentally Needed
  • Phone needs tower to make and receive calls
  • Gives away approximate location (can triangulate)

The primary reason is inherent in a phone's design: cell towers. A phone "needs" to be connected to a tower to make and receive calls.

Unless it is off or otherwise disconnected (like airplane mode), its connection to the cell tower exposes your approximate location. These data persist for as long as the phone companies are willing to persist it.

Some people don't use phones primarily for this reason.

rms, for example, said he might use a phone if it could act as a pager, where he'd only need to expose his location once he is in a safe place. You can imagine that such would be a very useful and important feature for reporters and dissidents as well.

Cell-Site Simulators
  • <1-> IMSI-Catchers
  • <1-> Masquerade as cell towers
  • <1-> Most popular: Stingray
  • <2-> Free/libre Android program AIMSICD available on F-Droid attempts to detect\cite{aimsid}

Cell Site Simulators have made a lot of news in the past (including my local news), one of the most popular examples being the Stingray. These devices masquerade as cell towers. This allows (for example) law enforcement to get a suspect's phone to connect to their device rather than a real tower, which allows their location to be triangulated, calls to be intercepted, texts to be mined, etc. Law enforcement might also use it to record all devices in an area, such as during a protest.

The problem is: every phone in the area will try to connect to it; it amounts to a dragnet search, and is therefore extremely controversial.

The Android program AIMSICD—Android IMSI-Catcher Detector—is being developed in an attempt to detect these devices. It is free software and is available on F-Droid.

Wifi [0/3]

ESSID and MAC Broadcast
  • <1-> Device may broadcast ESSIDs of past hidden networks
  • <2-> Expose unique hardware identifiers (MAC address)

  • <3-> Defending against this is difficult

    • <4-> Turn off Wifi in untrusted places
    • <4-> Turn off settings to auto-connect when receiving e.g. MMS
    • <5-> Use cellular data (e.g. {2,3,4}G)
    • <6-> **MAC address randomization works poorly**\cite{arxiv:mac}

What else is inherent in a modern phone design? A common feature is Wifi.

If you connected to any hidden networks, your phone may broadcast that network name to see if it exists.

It exposes unique device identifiers (MACs), which can be used to uniquely identify you.

Defending against this is difficult, unless you take the simple yet effective route: disable Wifi completely, at least when you're not in a safe area you can trust. Some apps will automatically enable networking if they receive, for example, MMS messages; be careful of that. If you really do need data, use your cellular data. You are already hemmoraging information to your phone company, so at least you're limiting your exposure.

Some phones and apps offer MAC address randomization. That's a good thing in priniciple. Unfortunately, it seems to be easily defeated. One study, cited here, claims to be able to defeat randomization 100% of the time, regardless of manufacturer.

Segue to next section: All these previous risks are passive— they require no malicious software on your device. But what if we do have such software? And of course, we do.

Geolocation [0/3]

GPS
  • <1-> Not inherently a surveillance tool

  • <2-> Often enabled by default

    • <2-> Might prompt user, but features are attractive

  • <3-> Programs give excuses to track\cite{jots:mobile}

    • <3-> Navigation systems
    • <3-> Location information for social media, photos, nearby friends, finding lost phones, location-relative searches, etc.
  • <4-> Not-so-good: targeted advertising and building users profiles
  • <4-> If phone is compromised, location is known

Let's talk about geolocation! Many people find them to be very convenient. The most popular being GPS.

GPS isn't inherently a surveillance tool; it can't track you on its own. Your GPS device triangulates its location based on signals broadcast by GPS satellites in line-of-site.

Because of the cool features it permits, it's often enabled on devices. And programs will track your movements just for the hell of it. Or give an excuse to track you.

I'm not saying there aren't legitimate uses. Navigation systems, social media, photo metadata, finding nearby friends, finding lost phones— all of these things are legitimate. You just need to be able to trust the software that you are running, Often times, you can't. Without source code, it's sometimes hard to say if a program is doing other things. Like using it for targeted advertising, and/or building a user profile (which we'll talk about later).

