3245 lines
87 KiB
Org Mode
3245 lines
87 KiB
Org Mode
#+startup: beamer
|
||
#+TITLE: The Surreptitious Assault on Privacy, Security, and Freedom
|
||
#+SUBTITLE: /**INCOMPLETE DRAFT PRESENTATION**/
|
||
#+AUTHOR: Mike Gerwitz
|
||
#+EMAIL: mtg@gnu.org
|
||
#+DATE: 26 March, LibrePlanet 2017
|
||
#+OPTIONS: H:3 num:nil toc:nil p:nil todo:nil stat:nil
|
||
#+LaTeX_CLASS: beamer
|
||
#+LaTeX_CLASS_OPTIONS: [presentation]
|
||
#+BEAMER_THEME: Warsaw
|
||
#+BEAMER_HEADER: \beamertemplatenavigationsymbolsempty
|
||
#+BEAMER_HEADER: \setbeamertemplate{bibliography item}{\insertbiblabel}
|
||
#+BIBLIOGRAPHY: sapsf plain
|
||
#+TODO: RAW(r) DEVOID(v) LACKING(l) DRAFT(d) REVIEWED(R) | AUGMENT(A) READY(+) REHEARSED(D)
|
||
#+COLUMNS: %40ITEM %10DURATION{:} %8TODO %BEAMER_ENV(ENVIRONMENT)
|
||
|
||
|
||
#+BEGIN_COMMENT
|
||
*Remember the themes!*:
|
||
- Surreptitious
|
||
- User privacy and security
|
||
- Affects on freedom; chilling effects
|
||
- How free software can help
|
||
|
||
The big players seem to be the [[The Web][Web]] and [[Policy and Government][Government]].
|
||
No surprises there.
|
||
|
||
|
||
It would be a good idea to immediately connect with the audience. So:
|
||
- Most everyone has a mobile device.
|
||
- /This is the most immediate and relatable since it's physically present/
|
||
with them in their travels.
|
||
- Security cameras et. al. during travel.
|
||
|
||
So start _briefly_ with the topic of pervasive surveillance?
|
||
- That is what the abstract refers to, after all.
|
||
|
||
*Surreptitious*---many audience members won't consider that they're being
|
||
tracked.
|
||
- But by _whom_?
|
||
|
||
Maybe a gentle introduction that gets increasingly more alarming and
|
||
invasive topic-wise.
|
||
#+END_COMMENT
|
||
|
||
|
||
* LaTeX Configuration :export:ignore:
|
||
#+LATEX_HEADER: \usepackage[backend=biber]{biblatex}
|
||
#+LATEX_HEADER: \usepackage{color}
|
||
#+LATEX_HEADER: \bibliography{sapsf}
|
||
#+BEGIN_LATEX
|
||
% citations will be grayed and pushed to the right margin
|
||
\let\origcite\cite
|
||
% incite = "inline" cite
|
||
\def\cite{\hfill\incite}
|
||
\newcommand*{\incite}[1]{{%
|
||
\scriptsize
|
||
\raisebox{1ex}{%
|
||
\color{gray}%
|
||
\origcite{#1}%
|
||
}%
|
||
}}
|
||
|
||
\renewcommand*{\bibfont}{\scriptsize}
|
||
#+END_LATEX
|
||
|
||
|
||
* LACKING Slides :export:ignore:
|
||
** READY Introduction / Opening :B_fullframe:
|
||
:PROPERTIES:
|
||
:DURATION: 00:01
|
||
:BEAMER_env: fullframe
|
||
:END:
|
||
|
||
#+BEGIN_COMMENT
|
||
Hello, everyone.
|
||
Thanks for coming!
|
||
|
||
My name's Mike Gerwitz.
|
||
I am a free software hacker and activist with a focus on user privacy and
|
||
security.
|
||
I'm also a GNU Maintainer, software evaluator, and volunteer for various
|
||
other duties.
|
||
|
||
And I'm here to talk to you about an unfortunate,
|
||
increasingly unavoidable fact of life.
|
||
|
||
None of you made it here without being tracked in some capacity.
|
||
Some of us are /still/ being tracked at this very moment!
|
||
|
||
This isn't a tinfoil hat presentation.
|
||
It's a survey of facts.
|
||
Since time isn't on my side here,
|
||
I'm going to present a broad overview of the most pressing concerns of
|
||
today, as it relates to everyone here.
|
||
Every slide has numeric citations,
|
||
which are associated with references on the final slides.
|
||
I won't be showing them here---you can get them online.
|
||
My goal is to present you with enough information that you know that these
|
||
things /exist/,
|
||
and you know where to find more information about them.
|
||
Those unknown unknowns.
|
||
|
||
So: let's start with the obvious.
|
||
|
||
(Note: You're being "tracked", rather than "watched": the latter is too
|
||
often used and dismissed as tinfoil-hat FUD.)
|
||
#+END_COMMENT
|
||
|
||
#+BEGIN_CENTER
|
||
#+BEAMER: \only<1->{\Huge You're Being Tracked.}
|
||
|
||
#+BEAMER: \only<2>{\large(No, really, I have references.)}
|
||
#+END_CENTER
|
||
|
||
|
||
** AUGMENT Mobile [5/5]
|
||
*** READY Introduction :B_ignoreheading:
|
||
:PROPERTIES:
|
||
:BEAMER_env: ignoreheading
|
||
:END:
|
||
**** READY Introduction :B_fullframe:
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:15
|
||
:BEAMER_env: fullframe
|
||
:END:
|
||
|
||
- <1-> Most people carry mobile phones
|
||
- <1-> Synonymous with individual
|
||
- <2> Excellent tracking devices
|
||
|
||
#+BEGIN_COMMENT
|
||
How many of you are carrying a mobile phone right now?
|
||
Probably most of us.
|
||
They are something we carry with us everywhere.
|
||
They are computers that are always on.
|
||
|
||
A phone is often synonymous with an individual;
|
||
they are a part of us---
|
||
we feel /incomplete/ when we're missing our phones.
|
||
In other words: they're excellent tracking devices.
|
||
#+END_COMMENT
|
||
|
||
*** READY Cell Towers [6/6]
|
||
:PROPERTIES:
|
||
:DURATION: 0:03
|
||
:END:
|
||
|
||
**** READY Fundamentally Needed
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:45
|
||
:END:
|
||
|
||
***** Summary
|
||
:PROPERTIES:
|
||
:BEAMER_col: 0.75
|
||
:END:
|
||
- Phone needs tower to make and receive calls
|
||
- Gives away approximate location\cite{pbs:nova:boston}
|
||
|
||
***** Tower Image
|
||
:PROPERTIES:
|
||
:BEAMER_col: 0.25
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
[[./images/tp/cell-tower.jpg]]
|
||
|
||
\incite{w:file:cell-tower}
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
The primary reason is inherent in a phone's design:
|
||
cell towers.
|
||
A phone "needs" to be connected to a tower to make and receive calls.
|
||
|
||
Unless it is off or otherwise disconnected (like airplane mode),
|
||
its connection to the cell tower exposes your approximate location.
|
||
If the signal reaches a second tower,
|
||
the potential location can be calculated from the signal delay.
|
||
More towers, you can also triangulate.
|
||
|
||
Some people don't use phones primarily for this reason.
|
||
|
||
rms, for example, said he might use a phone if it could act as a pager,
|
||
where he'd only need to expose his location once he is in a safe place.
|
||
You can imagine that such would be a very useful and important feature for
|
||
reporters and dissidents as well.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Cell-Site Simulators
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:45
|
||
:END:
|
||
|
||
***** Summary
|
||
:PROPERTIES:
|
||
:BEAMER_col: 0.65
|
||
:END:
|
||
- <1-> IMSI-Catchers
|
||
- <1-> Masquerade as cell towers
|
||
- <1-> Most popular: Stingray
|
||
- <2-> Free/libre Android program AIMSICD available on F-Droid attempts to
|
||
detect\cite{aimsid}
|
||
|
||
***** Stingray Image
|
||
:PROPERTIES:
|
||
:BEAMER_col: 0.35
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
[[./images/tp/stingray.jpg]]
|
||
|
||
\incite{w:file:stingray}
|
||
#+END_CENTER
|
||
|
||
|
||
#+BEGIN_COMMENT
|
||
Cell Site Simulators have made a lot of news in the past (including my local
|
||
news),
|
||
one of the most popular examples being the Stingray.
|
||
These devices masquerade as cell towers.
|
||
This allows (for example) law enforcement to get a suspect's phone to
|
||
connect to _their_ device rather than a real tower,
|
||
which allows their location to be triangulated,
|
||
calls to be intercepted,
|
||
texts to be mined,
|
||
etc.
|
||
Law enforcement might also use it to record all devices in an area,
|
||
such as during a protest.
|
||
|
||
The problem is: _every_ phone in the area will try to connect to it;
|
||
it amounts to a dragnet search,
|
||
and is therefore extremely controversial.
|
||
|
||
The Android program AIMSICD---Android IMSI-Catcher Detector---is being
|
||
developed in an attempt to detect these devices.
|
||
It is free software and is available on F-Droid.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Verizon Metadata (Order) :B_fullframe:
|
||
:PROPERTIES:
|
||
:BEAMER_env: fullframe
|
||
:DURATION: 00:00:10
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
[[./images/tp/fisa-verizon.png]]\par\incite{archive:fisa-verizon}
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
Anyone remember this?
|
||
|
||
This is the first Snowden leak---
|
||
the secret FISA court order that renewed the FBI Verizon metadata
|
||
collection program.
|
||
``#+END_COMMENT
|
||
|
||
**** READY Ron Wyden :B_fullframe:
|
||
:PROPERTIES:
|
||
:BEAMER_env: fullframe
|
||
:DURATION: 00:00:15
|
||
:END:
|
||
|
||
Senator Ron Wyden, 26 May 2011:
|
||
|
||
#+BEGIN_QUOTE
|
||
I have served on the Intelligence Committee for over a decade and I wish to
|
||
deliver a warning this afternoon. When the American people find out how
|
||
their government has secretly interpreted [the business records provision of
|
||
FISA], they are going to be stunned and they are going to be
|
||
angry.\cite{eff:jewel:evidence}
|
||
#+END_QUOTE
|
||
|
||
|
||
**** READY Verizon Metadata
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:30
|
||
:END:
|
||
|
||
- <1-> June 2013---Guardian releases leaked document ordering Verizon to
|
||
collect ``telephony metadata''\cite{guardian:verizon,mtg:uproar}
|
||
|
||
#+BEGIN_QUOTE
|
||
[...] (i) between the United States and abroad; or (ii) wholly within the
|
||
United States, including local telephone calls.\cite{archive:fisa-verizon}
|
||
#+END_QUOTE
|
||
|
||
- <2-> Routing information, source and destination telephone numbers, IMSI
|
||
and\nbsp{}IMEI numbers, and time and duration of the
|
||
call\cite{archive:fisa-verizon,eff:metadata}
|
||
|
||
- <3-> ``Business records'' provision partly declassified by Clapper on
|
||
6\nbsp{}June\nbsp{}2013\cite{dni:business-provs}
|
||
|
||
- <3-> The American people were stunned and angry
|
||
|
||
#+BEGIN_COMMENT
|
||
June 2013.
|
||
I remember where I was.
|
||
|
||
The Guardian newspaper releases a leaked court order,
|
||
which orders Verizon to collect ``telephony metadata'' on /all/ calls,
|
||
/including domestic/.
|
||
|
||
These matadata include <read above>.
|
||
|
||
That ``business records'' provision of FISA that Ron Wyden was talking about
|
||
was partly declassified by the then-DNI James Clapper shortly after that
|
||
publication.
|
||
|
||
As Wyden predicted,
|
||
we were pretty stunned.
|
||
And pretty pissed off.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Metadata Matters
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:30
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+ATTR_LATEX: :height 1in
|
||
[[./images/tp/nsa-spying.png]]\incite{eff:nsa-spying}
|
||
#+END_CENTER
|
||
|
||
- EFF on ``Why Metadata Matters'':\cite{eff:metadata}
|
||
- <2-> They know you rang a phone sex service at 2:24 am and spoke for
|
||
18 minutes. But they don't know what you talked about.
|
||
- <3-> They know you spoke with an HIV testing service, then your doctor,
|
||
then your health insurance company in the same hour. But they don't
|
||
know what was discussed.
|
||
|
||
#+BEGIN_COMMENT
|
||
There was quite the debate over how much ``metadata'' matters.
|
||
It matters a lot.
|
||
|
||
Here's some quotes from an EFF article, as cited.
|
||
|
||
<Read quotes>
|
||
|
||
Hm. Metadata.
|
||
#+END_COMMENT
|
||
|
||
|
||
*** READY Wifi [1/1]
|
||
:PROPERTIES:
|
||
:DURATION: 0:01
|
||
:END:
|
||
|
||
**** READY ESSID and MAC Broadcast
|
||
:PROPERTIES:
|
||
:DURATION: 00:01
|
||
:END:
|
||
- <1-> Device may broadcast ESSIDs of past hidden networks
|
||
- <1-> Expose unique hardware identifiers (MAC address)
|
||
- <2-> **Defending against this is difficult**
|
||
- <3-> /Turn off Wifi/ in untrusted places
|
||
- <3-> Turn off settings to auto-connect when receiving e.g. MMS
|
||
- <4-> Use cellular data (e.g. {2,3,4}G)
|
||
- <5-> **MAC address randomization works poorly**\cite{arxiv:mac}
|
||
|
||
#+BEGIN_COMMENT
|
||
What else is inherent in a modern phone design?
|
||
A common feature is Wifi.
|
||
|
||
If you connected to any hidden networks,
|
||
your phone may broadcast that network name to see if it exists.
|
||
|
||
It exposes unique device identifiers (MACs),
|
||
which can be used to identify you.
|
||
|
||
Defending against this is difficult,
|
||
unless you take the simple yet effective route:
|
||
disable Wifi completely,
|
||
at least when you're not in a safe area you can trust.
