A Brave New World


Published on

Presentation by Dominic White at the ITweb security summit 2010.

This presentation is about online privacy. The presentation begins with a discussion on behavioral tracking, Ways to prevent tracking such as DNT, TPL,googleSharing and opt out are discussed. The presentation ends with a series of disclussions on evercookie and nevercookie.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • This is where I got the name for the presentation from.
  • A brief overview of the industry
  • Why it’s a model to pay attention to
  • Why you should worryArrests from search data http://blog.searchenginewatch.com/080625-163842Overcriminalisation http://www.overcriminalized.com/Profiles sold http://online.wsj.com/article/SB10001424052748704648604575620750998072986.htmlGoogle employee fired for data abuse http://gawker.com/5637234/ FB snooping a staff „perk” http://www.theregister.co.uk/2007/10/29/facebook_staff_snoop/Google Aurora hack http://en.wikipedia.org/wiki/Operation_Aurora
  • If you aren’t worried, why you should be
  • Tons of DNT work, still very much in development http://www.freedom-to-tinker.com/blog/joehall/summary-w3c-dnt-workshop-submissions
  • FTC recommendations - http://www.ftc.gov/opa/2010/12/privacyreport.shtmSB 761 - http://info.sen.ca.gov/cgi-bin/casen/postquery_SDC?bill_number=sb_761&house=S&sess=CUR&site=SDCRockereller DNT Act - http://www.govinfosecurity.com/articles.php?art_id=3619
  • A bit too much FUD
  • http://singe.za.net/blog/archives/1027-Do-Not-Track-AP-News-Registry.html
  • http://ie.microsoft.com/testdrive/Browser/TrackingProtectionLists/
  • http://googlesharing.net/
  • 1984.za.net is running a GoogleSharing proxy on port 8080 & 8443
  • We’re working on some ways to spread it’s use.
  • http://samy.pl/evercookie
  • Gave a demo of the cookie and how resetting safari doesn’t clear it
  • A tool we’ve developed to make clearing it easier.
  • Demo how using the tool gets rid of the evercookie
  • http://modmyi.com/cydia/package.php?id=32881
  • Extensions to nevercookie being worked on
  • http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html
  • How we can implement simple ad & tracker blocking & googlesharing use in a proxy.pac
  • This doesn’t give you identity pooling with GoogleSharing, and discloses where you’re going to me. Rather download the server code and run your own.
  • You need to jailbreak your phone.
  • A Brave New World