But I Want GPS!
  • <1-> Is the program transparent in what data it sends? (Is the source code available?)\cite{jots:mobile}
  • <1-> Does the program let you disable those features?

  • <2-> Pre-download location-sensitive data (e.g. street maps)

    • <2-> OsmAnd (free software, Android and iOS)\cite{osmand}

So you may legitimately want GPS enabled. It's terrible that you should be concerned about it.

You need to know what data you're leaking so that you can decide whether or not you want to do so. And you need the option to disable it.

Sometimes your location is leaked as a side-effect. Navigation systems, for example, usually lazy-load map images. Some apps let you use pre-downloaded maps, like OsmAnd, which is free software available on both Android and—if you must—iOS.

Location Services
  • <1-> No GPS? No problem!
  • <1-> Mozilla Location Services, OpenMobileNetwork, … \cite{mozilla:loc-services,openmobilenetwork}

  • <2-> Wifi Positioning System; Bluetooth networks; nearby cell towers\cite{w:wps}

    • <2-> Signal strength and SSIDs and MACs of Access Points \cite{w:trilateration,acm:spotfi,acm:lteye}
  • <3-> Gathered by Google Street View cars
  • <3-> Your device may report back nearby networks to build a more comprehensive database

  • <4-> Works even where GPS and Cell signals cannot penetrate

    • <4-> Can be more accurate than GPS (e.g. what store in a shopping mall)

But GPS doesn't need to be available. Have you ever used a map program on a computer that asked for your location? How does it do that without GPS?

There are numerous services available to geolocate based on nearby access points, bluetooth networks, and cell towers. Based on the signal strength of nearby WiFi networks, your position can be more accurately trangulated.

These data are gathered by Google Street View cars. Your phone might also be reporting back nearby networks in order to improve the quality of these databases.

Sometimes this can be more accurate than GPS. And it works where GPS and maybe even cell service don't, such as inside shopping malls.

So just because GPS is off does not mean your location is unknown.

Operating System [0/3]

Untrusted/Proprietary OS

  • <1-> Who does your phone work for?

    • Apple? Google? Microsoft? Blackberry? Your manufacturer too?
  • <1-> Carry everywhere you go, but fundamentally cannot trust it\cite{gnu:malware-mobile}

  • <2-> Some come with gratis surveillance

    • <2-> BLU phones sent SMS messages, contacts, call history, IMEIs, and more to third-party servers without users' knowledge or censent \cite{kryptowire:adups}

A lot of this boils down to trust. Who does your phone work for?

Does your phone work for Apple? Google? Microsoft? Blackberry? Or does it work for you?

The OS situation on mobile is lousy. You carry around this computer everywhere you go. And you fundamentally cannot trust it.

Take BLU phones for example. In November of last year it was discovered that these popular phones contained software that sent SMS messages, contact lists, call history, IMEIs, etc to third-party servers without users' knowledge or consent. That software could also remotely execute code on the device.

Free/Libre Mobile OS?

  • <1-> Android is supposedly free software

    • <1-> But every phone requires proprietary drivers, or contains proprietary software

  • <2-> Replicant\cite{replicant}

    • <3> Niche. Interest is low, largely work of one developer now.

Android is supposedly a free operating system. Unfortunately, every phone requires proprietary drivers to work, and is loaded with proprietary software.

Does anyone here use Replicant? I do. Replicant is a fully free Android fork. I feel like I can at least trust my phone a little bit, but I still consider any data on it to be essentially compromised in the sense that I can't be confident in my ability to audit it and properly secure the device.

Modem Isolation
  • But modem still runs non-free software\cite{replicant:sec}
  • Sometimes has access to CPU, disk, and memory\cite{replicant:samsung-bd}

But on nearly every phone, the modem still runs proprietary software. And sometimes it has direct access to CPU, disk, and memory. Replicant closed a backdoor in Samsung Galaxy phones that allowed for remote access to the disk. That backdoor might not have been intentional, but it illustrates the possibility, and could still be exploited by an attacker.