|
||
Some apps will automatically enable networking if they receive,
|
||
for example,
|
||
MMS messages;
|
||
be careful of that.
|
||
If you really do need data,
|
||
use your cellular data.
|
||
You are already hemmoraging information to your phone company,
|
||
so at least you're limiting your exposure.
|
||
|
||
Some phones and apps offer MAC address randomization.
|
||
That's a good thing in priniciple.
|
||
Unfortunately, it seems to be easily defeated.
|
||
One study, cited here,
|
||
claims to be able to defeat randomization 100% of the time,
|
||
regardless of manufacturer.
|
||
|
||
/Segue to next section:/
|
||
All these previous risks are _passive_---
|
||
they require no malicious software on your device.
|
||
But what if we _do_ have such software?
|
||
And of course, we do.
|
||
#+END_COMMENT
|
||
|
||
|
||
*** READY Geolocation [3/3]
|
||
:PROPERTIES:
|
||
:DURATION: 0:02
|
||
:END:
|
||
|
||
**** READY Global Positioning System (GPS)
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:30
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+ATTR_LATEX: :height 1in
|
||
[[./images/tp/gps.jpg]]\incite{w:file:gps}
|
||
#+END_CENTER
|
||
|
||
- <1-> Not inherently a surveillance tool
|
||
- <2-> Often enabled, and programs abuse it\cite{jots:mobile}
|
||
- <2-> Legitimate: navigation, social media, photos, nearby friends, finding
|
||
lost phones, location-relative searches, etc.
|
||
- <3-> If phone is compromised, location is known
|
||
|
||
#+BEGIN_COMMENT
|
||
Let's talk about geolocation!
|
||
Many people find them to be very convenient.
|
||
The most popular being GPS.
|
||
|
||
GPS isn't inherently a surveillance tool;
|
||
it can't track you on its own.
|
||
Your GPS device calculates its location based on signals
|
||
broadcast by GPS satellites in line-of-site.
|
||
|
||
Because of the cool features it permits,
|
||
it's often enabled on devices.
|
||
And programs will track your movements just for the hell of it.
|
||
Or give an excuse to track you.
|
||
|
||
I'm not saying there aren't legitimate uses.
|
||
Navigation systems,
|
||
social media,
|
||
photo metadata,
|
||
finding nearby friends,
|
||
finding lost phones---
|
||
all of these things are legitimate.
|
||
You just need to be able to trust the software that you are running,
|
||
Often times, you can't.
|
||
|
||
Even if you can,
|
||
if your device is owned,
|
||
they can just enable GPS and your location is known.
|
||
#+END_COMMENT
|
||
|
||
**** READY But I Want GPS!
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:40
|
||
:END:
|
||
- <1-> Is the program transparent in what data it sends? (Is the source code
|
||
available?)\cite{jots:mobile}
|
||
- <1-> 2010: 47 of top 100 Android and iOS apps sent location to devs and
|
||
third parties\cite{wsj:app-loc}
|
||
- <1-> Ex: /Angry Birds/ sent address book, location, and device ID to
|
||
third party\cite{networks-of-control}
|
||
- <1-> Does the program let you disable those [anti-]features?
|
||
- <2-> Pre-download location-sensitive data (e.g. street maps)
|
||
- <2-> OsmAnd (free software, Android and iOS)\cite{osmand}
|
||
|
||
#+BEGIN_COMMENT
|
||
So you may legitimately want GPS enabled.
|
||
It's terrible that you should be concerned about it.
|
||
|
||
Are the programs you're using transparent in what they're sending?
|
||
A precondition to that answer is source code;
|
||
it's otherwise hard to say if a program is doing other things.
|
||
|
||
A study by the Wall Street Journal found that 47 of the 100 Android and iOS
|
||
apps in 2010 shared your location with not only the developers,
|
||
but also with third parties.
|
||
|
||
An example is Angry Birds,
|
||
which for whatever the hell reason was sending users' address books,
|
||
locations, and device IDs to third parties.
|
||
|
||
You need to know what data you're leaking so that you can decide whether
|
||
or not you want to do so.
|
||
And you need the option to disable it.
|
||
Or modify the program to disable it.
|
||
|
||
Sometimes your location is leaked as a side-effect.
|
||
Navigation systems, for example, usually lazy-load map images.
|
||
Some apps let you use pre-downloaded maps,
|
||
like OsmAnd,
|
||
which is free software available on both Android and---if you must---iOS.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Location Services
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:30
|
||
:END:
|
||
|
||
- <1-> No GPS? No problem!
|
||
- <1-> Mozilla Location Services, OpenMobileNetwork, ...
|
||
\cite{mozilla:loc-services,openmobilenetwork}
|
||
- <2-> Wifi Positioning System; Bluetooth networks;
|
||
nearby cell towers\cite{w:wps}
|
||
- <2-> Signal strength and SSIDs and MACs of Access Points
|
||
\cite{w:trilateration,acm:spotfi,acm:lteye}
|
||
- <3-> Some gathered by Google Street View cars
|
||
- <3-> Your device may report back nearby networks to build a more
|
||
comprehensive database
|
||
- <4-> Works even where GPS and Cell signals cannot penetrate
|
||
- <4-> Can be /more/ accurate than GPS (e.g. what store in a shopping mall)
|
||
|
||
#+BEGIN_COMMENT
|
||
But GPS doesn't need to be available.
|
||
Have you ever used a map program on a computer that asked for your location?
|
||
How does it do that without GPS?
|
||
|
||
There are numerous services available to geolocate based on nearby access
|
||
points, bluetooth networks, and cell towers.
|
||
Based on the signal strength of nearby WiFi networks,
|
||
your position can be more accurately trangulated.
|
||
|
||
Some of these data are gathered by Google Street View cars.
|
||
Devices that /have/ GPS, like your phone might also be reporting back nearby
|
||
networks in order to improve the quality of these databases.
|
||
|
||
Sometimes this can be more accurate than GPS.
|
||
And it works where GPS and maybe even cell service don't, such as inside
|
||
shopping malls.
|
||
|
||
So just because GPS is off does not mean your location is unknown.
|
||
#+END_COMMENT
|
||
|
||
*** READY Operating System [3/3]
|
||
:PROPERTIES:
|
||
:DURATION: 0:02
|
||
:END:
|
||
|
||
**** READY Untrusted/Proprietary OS
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:40
|
||
:END:
|
||
|
||
- <1-> Who does your phone work for?
|
||
- Apple? Google? Microsoft? Blackberry? Your manufacturer too?
|
||
- <1-> Carry everywhere you go, but fundamentally cannot
|
||
trust it\cite{gnu:malware-mobile}
|
||
- <2-> Some come with gratis surveillance
|
||
- <2-> BLU phones sent SMS messages, contacts, call history, IMEIs, and
|
||
more to third-party servers without users' knowledge or censent
|
||
\cite{kryptowire:adups}
|
||
|
||
#+BEGIN_COMMENT
|
||
A lot of this boils down to trust.
|
||
Who does your phone work for?
|
||
|
||
Does your phone work for Apple? Google? Microsoft? Blackberry?
|
||
Or does it work for you?
|
||
|
||
The OS situation on mobile is lousy.
|
||
You carry around this computer everywhere you go.
|
||
And you fundamentally cannot trust it.
|
||
|
||
Take BLU phones for example---cheap little phones that come with advertising.
|
||
In November of last year it was discovered that these popular phones
|
||
contained software that sent SMS messages, contact lists, call history,
|
||
IMEIs, etc to third-party servers without users' knowledge or consent.
|
||
That software could also remotely execute code on the device.
|
||
#+END_COMMENT
|
||
|
||
**** READY Free/Libre Mobile OS?
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:30
|
||
:END:
|
||
- <1-> Android is supposedly free software
|
||
- <1-> But every phone requires proprietary drivers, or contains
|
||
proprietary software
|
||
- <2-> Replicant\cite{replicant}
|
||
- <2> Niche. Largely work of one developer now. (Help if you can!)
|
||
|
||
#+BEAMER: \uncover<2>{
|
||
#+BEGIN_CENTER
|
||
#+ATTR_LATEX: :width: 7in
|
||
[[./images/tp/replicant.png]]
|
||
#+END_CENTER
|
||
#+BEAMER: }
|
||
|
||
#+BEGIN_COMMENT
|
||
Android is supposedly a free operating system.
|
||
Unfortunately,
|
||
every phone requires proprietary drivers to work,
|
||
and is loaded with proprietary software.
|
||
|
||
Does anyone here use Replicant?
|
||
I do.
|
||
Replicant is a fully free Android fork.
|
||
I feel like I can at least trust my phone a little bit,
|
||
but I still consider any data on it to be essentially compromised in the
|
||
sense that I can't be confident in my ability to audit it and properly
|
||
secure the device.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Modem Isolation
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:30
|
||
:END:
|
||
|
||
- But modem still runs non-free software\cite{replicant:sec}
|
||
- Sometimes has access to CPU, disk, and memory\cite{replicant:samsung-bd}
|
||
|
||
#+BEGIN_COMMENT
|
||
But on nearly every phone,
|
||
the modem still runs proprietary software.
|
||
And sometimes it has direct access to CPU, disk, and memory.
|
||
Replicant closed a backdoor in Samsung Galaxy phones that allowed for remote
|
||
access to the disk.
|
||
That backdoor might not have been intentional,
|
||
but it illustrates the possibility,
|
||
and could still be exploited by an attacker.
|
||
|
||
So even with Replicant,
|
||
I consider the device compromised;
|
||
I put nothing important on it if I can avoid it.
|
||
#+END_COMMENT
|
||
|
||
|
||
*** Vehicles
|
||
**** READY Introduction :B_fullframe:
|
||
:PROPERTIES:
|
||
:BEAMER_env: fullframe
|
||
:DURATION: 00:00:05
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
\Huge What about your car?
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
Okay, how about something else that's mobile: your car.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY OnStar :B_fullframe:
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:30
|
||
:BEAMER_env: fullframe
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+ATTR_LATEX: :height 0.5in
|
||
[[./images/tp/onstar-logo.png]]
|
||
|
||
\smallskip
|
||
[[./images/onstar-collects.png]]
|
||
|
||
\incite{onstar:privacy-policy}
|
||
#+END_CENTER
|
||
|
||
- Since 2011, retains all GPS and system data to sell to third
|
||
parties
|
||
|
||
|
||
#+BEGIN_COMMENT
|
||
I vowed never to get a modern vehicle.
|
||
Turns out,
|
||
I can't afford the maintenance on older ones,
|
||
and safety of my children is pretty important.
|
||
I got a decent lease deal on a Chevy.
|
||
|
||
What have Chevys come with for the past 20 years?
|
||
OnStar.
|
||
|
||
The first thing I did when I got home with the car was get out the manual,
|
||
find that it had its own dedicated fuse,
|
||
and pulled it.
|
||
|
||
How much could it possibly track?
|
||
Well, here's the relevant portion of the OnStar privacy policy.
|
||
|
||
Let alone security...we'll cover that in a little bit.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Ford :B_fullframe:
|
||
:PROPERTIES:
|
||
:BEAMER_env: fullframe
|
||
:DURATION: 00:00:25
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+ATTR_LATEX: :height 0.5in
|
||
[[./images/tp/ford-logo.png]]
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_QUOTE
|
||
``We know everyone who breaks the law, we know when you're doing it. We have
|
||
GPS in your car, so we know what you're doing. By the way, we don't supply
|
||
that data to anyone.''\cite{binsider:ford-gps}
|
||
|
||
\hfill---Jim Farley, VP/Marketing and Sales, 2014
|
||
#+END_QUOTE
|
||
|
||
#+BEGIN_COMMENT
|
||
And then you have stupid executives saying crap like this:
|
||
|
||
<Read quote>
|
||
|
||
Oh, excellent!
|
||
I'm assured.
|
||
|
||
It's a problem that VPs don't think this is a problem and will just say it
|
||
off the cuff.
|
||
#+END_COMMENT
|
||
|
||
|
||
|
||
** AUGMENT Stationary [5/5]
|
||
*** READY Introduction [1/1] :B_ignoreheading:
|
||
:PROPERTIES:
|
||
:BEAMER_env: ignoreheading
|
||
:END:
|
||
**** READY Introduction :B_fullframe:
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:15
|
||
:BEAMER_env: fullframe
|
||
:END:
|
||
|
||
#+BEGIN_QUOTE
|
||
\large
|
||
``If you've got nothing to hide, you've got nothing
|
||
to\nbsp{}fear.''\cite{rosen:naked,solove:nothing-to-hide,metro:goebbels}
|
||
#+END_QUOTE
|
||
|
||
#+BEGIN_COMMENT
|
||
Well, speaking of stupid quotes!
|
||
|
||
So let's say you have evaded that type of tracking.
|
||
Maybe you don't carry a phone.
|
||
You don't drive or you drive a car instead of a computer.
|
||
Or maybe you've mitigated those threats in some way.
|
||
|
||
There's certain things that are nearly impossible to avoid.
|
||
|
||
This quote. We'll get back to it.
|
||
#+END_COMMENT
|
||
|
||
*** READY Surveillance Cameras (CCTV) [5/5]
|
||
**** READY Unavoidable Surveillance
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:10
|
||
:END:
|
||
|
||
- Certain types of tracking are unavoidable
|
||
- Security cameras are everywhere
|
||
\cite{intercept:nyc-surveil,cbs:sf-smile,fast:das}
|
||
- Businesses
|
||
- Traffic
|
||
- Streets/sidewalks
|
||
- Public transportation
|
||
|
||
#+BEGIN_COMMENT
|
||
On the way here,
|
||
you likely walked by numerous security cameras.
|
||
They could be security cameras for private businesses.
|
||
Traffic cameras.
|
||
Cameras on streets to deter crime.
|
||
#+END_COMMENT
|
||
|
||
**** READY Private Cameras in Plain View; Tinerloin, SF
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:30
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+ATTR_LATEX: :height 1.25in
|
||
[[./images/tp/sf-cameras.jpg]]
|
||
\incite{cbs:sf-smile}
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_QUOTE
|
||
``The idea that you can sort of meet in a public place and quietly have a
|
||
conversation that we’re sort of accustomed to from spy movies, that is
|
||
really not realistic anymore,'' ---Nadia Kayyali, EFF\cite{cbs:sf-smile}
|
||
#+END_QUOTE
|
||
|
||
#+BEGIN_COMMENT
|
||
This is a map of private surveillance cameras in plain view around SF's
|
||
Tenderloin neighborhood.
|
||
Obviously your city or town might be different.
|
||
Could be worse, even.
|
||
And these are just the ones that the DA's office found in
|
||
/plain view/!
|
||
|
||
According to them,
|
||
people who live in this neighborhood could be on camera dozens of times in
|
||
a single day.
|
||
|
||
Alright, so a bunch of private entities have you on camera;
|
||
So what?