    1. 1. A Brave New WorldThe Politics & Technology of Online Privacy
    2. 2. /whois singe• Argumentative Catholic Hacker Geek• Consultant @ SensePost• Involved with ZaCon• Love Building Security, breaking it still fun• TinFoil is in this Winter• Blog at http://singe.za.net/• Tweet as @singe
    3. 3. A Brave New World Source: acceleratingfuture.com
    4. 4. Agenda• Behavioural Tracking Primer• Politics vs Tech – NAI Opt-Out – Do Not Track – Tracking Prevention Lists – GoogleSharing• Next Level – EverCookie – Mobile Protections
    5. 5. Behavioural Tracking• Analyse user interactions to build a profile• Third parties do this across multiple sites• $21.7 billion industry in US  $42.5 in 2015 (BAI/Kelsey U.S. Local Media Annual Forecast) – Behavioural only 7% of this by 2014• Popularised by Google, usurped by Facebook• The business model for online monetisation Picture Source: foture.net
    6. 6. Problems• People arrested• Data driven inferences could be wrong• Overcriminalisation• Profiles sold to third-parties• Employee abuse• Companies hacked
    7. 7. You have little to no control over this If you don’t care, will you forever?Does nobody have the right to care? What about your kids? Activists?
    8. 8. Politics & Tech
    9. 9. Opt Out• Advertisers realised they needed to do something to appease the growing noise• Network Advertising Initiative’s Opt-Out• Sets an “Out-Out” cookie for each participating third party• You still send data to the third party, just with one less unique identifier
    10. 10. Opt-Out Problems• Requires third-party cookies to be enabled• Only covers participating NAI members• Only un-sets one cookies (others remain)• The cookie still exists, some still with an UID• Only prevents targeting ads, data still stored• Only deals with todays problem• We only have the people we don’t trust’s promise
    11. 11. Do Not Track• Consumer, not advertiser driven (Stanford IETF draft)• Allows you to make a general statement to everyone• Sends a DNT=1 HTTP header, or sets DNT DOM flag• Requires receiving server to comply• A technical signal, not a technical protection• Backed by legislation• Currently only implemented by Associated Press Analytics• Firefox 4, Internet Explorer 9 & Safari (no Chrome)
    12. 12. Legislation• DNT submitted to FTC [Industry efforts to address privacy through self- regulation] “have been too slow, and up to now have failed to provide adequate and meaningful protection.”• SB 761 California “Do Not Track” proposal at Appropriations Committee• Do Not Track Act of 2011 introduced on Mon
    13. 13. Response• The trackers got mad: – “California Senate Bill 761 would create an unnecessary, unenforceable and unconstitutional regulatory burden on Internet commerce.” – “It would stop California’s information economy in its tracks” – “The measure would negatively affect consumers who have come to expect rich content and free services through the Internet, and would make them more vulnerable to security threats.”• Google, Facebook, Yahoo, TimeWarner, MPAA, NAI & many others
    14. 14. Do Not Track ProblemsProblems:• Requires cooperation from trackers• Not as verifiable as they claim e.g. AP News• Limited granularity• DOM implementation could be hackedBenefits:• Law is a big, if slow, stick• Expresses preference to all• Works with other techniques
    15. 15. Tracking Protection Lists• Microsoft driven (W3C draft)• Technically a DNT implementation• Extension of AdBlock Plus approach• Detailed list of domains, URLs & paths• Provides blocking & allow statements• Prevents blocked content from loading• Multiple providers of lists – EasyList, PrivacyChoice, Abine, TRUSTe
    16. 16. TPL Pros/ConsProblems:• Blacklist, enumerating badness• Only blocks third-parties Enumerating Badness• Needs legislationBenefits• Granular No Idea Very Bad• Transparent/Verifiable• Not a signal, an enforcement• Blocks active content, prevents further leaks
    17. 17. GoogleSharing• Built by the very smart Moxie Marlinspike• Active Subversion & Unblockable• Pools identities, lets you use a random one• Proxies requests, over SSL• No need to trust the proxy• Tools provided to run your own• This can be extended
    18. 18. Active Subversion• Why must we accommodate trackers? Take back our privacy by force if we must• Muddies trackers data sets – One user is many users – Looks like a NAT – Unblockable, undistinguishable• Increases cost of tracking• Keeps you safe – Network location is kept secret – No trackinghttp://1984.za.net/
    19. 19. Next Level
    20. 20. Beyond Cookies• Cookies are only one way to track• Flash Local Storage Objects have been used for years, but that’s not all• Samy Kamkar came up with 13 methods in total• Also, a way to use one method to restore the others The Evercookie
    21. 21. Evercookie• Normal Cookies • HTML5 Session Storage• Flash LSO • HTML5 Local Storage• Silverlight Isolated • HTML5 Global Storage Storage • HTML5 Database• WebHistory Storage• Etags • Internet Explorer• WebCache userData• window.name cache • Force cached PNG http://samy.pl/evercookie/
    22. 22. NeverCookie
    23. 23. NeverCookie• Deletes normal/HTML5/Flash/Silverlight “cookies”• Can prevent setting of future Flash & Silverlight objects – Sets a binary Adobe Preferences Object – Touches a disabled.dat Silverlight file• GUI written by Willem @ SensePost• OSX & Safari only currently, plan to extend
    24. 24. NeverCookie
    25. 25. Mobile EverCookie• On Apple iOS, each application is in a sandbox• Every app allowing “surfing” is vulnerable to the evercookie• There could be hundreds of evercookies!• Built-in settings only clear some of MobileSafari’s cache
    26. 26. ResetSafari• Jailbreak SBSettings application by Sea Comet• Based on my code release• Deletes all Cookies as NeverCookie but for all apps• Nevercookie for Mobilehttp://modmyi.com/cydia/package.php?id=32881
    27. 27. Proxy.Pac• GoogleSharing if (shExpMatch(host,"*google.*")) { return proxy_GoogleSharing; }• Ad & Tracking Block (simple) if ( shExpMatch(host,"*googlesyndication.*”)|| shExpMatch(host,"*googleadservices.*")|| shExpMatch(host,"*google-analytics.*”)|| shExpMatch(url,"*facebook.com/plugins/like.php*”)){ return proxy_BlackHole; }
    28. 28. Blackhole Problem• Blackholes are handled differently• WebKit fails to DIRECT• Need a blackhole proxy server• Implemented a simple Twisted HTTP server than responds with HTTP 200 OK to everything• Thanks Gert @ SensePost
    29. 29. Available At http://1984.za.net/proxy.php ?proxy=<> - sets default proxy&port=<> - sets default proxy port&socks – makes it a SOCKS proxy Don’t trust us
    30. 30. Enabling on iPhone• Wifi network .pac can be configured normally• 3G doesn’t allow proxy settings via Interface• /Library/Preferences/SystemConfiguration/prefer ences.plist <dict> <key>HTTPEnable</key> <integer>0</integer> <key>HTTPProxyType</key> <integer>2</integer> <key>HTTPSEnable</key> <integer>0</integer> <key>ProxyAutoConfigEnable</key> <integer>1</integer> <key>ProxyAutoConfigURLString</key> <string>http://1984.za.net/proxy.php</string> </dict>
    31. 31. Summary & Conclusion• Behavioural Tracking is big business• We need control of our data• Opt-out is highly politicised, in-flux & requires legistlation• Subversion should be built in the mean-time• Watch out for what’s coming next (or now)• These tools are easy to build, get started
    32. 32. Thank You Questions?sensepost.com/blogdominic@sensepost.com