
Okay, hello everyone. I'm Georgie Boo, also known as Pandos, and today I'm going to talk about privacy. First of all, who's interested in tracking you on the internet? As we got to find out in the last year, tracking you is a huge deal for the governments, but the governments are not the only ones tracking you; private companies also do it, and who does it better is a good question. So in the case of governments, tracking you is mostly expenses, because the data has to be intercepted, stored somewhere, analyzed, and that's quite pricey. If it's private companies, they actually generate revenue from your data, and they get it directly from you; you'll be more than happy to
provide them with it. So how do we track you exactly? If we employ maths, there's only 7 billion people on this planet, and that's 2 to the power of 33 to get enough unique identifiers to identify every living person. So how is this useful? Well, we can use the reduction of entropy equation, which is minus logarithm base two of the probability that some fact would be true for a random person. For example, let's say I know your birthday, which is April 29, 2014. There's 365 days in a year, so that's one 365th, and if we put that into the calculator we'll find out that we have 8 and a half bits of entropy
already. So how do we find out more? Cookies. Cookies are like club cards: they allow... huh, okay, they allow to use seemingly random data and tie it to a person, or in this case your browser. So how do cookies work? Well, imagine it's spring now, and in the morning you're reading an article about gardening, and while you're reading the article some news network... some ads network is serving you ads. And if you've ever had to serve ads from an ads network, you know that it's usually a piece of JavaScript you put in the page; it phones back home, retrieves the ads, shows them to you. But what actually happens here is two important things are
sent to the ad network: that the holder of cookie 1337 (that's one) is interested in gardening (that's two). The ads network knows it now. Fast forward a few hours, and over lunch you're reading a different article, and this time the same ads network is serving you ads again. It already knows you're probably interested in gardening, so the ads this time are going to be about gardening tools. "Hey," you might say, "so what? It's just some random number that's tied to me," and you may actually have wanted to buy the gardening tools. But the scary part is Google is the biggest ad provider and a search engine; it's also a social network now, so
how difficult would it be to tie that data to your social network profile? Probably not very difficult. Google also owns YouTube now, and YouTube keeps asking you to use your full name. Another thing: so, take-home, doing all this there is no need to wiretap you. It was all done more or less legally, and it actually generates revenue, and even though there is now the EU cookie law, what does the user do when he sees another nag screen saying that some evil corporation has enslaved him? Nothing; clicks okay. Even with that, there's still Flash cookies and there's HTML5 local storage, which isn't very trivial to disable; you have to go to about:config and it's not
trivial. It doesn't end at cookies, because your browser is a gold mine. With every HTTP request you're sending your browser information, operating system information, and I can retrieve a lot of stuff with JavaScript: I can find out what plugins you have installed, what fonts are installed on your system, and there is a nice JS fiddle which allows me to find your local network IP, the one behind the NAT. So how do you think all these services generate revenue? They generate revenue by selling your data. You are the product; that's how they generate revenue. When was the last time you clicked this button? Probably not that long ago, but
why did you click it? Because you liked something. But okay, you don't have to click it if you like something; because you clicked it, 10 minutes later you forget that you've clicked it, but Facebook now knows a piece of important data about you, and it's going to be stored forever. So think about it next time. The next big thing is... it has been found out that the way you move your mouse around the screen and click things correlates with your eye movement, with where your attention is, and companies are already catching up with it. They can generate heat maps like this to see what you were interested in, where
your attention was. It doesn't end there. The sharing, top of the cake, is that they want to be aware of who clicked it, why he clicked it, where he came from and where he went afterwards, and here you could adjust some sliders and click on the dots and find out more about the users. This system was operational over 5 years ago. Yep. Okay, let's move away from the private companies and go into something that the governments would probably do: more techy stuff. So what can I find out about you by getting into your browser? Probably your IP address and a MAC address, and either is enough to come to your ISP, give them a subpoena and find
out who you are. But that's not the end of it, because there are open geolocation databases available, and you can just go wardriving and find out where certain access points are and track you there. Have you ever encountered spyware? It often comes with free software, bundled in, opted in by default. It can be tricky to remove entirely, and it doesn't get picked up by AVs because it does not necessarily do anything outright malicious, just sitting there collecting some data. NAT detection: in some cases it's possible to find out whether you're behind a NAT just by looking at the TTL on the packet, and it also tells me what
operating system you're using, because Linux and Windows have different default TTL values. Mobile devices: if you're mobile, things get even easier. You probably remember this; it was from the iPhone geolocation log scandal, and as much as I don't understand why someone would want to keep their GPS on all day, this is a real thing. Snoopy. Snoopy is another awesome tool for extracting things from your phone; you probably saw it at 44CON. It listens to the air and sees your phones looking for the networks you have previously connected to, then ties it with geolocation data, and it's possible to find out where you have been