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Access to Data
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:45
|
||
:END:
|
||
|
||
- <1-> Data can be obtained with a warrant or subpoena
|
||
- <2-> Data can be compromised
|
||
- <3-> Chilling effect
|
||
- <4-> **If you own a surveillance system, be responsible and considerate**
|
||
- <4-> Best way to restrict data is to /avoid collecting it to begin with/
|
||
|
||
#+BEGIN_COMMENT
|
||
Well one of the most obvious threats,
|
||
should it pertain to you,
|
||
is a warrant or subpoena.
|
||
|
||
Most of us aren't going to have to worry about a crime.
|
||
But data can be compromised.
|
||
And it isn't possible for you to audit it;
|
||
you have no idea who has you on camera.
|
||
|
||
This creates a chilling effect.
|
||
You're going to act differently in public knowing that someone might be
|
||
watching,
|
||
or could be watching later on if recorded.
|
||
|
||
If you have a surveillance system,
|
||
or any sort of public-facing cameras,
|
||
please be considerate.
|
||
If you only care who is on your property,
|
||
don't record the sidewalk in front of your house.
|
||
Or at least restrict motion detection to your property.
|
||
The best form of privacy is to avoid having the data be collected to begin
|
||
with.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Domain Awareness System (Intro) :B_fullframe:
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:30
|
||
:BEAMER_env: fullframe
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+BEGIN_LATEX
|
||
\only<1>{What if all those cameras---including private---were connected?}
|
||
\only<2>{\Huge NYPD\par Domain Awareness System\incite{nyc:pspg}}
|
||
\only<3>{
|
||
#+END_LATEX
|
||
#+BEGIN_QUOTE
|
||
\large
|
||
Although NYPD documents indicate that the system is specifically designed
|
||
for anti-terrorism operations, any incidental data it collects ``for a
|
||
legitimate law enforcement or public safety purpose'' by DAS can be
|
||
utilized by the police department.\cite{fast:das}
|
||
#+END_QUOTE
|
||
#+LATEX: }
|
||
#+END_CENTER
|
||
|
||
|
||
#+BEGIN_COMMENT
|
||
...but what if law enforcement didn't have to go door-to-door?
|
||
|
||
Let's talk about the NYPD's Domain Awareness System.
|
||
|
||
It was designed in part from the usual unjustifiable and irrational response
|
||
to terrorism threats after 9/11.
|
||
But any data this system collects for ``legtimate'' law enforcement or
|
||
public safety purposes can be used against you.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Domain Awareness System
|
||
:PROPERTIES:
|
||
:DURATION: 00:01:15
|
||
:END:
|
||
|
||
- <1-> Partnership between the NYPD and Microsoft at a cost of $230M
|
||
in\nbsp{}2013\cite{reuters:nypd-das,nyc:pspg}
|
||
- <1-> Surveillance cameras, license plate readers, radiation detectors,
|
||
911\nbsp{}system, criminal records, \ldots
|
||
- <2-> \gt 6,000 surveillance cameras, $2\over 3$ private
|
||
businesses\cite{reuters:nypd-das,pbs:nova:boston}
|
||
- <3-> Database of over 16\nbsp{}million plates,
|
||
every car going into Lower Manhatten\cite{reuters:nypd-das,pbs:nova:boston}
|
||
- <4-> Can search in seconds for terms like
|
||
``red baseball cap''\cite{reuters:nypd-das,pbs:nova:boston}
|
||
- <4-> Detects ``suspicious behaviors'' like unattended bags and
|
||
circling cars\cite{reuters:nypd-das,pbs:nova:boston}
|
||
|
||
#+BEGIN_COMMENT
|
||
The Domain Awareness System is a partnership between Microsoft and the NYPD.
|
||
It's mammoth.
|
||
It's pretty amazing---it's like science fiction.
|
||
But I care about privacy,
|
||
so instead I'm going to use adjectives like ``Orwellian'' and ``Kafkaesque''.
|
||
|
||
It contains over six thousand security cameras,
|
||
over two-thirds of which are private closed-circuit cameras.
|
||
It includes license plate readers that record everyone going into Lower
|
||
Manhattan, along with a database of over sixteen million license plates.
|
||
It can search in seconds for very specific terms,
|
||
like ``red baseball cap'',
|
||
and it can monitor for suspicious behaviors,
|
||
like unattended bags,
|
||
or cars circling an area.
|
||
If it finds an unattended bag,
|
||
you can rewind to find who left it.
|
||
|
||
A lot of us are programmers---
|
||
think about the realtime analysis of all of these frames.
|
||
It really is a fascinating field to work in.
|
||
But there's serious ethical concerns with how it's applied.
|
||
|
||
This thing also integrates the 911 system, radiation detectors, criminal
|
||
records, etc.
|
||
|
||
This is the direction we're heading in---
|
||
these things will only spread.
|
||
In fact,
|
||
the NYPD will get a 30% cut when Microsoft sells it to others.
|
||
#+END_COMMENT
|
||
|
||
|
||
*** READY Driver Surveillance [3/3]
|
||
**** READY Automated License Plate Readers (ALPRs)
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:30
|
||
:END:
|
||
|
||
***** Images
|
||
:PROPERTIES:
|
||
:BEAMER_col: 0.50
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+BEAMER: \only<1>{
|
||
[[./images/tp/alpr-mounted.png]]\par\incite{eff:alpr}
|
||
#+BEAMER: }
|
||
#+BEAMER: \only<2>{
|
||
[[./images/tp/alpr-capture.png]]\par\incite{eff:alpr}
|
||
#+BEAMER: }
|
||
#+BEAMER: \only<3>{
|
||
#+ATTR_LATEX: :height 2in
|
||
[[./images/tp/aclu-tracked.jpg]]\par\incite{aclu:tracked}
|
||
#+BEAMER: }
|
||
#+END_CENTER
|
||
|
||
***** Summary
|
||
:PROPERTIES:
|
||
:BEAMER_col: 0.50
|
||
:END:
|
||
- Scan passing cars' license plates\cite{aclu:tracked,eff:alpr}
|
||
- Produce alphanumeric representation with timestamp and photograph
|
||
|
||
#+BEGIN_COMMENT
|
||
I want to talk about a couple issues related to driver surveillance.
|
||
These things are a widespread, nasty threat to privacy,
|
||
and they don't need a sophisticated Domain Awareness System to deploy.
|
||
|
||
The first are ALPRs.
|
||
ALPRs are mounted on police cars and objects like light poles.
|
||
They scan passing cars' license plates,
|
||
convert them to alphanumeric data,
|
||
record the time and date,
|
||
and possibly an image of the vehcile.
|
||
Here's a screenshot of the interface of one;
|
||
we'll get into how exactly we got that in a bit.
|
||
The ACLU has an excellent report on it,
|
||
and the EFF has a campaign against it;
|
||
see those two resources for more info.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Automatic Toll Readers
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:30
|
||
:END:
|
||
- <1-> Electronic toll booth using RFIDs or ALPRs\cite{eff:golden-gate-toll}
|
||
- <1-> In the North-East we have E-ZPass (RFID)\cite{w:ezpass}
|
||
- <1-> Golden Gate Bridge requires FasTrack or plate-based
|
||
- <2-> /But/ they provide an option for an anonymous FasTrack account
|
||
using cash\cite{goldengate:anon}
|
||
- <2-> (Granted, you're still captured by an ALPR)
|
||
- <3-> Routinely used by law enforcement\cite{baynews:fastack-data}
|
||
- <4-> They're not very secure,
|
||
either\cite{blackhat:toll-systems,register:rfid-clone}
|
||
|
||
#+BEGIN_COMMENT
|
||
The other is automatic toll readers.
|
||
|
||
Electronic toll booths are replacing traditional cash-based tolls.
|
||
Some places require it,
|
||
like the Golden Gate Bridge.
|
||
I was unsettled when I heard my county discussing it.
|
||
One option is windshield-mounted RFIDs.
|
||
In the North-East, we have E-ZPass.
|
||
For the Golden Gate Bridge, FasTrack.
|
||
|
||
We've already seen that law enforcement uses these data,
|
||
but in the case of FasTrack,
|
||
data are even used in civil suits like divorces.
|
||
|
||
And they have their security issues;
|
||
many can be easily cloned, for example.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Akin To GPS Tracking
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:30
|
||
:END:
|
||
|
||
- /United States v. Jones/: GPS tracking constitutes search under
|
||
Fourth\nbsp{}Amendment\cite{w:us-v-jones}
|
||
|
||
- How is pervasive surveillance different if it achieves essentially the
|
||
same result?
|
||
|
||
#+BEGIN_COMMENT
|
||
In the US Supreme Court case United States v. Jones, the judges unanimously
|
||
ruled that GPS tracking of a vehicle constitutes a search under the
|
||
Fourth Amendment.
|
||
|
||
Many wonder how tracking as I just described is any different.
|
||
If you have ALPRs and other surveillance systems throughout the same area
|
||
within which a warrant for GPS tracking can be executed,
|
||
you would get similar results.
|
||
With much less risk, too---no secret device that may be discovered.
|
||
|
||
That's for a court to eventually decide.
|
||
But it's a useful comparison against precedent.
|
||
#+END_COMMENT
|
||
|
||
|
||
*** AUGMENT Internet of Things [13/13]
|
||
**** READY Internet-Connected Cameras :B_fullframe:
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:35
|
||
:BEAMER_env: fullframe
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
\Huge
|
||
#+BEAMER: \only<1>{Cameras used to need physical access}
|
||
#+BEAMER: \only<2>{Today\ldots not always so much}
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
In the past, these cameras were on their own segregated networks.
|
||
You'd _have_ to subpoena the owner or get a warrant,
|
||
or otherwise physically take the tape.
|
||
|
||
Today...that might be the intent, but these cameras are often
|
||
connected to the Internet for one reason or another.
|
||
It might be intentional---to view the camera remotely or on a device---or it
|
||
may just be how the camera is set up by default.
|
||
|
||
Well...
|
||
It's not just businesses that use Internet-connected cameras.
|
||
They're also popular among individuals for personal/home use so that they
|
||
can view them on their smart phones and elsewhere.
|
||
Like home security systems.
|
||
Baby monitors.
|
||
#+END_COMMENT
|
||
|
||
**** READY The ``S'' In IoT Stands For ``Security''
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:50
|
||
:END:
|
||
|
||
- <1-> Shodan---IoT search engine\cite{shodan}
|
||
- <2-> You'll also find other things. Secure your databases.
|
||
\cite{krebs:mongodb}
|
||
- <2-> Can search for specific devices
|
||
- <2-> If you are vulnerable, someone will find you
|
||
- <3-> Top voted search was ``Webcam'' when I was writing this slide
|
||
|
||
#+BEGIN_COMMENT
|
||
Who here has heard of Shodan?
|
||
|
||
Shodan is a search engine for the Internet of Things.
|
||
It spiders for Internet-connected devices and indexes them.
|
||
Okay, that's to be expected.
|
||
Maybe that wouldn't be a problem if NAT configuration weren't subverted by
|
||
UPnP.
|
||
Or maybe it wouldn't be a problem if these devices even gave a moment of
|
||
thought to security.
|
||
|
||
It also indexes other interesting things.
|
||
For example,
|
||
it was used to find unsecured MongoDB instances so that the attackers
|
||
could hold data for ransom.
|
||
|
||
So people can find your stuff.
|
||
If an attacker knows that some device is vulnerable,
|
||
Shodan can be used to search for that device.
|
||
|
||
At the time I was writing this,
|
||
the top voted search under "Explore" was "Webcam".
|
||
Followed by "Cams", "Netcam", and "default password".
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Who's Watching?