So even with Replicant, I consider the device compromised; I put nothing important on it if I can avoid it.

Stationary [0/5]

Introduction [0/1]   B_ignoreheading

Introduction   B_fullframe

Certain types of tracking are unavoidable.

So let's say you have evaded that type of tracking. Maybe you don't carry a phone. Or maybe you've mitigated those threats in some way.

There's certain things that are nearly impossible to avoid.

Surveillance Cameras [0/2]

Unavoidable Surveillance

  • Security cameras are everywhere

    • Homes
    • Private businesses
    • Traffic cameras
    • Streets

On the way here, you likely walked by numerous security cameras. They could be security cameras for private businesses. Traffic cameras. Cameras on streets to deter crime.

Let's set aside local, state, and federal-owned cameras for a moment and focus on businesses. So a bunch of separate businesses have you on camera. So what?

Access to Data
  • <1> Data can be subpoenaed or obtained with a warrant
  • <1> If law enforcement wants to track you, they can

  • <2> If you own a surveillance system, be responsible and considerate

    • <2> Best way to restrict data is to avoid collecting it to begin with

Well one of the most obvious threats, should it pertain to you, is a subpoena. If law enforcement wanted to track you for whatever reason—crime or not!—they could simply subpoena the surrounding area. The best form of privacy is to avoid having the data be collected to begin with.

Internet of Things [0/4]

Internet-Connected Cameras
  • Cameras used to be ``closed-circuit''
  • Today\ldots not always so much

In the past, these cameras were "closed-circuit"— they were on their own segregated network. You'd have to subpoena the owner, or otherwise physically take the tape.

Today, that might be the intent, but these cameras are often connected to the Internet for one reason or another. It might be intentional—to view the camera remotely—or it may just be how it is set up by default.

Well… Let's expand our pool of cameras a bit. Because it's not just businesses that use Internet-connected cameras. They're also popular among individuals for personal/home use. Home security systems. Baby monitors.

The ``S'' In IoT Stands For ``Security''
  • Shodan—IoT search engine
  • Mirai
  • …<other concerns>

Who here has heard of Shodan?

Shodan is a search engine for the Internet of Things. It spiders for Internet-connected devices and indexes them. Okay, that's to be expected. Maybe that wouldn't be a problem if people knew proper NAT configuration that isn't subverted by UPnP. Maybe it wouldn't be a problem if these devices even gave a moment of thought to security.

Who's Watching?

  • Insecam

    • <Add information>

Anyone heard of Insecam? It's a site that aggregates live video feeds of unsecured IP cameras. I can tell you personally that you feel like a scumbag looking at the site. There's fascinating things on there. And sobering ones. And creepy ones. Restaurants—families eating dinner; chefs preparing food in the back. Public areas—beaches, pools, walkways, city streets. Private areas—inside homes; private businesses. Hotel clerks sitting behind desks on their cell phones. Warehouses. Behind security desks. Behind cash registers. Hospital rooms. Inside surveillance rooms where people watch their surveillance system! With armed guards! Scientific research: people in full dress performing experiments. I saw someone at the dentist getting a teeth cleaning. Anything you can think of. You can literally explore the world. There are some beautiful sights! Absolutely gorgeous. They remove things that are too deeply personal. Assuming someone reports it.

This is an excellent example to demonstrate to others why this is such a big deal.

So that's what your average person can do. That's what some of you are going to be doing as soon as you leave this talk, if you haven't started looking already!

That's what law enforcement is going to do. That's what the NSA, GHCQ, et. al. are going to do.

Facial Recognition
  • <1-> Humans no longer need to scour video feeds
  • <2-> Facial recognition widely used even for entertainment
  • <3-> No face? Check your gait.

Now let's couple that with facial recognition.

