
Getting Hit by an 18-wheeler: Privacy & Anonymity in the Modern Age By: Cody Hofstetter

Disclaimer. This presentation is for educational purposes only. I am not a lawyer even if I sound like one. Seek legal advice from someone who is. CC-BY-SA.


Presentation Transcript


  1. Getting Hit by an 18-wheeler: Privacy & Anonymity in the Modern Age. By: Cody Hofstetter

  2. Disclaimer • This presentation is for educational purposes only. • I am not a lawyer even if I sound like one. Seek legal advice from someone who is.

  3. CC-BY-SA • Explicitly NOT covered by the CC-BY-SA in this presentation • All logos, trademarks, taglines, et al. associated with any company.

  4. Red Eye Audience Participation

  5. Overview • Introduction • Privacy & Anonymity Differences • Top Level Ideas • Tracking • Privacy/Anonymity Enhancement Tools • Closing Points to Remember

  6. About Cody Hofstetter • From Software Pirate to Freedom Advocate

  7. Death of the Dino

  8. Privacy & Anonymity • Privacy concerns content. E.g. the contents of an email or text message. • Anonymity concerns your identity. E.g. the sender and recipient of an exchange.

  9. Privacy & Anonymity • When you’re communicating with your lover/girlfriend/wife (vice versa), you may not care who knows (anonymity) but you may want to keep the content of the messages between yourselves (privacy). • A whistle-blower may want their identity (anonymity) to remain anonymous for fear of reprisal, but they want the content (privacy) of their message to be known.

  10. Top Level 1 - Know Your Adversary • Individual • Corporation • Nation-state

  11. Getting hit by two 18-wheelers, Dropped out of a plane & Set on Fire: Your friendly Government & You

  12. Top Level 2 - If you aren’t paying for the product... YOU ARE THE PRODUCT

  13. Top Level 3 - Logs • If you don’t have logs, you can’t be compelled to produce them • If a company doesn’t have logs, they can’t be compelled to produce them • Know what you absolutely need to comply with the law and protect yourself and customers as much as possible

  14. Tracking • MAC Address • Unique Browser Fingerprint • Email Collection • GPS (trilateration – distances) • Cellular (triangulation - angles) • Content Delivery Network (CDN)

  15. Media Access Control (MAC) Address • Used as a unique identifier for network interfaces - IEEE 802 technologies (e.g. Ethernet/Wi-Fi/Bluetooth) • The first three octets (6 total) identify the manufacturer, aka the Organizationally Unique Identifier (OUI) • 00-03-93 | Apple • 88-12-4E | Qualcomm Atheros • Apple randomizes MAC addresses in iOS devices when scanning for networks
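
An added example, not part of the original presentation: a POSIX shell function that reads the OUI from the first three octets and checks the two address-type bits in the first octet. Randomized addresses, such as the ones iOS uses when scanning, set the locally administered bit, so their first three octets name no manufacturer. The function names and sample addresses are constructed for illustration; only the two OUIs come from the slide.

```shell
#!/bin/sh
# Added example: classify a MAC address by its first octet and OUI.

# Reduce 00:03:93:aa:bb:cc, 00-03-93-AA-BB-CC or 0003.93aa.bbcc to
# 12 upper-case hex digits; return 1 if the result is not a valid MAC.
mac_normalise() {
    m=$(printf '%s' "$1" | tr -d ':.-' | tr 'abcdef' 'ABCDEF')
    case "$m" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#m}" -eq 12 ] || return 1
    printf '%s\n' "$m"
}

# Print the first three octets (the OUI) as XX-XX-XX.
mac_oui() {
    m=$(mac_normalise "$1") || return 1
    printf '%s\n' "$m" | sed 's/^\(..\)\(..\)\(..\).*/\1-\2-\3/'
}

# Print "multicast", "locally-administered", or "universal <vendor>".
mac_describe() {
    oui=$(mac_oui "$1") || { echo "invalid"; return 1; }
    first=${oui%%-*}
    # Bit 0x01 of the first octet marks a group (multicast) address.
    if [ $(( 0x${first} & 1 )) -ne 0 ]; then echo "multicast"; return 0; fi
    # Bit 0x02 marks a locally administered address: the OUI was not
    # assigned by the IEEE, so no manufacturer can be read from it.
    if [ $(( 0x${first} & 2 )) -ne 0 ]; then
        echo "locally-administered"; return 0
    fi
    case "$oui" in
        00-03-93) echo "universal Apple" ;;             # from the slide
        88-12-4E) echo "universal Qualcomm Atheros" ;;  # from the slide
        *)        echo "universal unknown-oui" ;;
    esac
}

# Constructed sample addresses (only the two OUIs come from the slide).
for mac in 00:03:93:12:34:56 88-12-4e-ab-cd-ef DA:A1:19:00:00:01; do
    printf '%s -> %s\n' "$mac" "$(mac_describe "$mac")"
done
```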

  16. Browsers • Internet Explorer/Edge (Just no) • Google Chrome • Firefox • Safari

  17. Unique Browser Fingerprint • Number of add-ons and extensions • Types of add-ons and extensions • Screen resolution • Timezone • Language • Platform • Fonts installed on the system • Touch support

  18. Surveillance Methodology • 1) You have an IP address • 2) Match IP address to location • 3) Traditional surveillance is brought in to monitor location • 4) Match access logs with presence of individual(s) • The US Government indicted 5 Chinese military officials using this technique

  19. Email Collection • Gmail • AOL - (yes some people still use it?) • Yahoo • If it’s unencrypted it’s being collected, parsed, and used to build your ad profile

  20. GPS • GPS requires three (3) satellites to determine a 2-dimensional position and four (4) satellites to determine a 3-dimensional position

  21. Google Maps https://maps.google.com/locationhistory

  22. IMSI-catchers • International Mobile Subscriber Identity-catchers • AKA Stingrays • Some models also pull content (call details, text messages, email, and more) • No discrimination. A stingray can gather information on anyone connecting to the tower, not just the target

  23. Baseband Processors • The device in your pocket is always talking and we don’t know what it’s saying • Proprietary codebase • No independent audits, no problem! We’ll just put our security holes and backdoors in there.

  24. Content Delivery Network (CDN) • You make a request to the website • A CDN geographically closer responds to the request • The webpages and other content load faster for the user • A referer HTTP header reveals to the CDN what page you are looking for • Your IP address and browser fingerprinting can be used to determine your identity

  25. Damn Extremists • Leaked 2014 XKeyscore configuration shows you were suspected as an "extremist" for searching: • Linux • IRC • TAILS • Tor • Truecrypt

  26. You Watching Your Smart TV Watching You

  27. Start Simple 1) Evaluate your needs 2) Evaluate the needs of your family 3) Make a solution that fits within each person’s needs

  28. Panopticlick • Test your browser against: • Ad-blocking • Trackers • Fingerprinting • https://panopticlick.eff.org/tracker

  29. Browser Extensions • HTTPS Everywhere • Privacy Badger • uBlock Origin • NoScript (Firefox) • Self Destructing Cookies (legacy – replacement is Cookie AutoDelete)

  30. CDN Redirection • Redirects requests for CDN providers to local resources • Decentraleyes • Bundled with commonly used files and serves them locally whenever a site tries to retrieve them from a CDN. Saves bandwidth and protects your anonymity/privacy. • Supported Networks: Google Hosted Libraries, Microsoft Ajax, Yandex, Baidu CDN, CDNJS (Cloudflare), etc

  31. CDN Redirection

  32. Signal • Wickr/Telegram/WhatsApp • Secure Messaging App • Encrypted communications (end to end and perfect forward secrecy) • Disappearing messages

  33. KeePass • A password manager stores all the passwords • KeePassDroid - Android • MiniKeePass – iOS • Difference between LastPass and KeePass

  34. F-Droid • F-Droid repo is like the Google Play Store • OpenCamera (FANTASTIC job) • Document Viewer/LibreOffice Viewer • NextCloud

  35. Recommended Email Providers • Protonmail • Riseup

  36. Recommended Email Providers – Continued • Darkmail - (Ladar Levison) • Ladar’s company (Lavabit) was the email provider for Edward Snowden and rather than give access to the Feds, he shut down his company. • DIME (Dark Internet Mail Environment) • Magma, DIME capable free and open source mail server - https://github.com/lavabit/magma

  37. Live USB • TAILS • Rufus • UNetbootin • DD command (be extremely careful with this command)

  38. Proxy • User → Proxy → Website • The website will see the IP address of the proxy not the user • The proxy operator will be able to see all unencrypted traffic passing through • If the website/service uses encryption, the proxy operator can see where you are going but not what you are looking at

  39. Proxy • Most proxies use HTTP/HTTPS and SOCKS (Socket Secure) protocols • SOCKS 4 vs 5 – SOCKS4 only supports TCP applications while SOCKS5 also supports UDP, DNS, and various authentication methods

  40. Proxy Chains • No Proxy • User → Webpage • Proxy • User → Proxy → Webpage • Proxy Chain • User → Proxy → Proxy → Proxy → Webpage

  41. Virtual Private Network (VPN) • User creates an encrypted tunnel to the VPN server • All internet traffic goes through this tunnel • Unless you have a DNS leak

  42. VPN vs Proxy • Proxies are designed to protect browser traffic whereas VPNs are designed to protect all traffic • Proxies must be configured for each application (browser, email, third-party apps, etc.) • If a single proxy in the chain is broken, the entire chain crashes

  43. Free Proxies/VPNs • DO NOT USE THEM • YOU ARE THE PRODUCT • IT IS HIGHLY LIKELY THEY ARE: 1) Collecting browsing data to sell 2) Injecting HTML or JavaScript to monetize by showing you ads.

  44. Recommended VPNs • Private Internet Access • TorGuard • ProtonVPN • RiseupVPN

  45. Access through the Tor Browser (a modified version of Firefox) or TAILS • Works by encrypting each hop in the network and randomly choosing the servers connected to • The final connection point at the last relay in the chain can be compromised if the requested site does not use SSL.

  46. VPNs and TOR • VPNs and TOR may be used together • The main drawback is the connection will be slowed significantly

  47. Domain Name Service (DNS) • Translates IP addresses into human readable addresses • What is 8.8.4.4 and 8.8.8.8? • Google Public DNS

  48. Domain Name System Security Extensions (DNSSEC) • Provides origin authentication • Authenticated denial of existence (to prevent zone enumeration) • Data integrity • Does not provide • Encryption • Availability • Confidentiality

  49. DNSCrypt • Designed by OpenDNS to provide encrypted DNS queries • DNSCrypt is the wrapper providing encryption and DNSSEC sits inside providing authentication • List of DNSCrypt resolvers • https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

  50. DNS Caching Server • Dnsmasq • Provides small network infrastructure (DNS, DHCP, router advertisement and network boot) • apt-get install (distribution specific) dnsmasq • Edit /etc/resolv.conf with wanted nameservers (2) • /etc/init.d/dnsmasq start • Test with “dig (website name)” twice. If the second returns a query time of 0 msec it works!
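
An added example, not part of the original presentation: the "dig twice" test from the last slide as a POSIX shell check that also confirms the answer came from the local resolver, since a fast reply from an upstream server says nothing about dnsmasq. It assumes dnsmasq listens on a loopback address and is the resolver dig uses; the function names and the embedded dig output are constructed for illustration.

```shell
#!/bin/sh
# Added example: automate the "dig twice" cache test from the slide.

# Extract N from the ";; Query time: N msec" line of dig output (stdin).
dig_query_time() {
    sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p'
}

# Extract the resolver address from ";; SERVER: addr#port(...)" (stdin).
dig_server() {
    sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'
}

# cache_verdict FIRST_DIG_OUTPUT SECOND_DIG_OUTPUT
# Prints cached / not-cached / not-local:<addr> / no-timing.
cache_verdict() {
    srv=$(printf '%s\n' "$2" | dig_server)
    t1=$(printf '%s\n' "$1" | dig_query_time)
    t2=$(printf '%s\n' "$2" | dig_query_time)
    [ -n "$t1" ] && [ -n "$t2" ] || { echo "no-timing"; return 2; }
    # The second answer must come from the loopback resolver (dnsmasq),
    # otherwise the timing only measures the upstream server.
    case "$srv" in
        127.*|::1) ;;
        *) echo "not-local:$srv"; return 1 ;;
    esac
    # The slide's criterion: the repeat lookup reports 0 msec.
    if [ "$t2" -eq 0 ]; then echo "cached"; return 0; fi
    echo "not-cached"; return 1
}

# Constructed dig output, trimmed to the two lines the check reads.
SAMPLE_FIRST=';; Query time: 38 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'
SAMPLE_SECOND=';; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'
SAMPLE_UPSTREAM=';; Query time: 0 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)'

cache_verdict "$SAMPLE_FIRST" "$SAMPLE_SECOND"

# Live use, with dig installed and dnsmasq running:
#   cache_verdict "$(dig example.org)" "$(dig example.org)"
```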