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:20
|
||
:END:
|
||
|
||
***** Screenshot
|
||
:PROPERTIES:
|
||
:BEAMER_col: 0.30
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+ATTR_LATEX: :height 2.25in
|
||
[[./images/insecam-ss.png]]\par\incite{insecam}
|
||
#+END_CENTER
|
||
|
||
|
||
***** Summary
|
||
:PROPERTIES:
|
||
:BEAMER_col: 0.70
|
||
:END:
|
||
|
||
- Insecam is a directory of Internet-connected surveillance
|
||
cameras\cite{insecam}
|
||
- Live video feeds (browser connects directly to cameras)
|
||
|
||
|
||
#+BEGIN_COMMENT
|
||
But Shodan isn't the only thing out there.
|
||
Anyone heard of Insecam?
|
||
|
||
It's a site that aggregates live video feeds of unsecured IP cameras.
|
||
Your browser connects directly to the cameras---
|
||
literally, they are wide open;
|
||
nothing fancy is going on here.
|
||
I can tell you personally that you feel like a scumbag looking at the site.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Insecam Example 1 :B_fullframe:
|
||
:PROPERTIES:
|
||
:BEAMER_env: fullframe
|
||
:DURATION: 00:00:40
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+ATTR_LATEX: :height 1in
|
||
[[./images/insecam-01.png]]
|
||
#+LATEX: \hspace{0.1in}
|
||
#+ATTR_LATEX: :height 1in
|
||
[[./images/insecam-06.png]]
|
||
|
||
#+ATTR_LATEX: :height 1in
|
||
[[./images/insecam-03.png]]
|
||
#+LATEX: \hspace{0.1in}
|
||
#+ATTR_LATEX: :height 1in
|
||
[[./images/insecam-05.png]]
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
Here are some examples.
|
||
I blurred any identifying features for privacy.
|
||
|
||
We have surveillance rooms where people watch their surveillance system!
|
||
Inception-kinda thing going on here.
|
||
Also doesn't help that they are watching the TV on the wall too.
|
||
|
||
There's many public swimming pools.
|
||
|
||
Elevators are awkward enough to begin with.
|
||
How about someone watching you in such a vulnerable space?
|
||
|
||
We have a photolithography lab in my home city.
|
||
I have no idea which one, or where exactly.
|
||
|
||
These are creepy.
|
||
Somewhat cool, even.
|
||
Let's get a little more personal.
|
||
#+END_COMMENT
|
||
|
||
**** READY Example 2 :B_fullframe:
|
||
:PROPERTIES:
|
||
:BEAMER_env: fullframe
|
||
:DURATION: 00:01:00
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+ATTR_LATEX: :height 1in
|
||
[[./images/insecam-02.png]]
|
||
#+LATEX: \hspace{0.1in}
|
||
#+LATEX: \only<2>{
|
||
#+ATTR_LATEX: :height 1in
|
||
[[./images/insecam-04.png]]
|
||
#+LATEX: }
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
How about inside hospital rooms?
|
||
This patient has an ice pack strapped to the side of her face.
|
||
I'm pretty sure this feed was outside of the United States;
|
||
I can't imagine that this type of thing would make it past HIPAA audits.
|
||
|
||
How about inside someone's home?
|
||
This looks to be a bedroom.
|
||
There is a family photo on the wall.
|
||
Oh yeah.
|
||
|
||
I saw someone at the dentist getting a teeth cleaning.
|
||
I didn't copy that photo at the time,
|
||
and I can't find it now, fortunately.
|
||
|
||
This is an excellent example to demonstrate to others why this is such a big
|
||
deal.
|
||
This should make anyone feel uncomfortable.
|
||
|
||
Especially those home cameras.
|
||
I wish I knew whose camera that was,
|
||
so that they could be notified.
|
||
These people are unaware.
|
||
And these manufactuers set them up for this.
|
||
|
||
Even if you can't find a camera on this site,
|
||
Shodan might have indexed it;
|
||
just connect.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Smart TVs (Samsung Privacy Policy) :B_fullframe:
|
||
:PROPERTIES:
|
||
:BEAMER_env: fullframe
|
||
:DURATION: 00:00:30
|
||
:END:
|
||
|
||
#+BEGIN_QUOTE
|
||
``Please be aware that if your spoken words include personal or other
|
||
sensitive information, that information will be among the data captured and
|
||
transmitted to a third party through your use of Voice Recognition.''
|
||
|
||
\hfill---Samsung SmartTV Privacy Policy, 2015
|
||
|
||
\cite{eff:samsung-tv-policy}
|
||
#+END_QUOTE
|
||
|
||
#+BEGIN_COMMENT
|
||
So while we're on the topic of being in someone's home...
|
||
|
||
Samsung's SmartTV privacy policy caused a big fuss a couple years ago by
|
||
blatantly stating that your personal conversations will be sent to
|
||
third-party servers for voice recognition.
|
||
|
||
It was compared to George Orwell's telescreens.
|
||
|
||
<Read above>
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Smart TVs (Weeping Angel) :B_fullframe:
|
||
:PROPERTIES:
|
||
:BEAMER_env: fullframe
|
||
:DURATION: 00:00:30
|
||
:END:
|
||
|
||
***** Wikileaks
|
||
:PROPERTIES:
|
||
:BEAMER_col: 0.15
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+ATTR_LATEX: :height 1in
|
||
[[./images/tp/wikileaks.png]]
|
||
#+END_CENTER
|
||
|
||
***** Title
|
||
:PROPERTIES:
|
||
:BEAMER_col: 0.60
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+BEAMER: {\Huge Weeping Angel}
|
||
\par\incite{vault7:weeping,vault7:y0}
|
||
|
||
- Suppress LEDs for ``fake off''
|
||
- Record audio
|
||
- Remote shell and file transfer
|
||
- Extract WiFi credentials
|
||
- ``TODO'': Record video
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
But it might not be Samsung that's listening.
|
||
|
||
Recently,
|
||
Wikileaks released what it refers to as ``Vault 7'',
|
||
an unprecedented doxxing of the CIA.
|
||
|
||
Weeping Angel was one of the projects.
|
||
It targets Samsung Smart TVs and can suppress LEDs to enter what they call a
|
||
``fake off'' mode,
|
||
covertly listening to the environment.
|
||
As of their 2014 notes,
|
||
video surveillance was explicitly on their TODO list.
|
||
I find it unlikely that they didn't succeed given that they appear to have
|
||
root access to the device.
|
||
#+END_COMMENT
|
||
|
||
***** CIA
|
||
:PROPERTIES:
|
||
:BEAMER_col: 0.15
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+ATTR_LATEX: :height 0.85in
|
||
[[./images/tp/cia-logo.png]]
|
||
#+END_CENTER
|
||
|
||
|
||
#+BEGIN_COMMENT
|
||
If Samsung isn't listening,
|
||
then others might be.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Smart TV Ransomware (LG)
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:15
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+ATTR_LATEX: :height 2in
|
||
[[./images/tp/lgtv-pwnd.png]]
|
||
|
||
\incite{bleep:lgtv-ransom}
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
Remember:
|
||
if the CIA exploited a vulnerability,
|
||
it's very possible that other adversaires have as well;
|
||
it isn't just the CIA you have to worry about.
|
||
|
||
This is an LG Smart TV owned by Android ransomware.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Amazon Echo---Always Listening
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:45
|
||
:END:
|
||
|
||
***** Echo echo echo echo...
|
||
:PROPERTIES:
|
||
:BEAMER_col: 0.3
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+ATTR_LATEX: :height 2in
|
||
[[./images/tp/amazon-echo.jpg]]
|
||
|
||
\incite{w:file:echo}
|
||
#+END_CENTER
|
||
|
||
|
||
***** Summary
|
||
:PROPERTIES:
|
||
:BEAMER_col: 0.7
|
||
:END:
|
||
|
||
- Voice recognition on Amazon's servers; have recordings
|
||
\cite{engadget:murder-echo,guardian:murder-echo}
|
||
- Warrant issued in murder case for recordings
|
||
\cite{engadget:murder-echo,guardian:murder-echo}
|
||
- Always listening; ``wake word'' doesn't matter (they control the software;
|
||
device can be compromised)\cite{gizmodo:echo-wiretap}
|
||
- <2-> Should do voice recognition on the device
|
||
- <2-> Run free software
|
||
- <2-> Connect to /your own server/ for actions
|
||
- <2-> Hardware switch for microphone
|
||
|
||
#+BEGIN_COMMENT
|
||
Personal assistants have become pretty popular.
|
||
Amazon Echo is one of those ``always-listening'' devices that can do your
|
||
bidding.
|
||
But since it performs voice recognition on Amazon's servers,
|
||
they have access to recordings of your data.
|
||
A court has issued a warrant for those recordings in a murder case in
|
||
December of this past year.
|
||
|
||
Look: a device like this---one that is always listening---
|
||
is a security nightmare.
|
||
It doesn't matter if it has some sort of ``wake word'';
|
||
functionality can be hidden from you or changed with an update.
|
||
You do not have control over that device or the software that it is running.
|
||
If an attacker owns the device,
|
||
they're sitting there in your living room.
|
||
A device like this needs to do voice recognition locally,
|
||
run free software,
|
||
connect to a server of /your choosing/ for actions.
|
||
and have a hardware switch for the microphone.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Consder the Benign
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:20
|
||
:END:
|
||
- Water meter used in murder case as evidence\cite{guardian:murder-echo}
|
||
- 140 gallons between 1AM and 3AM in Winter?
|
||
- Thermostat?
|
||
- Usage patterns could hint at when you're home
|
||
- Window/door sensors?
|
||
|
||
#+BEGIN_COMMENT
|
||
Consider what devices in your home might have access to.
|
||
|
||
That murder case I just mentioned with the Echo---
|
||
they also gathered data from the water meter which showed that the
|
||
suspect used 140 gallons between 1AM and 3AM.
|
||
During Winter, nonetheless.
|
||
|
||
Your thermostat could reveal usage patterns to determine remotely when you
|
||
might be home.
|
||
There are door and window sensors.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Creepy-Ass Children's Toys?
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:15
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+BEAMER: \uncover<2>{
|
||
#+ATTR_LATEX: :height 0.15in
|
||
[[./images/tp/the-onion-logo.png]] ???
|
||
#+BEAMER: }
|
||
#+ATTR_LATEX: :height 2.35in
|
||
[[./images/guardian-doll-spy.png]]\incite{guardian:doll-spy}
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
What about creepy-ass children's toys?
|
||
I took a screenshot of this Guardian article because...
|
||
A couple years ago you'd only find a headline like this in something like
|
||
The Onion.
|
||
|
||
``German watchdog classifies My Friend Cayla doll as `illegal espionage
|
||
apparatus'.''
|
||
|
||
/What the hell./
|
||
#+END_COMMENT
|
||
|
||
|
||
|
||
**** READY ALPRs Wide Open
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:20
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+ATTR_LATEX: :height 1.5in
|
||
[[./images/tp/alpr-pips.png]]\incite{eff:alpr}
|
||
#+END_CENTER
|
||
|
||
- John Matherly (Shodon author) noticed many web-accessible PIPS
|
||
control panels
|
||
- Other researcher found some accessible via telnet\cite{darius:alpr-telnet}
|
||
|
||
#+BEGIN_COMMENT
|
||
Alright, well, stupid things happen outside the home too.
|
||
Those ALPRs we just talked about.
|
||
|
||
Turns out that they have web interfaces.
|
||
John Matherly, the author of Shodon, found a number of control panels for
|
||
PIPS ALPRs.
|
||
Another researcher found telnet access on some.
|
||
In both cases,
|
||
license plate data could be extracted,
|
||
and the system could be reconfigured.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Biometrics
|
||
:PROPERTIES:
|
||
:DURATION: 00:01:00
|
||
:END:
|
||
|
||
- <1-> Humans no longer need to scour video
|
||
feeds\cite{eff:facial-tech,churchix,facefirst,pbs:nova:boston}
|
||
- <1-> Facial recognition widely used, even for
|
||
mobile\nbsp apps\cite{register:fb-scan,eff:ios-photo-diff,eff:fbi-bio}
|
||
- <2-> NYPD has a gallery of over 4M individuals\cite{pbs:nova:boston}
|
||
- <2-> Quality can be low and pixelated; various machine learning
|
||
algorithms\cite{pbs:nova:boston,wired:pixel-face,arxiv:google-pixel-res}
|
||
- <3-> No face? Check your gait.\cite{ieee:gait,ijca:gait}
|
||
- <4-> No gait? Well\ldots whatever, just ask Facebook.\cite{newsci:fb-noface}
|
||
- <5-> Even fingerprints and iris from high-resolutions photos\cite{bio:iris}
|
||
|
||
#+BEGIN_COMMENT
|
||
Now let's couple that with facial recognition.
|
||
|
||
Consider the breadth of devices we just covered.
|
||
Literally everywhere.
|
||
People don't need to manually look for you anymore;
|
||
it's automated.
|
||
Hell, any of us can download a free (as in freedom) library to do facial
|
||
recognition and train it to recognize people.
|
||
It doesn't even have to be clear---
|
||
there's machine learning algorithms to reconstruct pixelated faces with
|
||
somewhat decent accuracy to be useful.
|
||
The NYPD has over 4 million people's images in a database that they compare
|
||
against during facial recognition.
|
||
|
||
Don't have a face?
|
||
You can also be identified by your gait.
|
||
No gait?
|
||
Facebook famously got even creepier by saying it could recognize people by
|
||
their dress, posture, and hair, without even seeing their face.
|
||
|
||
Your fingerprints and iris data can even be extracted from high-resolution
|
||
photos;
|
||
a cracker used such a method to defeat Apple's TouchID by making a mould.
|
||
|
||
There's a lot more to say about IoT.
|
||
We'll come back to it.
|
||
#+END_COMMENT
|
||
|
||
|
||
*** READY Social Media [1/1]
|
||
**** READY Collateral Damage
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:45
|
||
:END:
|
||
|
||
- <1-> Please don't put pictures of me on Facebook\cite{rms:facebook}
|
||
- <1-> Don't put pictures of my children _anywhere_\cite{techcrunch:fb-baby}
|
||
- <2-> That person in the distance is collateral
|
||
damage\cite{register:fb-scan,guardian:fb-scan,pbs:nova:boston}
|
||
|
||
#+BEGIN_COMMENT
|
||
So you don't have any unsecured IoT cameras in your home.
|
||
Or in this conference.
|
||
But you do have unsecured people running wild with their photos and their
|
||
selfies.
|
||
|
||
I'm sure you've heard a frequent request/demand from rms:
|
||
"Don't put pictures of me on Facebook."
|
||
It's excellent surveillance.
|
||
What irks me is when people try to take pictures of my kids,
|
||
or do and ask if they can put them online.
|
||
Uh, no. You cannot.
|
||
And people are sometimes surprised by that refusal.
|
||
|
||
Most people are being innocent---
|
||
they're just trying to capture the moment.
|
||
What they're actually doing is inflicting collateral damage.
|
||
If I'm off in the background when you take a picture of your friends in the
|
||
foreground,
|
||
I'm still in the photo.
|
||
Just something to consider when taking photos of others..