Consider the breadth of devices we just covered. Literally everywhere. People don't need to manually look for you anymore; it's automated. Hell, any of us can download a free (as in freedom) library to do facial recognition and train it to recognize people. Facebook famously got creepy by saying it could recognize people by their dress and posture, from behind.

You don't need facial recognition, though. You can also be identified by your gait.

There's a lot to say about IoT. We'll come back to it.

Social Media [0/1]

Collateral Damage
  • <1-> Don't put pictures of me on Facebook
  • <1-> Don't put pictures of my children anywhere
  • <2-> That person in the distance that happens to be in your photo has been inflicted with collateral damage

So you don't have any unsecured IoT cameras in your home. Or in this conference. But you do have unsecured people running wild with their photos and their selfies.

I'm sure you've heard a frequent request/demand from rms: "Don't put pictures of me on Facebook." This applies to all social media, really. I just mentioned facial recognition— this is precisely what Facebook (for example) made it for! To identify people you might know to tag them. It's excellent surveillance. What irks me is when people try to take pictures of my kids, or do and ask if they can put them online. Uh, no. You cannot. And people are sometimes surprised by that refusal.

Most people are being innocent— they're just trying to capture the moment. What they're actually doing is inflicting collateral damage. If I'm off in the background when you take a picture of your friends in the foreground, I'm still in the photo.

Driving [0/3]

Introduction   B_fullframe
  • Do you drive a vehicle?

Okay. So you have no phone. You sneak around public areas like a ninja. Like a vampire, you don't show up in photos. And you have no friends.

So how else can I physically track you in your travels here?

Well if you flew here, then your location is obviously known. That's not even worth discussing.

But what about if you drove?

ALPRs
  • Automated License Plate Readers (ALPRs)

ALPRs possibly tracked your movements. Automated License Plate Readers.

<…>

Maybe you try to evade them with special license plate covers. If need be, one could just track you by other unique features of your vehicle. And those might not just be law enforcement.

Security issues extend to this too! <Mention EFF's project>

You could rent a car. But the rental place probably took your name, license, and other information. You could take a cab and pay with cash. But that can get expensive. And they might have cameras and such anyway.

Car Itself
  • Your vehicle itself might be a spy

Maybe your car itself is a tracking device (e.g. OnStar).

(Move into Mobile?)

<…>

The Web [0/6]

Introduction [0/1]   B_ignoreheading

Introduction   B_fullframe
  • Much of our lives are no longer in the flesh
  • Or have some non-fleshy (virtual) analog

But you're not just tracked in the flesh. Much of what we do today is virtual. What better way to segue than to bridge the two?

Bridging the Gap [0/1]

Ultrasound Tracking
  • <1-> How do you bridge that analog?

  • <2-> Particularly insidious example: ultrasound tracking

    • <2-> Correlates users across devices

A challenge for advertisers is correlating users across multiple devices, and in the real world.

Let's say you saw a commercial for some product Foo on TV. And then you went online to research Foo. And then you bought Foo.

Sometimes commercials have you enter promo codes online to know that you arrived at the site from a TV commercial. Or give you a unique URL.

Others play inaudible sounds that are picked up by your mobile device or computer.

<…>

Incentive to Betray [0/1]

Summary   B_fullframe

There is strong incentive to betray

So how does tracking happen? How does this tracking code get on so much of the web?

Incentives to betray users.

Many websites make money through advertising. It can be lucrative. And it's easy to do.

Analytics [0/2]

Trackers

  • <1-> Website owners want to know what their visitors are doing

    • <1-> That in itself isn't an unreasonable concept
  • <2-> Methods and data define the issue

Site analytics is another issue. Website owners want to know what their visitors are doing. That in itself isn't an unreasonable thing broadly speaking, but how you go about it and what types of data you collect defines the issue.

Take Google Analytics for example. A very popular proprietary analytics service. It is one of the most widely distributed malware programs in the world.

<<examples of how GA tracks>>

And all of this is known to Google. All of this can be used to identify users across the entire web.

