Recently in Activism Category

Dan Geer delivered the following speech at this year's (2014) Black Hat. The video and text are presented below. I have republished the text, lightly edited from its original formatting to make it more readable and printable.



[ nominal delivery draft, 6 August 2014 ]

Cybersecurity as Realpolitik
Dan Geer


Good morning and thank you for the invitation to speak with you today. The plaintext of this talk has been made available to the organizers. While I will not be taking questions today, you are welcome to contact me later and I will do what I can to reply. For simple clarity, let me repeat the abstract for this talk:

Power exists to be used. Some wish for cyber safety, which they will not get. Others wish for cyber order, which they will not get. Some have the eye to discern cyber policies that are "the least worst thing;" may they fill the vacuum of wishful thinking.

The Chaos Computer Club, a Germany-based hacker collective with a rich history of publicly demonstrating security risks, published an article describing how it had broken the new iPhone biometric authentication feature (TouchID). They used tools and techniques originally developed in 2004 to fool the iPhone fingerprint sensor.

"The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple's TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates - again - that fingerprint biometrics is unsuitable as access control method and should be avoided."

The CCC hacker Starbug, who conducted much of the biometric research, said in 2007, "As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."




On Thursday, March 1st, Google's new unified privacy policy goes into effect. Previously, each Google service maintained its own silo of data under its own privacy policy. This is no longer the case. Google is now unifying its data and, ultimately, building rich stores of data about you. Below are a few actions you can take to limit the amount and type of data Google will have access to after the policy change goes into effect.

1. Do not perform Google Searches while signed into your account.

This is the simplest way to ensure Google does not capture search history associated with your user ID/profile. As an alternative, keep your Google account signed in on one browser (e.g. Firefox) and use another browser in a private-browsing mode (e.g. Chrome's Incognito Mode) to conduct searches. This is not foolproof -- Google can certainly be smart enough to correlate signed-in and signed-out sessions originating from the same IP address...but it's a start.

Please note that all steps below assume you are signed into your Google account.

2. Remove your Google History

If Web History is already disabled, you will see two buttons that read "No Thanks" and "Enable Web History". Simply click "No thanks" and pat yourself on the back for being smart about your search privacy.

If web history is enabled:
  • Click the button that says "View History"
  • Click "Remove All Web History"

Doing this automatically stops the future collection of web history. If you ever wish to resume history collection, simply click the "Resume" button.

3. Remove your YouTube History
  • Click on "YouTube" in the toolbar at the top of the page
  • On the right of the page, click your username and select "Video Manager"
  • On the left side of the page, click the "History" button
  • Click the "Clear Viewing History" button, confirm your choice when the pop-up displays
  • Refresh the page/click the "History" button again
  • Finally, click "Pause Viewing History"

4. Disable Google Chat/Talk History
  • In Gmail, click on the cog/wheel in the upper right corner
  • Click Mail Settings
  • Click Chat
  • Ensure "Never save chat history" is selected

5. Remove old e-mail from Google

Navigate to https://mail.google.com/mail/u/0/?tab=wm#all/p99999 and look at the dates on the e-mails; these are the oldest e-mails stored in your Google account. Take a walk down memory lane...Scary, huh?

To remove these e-mails from Google Servers:
  • Click the cog/wheel in the upper right corner of Gmail
  • Select "Mail Settings"
  • Select "Forwarding and POP/IMAP"
  • Click "Enable IMAP"
  • Download a mail client such as Thunderbird, Outlook, Apple Mail, etc
  • Follow the directions to set up the mail client: http://support.google.com/mail/bin/answer.py?hl=en&ctx=mail&answer=75726
    • Using the mail client, create a local e-mail storage file, such as an Outlook PST or a Thunderbird local folder
    • Download all e-mails from Google to your local storage
    • Delete all e-mails from Google
    • Repeat this every month, ensuring only the last six months of e-mail stay on Google's Servers
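The archive-then-delete routine from step 5, automated over IMAP as an added example (not part of the original post): it copies every message dated before a cutoff into a local mbox file, flushes that file to disk, and only then marks the originals deleted on the server. It assumes IMAP is enabled as in the steps above, Gmail's "[Gmail]/All Mail" folder name, and an app-specific password if 2-Step verification is on; the host, user and password values are yours to supply.

```python
import imaplib
import mailbox
from datetime import date

# IMAP SEARCH wants English month abbreviations regardless of system locale.
_MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
           "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")


def imap_cutoff_date(today, months=6):
    """Return the IMAP date (DD-Mon-YYYY) for the first day of the month
    `months` calendar months before `today`. Messages dated before it are
    archived locally and removed from the server; the rest stay."""
    month_index = today.year * 12 + (today.month - 1) - months
    year, month = divmod(month_index, 12)
    return "01-%s-%04d" % (_MONTHS[month], year)


def archive_and_delete(host, user, password, mbox_path, cutoff,
                       folder='"[Gmail]/All Mail"', dry_run=True):
    """Copy every message dated before `cutoff` into the mbox at `mbox_path`,
    then (unless dry_run) flag it \\Deleted and expunge it from `folder`.
    Assumption: with Gmail's default IMAP settings an expunge from All Mail
    moves the message to Trash, so empty Trash afterwards to remove it for
    good. Returns the number of messages handled."""
    local = mailbox.mbox(mbox_path)
    conn = imaplib.IMAP4_SSL(host)
    nums = []
    try:
        conn.login(user, password)
        status, _ = conn.select(folder)
        if status != "OK":
            raise RuntimeError("cannot open folder %s" % folder)
        status, data = conn.search(None, "BEFORE", cutoff)
        if status != "OK":
            raise RuntimeError("IMAP SEARCH failed")
        nums = data[0].decode().split()  # message sequence numbers
        for num in nums:
            status, msg_data = conn.fetch(num, "(RFC822)")
            if status != "OK" or not msg_data or msg_data[0] is None:
                raise RuntimeError("fetch failed for message %s" % num)
            local.add(mailbox.mboxMessage(msg_data[0][1]))
        local.flush()  # local copy is on disk before anything is deleted
        if nums and not dry_run:
            conn.store(",".join(nums), "+FLAGS", "\\Deleted")
            conn.expunge()
    finally:
        local.close()
        conn.logout()
    return len(nums)


if __name__ == "__main__":
    # Dry run against a placeholder account: nothing is deleted until
    # dry_run=False is passed after checking the local mbox looks right.
    cutoff = imap_cutoff_date(date.today())
    print("cutoff:", cutoff)
    print(archive_and_delete("imap.gmail.com", "you@example.com",
                             "app-password-here", "old-mail.mbox", cutoff))
```

Run it monthly with dry_run=True first, inspect old-mail.mbox in your mail client, then rerun with dry_run=False to match the "only the last six months stay on Google's servers" rule.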

6. Android Phone - Web Browser

  • Open your Web Browser
  • Click the Menu Key on your phone
  • Select "More"
  • Select "Settings"
  • Clear your history, cache, and location access.
  • We suggest disabling "Enable location" to prevent websites from accessing your location in the future.

Security Best Practices for your Google Account

While not related to the impending privacy changes, the following two steps enable important security features on your Google account.

7. Google Mail Connection

  • In the Gmail settings, click on the "General" settings tab
  • Ensure "Browser Connection" has "Always use https" enabled

8. 2-Step verification

2-Step verification is similar to what major banking websites are now using. This service provides stronger security protection for your account. The process is very simple: once activated, you will need to verify each device you frequently sign into your Google account from (your home computer, your work computer, your iPad, etc.). To do this, Google will send you an SMS text message with a unique code. You will be required to enter both your password and this code to verify the device you are signing into Google with. This prevents people from accessing your account from unauthorized devices/computers, since a password alone is no longer enough to sign in from a new device.

To enable:

SOPA Progress Slowed

It appears the anti-SOPA/PROTECTIP grassroots movement and lobbyists have struck a blow to the forward progress of the two bills. Over the weekend many Senators, Congressmen, and the White House publicly announced their opposition to the bills or to their DNS provisions.

Ars has a great write up by Timothy Lee: http://arstechnica.com/tech-policy/news/2012/01/under-voter-pressure-members-of-congress-backpedal-on-sopa.ars

MSNBC's "Up with Chris Hayes" hosted a debate about SOPA with NBCUniversal Executive Vice President and General Counsel Richard Cotton and Reddit.com co-founder Alexis Ohanian, as well as former Rep. Joe Sestak (D-PA) and former lobbyist Jack Abramoff. Rick Cotton and Alexis Ohanian dominated most of the debate.




I found Richard Cotton's tactic in this debate to be hysterical and typical of the debate thus far: state your position loudly, frequently, and do not yield any ground to other arguments. Cotton spent the entire debate vehemently insisting that SOPA will not affect any U.S. websites/companies and frequently trying to talk over Alexis and Chris. He said some variation of "wholesale devoted to theft/illegal activity/thievery" 10 times, "devoted to foreign sites only" 6 times, and told someone their interpretation of the bill was flat-out wrong twice within the roughly 18-minute debate. Alexis and Chris made some good points.

Interesting debate -- especially seeing an NBC show host challenge and spar with an NBC VP over the stance the company has taken. Kudos to NBC for their openness...now just stop supporting this bill.

SOPA Hearing Transcript

Here is the transcript (PDF) from the December 15, 2011 House Judiciary Committee markup of H.R. 3261, the Stop Online Piracy Act (SOPA). This was one of the most infuriating sessions to watch live, and reviewing the testimony and comments, in writing, a month later still boils my blood. There is a PrivacyWonk-hosted copy available (PDF) in case the House moves the copy that is hosted there.

The markup session produced 495 pages of text, including the following gems:

Mr. Watt.  I thank the gentleman for yielding, and I just want to make a couple of points.  First of all, I want to go back to what my friend, Ms. Lofgren's comments she made and discourage any of us from talking about who has been bought off or even experts.  There has been a lot of money floating around in a lot of different places on this issue, and I just don't think it is worthy of us to be talking about who got bought off and who got hired by whom, especially when we start identifying the people.

Mr. Chaffetz.  Thank you, Mr. Chairman.  I have the greatest respect for you and for Ranking Member Conyers.  I do appreciate the manager's amendment.  I do think it is certainly better.   There is clearly a problem.  I understand that there is a problem, but I worry that this is the wrong remedy.  I was trying to think of a way to try to describe my concerns with this bill, but basically we are going to do surgery on the Internet, and we haven't had a doctor in the room tell us how we going to change these organs.  We are basically going to reconfigure the Internet and how it is going to work without bringing in the nerds, without bringing in the doctors.

Ms. Jackson Lee. ... And then, Mr. Chairman, if I might have a moment of personal privilege and just cite for my colleagues, because I do think that we should be respectful of each other, I am reading a tweet that has gone out from "GOP Rep King, Bored by the dialogue of Representative Jackson Lee."  I have no reason to think that anybody cares about my words, but I would offer to say that Mr. King owes the committee an apology, said that we are debating the Stop Online Piracy Act and that he is killing time by surfing the Internet.  I have never known Mr. King to have a multi-task capacity, but if that is his ability, I do think it is inappropriate while we are talking about serious issues, to have a member of the Judiciary Committee be so offensive.  So I am putting on the record, he is not here -- I -- 
Mr. Sensenbrenner.  Chairman, I demand the gentlewoman's words be taken down.  
Ms. Jackson Lee.  Well, I am not taking them down, so you can break this hearing because I am not.  I would ask Mr. --  ...

There is much more contained within the transcript. It is an almost 500-page demonstration of special-interest lobbying and willful ignorance of the world outside the beltway and of the internet.

For more on SOPA, please see the opposition letter. Please use this letter and send it to your representatives to add your voice to the debate.


My SOPA Opposition Letter

I like participating and love what the Center for Democracy and Technology and others are doing at the American Censorship Project. However, this is an issue I feel very strongly about, and I decided to sit down and compose my own letter and e-mail to my representative. There are two versions of the letter -- one for you to read and interact with on this blog and one for you to copy, paste, and send to your representative. The second version removes formatting to ensure sources (URLs) make it through the "Write your Representative" pages.

To the Honorable <<Representative>>,

I am writing to express my staunch disapproval of H.R. 3261: Stop Online Piracy Act (SOPA) and S. 968: Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011 (PROTECTIP). There is no substantial disagreement with the goal of combating the online infringement of copyrights and trademarks; that is a valid and important aim. However, these bills are incredibly dangerous to the country. Some of the specific provisions are far more controversial and would do far more damage than the authors (the MPAA and other lobbying arms of the entertainment industry) of the bill or the "expert" testimony would suggest. A Politico article by Jennifer Martinez titled "Shootout at the digital corral," published on November 16, 2011, provides excellent detail on the bills and the simple fact that the entertainment lobby has outspent the technology lobby for the past two years. The entertainment lobby has bought and paid for these bills, spending over $200M in 2010 and 2011, and they will substantially harm the still-growing and increasingly important digital economy: making it impossible to innovate, killing start-ups, and any jobs associated with them.

The public reaction to these bills in the United States has been visceral. Opponents of the bill include: Google, Yahoo!, Facebook, Twitter, AOL, LinkedIn, eBay, Mozilla Corporation, the Brookings Institution and human rights organizations such as Reporters Without Borders, the Electronic Frontier Foundation, the ACLU, Human Rights Watch, and the Center for Democracy and Technology.

Sandia National Laboratories, a part of the U.S. Department of Energy, concluded that the SOPA legislation would "negatively impact U.S. and global cybersecurity and Internet functionality." Sandia joins Republican Representative Dan Lungren, who also worried that SOPA would undercut efforts to secure the internet with DNSSEC.

Harvard Business Review blogger James Allworth wrote, "Is this really what we want to do to the internet? Shut it down every time it doesn't fit someone's business model?" concluding that the bill would "give America its very own version of the Great Firewall of China." I do not believe this quote is hyperbole. The bill will significantly impair the freedom of the internet that we as a country have advocated very publicly. See Hillary Clinton's speech on Internet Freedom at GW University.

There has also been international outcry to the bills. The European Parliament passed (by a large majority) a resolution criticizing SOPA. The resolution emphasizes "the need to protect the integrity of the global Internet and freedom of communication by refraining from unilateral measures to revoke IP addresses or domain names." The United States has great allies in Europe and we would not be doing ourselves any favors by passing a bill that does *nothing* to protect us and everything to antagonize Europeans.

We cannot legislate an internet that protects everyone, everywhere, at every second. But we also cannot take the interests of a few companies' antiquated business models over the interest and rights of our citizens. SOPA and PROTECTIP are bad pieces of legislation. This fact is highlighted in the poor grasp of internet technology the bills put forward; the entertainment industry spent millions of dollars to produce pieces of legislation that *break* the internet. These bills represent the last throes of an industry failing to adapt to a new marketplace. These companies would have done better to take their $200M+ of lobbying and invest it in innovation, research and development, and job creation around that R&D.

Please help stop this bill.

Thank you,
<<Name>>

Reforming government takes a long time; it rarely happens overnight. It can often take years of negotiation, grassroots campaigning, and lobbying to effect change. That's our system, for better or worse. Right now, one such issue working its way through the process is reforming the 25-year-old, and very stale, Electronic Communications Privacy Act (ECPA) of 1986. Over the past year, there has been substantial activity around the issue. Big companies and advocacy groups from both the left and right have come together to demand updates to the electronic surveillance laws. The laws no longer work with our current technological environment and offer very little privacy protection to individuals. They also put companies who handle information in difficult positions: protecting consumer data or disclosing information to government without clear guidelines. The Center for Democracy and Technology (CDT) has put together a great primer on the history of ECPA, the privacy concerns, the technological changes that have occurred since 1986, and why reform is needed.

Over a year ago, there was a lot of activity around ECPA reform, including a hearing held by the Senate Judiciary Committee and Google helping form the Digital Due Process Coalition. The coalition is comprised of many big tech companies and advocacy groups "[t]o simplify, clarify, and unify the ECPA standards, providing stronger privacy protections for communications and associated data in response to changes in technology and new services and usage patterns, while preserving the legal tools necessary for government agencies to enforce the laws, respond to emergency circumstances and protect the public." Additional background from Alex Howard at O'Reilly Radar.

ECPA reform has made its way into the Congressional records with draft legislation put forward. On May 17, 2011 Senator Patrick Leahy (D-VT) introduced a bill to modernize and update the ECPA titled Electronic Communications Privacy Act Amendments Act of 2011 (PDF) (S. 1011).

CDT has recently formed a group of both left and right organizations to support a petition for privacy law reform, specifically targeting ECPA. The site, "Not Without A Warrant" allows individuals to electronically sign the petition and add their voice to the reform movement.

PrivacyWonk has signed the Not Without A Warrant petition. Will you?

Content Delivery Network (CDN) giant Akamai and advertising-industry self-regulation platform provider Evidon (nee Better Advertising) have teamed up to provide more robust privacy notices to individuals. Akamai will provide the distribution network -- most likely using Edge Side Includes (ESI) (wikipedia, Akamai) -- for "Evidon's privacy and compliance services for the management of the Industry Self-Regulatory Program in the US, the European ePrivacy Directive, and its corollary self-regulatory effort for Online Behavioral Advertising."

I can't wait to see this in action, and I hope Evidon pushes out in new directions for privacy notice/choice. I'd love to see Evidon build on Aza Raskin's privacy icon project. Evidon and its partners will reach a large audience and can use their bully pulpit to advance changes in the standard idea of notice and consent (choice). More granular control over opting in to or out of programs? Something even more radical? This is a big technological step forward for providing smart notice/choice, so why not try out more new ideas?

I would also like to see Evidon and its partners use this platform for testing new approaches to advertising, information collection, notice, and choice. For example:

  • Testing the impact of a truly opt-in model on ad impressions: "Would you like to see ads on this site?"
  • Testing the impact of opt-in information collection: "Advertising network XYZ would like to collect browsing habits: Yes/No."

We've only been able to speculate on the outcome of this type of granular control; perhaps Evidon could give us some proof.

Mozilla has a great resource for webapp and website developers: The Mozilla Secure Coding Guidelines.

These guidelines will help create a more secure app/site. However, they will not, by themselves, decrease privacy risks. Design your app/site to be privacy-conscious.

Facebook cookies and sharing

They are never tasty, and now they leave a potentially never-ending aftertaste. Nik Cubrilovic (@nikcub) has an intriguing write-up on his blog about the potential for expanded tracking by Facebook through their social plugins (comments, likes, APIs, etc.) even after a user has logged out. Facebook has denied the potential threat. There are interesting discussions in the comments section (on the Disqus platform, no less) of his blog, including Facebook's response, and on his Twitter page.

I love seeing research like this surface and I give Nik credit for approaching facebook multiple times before publishing. His post is fairly technical but his intro boils it down nicely into layman's terms.

It seems Dave Winer's (@davewiner) post titled "Facebook is scaring me" may have prompted Nik's post after sitting on the data for more than a year. And all of this, of course, after the recent announcements at F8, which prompted renewed privacy concerns regarding facebook's new timeline profile and frictionless sharing features.

It amazes me how often the privacy pot gets stirred, even with pending legislation looming over a largely unregulated industry. You'd think they might lay low on making these drastic and norm-challenging changes.