|
||
#+END_COMMENT
|
||
|
||
|
||
** AUGMENT The Web [7/7]
|
||
*** READY Introduction [1/1] :B_ignoreheading:
|
||
:PROPERTIES:
|
||
:BEAMER_env: ignoreheading
|
||
:END:
|
||
**** READY Introduction :B_fullframe:
|
||
:PROPERTIES:
|
||
:BEAMER_env: fullframe
|
||
:DURATION: 00:00:10
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
\Huge Fleshy You $\Longleftrightarrow$ Virtual You
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
But you're not just tracked in the flesh.
|
||
Much of what we do today is virtual.
|
||
So, naturally, there are those that want to bridge them.
|
||
|
||
There's a lot of research and methods to achieve this;
|
||
we're only going to explore one of the most startling ones.
|
||
#+END_COMMENT
|
||
|
||
|
||
*** READY Bridging the Gap [3/3]
|
||
**** READY FTC: They're Watching You :B_fullframe:
|
||
:PROPERTIES:
|
||
:BEAMER_env: fullframe
|
||
:DURATION: 00:00:40
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
[[./images/tp/ftc-silver.png]]\par\incite{ftc:silver}
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
This is a sample letter template from the FTC.
|
||
It states: <read paragraph>.
|
||
A challenge for advertisers is correlating users across multiple devices,
|
||
and in the real world.
|
||
|
||
Let's say you saw a commercial for some product Foo on TV.
|
||
And then you went online to research Foo.
|
||
And then you bought Foo.
|
||
|
||
Sometimes commercials have you enter promo codes online to know that you
|
||
arrived at the site from a TV commercial.
|
||
Or give you a unique URL.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Ultrasound Tracking
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:15
|
||
:END:
|
||
|
||
#+BEAMER: \only<1>{
|
||
#+BEGIN_CENTER
|
||
\cdots $\Longleftrightarrow$ TV $\Longleftrightarrow$
|
||
Retail Store $\Longleftrightarrow$
|
||
Mobile $\Longleftrightarrow$ Web $\Longleftrightarrow$ \cdots
|
||
#+END_CENTER
|
||
|
||
- Correlates users across devices; airgap
|
||
bridge\cite{ubeacsec:paper,wired:ultrasonic}
|
||
- Inaudible to humans
|
||
- Could deanonymize (e.g. Tor users)\cite{33c3:talk-behind,bleep:ultrasound-tor}
|
||
#+BEAMER: }
|
||
|
||
#+BEAMER: \only<2>{
|
||
#+BEGIN_CENTER
|
||
[[./images/tp/silverpush-logo.png]]
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_QUOTE
|
||
``Silverpush could generate a detailed log of the television
|
||
content viewed while a user’s mobile phone was
|
||
turned\nbsp{}on.''\cite{ftc:silver}
|
||
#+END_QUOTE
|
||
#+BEAMER: }
|
||
|
||
#+BEGIN_COMMENT
|
||
Others play inaudible sounds that are picked up by your mobile device or
|
||
computer.
|
||
|
||
This has other serious implications.
|
||
There are concerns, for example, about this method being able to be used to
|
||
deanonymize Tor users.
|
||
|
||
In that letter, FTC mentions Silverpush by name.
|
||
There are other companies too;
|
||
see the references.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Ultrasound Cross-Device Tracking (uXDT)
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:45
|
||
:END:
|
||
|
||
- <1-> Termed ``Ultrasound Cross-Device Tracking''
|
||
(uXDT)\cite{bleep:ultrasound-tor,ftc:xdt}
|
||
- <1-> Mitigations?
|
||
- <2-> SilverDog is a Chromium addon to filter HTML5 audio\cite{ubeacsec:paper}
|
||
- <3-> Don't install software that keep secrets (proprietary)
|
||
- <3-> Don't run untrusted code on websites (use e.g. NoScript)\cite{mtg:rof}
|
||
- <4-> Turn off your device when not in use
|
||
- <4-> Keep device away from other media
|
||
|
||
#+BEGIN_COMMENT
|
||
This is termed ``Ultrasound Cross-Device Tracking'',
|
||
or simply ``Cross-Device Tracking''.
|
||
How do you go about mitigating this type of threat?
|
||
|
||
Well, researchers studying this issue wrote SilverDog,
|
||
a Chromium addon to filter HTML5 audio to remove ultrasonic frequencies.
|
||
That doesn't help with TorBrowser, though, which is FF-based.
|
||
The reserachers also propose a change to the Android permission system for
|
||
audio.
|
||
|
||
This type of thing only works when you're keeping some serious secrets.
|
||
That's easy to do with proprietary software.
|
||
Much riskier to do (but not impossible) with free software.
|
||
For websites, don't run untrusted JavaScript code;
|
||
block it with an addon like NoScript.
|
||
We'll get into that in a little bit.
|
||
|
||
You can also turn off the device when not in use,
|
||
and maybe keep it away from other media.
|
||
This is far from the only mobile threat;
|
||
you may want to take precautions for other things anyway.
|
||
#+END_COMMENT
|
||
|
||
|
||
*** READY Analytics [4/4]
|
||
**** READY Introduction :B_fullframe:
|
||
:PROPERTIES:
|
||
:BEAMER_env: fullframe
|
||
:DURATION: 00:00:15
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+BEGIN_LATEX
|
||
\only<1-3>{
|
||
{\Huge Data Analytics}
|
||
|
||
\uncover<2-3>{\LARGE (Building User Profiles)}
|
||
|
||
\uncover<3>{\large (Tracking)}
|
||
}
|
||
|
||
\only<4->{
|
||
{\Huge Spyware}
|
||
|
||
\uncover<5>{\LARGE (With Science)}
|
||
}
|
||
#+END_LATEX
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
This all leads into a larger subject called ``data analytics''.
|
||
|
||
Which is really just building, analyzing, and aggregating user profiles.
|
||
|
||
Which is generally called tracking.
|
||
|
||
...which we usually just call spyware.
|
||
But this has science!
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Trackers
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:15
|
||
:END:
|
||
|
||
- <1-> Website owners want to know what their visitors are doing
|
||
- <1-> That in itself isn't an unreasonable concept
|
||
- <2-> Methods and data define the issue
|
||
|
||
#+BEGIN_COMMENT
|
||
Website owners want to know what their visitors are doing.
|
||
That in itself isn't an unreasonable thing, broadly speaking,
|
||
but how you go about it and what types of data you collect
|
||
defines the issue.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Google Analytics
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:30
|
||
:END:
|
||
|
||
***** GA Dashboard
|
||
:PROPERTIES:
|
||
:BEAMER_col: 0.45
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+BEAMER: \only<1>{
|
||
#+ATTR_LATEX: :height 1.5in
|
||
[[./images/tp/ga-dashboard.png]]
|
||
|
||
\incite{google:ga:features}
|
||
#+BEAMER: }
|
||
#+BEAMER: \only<2>{
|
||
[[./images/analytics-usage.png]]
|
||
\incite{w3techs:analytics}
|
||
#+BEAMER: }
|
||
#+END_CENTER
|
||
|
||
***** Description
|
||
:PROPERTIES:
|
||
:BEAMER_col: 0.45
|
||
:END:
|
||
|
||
- <1-> User location, screen resolution, time on page, heatmap,
|
||
etc\cite{w:behavioral-targeting}
|
||
- <1-> Unique identifier assigned
|
||
- <1-> Fine-grained reporting for site owner
|
||
- <2-> Knows many sites user visited across Web\cite{w3techs:google}
|
||
|
||
#+BEGIN_COMMENT
|
||
Take Google Analytics for example.
|
||
It is one of the most widely distributed spyware programs in the world.
|
||
|
||
It collects a variety of user data.
|
||
A lot of it really is what website owners want to know:
|
||
geography, screen resolution, time on the page, heatmaps, etc.
|
||
Except...
|
||
|
||
All of this is known to Google.
|
||
And because services like GA, AdWords, etc are so widely used,
|
||
all of this can be used to identify users across the entire web.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Piwik
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:20
|
||
:END:
|
||
|
||
***** Dashboard
|
||
:PROPERTIES:
|
||
:BEAMER_col: 0.65
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
[[./images/tp/piwik-dashboard.png]]
|
||
|
||
\incite{piwik}
|
||
#+END_CENTER
|
||
|
||
|
||
***** Description
|
||
:PROPERTIES:
|
||
:BEAMER_col: 0.35
|
||
:END:
|
||
|
||
- <2-> Data on **your own servers**\cite{mtg:gitlab-piwik}
|
||
- <2-> Visitor privacy settings\cite{piwik:privacy}
|
||
- <2-> Privacy as a site owner
|
||
|
||
#+BEGIN_COMMENT
|
||
If you must track your users, consider using Piwik, which you can host
|
||
yourself.
|
||
This means that your visitor data aren't stored and accessible by Google or
|
||
other companies.
|
||
Pwik has some user privacy settings to anonymize, remove logs, respect DNT,
|
||
provide opt-out, etc.
|
||
It also gives website owners some privacy by not leaking paths and other
|
||
information about the website:
|
||
#+END_COMMENT
|
||
|
||
*** READY Social Networking
|
||
**** READY Like Buttons
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:30
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+ATTR_LATEX: :height 1.5in
|
||
[[./images/tp/fb-like.png]]\incite{w:fb-like-img}
|
||
#+END_CENTER
|
||
|
||
- <2-> Infecting the Web with trackers under guise of
|
||
community\cite{pnas:predict,w:behavioral-targeting,uld:fb}
|
||
- <2-> Tracks regardless of whether you are logged in to Facebook
|
||
\cite{bloomberg:belgum-fb,roosendaal:fb-like,networks-of-control}
|
||
|
||
#+BEGIN_COMMENT
|
||
Another popular example are "like buttons" and similar little widgets that
|
||
websites like Facebook offer.
|
||
It might help get the word out about your stuff,
|
||
but please don't fall into the trap of betraying your visitors.
|
||
Please don't fall into the trap of clicking it, either---
|
||
it's easy to infer a great deal of information about you from what you
|
||
"like".
|
||
|
||
If a user is logged into Facebook,
|
||
then Facebook now knows that they visited that website,
|
||
_even if they don't click on the button_.
|
||
|
||
But even if you don't have a Facebook account,
|
||
you are still being tracked.
|
||
#+END_COMMENT
|
||
|
||
|
||
*** READY Fingerprinting [3/3]
|
||
**** READY Summary :B_fullframe:
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:10
|
||
:BEAMER_env: fullframe
|
||
:END:
|
||
#+BEGIN_CENTER
|
||
\Huge Fingerprinting
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
These methods are part of a broader topic called ``fingerprinting''.
|
||
It's just what it sounds like:
|
||
uniquely identify users online.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY EFF Research :B_fullframe:
|
||
:PROPERTIES:
|
||
:BEAMER_env: fullframe
|
||
:DURATION: 00:00:20
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+BEAMER: \only<1>{
|
||
EFF Research, 2010:\cite{eff:browser-uniqueness-blog,eff:browser-uniqueness}
|
||
|
||
#+BEGIN_QUOTE
|
||
``In our analysis of anonymized data from around half a million distinct
|
||
browsers, 84% had unique configurations. Among browsers that had Flash or
|
||
Java installed, 94% were unique, and only 1% had fingerprints that were seen
|
||
more than twice.''
|
||
#+END_QUOTE
|
||
#+BEAMER: }
|
||
#+BEAMER: \only<2>{
|
||
That was seven years ago.
|
||
|
||
You're really screwed today.*
|
||
|
||
#+BEGIN_LATEX
|
||
\incite{eff:panopti2,eff:browser-uniqueness,mozilla:fingerprinting,%
|
||
chromium:identification,tor:browser-design,stanford:private-browsing,%
|
||
norte:tor-fingerprint,browserleaks,ars:fingerprint,hardware-fingerprint}
|
||
#+END_LATEX
|
||
#+BEAMER: }
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
Back in 2010,
|
||
the EFF released a paper with results from their fingerprinting research
|
||
project Panopticlick.
|
||
Back then,
|
||
they had an 84% success rate;
|
||
even higher with Flash and Java.
|
||
|
||
But we ain't in 2010 anymore.
|
||
We have options.
|
||
Very creative ones.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Alarmingly Effective
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:45
|
||
:END:
|
||
|
||
- Panopticlick (EFF)\cite{panopti:about}
|
||
- User Agent, cookies, screen resolution, fonts, language, session storage,
|
||
canvas, WebGL, ad blocker, audio, keystrokes,
|
||
mouse movement,\nbsp{}\ldots\cite{ijcseit:biometric}
|
||
- Can even track separate browsers on the same
|
||
hardware\cite{hardware-fingerprint,ars:fingerprint}
|
||
|
||
#+BEGIN_COMMENT
|
||
Fingerprinting is alarmingly effective.
|
||
We don't have time to get into much detail on how it works;
|
||
I provided plenty of resources for that.
|
||
But there are some interesting ones.
|
||
|
||
We don't just have to rely on basic browser-provied information like user
|
||
agent, fonts, and cookies anymore.
|
||
How about tracking how the user moves her mouse and scrolls?
|
||
What about keystroke analysis?
|
||
Random noise from audio?
|
||
Time of CPU-intensive tasks like rendering 3D elements?
|
||
|
||
Some of these methods are hardware-based.
|
||
They can fingerprint even if the user opens a different browser,
|
||
or maybe even a different operating system,
|
||
on the same box.
|
||
|
||
Some are behavioral.
|
||
Keystroke patterns will persist wherever the user goes.
|
||
|
||
We'll get into some defenses in a bit.
|
||
#+END_COMMENT
|
||
|
||
|
||
|
||
*** READY Incentive to Betray [2/2]
|
||
**** READY Summary :B_fullframe:
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:30
|
||
:BEAMER_env: fullframe
|
||
:END:
|
||
|
||
- <1-> There is strong incentive to betray
|
||
- <2> Money (advertising)
|
||
- <2> Attention & praise
|
||
- <2> ``Business intelligence''
|
||
|
||
#+BEGIN_COMMENT
|
||
So how does tracking happen?
|
||
How does this tracking code _get_ on so much of the web?
|
||
|
||
Incentives to betray users.