<<list others>>

If you must track your users, consider using Piwik, which you can host yourself.

Like Buttons
  • <1-> Services encourage use of "like" buttons and such
  • <1-> Infecting the web with trackers under the guise of community
  • <2-> Use Privacy Badger

Another popular example are "like buttons" and similar little widgets that websites like Facebook offer. If a user is logged into Facebook, then Facebook now knows that they visited that website, even if they don't click on the button.

But even if you don't have a Facebook account, information is being leaked to them you are still being tracked.

Addons like Privacy Badger will block these.

Fingerprinting [0/3]

Summary   B_fullframe

Browser Fingerprinting

These methods are part of a broader topic called "browser fingerprinting". It's just what it sounds like: uniquely identify users online.

Alarmingly Effective
  • Panopticlick (EFF)\cite{panopti:about}
  • JavaScript opens up a world of possibilities
  • Clearing cookies et al. won't always help
  • Can even track separate browsers on the same box

It's alarmingly effective.

Some methods allow fingerprinting even if the user uses multiple browsers and takes care to clear all session data. They can do this by effectively breaking out of the browser's sandbox by doing operations that depend heavily on specifics of users' hardware.

User Agent

  • <1-> User agents can leak a lot of information

    • <1-> ~18 bits in my browser on GNU/Linux, 1/~250,000
  • <2-> Tor Browser\cite{panopti:about}

Your browser's user agent is a string that it sends with every request identifying itself and some of its capabilities. It can be surprisingly unique. When I tested a Firefox browser on GNU/Linux, I was unique out of nearly 250,000 users.

Anonymity [0/4]

Summary   B_fullframe

Another way is to be anonymous or pseudononymous. In the latter case, you assume a pseudoynm online and perform only activities that should be associated with that pseudonym. In the former case, there should be no way to ever correlate past or future actions with your current session.

Anonymity

Origin is unknown to server; no unique identifier known by server∈cite{whonix:donot}

Pseudonymity

Origin is unknown to server; unique identifier is available to server∈cite{whonix:donot}

IANAAE   B_fullframe

IANAAE (I Am Not An Anonymity Expert)

This is a difficult topic that's pretty dangerous to give advice on if you have strong need for anonymity—for example, if you are a dissident or whistleblower. If your life depends on anonymity, please do your own research. I provide a number of resources to get you started.

The Tor Network
  • The Onion Router (Tor)\cite{tor}
  • Helps defend against traffic analysis
  • (Routing image)

Most here have probably heard of Tor. "Tor" stands for "The Onion Router", which describes how it relays data through the Tor network.

The packet is routed through a number of servers, encrypted with the public key of each server such that the first hop strips off the first layer and so on. The exit node reveals the packet and delivers it to the destination, then begins relaying the reply back to through the network to the user.

As long as a sufficient portion of the network can be trusted and has not been compromised by an adversary, it isn't possible to trace data back through the network.

The most common use of Tor is to route web traffic. Many nodes block most other ports. It's also possible to resolve DNS requests through Tor.

There are lots of other details that I don't have time to get to here, but I provide a number of resources for you.

TorBrowser, Tails, and Whonix
  • <1-> Tor alone isn't enough

  • <1-> Browser needs to be hardened

    • <2-> TorBrowser is a hardened Firefox derivative

  • <1-> Operating System needs to be hardened

    • <2-> Tails, Whonix

Tor alone isn't enough to secure your anonymity.

It's hard to secure a web browser.

TorBrowser is a hardened version of Firefox. The Tor browser recommends that you don't rely on a vanilla Firefox for anonymity with Tor.

Tails…

Whonix…

Data Analytics [0/2]

Introduction [0/1]   B_ignoreheading

Introduction   B_fullframe

``Big Data''

(Your Big Data)

We've seen adversaries with different motives. Let's explore what some of them do with all those data.

