Presentation by Dominic White at the ITweb security summit 2010.
This presentation is about online privacy. It begins with a discussion of behavioral tracking, then covers ways to prevent tracking such as DNT, TPL, GoogleSharing and opt-out, and ends with a series of discussions on evercookie and nevercookie.
A Brave New World
1. A Brave New World
The Politics & Technology of Online Privacy
2. /whois singe
• Argumentative Catholic Hacker Geek
• Consultant @ SensePost
• Involved with ZaCon
• Love Building Security, breaking it still fun
• TinFoil is in this Winter
• Blog at http://singe.za.net/
• Tweet as @singe
3. A Brave New World
Source: acceleratingfuture.com
4. Agenda
• Behavioural Tracking Primer
• Politics vs Tech
– NAI Opt-Out
– Do Not Track
– Tracking Prevention Lists
– GoogleSharing
• Next Level
– EverCookie
– Mobile Protections
5. Behavioural Tracking
• Analyse user interactions to build a profile
• Third parties do this across multiple sites
• $21.7 billion industry in US, $42.5 in 2015
(BAI/Kelsey U.S. Local Media Annual Forecast)
– Behavioural only 7% of this by 2014
• Popularised by Google, usurped by Facebook
• The business model for online monetisation
Picture Source: foture.net
6. Problems
• People arrested
• Data driven inferences could be wrong
• Overcriminalisation
• Profiles sold to third-parties
• Employee abuse
• Companies hacked
7. You have little to no control over this
If you don’t care, will you forever?
Does nobody have the right to care?
What about your kids? Activists?
9. Opt Out
• Advertisers realised they needed to do
something to appease the growing noise
• Network Advertising Initiative’s Opt-Out
• Sets an “Opt-Out” cookie for each
participating third party
• You still send data to the third party, just with
one less unique identifier
10. Opt-Out Problems
• Requires third-party cookies to be enabled
• Only covers participating NAI members
• Only un-sets one cookie (others remain)
• The cookie still exists, some still with an UID
• Only prevents targeting ads, data still stored
• Only deals with today’s problem
• We only have the promise of the people we
don’t trust
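One way to check the "cookie still exists, some still with a UID" problem for yourself, as an added example that is not from the original slides: it classifies the Set-Cookie headers a third party returns after an opt-out request. The sample headers are constructed, and the length and entropy thresholds are assumptions of this sketch.

```javascript
// Constructed sample: Set-Cookie headers as a third party might return them
// after an opt-out request. Names, domains and values are invented.
const SAMPLE_SET_COOKIE = [
  "optout=OPT_OUT; Domain=.adnet.example; Path=/; Max-Age=157680000",
  "uid=0123456789abcdef; Domain=.adnet.example; Path=/; Max-Age=63072000",
  "lang=en; Path=/",
];

// Shannon entropy in bits per character; random IDs score high.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => {
    const p = n / s.length;
    return h - p * Math.log2(p);
  }, 0);
}

// Classify one Set-Cookie header. Thresholds (16 chars, 3 bits/char) are
// heuristic assumptions, not part of any opt-out specification.
function classifyCookie(header) {
  const [pair, ...attrs] = header.split(";").map((p) => p.trim());
  const eq = pair.indexOf("=");
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  const persistent = attrs.some((a) => /^(max-age|expires)=/i.test(a));
  let verdict = "low-risk";
  if (/^opt[-_]?out$/i.test(value)) verdict = "opt-out marker";
  else if (value.length >= 16 && entropy(value) >= 3) verdict = "possible unique ID";
  return { name, verdict, persistent };
}

function auditOptOut(headers) {
  return headers.map(classifyCookie);
}

// Names of cookies that could still identify the browser after opting out.
function stillIdentifiable(headers) {
  return auditOptOut(headers)
    .filter((c) => c.verdict === "possible unique ID")
    .map((c) => c.name);
}

console.log(auditOptOut(SAMPLE_SET_COOKIE), stillIdentifiable(SAMPLE_SET_COOKIE));
```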
11. Do Not Track
• Consumer, not advertiser driven (Stanford IETF draft)
• Allows you to make a general statement to everyone
• Sends a DNT=1 HTTP header, or sets DNT DOM flag
• Requires receiving server to comply
• A technical signal, not a technical protection
• Backed by legislation
• Currently only implemented by Associated Press
Analytics
• Firefox 4, Internet Explorer 9 & Safari (no Chrome)
12. Legislation
• DNT submitted to FTC
[Industry efforts to address privacy through self-
regulation] “have been too slow, and up to now have
failed to provide adequate and meaningful
protection.”
• SB 761 California “Do Not Track” proposal at
Appropriations Committee
• Do Not Track Act of 2011 introduced on Mon
13. Response
• The trackers got mad:
– “California Senate Bill 761 would create an
unnecessary, unenforceable and unconstitutional
regulatory burden on Internet commerce.”
– “It would stop California’s information economy in its
tracks”
– “The measure would negatively affect consumers who
have come to expect rich content and free services
through the Internet, and would make them more
vulnerable to security threats.”
• Google, Facebook, Yahoo, TimeWarner,
MPAA, NAI & many others
14. Do Not Track Problems
Problems:
• Requires cooperation from trackers
• Not as verifiable as they claim e.g. AP News
• Limited granularity
• DOM implementation could be hacked
Benefits:
• Law is a big, if slow, stick
• Expresses preference to all
• Works with other techniques
15. Tracking Protection Lists
• Microsoft driven (W3C draft)
• Technically a DNT implementation
• Extension of AdBlock Plus approach
• Detailed list of domains, URLs & paths
• Provides blocking & allow statements
• Prevents blocked content from
loading
• Multiple providers of lists
– EasyList, PrivacyChoice, Abine, TRUSTe
16. TPL Pros/Cons
Problems:
• Blacklist, enumerating badness
• Only blocks third-parties
• Needs legislation
Benefits:
• Granular
• Transparent/Verifiable
• Not a signal, an enforcement
• Blocks active content, prevents further leaks
[Figure: Enumerating Badness]
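How a block/allow list of this kind decides a request, as an added example that is not from the original slides or from any TPL implementation. The rule syntax is a simplified form modelled on `-d`/`+d` domain rules, the allow-over-block precedence and the same-host first-party test are assumptions of this sketch, and the list and URLs are constructed.

```javascript
// Constructed sample list: "-d" blocks a domain, "+d" allows it; an optional
// second field narrows the rule to URLs containing that substring.
const SAMPLE_LIST = `
# constructed sample rules
-d tracker.example
-d ads.example /pixel
+d ads.example /pixel/consent
`;

function parseList(text) {
  const rules = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = /^([+-])d\s+(\S+)(?:\s+(\S+))?$/.exec(line);
    if (!m) continue; // rule types outside this sketch are ignored
    rules.push({ allow: m[1] === "+", domain: m[2].toLowerCase(), substring: m[3] || "" });
  }
  return rules;
}

// True when host is the listed domain or one of its subdomains.
function hostIn(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns "first-party", "allow", "block" or "unlisted".
function decide(rules, pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  // The list is only consulted for third-party requests.
  if (req.hostname === page.hostname) return "first-party";
  const hits = rules.filter(
    (r) => hostIn(req.hostname, r.domain) && req.href.includes(r.substring)
  );
  if (hits.some((r) => r.allow)) return "allow";
  if (hits.length > 0) return "block";
  // "Enumerating badness": a tracker nobody has listed yet still loads.
  return "unlisted";
}

const rules = parseList(SAMPLE_LIST);
console.log(decide(rules, "http://news.example/", "http://new-tracker.example/t.gif"));
```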
17. GoogleSharing
• Built by the very smart Moxie
Marlinspike
• Active Subversion & Unblockable
• Pools identities, lets you use a
random one
• Proxies requests, over SSL
• No need to trust the proxy
• Tools provided to run your own
• This can be extended
18. Active Subversion
• Why must we accommodate trackers? Take back our
privacy by force if we must
• Muddies trackers’ data sets
– One user is many users
– Looks like a NAT
– Unblockable, undistinguishable
• Increases cost of tracking
• Keeps you safe
– Network location is kept secret
– No tracking
http://1984.za.net/
20. Beyond Cookies
• Cookies are only one way to track
• Flash Local Storage Objects have been used
for years, but that’s not all
• Samy Kamkar came up with 13 methods in
total
• Also, a way to use one method to restore the
others
The Evercookie
21. Evercookie
• Normal Cookies
• Flash LSO
• Silverlight Isolated Storage
• WebHistory
• Etags
• WebCache
• window.name cache
• HTML5 Session Storage
• HTML5 Local Storage
• HTML5 Global Storage
• HTML5 Database Storage
• Internet Explorer userData
• Force cached PNG
http://samy.pl/evercookie/
23. NeverCookie
• Deletes normal/HTML5/Flash/Silverlight
“cookies”
• Can prevent setting of future Flash &
Silverlight objects
– Sets a binary Adobe Preferences Object
– Touches a disabled.dat Silverlight file
• GUI written by Willem @ SensePost
• OSX & Safari only currently, plan to extend
25. Mobile EverCookie
• On Apple iOS, each application is in a sandbox
• Every app allowing “surfing” is vulnerable to
the evercookie
• There could be hundreds of evercookies!
• Built-in settings only clear some of
MobileSafari’s cache
26. ResetSafari
• Jailbreak SBSettings application by Sea Comet
• Based on my code release
• Deletes all Cookies as
NeverCookie but for all apps
• Nevercookie for Mobile
http://modmyi.com/cydia/package.php?id=32881
27. Proxy.Pac
• GoogleSharing
if (shExpMatch(host, "*google.*")) {
    return proxy_GoogleSharing; }
• Ad & Tracking Block (simple)
if ( shExpMatch(host, "*googlesyndication.*")
  || shExpMatch(host, "*googleadservices.*")
  || shExpMatch(host, "*google-analytics.*")
  || shExpMatch(url, "*facebook.com/plugins/like.php*")
) {
    return proxy_BlackHole; }
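The two fragments above assembled into one complete PAC file, as an added example that is not from the original slides. The proxy addresses are placeholders, `route` is a hypothetical helper for inspecting decisions, and the `shExpMatch` fallback exists only so the file can be exercised outside a browser.

```javascript
// Placeholder proxy endpoints (assumptions, not the talk's servers).
var proxy_GoogleSharing = "PROXY googlesharing.example:8080";
var proxy_BlackHole = "PROXY blackhole.example:8081";

// Browsers supply shExpMatch() to PAC scripts. This fallback is used only
// when the file is run outside a browser, for example under Node.
var shExpMatch = typeof shExpMatch === "function" ? shExpMatch : function (str, pat) {
  var re = pat.replace(/[.+^${}()|[\]\\]/g, "\\$&")
              .replace(/\*/g, ".*")
              .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
};

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Ad and tracking rules come first so those requests are dropped
  // before any other rule can route them.
  if (shExpMatch(host, "*googlesyndication.*")
   || shExpMatch(host, "*googleadservices.*")
   || shExpMatch(host, "*google-analytics.*")
   || shExpMatch(url, "*facebook.com/plugins/like.php*")) {
    return proxy_BlackHole;
  }
  // Unanchored wildcard: any host containing "google." matches, including
  // lookalikes such as google.evil.example.
  if (shExpMatch(host, "*google.*")) {
    return proxy_GoogleSharing;
  }
  return "DIRECT";
}

// Hypothetical helper: derive the host the way a browser would and return
// the routing decision for a URL.
function route(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}

console.log(route("http://www.google.com/search?q=privacy"));
```

Because the `*google.*` pattern is unanchored, review which hosts it actually captures before relying on it.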
28. Blackhole Problem
• Blackholes are handled differently
• WebKit fails to DIRECT
• Need a blackhole proxy server
• Implemented a simple Twisted HTTP server
that responds with HTTP 200 OK to
everything
• Thanks Gert @ SensePost
29. Available At
http://1984.za.net/proxy.php
?proxy=<> - sets default proxy
&port=<> - sets default proxy port
&socks – makes it a SOCKS proxy
Don’t trust us
30. Enabling on iPhone
• Wifi network .pac can be configured normally
• 3G doesn’t allow proxy settings via Interface
• /Library/Preferences/SystemConfiguration/preferences.plist
<dict>
<key>HTTPEnable</key>
<integer>0</integer>
<key>HTTPProxyType</key>
<integer>2</integer>
<key>HTTPSEnable</key>
<integer>0</integer>
<key>ProxyAutoConfigEnable</key>
<integer>1</integer>
<key>ProxyAutoConfigURLString</key>
<string>http://1984.za.net/proxy.php</string>
</dict>
31. Summary & Conclusion
• Behavioural Tracking is big business
• We need control of our data
• Opt-out is highly politicised, in-flux & requires
legislation
• Subversion should be built in the meantime
• Watch out for what’s coming next (or now)
• These tools are easy to build, get started
32. Thank You
Questions?
sensepost.com/blog
dominic@sensepost.com
Editor's notes
This is where I got the name for the presentation from.
A brief overview of the industry
Why it’s a model to pay attention to
Why you should worry
• Arrests from search data http://blog.searchenginewatch.com/080625-163842
• Overcriminalisation http://www.overcriminalized.com/
• Profiles sold http://online.wsj.com/article/SB10001424052748704648604575620750998072986.html
• Google employee fired for data abuse http://gawker.com/5637234/
• FB snooping a staff “perk” http://www.theregister.co.uk/2007/10/29/facebook_staff_snoop/
• Google Aurora hack http://en.wikipedia.org/wiki/Operation_Aurora
If you aren’t worried, why you should be
Tons of DNT work, still very much in development http://www.freedom-to-tinker.com/blog/joehall/summary-w3c-dnt-workshop-submissions