|
||
|
||
Many websites make money through advertising.
|
||
It can be lucrative.
|
||
And it's _easy_ to do.
|
||
|
||
Others get addicted to attention and praise.
|
||
|
||
Others simply want to know what their visitors are doing on their website.
|
||
|
||
Most website owners don't think or know about these issues.
|
||
They're unknowing pawns in the Web of surveillance.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Web of Surveillance :B_fullframe:
|
||
:PROPERTIES:
|
||
:BEAMER_env: fullframe
|
||
:DURATION: 00:00:45
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+BEAMER: \only<1>{
|
||
#+ATTR_LATEX: :height 2.5in
|
||
[[./images/lightbeam-ex.png]]
|
||
|
||
\incite{moz:lightbeam}
|
||
#+BEAMER: }
|
||
#+BEAMER: \only<2>{
|
||
#+ATTR_LATEX: :height 2.5in
|
||
[[./images/lightbeam-ex-good.png]]
|
||
|
||
(After mitigations)
|
||
#+BEAMER: }
|
||
#+END_CENTER
|
||
|
||
|
||
#+BEGIN_COMMENT
|
||
And I do mean a Web of surveillance.
|
||
|
||
This is LightBeam.
|
||
It's an addon for Firefox that graphs first- and third-party sites that you
|
||
visit,
|
||
providing you with a visualization of the Web that's hidden from most
|
||
users.
|
||
I created a new FF profile and installed the addon;
|
||
none of my privacy settings or other addons I'm used to.
|
||
You can see at the top that I visited five websites:
|
||
Washington Post, NY Times from Google, Guardian, and---which you can't see
|
||
here because they're actually disjoint from this graph---The Intercept.
|
||
Good for them!
|
||
And yet,
|
||
it hit /86/ third party sites!
|
||
NYT alone connected to 47 different third parties!
|
||
|
||
I was blown away.
|
||
|
||
|
||
Some of these are trackers.
|
||
Some of them are remotely hosted scripts and fonts and media.
|
||
|
||
So let me show you what I'm used to seeing.
|
||
This is what happens when I try to mitigate some of these threats.
|
||
#+END_COMMENT
|
||
|
||
|
||
*** READY Mitigations & Anonymity [8/8]
|
||
**** READY Summary :B_fullframe:
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:05
|
||
:BEAMER_env: fullframe
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
\Huge How Do We Mitigate?
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
So how do we do that?
|
||
|
||
Well, it depends on your threat model,
|
||
but let's start with the easy stuff.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Disable the Damn JavaScript!
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:50
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+ATTR_LATEX: :height 1.5in
|
||
[[./images/tp/noscript.png]]
|
||
#+END_CENTER
|
||
|
||
#+BEAMER: \only<2-3>{
|
||
- <2-3> Preempt most sophisticated and damning fingerprinting methods
|
||
- <2-3> Stop hardware profiling
|
||
- <2-3> Stop keystroke/mouse analysis\cite{ijcseit:biometric}
|
||
- <3> Remember those audio beacons?\cite{bleep:ultrasound-tor}
|
||
#+BEAMER: }
|
||
#+BEAMER: \only<4-5>{
|
||
- <4-> Running arbitrary untrusted, unsigned, ephemeral code
|
||
(/also\nbsp{}from many third parties/)\cite{mtg:rof}
|
||
- <4-> /Restore Online Freedom!/ (My LibrePlanet 2016 talk)
|
||
- <5-> LibreJS blocks non-free, but free doesn't mean free of malice
|
||
#+BEAMER: }
|
||
#+BEAMER: \only<6>{
|
||
- NoScript blocks JavaScript based on URL patterns\cite{noscript}
|
||
- /Warning:/ Allows some sites by default!
|
||
- Also blocks media and fonts; provides XSS and clickjacking prevention
|
||
#+BEAMER: }
|
||
|
||
#+BEGIN_COMMENT
|
||
Okay, I can't say this enough.
|
||
Disable the damn JavaScript!
|
||
The Web isn't broken without it,
|
||
they're breaking the web /with/ it!
|
||
I write a lot of JavaScript for a living.
|
||
My GNU project is ease.js, which is a JavaScript library.
|
||
And yet,
|
||
/I only allow JavaScript to execute on a few websites!/.
|
||
Even on most websites I trust, I don't.
|
||
Some people run LibreJS,
|
||
and I support that project.
|
||
But note that free software doesn't mean free of malice;
|
||
LibreJS solves a different problem than the one I'm describing---
|
||
when you /do/ allow JS to run, it should be free.
|
||
|
||
It's probably obvious from the logo that I'm talking about the NoScript
|
||
addon.
|
||
It does more than just block JS---
|
||
it also blocks media, custom fonts, protects against certain types of XSS
|
||
and clickjacking attacks, and more.
|
||
If you don't know those are, that's okay.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY LightBeam NoScript :B_fullframe:
|
||
:PROPERTIES:
|
||
:BEAMER_env: fullframe
|
||
:DURATION: 00:00:15
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+BEAMER: \only<1>{
|
||
#+ATTR_LATEX: :height 2.5in
|
||
[[./images/lightbeam-ex.png]]
|
||
|
||
(Before NoScript)
|
||
#+BEAMER: }
|
||
#+BEAMER: \only<2>{
|
||
#+ATTR_LATEX: :height 2.5in
|
||
[[./images/lightbeam-ex-noscript.png]]
|
||
|
||
(After NoScript with /no whitelist/)
|
||
#+BEAMER: }
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
So this is our graph again before NoScript.
|
||
|
||
And here it is after running NoScript with no whitelist.
|
||
Without any other mitigations.
|
||
|
||
Obviously results will vary depending on the website.
|
||
|
||
We're going to get back to JS soon.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Block Ads and Trackers
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:45
|
||
:END:
|
||
#+BEGIN_CENTER
|
||
#+ATTR_LATEX: :height 0.75in
|
||
[[./images/tp/privacy-badger.png]]
|
||
#+ATTR_LATEX: :height 0.75in
|
||
[[./images/tp/ublock0.png]]
|
||
#+ATTR_LATEX: :height 0.75in
|
||
[[./images/tp/sdcookies.png]]
|
||
#+END_CENTER
|
||
|
||
- /Privacy Badger/ blocks trackers\cite{eff:privacy-badger,lp:2016:privacy-badger}
|
||
- /uBlock_0/ filters (primarily) ads\cite{gh:ublock-origin}
|
||
- /Self-Destructing Cookies/ clears cookies and
|
||
LocalStorage\cite{moz:sd-cookies}
|
||
|
||
#+BEGIN_COMMENT
|
||
The issue surrounding Ad Blockers is framed such that we're waging war
|
||
against advertisers.
|
||
No---they're waging war against /us/.
|
||
|
||
You'll find that the bulk of what these addons handle is related to ad
|
||
networks.
|
||
Privacy Badger works to block sites that appear to be tracking you.
|
||
Cooper Quintin---developer of Privacy Badger---gave a great talk last year
|
||
here at LP; go check it out.
|
||
uBlock Origin describes itself as a ``wide-spectrum blocker'',
|
||
but it serves primarily as an ad blocker.
|
||
Self-Destructing cookies clears out a site's cookies and LocalStorage once a
|
||
tab is closed.
|
||
There may be better options out there;
|
||
this seems to be useful for me.
|
||
|
||
I don't have time to go into technical details, unfortunately.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Anonymity :B_fullframe:
|
||
:PROPERTIES:
|
||
:BEAMER_env: fullframe
|
||
:DURATION: 00:00:15
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+BEAMER: \only<1>{
|
||
#+BEAMER: {\Huge Anonymity}
|
||
|
||
\bigskip
|
||
Origin is unknown to server; no unique identifier known
|
||
by\nbsp{}server\incite{whonix:donot}
|
||
#+BEAMER: }
|
||
#+BEAMER: \only<2>{
|
||
#+BEAMER: {\Huge Pseudonymity}
|
||
|
||
\bigskip
|
||
Origin is unknown to server; unique identifier /is\nbsp{}available/
|
||
to\nbsp{}server\incite{whonix:donot}
|
||
#+BEAMER: }
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
Another way is to be anonymous or pseudononymous.
|
||
In the latter case,
|
||
you assume a pseudoynm online and perform only activities that should be
|
||
associated with that pseudonym.
|
||
In the former case,
|
||
there should be no way to ever correlate past or future actions with your
|
||
current session.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY IANAAE :B_fullframe:
|
||
:PROPERTIES:
|
||
:BEAMER_env: fullframe
|
||
:DURATION: 00:00:15
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+BEAMER: {\Huge IANAAE}
|
||
|
||
(I Am Not An Anonymity Expert)
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
This is a difficult topic that's pretty dangerous to give advice on if you
|
||
have strong need for anonymity---for example, if you are a dissident or
|
||
whistleblower.
|
||
If your life depends on anonymity,
|
||
please do your own research.
|
||
I provide a number of resources to get you started.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY The Tor Network
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:45
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+BEAMER: \only<1>{
|
||
#+ATTR_LATEX: :height 1in
|
||
[[./images/tp/tor.png]]
|
||
#+BEAMER: }
|
||
#+BEAMER: \only<2>{
|
||
[[./images/tp/tor-diagram.png]]\incite{tor:overview}
|
||
#+BEAMER: }
|
||
#+END_CENTER
|
||
|
||
- <1> The Onion Router (Tor)\cite{tor}
|
||
- <1> Helps defend against traffic analysis
|
||
|
||
#+BEGIN_COMMENT
|
||
Most here have probably heard of Tor.
|
||
Its purpose is to protect against certain kinds of traffic analysis.
|
||
|
||
"Tor" stands for "The Onion Router",
|
||
which describes how it relays data through the Tor network.
|
||
|
||
The packet is routed through a number of servers,
|
||
encrypted with the public key of each server such that the first hop
|
||
strips off the first layer and so on,
|
||
like an onion.
|
||
The exit node reveals the packet and delivers it to the destination,
|
||
then begins relaying the reply back to through the network to the
|
||
requesting user.
|
||
|
||
As long as a sufficient portion of the network can be trusted and has not
|
||
been compromised by an adversary,
|
||
it should not be possible to figure out that path.
|
||
|
||
The most common use of Tor is to route web traffic.
|
||
|
||
There are lots of other details that I don't have time to get to here,
|
||
but I provide a number of resources for you.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY TorBrowser, Tails, and Whonix
|
||
:PROPERTIES:
|
||
:DURATION: 00:01:30
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+BEAMER: \only<2>{
|
||
#+ATTR_LATEX: :height 1in
|
||
[[./images/tp/torbrowser.png]]
|
||
#+BEAMER: }
|
||
#+BEAMER: \only<3>{
|
||
#+ATTR_LATEX: :height 1in
|
||
[[./images/tp/tails.png]]
|
||
#+BEAMER: }
|
||
#+BEAMER: \only<4>{
|
||
#+ATTR_LATEX: :height 1in
|
||
[[./images/tp/whonix.png]]
|
||
#+BEAMER: }
|
||
#+END_CENTER
|
||
|
||
#+BEAMER: \only<1>{
|
||
- Also need to change browsing habits\cite{whonix:donot}
|
||
#+BEAMER: }
|
||
#+BEAMER: \only<2>{
|
||
- Browser needs to be hardened
|
||
- Remember: browser leaks a lot of
|
||
data\cite{panopti:about,eff:browser-uniqueness}
|
||
- TorBrowser is a hardened Firefox derivative\cite{tor:browser,tor:browser-design}
|
||
#+BEAMER: }
|
||
#+BEAMER: \only<3->{
|
||
- <3-> Operating System needs to be hardened
|
||
- <3-> Tails---The Amnesic Incognito Live System\cite{tor:tails}
|
||
- <4> Whonix---Multi-layer isolation in VMs\cite{whonix}
|
||
#+BEAMER: }
|
||
|
||
#+BEGIN_COMMENT
|
||
But Tor alone isn't enough to secure your anonymity.
|
||
You also have to change your browsing habits.
|
||
That is difficult and nuanced advice to give,
|
||
let alone in a mention in a talk,
|
||
so I defer to my citations.
|
||
|
||
For some people, that's enough.
|
||
If your threat model involves only advertisers and other snoopers,
|
||
you might be okay with Tor and privacy extensions.
|
||
For nearly all of my Web traffic,
|
||
that's what I care about.
|
||
|
||
But if you're a dissident,
|
||
and your life is in danger,
|
||
you have more work to do.
|
||
If you are worried about government surveillance or cracking,
|
||
you have more work to do.
|
||
|
||
It's hard to secure a web browser.
|
||
|
||
TorBrowser is a hardened version of Firefox.
|
||
The Tor browser recommends that you don't rely on a vanilla Firefox for
|
||
anonymity with Tor.
|
||
|
||
The operating system needs hardening.
|
||
There are two major options.
|
||
The first one is Tails: The Amnesic Incognito Live System.
|
||
It is an ephemeral OS that you can simply boot from USB on any PC.
|
||
It routes all traffic through the Tor network.
|
||
|
||
The second is Whonix.
|
||
It is not ephemeral: it requires a host OS (or hypervisor) and runs two VMs:
|
||
one is the guest that the user uses as a desktop,
|
||
and the other is the VM it routes all traffic through,
|
||
which goes through Tor.
|
||
If the guest the user is using is compromised,
|
||
an attacker cannot subvert the Tor network.
|
||
|
||
There's obvious tradeoffs there for both;
|
||
I encourage you to look into both before deciding which is best for your
|
||
threat model.
|
||
#+END_COMMENT
|
||
|
||
|
||
** AUGMENT Data and Profiling [4/4]
|
||
*** READY Introduction :B_ignoreheading:
|
||
:PROPERTIES:
|
||
:BEAMER_env: ignoreheading
|
||
:END:
|
||
**** READY Introduction :B_fullframe:
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:05
|
||
:BEAMER_env: fullframe
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+BEAMER: \only<1>{
|
||
\Huge ``Big Data''
|
||
|
||
(/Your/ Big Data)
|
||
#+BEAMER: }
|
||
#+BEAMER: \only<2>{
|
||
\Huge ``Business Intelligence''
|
||
#+BEAMER: }
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
We've seen adversaries with different motives.