Headings [0/3]

Advertisers
  • Most users' threat models don't include the NSA
  • Biggest threat to privacy are companies that aggregate data to understand you (often better than you)

The biggest threat to privacy to the average user is by companies that aggregate data for the purpose of understanding you. Probably better than you understand you. I'm sure many of you heard of the story of Target knowing a girl was pregnant before she did.

<<user profiles>>

Social Media

TODO

(Where you are, what you do.)

Governments

TODO

(Segue into government surveillance.)

Policy and Government [0/6]

Introduction [0/1]   B_ignoreheading

Introduction   B_fullframe
  • <1-> Governments have a duty to protect their people
  • <2-> Governments have a duty to protect citizens' rights

\vspace{2ex} \only<3>{ \begin{center} These duties are often at odds \end{center} }

Where to begin.

Governments have a duty to protect their people. But they also have a duty to know their bounds; to protect citizens' rights and privacy.

We know how that story goes.

Surveillance [0/7]

History of NSA Surveillance
  • <1-> EFF has been fighting NSA domestic spying since 2005\cite{eff:nsa:timeline,mtg:uproar}
  • <1-> AT&T technician Mark Klein
  • <1-> Dragnet surveillance; NSA-controlled ``SG3 Secure Room''

  • <2-> Hepting v. AT&T (2006)

    • <2-> Government and AT&T retroactive immunity through FAA (2008)

  • <2-> Jewel v. NSA (2008)

    • <2-> Summary of Voluminous Evidence

When we think of the term ``surveillance'', the NSA usually comes to mind.

The Electronic Frontier Foundation has been fighting the NSA in court since 2006. In 2005, a former AT&T technician Mark Klein provided ``undisputed evidence'' about an NSA-controlled room at AT&T named ``SG-3'', through which all traffic passed.

The EFF filed Hepting v. AT&T in 2006. But in 2008, both the government and AT&T were awarded retroactive immunity through the FISA Amendments Act. The case was dismissed in 2009, along with dozens of other lawsuits.

In response, the EFF filed Jewel v. NSA. The case also benefitted from three additional whistleblowers.

Ron Wyden   B_fullframe

Senator Ron Wyden, 26 May 2011:

I have served on the Intelligence Committee for over a decade and I wish to deliver a warning this afternoon. When the American people find out how their government has secretly interpreted [the business records provision of FISA], they are going to be stunned and they are going to be angry.

The Leak   B_fullframe

5 June 2013

Verizon Metadata
  • <1-> 5 June 2013—Guardian releases leaked document ordering Verizon to collect ``telephony metadata''

[…] (i) between the United States and abroad; or (ii) wholly within the United States, including local telephone calls.

  • <2-> ``Business records'' provision partly declassified by Clapper on 6 June 2013

  • <2-> The American people were stunned and angry

    • <2-> But it wasn't a surprise to many

June 5th 2013. I remember where I was. Does anyone remember what that date represents?

The Guardian newspaper releases a leaked court order, which orders Verizon to collect ``telephony metadata'' on all calls, including local.

That ``business records'' provision of FISA that Ron Wyden was talking about was partly declassified by the then-DNI James Clapper on June 6th, 2013.

As Wyden predicted, we were pretty stunned. And pretty pissed off.

But it wasn't a surprise to many security researchers. You guys can take a look at the references for more information on that.

PRISM
  • 6 June 2013—Guardian leaks slideshow describing PRISM
  • All companies denied involvement

But it didn't end there! Well, obviously, we know that now.

One day later, the Guardian releases a leaked slideshow that describes PRISM.

All companies eventually denied involvement in this program.

Snowden
  • 9 June 2013—The Guardian reveals Edward Snowden as the whistleblower
  • Smear campaign

These were serious leaks. They still are. And three days later—to our surprise—the source of the leaks was revealed.

And the world came to know Edward Snowden through a huge smear campaign. They pointed out that his girlfriend was a pole dancer. They tried to discredit his role at the agency. They tried to paint him as this social loner, and downplay his skills.

Fortunately, that conversation didn't last long, and did not succeed. I'm not sure how many of you were here last year, but Snowden gave the opening keynote to LP2016. He received a minute-long standing ovation. The energy in that room was incredible.

Tools

TODO

  • XKeyscore and others
  • Exploits
  • Hardware
  • Intercepting shipments
  • Etc.

Crypto Wars [0/6]

Introduction   B_fullframe

\Huge History repeats itself

All of that happened behind our backs.

But there is also a war being waged in public. As if we haven't learned from the past. The Crypto wars.

Export-Grade Crypto
  • <1-> Cryptography classified as munitions (Arms Export Control Act; ITAR)
  • <1-> ``Export-grade'' cryptography

  • <2-> Lotus Notes

    • <2-> 40-bit export-grade symmetric key
    • <3-> Agreement with NSA: 64-bit export, but 24 of those bits a "workload reduction factor" for the NSA

  • <4-> Phil Zimmerman: PGP (≥ 128 bits)

    • <4-> Formal investigation by US government in 1993
    • <4-> Published source code in a book, which could be OCR'd
  • <5-> Still suffer long-term effects today (downgrade attacks, e.g. POODLE)\cite{poodle:paper}

Back in the 1990s, cryptography was classified as munitions.

If you wanted to export it to other countries, you essentially had to make it crackable by the NSA.

Lotus Notes is often used as an example of the negative effects of such regulation. Interestingly, it was actually the first widely used software to use public-key cryptography. Due to export restrictions, the maximum symmetric key size they could support was 40 bits. This was easily crackable by the NSA, but also feasible for other adversaries. They compromised with the NSA: 64-bit keys, but 24 of those bits would be encrypted specially for the NSA as a "workload reduction factor". So you had protection against most adversaries, but not the US government.

Then we have Phil Zimmerman, author of PGP. He didn't consult the NSA. Instead, he published the source code for PGP in a book with MIT Press, and widely distributed it. If someone wanted to use PGP, they could unbind the book, OCR the pages, and compile it with GCC. The US government opened a formal investigation into the case in 1993; the charges were dropped years later.

We are still observing the fallout from export-grade crypto today. They are called "downgrade attacks", where a program such as a browser is tricked into using a weaker cipher or keysize, allowing an attacker to MitM the connection. POODLE is an example of this.

Bernstein v. United States

  • <1-> 1995: Bernstein v. US Department of Justice\cite{eff:bernstein:doj}

    • <1-> Argued that restrictions violated First Amendment
    • <2-> Code Is Speech
  • <1-> 1996: Bill Clinton Executive Order 13026 transferred to Commerce Control List\cite{fedr:export-controls}
  • <1-> Department of Commerce relaxed rules in 2000\cite{doc:rev-export-reg}

In order to publish information on encryption algorithms and the like, you had to get permission from the government.

In 1995, Daniel Bernstein—then a graduate student—wanted to publish the source code and mathematical papers for his encryption algorithm Snuffle. Like Zimmerman, Bernstein thought export restrictions to be a violation of his First Amendment rights. But instead of blatant defiance, he decided to sue the US government. He was represented by the EFF. The Ninth Circuit Court of Appeals ruled in his favor.

The following year, President Bill Clinton signed an executive order that removed encryption from the munitions list, and in 2000 the Department of Commerce relaxed export restrictions.

You might have heard the term "code is speech". Bernstein v. United States case had wide-reaching consequences, not just for cryptography. Source code is protected under the First Amendment.

(See also Junger v. Daley.)

The First Crypto Wars
  • <1-> These incidents part of the first Crypto Wars\cite{w:crypto-wars}
  • <2-> DES Originally 64-bit key; NSA wanted 48 bits; compromised at 56.
  • <2-> Two version of the browser: 128-bit "U.S. edition" and effective 40-bit "international".

  • <3-> Clipper Chip was a hardware backdoor that employed a key escrow system

    • <3-> Complete failure
    • <3-> Terribly insecure (property of key escrow in general)
    • <3-> Opposite effect: spurred development of Nautilus and PGPfone

These incidents are classified into a period of time informally described as the "Crypo Wars".