|
||
Let's explore what some of them do with all those data.
|
||
|
||
This is a ``big data'' problem.
|
||
You might also hear this called ``business intelligence''.
|
||
#+END_COMMENT
|
||
|
||
*** READY Those Who Spy
|
||
**** READY Data Brokers
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:15
|
||
:END:
|
||
|
||
***** Lightbeam Reminder
|
||
:PROPERTIES:
|
||
:BEAMER_col: 0.50
|
||
:END:
|
||
|
||
[[./images/lightbeam-ex.png]]
|
||
|
||
***** Summary
|
||
:PROPERTIES:
|
||
:BEAMER_col: 0.50
|
||
:END:
|
||
|
||
- Ghostery lists *over 3,000 companies receiving web/app
|
||
data*\cite{ghostery:companies}
|
||
|
||
|
||
#+BEGIN_COMMENT
|
||
Back to that Lightbeam graph of third parties.
|
||
Ghostery has a list of third parties receiving web and app data.
|
||
There's over 3,000 of them.
|
||
|
||
Looking at this graph from a few sites,
|
||
that might not be too surprising.
|
||
#+END_COMMENT
|
||
|
||
**** READY Oracle Identity Graph
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:30
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+ATTR_LATEX: :height 1.90in
|
||
[[./images/tp/oracle-id-fuu.png]]
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_QUOTE
|
||
\footnotesize ``Aggregates and provides insights on over $2\nbsp{}trillion in
|
||
consumer spending from 1,500 data partners across 110 million US
|
||
households''\cite{oracle:datalogix-acq}
|
||
#+END_QUOTE
|
||
|
||
#+BEGIN_COMMENT
|
||
Look how happy she is to be tracked!
|
||
I'm kidding of course.
|
||
If we put some random person's picture in her place,
|
||
they might feel a bit uncomfortable.
|
||
|
||
Alright, Oracle Identity Graph.
|
||
<Read quote>
|
||
|
||
Look at that last bullet point there.
|
||
``Deliver a more relevant customer experience''.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY All About the Experience :B_fullframe:
|
||
:PROPERTIES:
|
||
:BEAMER_env: fullframe
|
||
:DURATION: 00:00:05
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
\Huge ``More Relevant Customer Experience''
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
More relevant customer experience.
|
||
You hear that a lot from advertisers,
|
||
especially to justify.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Target Pregnancy Prediction
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:25
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+ATTR_LATEX: :height 1in
|
||
[[./images/tp/target-logo.png]]
|
||
#+END_CENTER
|
||
|
||
- <1-> Records purchases, credit cards, coupons, surveys, refunds, customer
|
||
helpline calls, email, website visits, \ldots\cite{networks-of-control}
|
||
- <1-> Purchase more information from third parties\cite{networks-of-control}
|
||
- <2-> Identified 25 products to create a ``pregnancy prediction'' score and
|
||
estimate due date\cite{nyt:learn-secrets}
|
||
- <2-> Quantities of types of lotions, soaps, cotton balls,
|
||
supplements,\nbsp{}etc
|
||
|
||
#+BEGIN_COMMENT
|
||
One of the most popular examples of these types of analytics is a case where
|
||
a father received coupons for baby clothes in the mail for his daughter.
|
||
Target successfully predicted that she was pregnant based on certain items
|
||
that she purchased,
|
||
like quantities of certain lotions,
|
||
and even things like cotton balls.
|
||
They call this a ``pregnancy prediction''.
|
||
It's creepy.
|
||
It's lucrative.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY Transparency Needed
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:40
|
||
:END:
|
||
|
||
***** Trustev Graph
|
||
:PROPERTIES:
|
||
:BEAMER_col: 0.50
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
[[./images/tp/trustev-graph.png]]
|
||
|
||
\incite{trustev:tech}
|
||
#+END_CENTER
|
||
|
||
***** Summary
|
||
:PROPERTIES:
|
||
:BEAMER_col: 0.50
|
||
:END:
|
||
- *Let users see their data in this graph!*
|
||
- Erase nonpublic information that they don't want to be known
|
||
- Let them correct what is wrong
|
||
- <3> Also a problem with law enforcement / government
|
||
- <2-> Let them *opt out!*
|
||
|
||
#+BEGIN_COMMENT
|
||
Look, at the end of the day,
|
||
some people do legitimately want this.
|
||
They want to have this ``relevant customer experience''.
|
||
|
||
What we need is transparency.
|
||
|
||
Companies like Oracle should let you see your data in this graph.
|
||
Let you correct it if it's wrong.
|
||
Erase it if it's nonpublic information that you don't want to be known.
|
||
And allow you to /opt out/!
|
||
|
||
We talked about government surveillance a while ago.
|
||
This is a problem there as well.
|
||
What if you're flagged as suspicious?
|
||
Put on some no-fly list or terrorism watch list?
|
||
What if it were based on completely wrong information inferred by some
|
||
algorithm?
|
||
|
||
Let's look at that graph on the left a little more closely.
|
||
#+END_COMMENT
|
||
|
||
|
||
*** READY These Data Affect Your Life!
|
||
**** READY Trustev Fraud Detection
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:25
|
||
:END:
|
||
#+BEGIN_CENTER
|
||
[[./images/tp/trustev-graph.png]]
|
||
|
||
\incite{trustev:tech}
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
This is a graph of sources for TransUnion's fraud prevention system.
|
||
There are a lot of data sources here.
|
||
And look at the node at the bottom---
|
||
``machine learning''.
|
||
|
||
What if this were wrong?
|
||
You'd be flagged as a fraud.
|
||
This could be inconvenient---
|
||
like not being able to make an online purchase.
|
||
But what if you are denied a loan because of things like this?
|
||
Or...denied employment?
|
||
#+END_COMMENT
|
||
|
||
|
||
**** READY LexisNexis
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:45
|
||
:END:
|
||
#+BEGIN_CENTER
|
||
#+ATTR_LATEX: :height 0.25in
|
||
[[./images/tp/lexisnexis.png]]
|
||
#+END_CENTER
|
||
|
||
- Risk management for insurance, finance, retail, travel,
|
||
government, gaming, and healthcare\cite{networks-of-control}
|
||
- Data on over 500 million customers
|
||
- TrueID---34 billion records from over 10,000 sources\cite{lexisnexis:trueid}
|
||
|
||
#+BEGIN_QUOTE
|
||
``We help insurers assess their risk and streamline the underwriting process
|
||
in 99% of all U.S. auto insurance claims and more than 90% of all homeowner
|
||
claims.''
|
||
#+END_QUOTE
|
||
|
||
#+BEGIN_COMMENT
|
||
There's a ton of these companies;
|
||
we only have time for a few.
|
||
LexisNexis is another popular one.
|
||
And it's fun to say.
|
||
|
||
They handle risk management for various industries.
|
||
And they pull from a pool of data of over 500 million customers.
|
||
|
||
<read quote>
|
||
|
||
To give you an idea of their scale:
|
||
they also have a system called TrueID,
|
||
which does identity verification for fraud detection.
|
||
They aggregate tens of billions of records from over ten thousand sources.
|
||
#+END_COMMENT
|
||
|
||
**** READY Palantir
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:25
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+ATTR_LATEX: :height 1in
|
||
[[./images/tp/palantir.png]]
|
||
#+END_CENTER
|
||
|
||
- Co-founded by Peter Thiel of PayPal
|
||
- CIA, DHS, NSA, FBI, the CDC, the Marine Corps, the Air Force, Special
|
||
Operations Command, West Point, the Joint IED-defeat organization and
|
||
Allies, the Recovery Accountability and Transparency Board and the
|
||
National Center for Missing and Exploited Children.\cite{techcrunch:palantir}
|
||
|
||
#+BEGIN_COMMENT
|
||
Another highly controversial one is Palantir.
|
||
It was started by one of the co-founders of PayPal, Peter Thiel,
|
||
for terrorism intelligence.
|
||
It's now used for its powerful analytic capabilities
|
||
by not only private corporations,
|
||
but numerous government agencies,
|
||
a few of them being the CIA, DHS, FBI, and the NSA itself.
|
||
|
||
Yeah.
|
||
What if these data are wrong?
|
||
#+END_COMMENT
|
||
|
||
|
||
*** READY More Information
|
||
|
||
**** READY Networks of Control :B_fullframe:
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:15
|
||
:BEAMER_env: fullframe
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
#+ATTR_LATEX: :height 2in
|
||
[[./images/tp/networks-of-control.png]]
|
||
|
||
\incite{networks-of-control,33c3:surveil}
|
||
|
||
Shock and Awe
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
If this topic interests you,
|
||
you need to read the paper Networks of Control.
|
||
One of the authors gave a talk at the recent Chaos Communication Congress,
|
||
and I was in both shock and awe.
|
||
I've only had the chance to skim the paper.
|
||
Both are referenced here.
|
||
#+END_COMMENT
|
||
|
||
** LACKING Policy and Government [0/6]
|
||
*** DRAFT Introduction [0/1] :B_ignoreheading:
|
||
:PROPERTIES:
|
||
:BEAMER_env: ignoreheading
|
||
:END:
|
||
**** DRAFT Introduction :B_fullframe:
|
||
:PROPERTIES:
|
||
:DURATION: 00:00:30
|
||
:BEAMER_env: fullframe
|
||
:END:
|
||
|
||
- <1-> Governments have a duty to protect their people
|
||
- <2-> Governments have a duty to protect citizens' rights
|
||
|
||
#+BEGIN_LATEX
|
||
\vspace{2ex}
|
||
\only<3>{
|
||
\begin{center}
|
||
These duties are often at odds
|
||
\end{center}
|
||
}
|
||
#+END_LATEX
|
||
|
||
#+BEGIN_COMMENT
|
||
Where to begin.
|
||
|
||
Governments have a duty to protect their people.
|
||
But they also have a duty to know their bounds;
|
||
to protect citizens' rights and privacy.
|
||
|
||
We know how that story goes.
|
||
#+END_COMMENT
|
||
|
||
|
||
*** LACKING Surveillance [0/7]
|
||
**** DRAFT History of NSA Surveillance
|
||
:PROPERTIES:
|
||
:DURATION: 00:02
|
||
:END:
|
||
|
||
- <1-> EFF has been fighting NSA domestic spying
|
||
since 2005\cite{eff:nsa:timeline,mtg:uproar}
|
||
- <1-> AT&T technician Mark Klein
|
||
- <1-> Dragnet surveillance; NSA-controlled ``SG3 Secure Room''
|
||
- <2-> Hepting v. AT&T (2006)
|
||
- <2-> Government and AT&T retroactive immunity through FAA (2008)
|
||
- <2-> Jewel v. NSA (2008)
|
||
- <2-> Summary of Voluminous Evidence
|
||
|
||
#+BEGIN_COMMENT
|
||
When we think of the term ``surveillance'',
|
||
the NSA usually comes to mind.
|
||
|
||
The Electronic Frontier Foundation has been fighting the NSA
|
||
in court since 2006.
|
||
In 2005, a former AT&T technician Mark Klein provided ``undisputed
|
||
evidence'' about an NSA-controlled room at AT&T named ``SG-3'', through
|
||
which all traffic passed.
|
||
|
||
The EFF filed Hepting v. AT&T in 2006.
|
||
But in 2008, both the government and AT&T were awarded retroactive immunity
|
||
through the FISA Amendments Act.
|
||
The case was dismissed in 2009, along with dozens of other lawsuits.
|
||
|
||
In response,
|
||
the EFF filed Jewel v. NSA.
|
||
The case also benefitted from three additional whistleblowers.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** DRAFT PRISM
|
||
- 6 June 2013---Guardian leaks slideshow describing PRISM
|
||
|
||
- All companies denied involvement
|
||
|
||
#+BEGIN_COMMENT
|
||
But it didn't end there!
|
||
Well, obviously, we know that now.
|
||
|
||
One day later,
|
||
the Guardian releases a leaked slideshow that describes PRISM.
|
||
|
||
All companies eventually denied involvement in this program.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** DRAFT Snowden
|
||
:PROPERTIES:
|
||
:DURATION: 00:01
|
||
:END:
|
||
|
||
- 9 June 2013---The Guardian reveals Edward Snowden as the whistleblower
|
||
|
||
- Smear campaign
|
||
|
||
|
||
#+BEGIN_COMMENT
|
||
These were serious leaks.
|
||
They still are.
|
||
And three days later---to our surprise---the source of the leaks was
|
||
revealed.
|
||
|
||
And the world came to know Edward Snowden through a huge smear campaign.
|
||
They pointed out that his girlfriend was a pole dancer.
|
||
They tried to discredit his role at the agency.
|
||
They tried to paint him as this social loner, and downplay his skills.
|
||
|
||
Fortunately, that conversation didn't last long, and did not succeed.
|
||
I'm not sure how many of you were here last year,
|
||
but Snowden gave the opening keynote to LP2016.
|
||
He received a minute-long standing ovation.
|
||
The energy in that room was incredible.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** DEVOID Tools
|
||
:PROPERTIES:
|
||
:DURATION: 00:02
|
||
:END:
|
||
|
||
TODO
|
||
|
||
#+BEGIN_COMMENT
|
||
- XKeyscore and others
|
||
- Exploits
|
||
- Hardware
|
||
- Intercepting shipments
|
||
- Etc.
|
||
#+END_COMMENT
|
||
|
||
|
||
*** LACKING Crypto Wars [0/6]
|
||
**** DRAFT Introduction :B_fullframe:
|
||
:PROPERTIES:
|
||
:DURATION: 00:00
|
||
:BEAMER_env: fullframe
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
\Huge History repeats itself
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
All of that happened behind our backs.
|
||
|
||
But there is also a war being waged in public.
|
||
As if we haven't learned from the past.