There's a couple other good examples that I don't have time to get into: The DES encryption algorithm, for example, was originally 64-bit; the NSA wanted 48-bit, but compromised with 56. Netscape had two versions of their browser: one with 128-bit SSL and the other with 88 of those bits exposed to meet export regulations. This sounds insane today—because it is.

But there's even more insanity.

The Clipper Chip! It was the US government's attempt to backdoor communications with hardware. It used a key escrow system, and the algorithm they devised—called Skipjack—was classified, and so could not be reviewed by crypto experts at the time. Backlash was large. It failed miserably. Later cryptanalysis yielded scathing flaws, as is generally the case with key escrow cryptosystems. It even had the opposite effect: it spurred the development of encrypted communication programs like Nautilus and PGPfone (the latter being proprietary).

So, why did I go into so much history in a talk meant to deal with today's privacy and security threats?

Re-repeats Itself   B_fullframe

\Huge History repeats itself

Because history repeats itself.

Today's attempted legal/policy assault on privacy and security are enormous. We've already covered some. I don't have time to cover more than a small fraction of them.

Modern Crypto Wars   B_fullframe

\Huge ``Going Dark''

But the big phrase you hear today is "going dark". Government agencies are fearful of broadening use of encryption because they can't read many of those communications.

``Going Dark''

Apple v. FBI VEP

Espionage [0/1]

US Can't Keep Its Own Secrets

TODO

  • Office of Personnel Management
  • DNC
  • VEP

Subpoenas, Warrants, NSLs [0/1]

National Security Letters

TODO

  • Gag orders
  • Prior restraint
  • Canaries

Law [0/1]

Summary   B_fullframe

TODO

  • DMCA

    • Risks to security researchers
    • Draconian
  • CFAA

Your Fight [0/1]

Headings [0/6]

Feeding   B_fullframe

We're feeding into all of this!

SaaSS and Centralization

TODO

  • Be sure to mention Cloudbleed and S3
  • Who has access to your data?
  • The "Cloud"
Corporate Negligence
  • Companies balance security and privacy on their balance sheets

Companies don't care. They'll balance costs of failure to comply with regulation. Is it cheaper just to pay up in the event of a data breach?

Governments try, sort of. They need to catch up with the times. <<sec regulations>>

<<large-scale breaches>>

(Tie into SaaSS)

Status Quo

  • Do people care more about privacy and security since the Snowden leaks?

    • (Cite)
  • ``I have nothing to hide''
  • ``Report anything suspicious''
  • Chilling effects

You would think after the Snowden revelations that people would be more privacy-centric.

Some are. Many aren't. There is complacency with the status quo. Everything is so convenient.

"I have nothing to hide." A common argument. One that can be notoriously hard to address.

"Report anything suspicious." (Example of mathematician on plane.)

These all have chilling effects, conscious or not. <<Wikipedia articles>>

Status Quo Cannot Hold   B_fullframe

The status quo cannot hold.

I hope I've convinced you that the status quo cannot hold. That even people who aren't that privacy- or security-conscious recognize that there are risks not only at a personal level, but also national and global.

Push Back   B_fullframe
  • Good crypto; no trust
  • Lawmakers: this is not something we can win while we fight with our governments.

Thank You   B_fullframe

Mike Gerwitz

mtg@gnu.org">mtg@gnu.org

\bigskip

References Available Online

https://mikegerwitz.com/talks/sapsf

\vfill

Licensed under the Creative Commons Attribution ShareAlike 4.0 International License

References   B_appendix

\printbibliography

Exporting

You should be able to simply export this buffer as a Beamer presentation (C-c C-e l P) and get a slideshow.

Note that this requires ox-extras, which is part of Org Mode's contrib/. Without it, the :ignore: tag will not be recognized and the rendered slides will have incorrect depth.

Local Variables