|
||
The Crypto wars.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** DRAFT Export-Grade Crypto
|
||
:PROPERTIES:
|
||
:DURATION: 00:01:30
|
||
:END:
|
||
|
||
- <1-> Cryptography classified as munitions (Arms Export Control Act; ITAR)
|
||
- <1-> ``Export-grade'' cryptography
|
||
- <2-> Lotus Notes
|
||
- <2-> 40-bit export-grade symmetric key
|
||
- <3-> Agreement with NSA: 64-bit export, but 24 of those bits a "workload
|
||
reduction factor" for the NSA
|
||
- <4-> Phil Zimmerman: PGP (\geq 128 bits)
|
||
- <4-> Formal investigation by US government in 1993
|
||
- <4-> Published source code in a book, which could be OCR'd
|
||
- <5-> Still suffer long-term effects today
|
||
(downgrade attacks, e.g. POODLE)\cite{poodle:paper}
|
||
|
||
#+BEGIN_COMMENT
|
||
Back in the 1990s,
|
||
cryptography was classified as munitions.
|
||
|
||
If you wanted to export it to other countries,
|
||
you essentially had to make it crackable by the NSA.
|
||
|
||
Lotus Notes is often used as an example of the negative effects of such
|
||
regulation.
|
||
Interestingly, it was actually the first widely used software to use
|
||
public-key cryptography.
|
||
Due to export restrictions,
|
||
the maximum symmetric key size they could support was 40 bits.
|
||
This was easily crackable by the NSA,
|
||
but also feasible for other adversaries.
|
||
They compromised with the NSA:
|
||
64-bit keys, but 24 of those bits would be encrypted specially for the NSA
|
||
as a "workload reduction factor".
|
||
So you had protection against most adversaries,
|
||
but not the US government.
|
||
|
||
Then we have Phil Zimmerman, author of PGP.
|
||
He didn't consult the NSA.
|
||
Instead, he published the source code for PGP in a book with MIT Press,
|
||
and widely distributed it.
|
||
If someone wanted to use PGP,
|
||
they could unbind the book, OCR the pages, and compile it with GCC.
|
||
The US government opened a formal investigation into the case in 1993;
|
||
the charges were dropped years later.
|
||
|
||
We are still observing the fallout from export-grade crypto today.
|
||
They are called "downgrade attacks",
|
||
where a program such as a browser is tricked into using a weaker
|
||
cipher or keysize,
|
||
allowing an attacker to MitM the connection.
|
||
POODLE is an example of this.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** DRAFT Bernstein v. United States
|
||
:PROPERTIES:
|
||
:DURATION: 00:01
|
||
:END:
|
||
- <1-> 1995: Bernstein v. US Department of Justice\cite{eff:bernstein:doj}
|
||
- <1-> Argued that restrictions violated First Amendment
|
||
- <2-> **Code Is Speech**
|
||
- <1-> 1996: Bill Clinton Executive Order 13026 transferred to Commerce
|
||
Control List\cite{fedr:export-controls}
|
||
- <1-> Department of Commerce relaxed rules in 2000\cite{doc:rev-export-reg}
|
||
|
||
#+BEGIN_COMMENT
|
||
In order to publish information on encryption algorithms and the like,
|
||
you had to get permission from the government.
|
||
|
||
In 1995, Daniel Bernstein---then a graduate student---wanted to publish the
|
||
source code and mathematical papers for his encryption algorithm
|
||
/Snuffle/.
|
||
Like Zimmerman,
|
||
Bernstein thought export restrictions to be a violation of his First
|
||
Amendment rights.
|
||
But instead of blatant defiance,
|
||
he decided to sue the US government.
|
||
He was represented by the EFF.
|
||
The Ninth Circuit Court of Appeals ruled in his favor.
|
||
|
||
The following year, President Bill Clinton signed an executive order that
|
||
removed encryption from the munitions list,
|
||
and in 2000 the Department of Commerce relaxed export restrictions.
|
||
|
||
You might have heard the term "code is speech".
|
||
Bernstein v. United States case had wide-reaching consequences,
|
||
not just for cryptography.
|
||
Source code is protected under the First Amendment.
|
||
|
||
(See also Junger v. Daley.)
|
||
#+END_COMMENT
|
||
|
||
|
||
**** DRAFT The First Crypto Wars
|
||
:PROPERTIES:
|
||
:DURATION: 00:01
|
||
:END:
|
||
|
||
- <1-> These incidents part of the first Crypto Wars\cite{w:crypto-wars}
|
||
- <2-> DES Originally 64-bit key; NSA wanted 48 bits; compromised at 56.
|
||
- <2-> Two version of the browser: 128-bit "U.S. edition" and effective
|
||
40-bit "international".
|
||
- <3-> **Clipper Chip** was a hardware backdoor that employed a key escrow
|
||
system
|
||
- <3-> Complete failure
|
||
- <3-> Terribly insecure (property of key escrow in general)
|
||
- <3-> Opposite effect: spurred development of Nautilus and PGPfone
|
||
|
||
#+BEGIN_COMMENT
|
||
These incidents are classified into a period of time informally described as
|
||
the "Crypo Wars".
|
||
|
||
There's a couple other good examples that I don't have time to get into:
|
||
The DES encryption algorithm, for example, was originally 64-bit;
|
||
the NSA wanted 48-bit, but compromised with 56.
|
||
Netscape had /two versions of their browser/: one with 128-bit SSL and the
|
||
other with 88 of those bits exposed to meet export regulations.
|
||
This sounds insane today---because it is.
|
||
|
||
But there's even more insanity.
|
||
|
||
The Clipper Chip!
|
||
It was the US government's attempt to backdoor communications with hardware.
|
||
It used a key escrow system,
|
||
and the algorithm they devised---called Skipjack---was classified,
|
||
and so could not be reviewed by crypto experts at the time.
|
||
Backlash was large.
|
||
It failed miserably.
|
||
Later cryptanalysis yielded scathing flaws,
|
||
as is generally the case with key escrow cryptosystems.
|
||
It even had the opposite effect:
|
||
it spurred the development of encrypted communication programs like
|
||
Nautilus and PGPfone (the latter being proprietary).
|
||
|
||
So,
|
||
why did I go into so much history in a talk meant to deal with today's
|
||
privacy and security threats?
|
||
#+END_COMMENT
|
||
|
||
|
||
**** DRAFT Re-repeats Itself :B_fullframe:
|
||
:PROPERTIES:
|
||
:DURATION: 00:00
|
||
:BEAMER_env: fullframe
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
\Huge History repeats itself
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
Because history repeats itself.
|
||
|
||
Today's attempted legal/policy assault on privacy and security are enormous.
|
||
We've already covered some.
|
||
I don't have time to cover more than a small fraction of them.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** DRAFT Modern Crypto Wars :B_fullframe:
|
||
:PROPERTIES:
|
||
:BEAMER_env: fullframe
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
\Huge ``Going Dark''
|
||
#+END_CENTER
|
||
|
||
|
||
#+BEGIN_COMMENT
|
||
But the big phrase you hear today is "going dark".
|
||
Government agencies are fearful of broadening use of encryption
|
||
because they can't read many of those communications.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** DEVOID ``Going Dark''
|
||
|
||
#+BEGIN_COMMENT
|
||
Apple v. FBI
|
||
VEP
|
||
#+END_COMMENT
|
||
|
||
|
||
*** LACKING Espionage [0/1]
|
||
**** DEVOID US Can't Keep Its Own Secrets
|
||
:PROPERTIES:
|
||
:DURATION: 00:01
|
||
:END:
|
||
|
||
TODO
|
||
|
||
#+BEGIN_COMMENT
|
||
- Office of Personnel Management
|
||
- DNC
|
||
- VEP
|
||
#+END_COMMENT
|
||
|
||
|
||
*** LACKING Subpoenas, Warrants, NSLs [0/1]
|
||
**** DEVOID National Security Letters
|
||
:PROPERTIES:
|
||
:DURATION: 00:01
|
||
:END:
|
||
|
||
TODO
|
||
|
||
#+BEGIN_COMMENT
|
||
- Gag orders
|
||
- Prior restraint
|
||
- Canaries
|
||
#+END_COMMENT
|
||
|
||
|
||
*** LACKING Law [0/1]
|
||
**** DEVOID Summary :B_fullframe:
|
||
:PROPERTIES:
|
||
:DURATION: 00:01
|
||
:BEAMER_env: fullframe
|
||
:END:
|
||
|
||
TODO
|
||
|
||
#+BEGIN_COMMENT
|
||
- DMCA
|
||
- Risks to security researchers
|
||
- Draconian
|
||
- CFAA
|
||
#+END_COMMENT
|
||
|
||
|
||
** LACKING Your Fight [0/1]
|
||
*** LACKING Headings [0/6]
|
||
**** DRAFT Feeding :B_fullframe:
|
||
:PROPERTIES:
|
||
:DURATION: 00:00
|
||
:BEAMER_env: fullframe
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
We're feeding into all of this!
|
||
#+END_CENTER
|
||
|
||
|
||
**** DEVOID SaaSS and Centralization
|
||
:PROPERTIES:
|
||
:DURATION: 00:01
|
||
:END:
|
||
|
||
TODO
|
||
|
||
#+BEGIN_COMMENT
|
||
- Be sure to mention Cloudbleed and S3
|
||
- Who has access to your data?
|
||
- The "Cloud"
|
||
#+END_COMMENT
|
||
|
||
|
||
**** LACKING Corporate Negligence
|
||
:PROPERTIES:
|
||
:DURATION: 00:01
|
||
:END:
|
||
|
||
- Companies balance security and privacy on their balance sheets
|
||
|
||
|
||
#+BEGIN_COMMENT
|
||
Companies don't care.
|
||
They'll balance _costs_ of failure to comply with regulation.
|
||
Is it cheaper just to pay up in the event of a data breach?
|
||
|
||
Governments try, sort of.
|
||
They need to catch up with the times.
|
||
<<sec regulations>>
|
||
|
||
<<large-scale breaches>>
|
||
|
||
(Tie into SaaSS)
|
||
#+END_COMMENT
|
||
|
||
|
||
**** DRAFT Status Quo
|
||
:PROPERTIES:
|
||
:DURATION: 00:02
|
||
:END:
|
||
|
||
- Do people care more about privacy and security since the Snowden leaks?
|
||
- (Cite)
|
||
- ``I have nothing to hide''
|
||
- ``Report anything suspicious''
|
||
- Chilling effects
|
||
|
||
|
||
#+BEGIN_COMMENT
|
||
You would think after the Snowden revelations that people would be more
|
||
privacy-centric.
|
||
|
||
Some are.
|
||
Many aren't.
|
||
There is complacency with the status quo.
|
||
Everything is so _convenient_.
|
||
|
||
"I have nothing to hide."
|
||
A common argument.
|
||
One that can be notoriously hard to address.
|
||
|
||
"Report anything suspicious."
|
||
(Example of mathematician on plane.)
|
||
|
||
These all have chilling effects, conscious or not.
|
||
<<Wikipedia articles>>
|
||
#+END_COMMENT
|
||
|
||
|
||
**** DRAFT Status Quo Cannot Hold :B_fullframe:
|
||
:PROPERTIES:
|
||
:BEAMER_env: fullframe
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
**The status quo cannot hold.**
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
I hope I've convinced you that the status quo cannot hold.
|
||
That even people who aren't that privacy- or security-conscious recognize
|
||
that there are risks not only at a personal level,
|
||
but also national and global.
|
||
#+END_COMMENT
|
||
|
||
|
||
**** DRAFT Push Back :B_fullframe:
|
||
:PROPERTIES:
|
||
:DURATION: 00:01
|
||
:BEAMER_env: fullframe
|
||
:END:
|
||
|
||
#+BEGIn_CENTER
|
||
#+BEAMER: \only<1>{We need to push back}
|
||
#+BEAMER: \only<2>{\emph{You} need to push back}
|
||
#+END_CENTER
|
||
|
||
#+BEGIN_COMMENT
|
||
- Good crypto; no trust
|
||
- Lawmakers: this is not something we can win while we fight with our
|
||
governments.
|
||
#+END_COMMENT
|
||
|
||
|
||
** Thank You :B_fullframe:
|
||
:PROPERTIES:
|
||
:BEAMER_env: fullframe
|
||
:END:
|
||
|
||
#+BEGIN_CENTER
|
||
Mike Gerwitz
|
||
|
||
[[mailto:mtg@gnu.org][=mtg@gnu.org=]]
|
||
|
||
\bigskip
|
||
|
||
**References Available Online**
|
||
|
||
[[https://mikegerwitz.com/talks/sapsf]]
|
||
|
||
\vfill
|
||
|
||
Licensed under the Creative Commons Attribution ShareAlike 4.0
|
||
International License
|
||
#+END_CENTER
|
||
|
||
|
||
** References :B_appendix:
|
||
:PROPERTIES:
|
||
:BEAMER_env: appendix
|
||
:END:
|
||
|
||
\printbibliography
|
||
|
||
|
||
* Exporting
|
||
You should be able to simply export this buffer as a Beamer presentation
|
||
(=C-c C-e l P=) and get a slideshow.
|
||
|
||
Note that this requires =ox-extras=, which is part of Org Mode's
|
||
=contrib/=. Without it, the =:ignore:= tag will not be recognized and the
|
||
rendered slides will have incorrect depth.
|
||
|
||
* Local Variables
|
||
# Local Variables:
|
||
# org-todo-keyword-faces: (("DRAFT" . org-upcoming-deadline) \
|
||
# ("DEVOID" . (:inherit org-warning \
|
||
# :inverse-video t)) \
|
||
# ("LACKING" . org-warning) \
|
||
# ("REVIEWED" . "yellow") \
|
||
# ("AUGMENT" . (:foreground "yellow" :bold t :underline t))
|
||
# ("READY" . (:inherit org-scheduled :bold t :underline t)))
|
||
# eval: (ox-extras-activate '(ignore-headlines))
|
||
# End:
|