in the last half a year or a year or so. Or there's a different approach: I could just put a pair of croc clips on your ethernet cable, put a Raspberry Pi or a wireless router there, and come in at any time I like, connect to it and listen on your traffic. There are also some really good tools for man-in-the-middling Wi-Fi, like Interceptor. Why this one is special: it's available for all operating systems; you can put it on iPhone, you can put it on Android, Linux, Windows, and it also knows how to reconstruct files that were sent over the network and presents them to you in a nice way. It's not the only one of its
kind either, because there is also Driftnet, which just reconstructs the images sent over the network, so you can just track images, and other tools are available as well. So what do I need to do now? I just need to set up an evil twin hotspot, throw in Snoopy and Interceptor and go, and I'm controlling your internet data. Countermeasures which are available? Well, not so many, really. There's reliable end-to-end encryption, but it wouldn't be the panacea, as Heartbleed has reminded us recently. You can avoid browser tracking by disabling certain features in your browser, but that again has its own drawbacks, because some pages will
not be rendered properly and you'll have to enable it, or you may want to use something like Disqus for discussing an article and it comes with a bunch of trackers attached to it. So there's not much choice. But when you're going into the physical layer... not the physical layer, but techy stuff, you could of course use VPN and SOCKS to hide who you are from the remote server you're connecting to, but in the case of a global adversary scenario it's very vulnerable to timing attacks, and because all the VPN and SOCKS providers already have to install legal interception equipment in their data centers, it's not that difficult to imagine that actually
working. So have a go with social engineering your VPN provider who brags about not keeping any logs and see if they deny the existence of those logs right away; say you're a bank employee or police officer. But I will not be legally responsible for this if you do it, for any consequences; disclaimer there. It also depends on your threat model: in the case of a global adversary scenario, the political tensions and language barriers can be actually exploitable, and they can be more useful than something else. Then there are things everyone has heard about. There's Tor, which does a really good job at keeping your communication secret, but it's also vulnerable to timing
attacks. There's I2P, and honestly this is the simplest diagram I could find that explains I2P, and to explain it in all the details would take another talk, and there's a reason for that: these guys have done an amazing job at considering every possible scenario. But even in their threat model document they do say there's only this much you can do reasonably against a powerful global adversary. And if you think about what the history of the internet has taught us, it is that the users will not be using something overly complicated; they will not sacrifice their convenience; they will always pick the path of least resistance, and you can see that by looking at
how many people are using Tor, I2P, or no measures at all. You could always set up a darknet or a meshnet, but that would be very limited, just to your local peers, so that doesn't work well. But let's go back to the real world and what you can do about browser tracking. There's of course NoScript, which is really good: it blacklists everything and operates on a whitelist basis, so you have to explicitly allow every website where you want to enable JavaScript, and it's really good because it also disables access to HTML5 local storage, among other things. There's Ghostery, which works in a slightly different way; here it
operates on a blacklist, so there's a list of known trackers; instead of blocking everything, it filters only known trackers. It also filters cookie trackers, so it has some features that NoScript doesn't have. And Adblock Plus is great because it has a really flexible system of rules and exceptions for blocking or allowing something, and it's really good. Now, what are our future perspectives here? Well, things do not seem to be getting any better, because there's really huge money in breaching your privacy and there's surprisingly little money in protecting your privacy. You may remember the OpenSSL team; I think there is only five people on the team,
right, and they were asking for funding recently. But there's another side to this point, because on one hand big companies could bring more money into protecting your privacy; on the other hand that would give them more influence in protecting your privacy, and that's not a good thing. So, do you care at all about your privacy? Well, you might care when your prospective employer will be doing a background check on you, or if you apply for a job at a police office or something and you need government clearance. But a more realistic scenario: there was a Reddit thread recently, and this was a video of how to set up a router by some
local ISP, and as you can see there, someone stopped at the right frame and saw the recent documents. You wouldn't want to do that; that might land you in trouble if you do this at work. But it's not just this: would you like your family members to find out what's your favorite dildo size? As a final note, I'd like to remind you that privacy is a binary quality. You cannot give up a little bit of your privacy; as long... as far... sorry, as soon as you've done that, you've given up your privacy, you've lost it. And keeping that in mind: is privacy still a thing? Thank
you. Questions?

Do you think the EU should introduce a law banning what these companies are doing, especially selling your information, your private information, on for advertising, for money?

I don't think that would work well, but it might be worth doing. But you agree to it; you explicitly agree when you sign up.

Yeah, but most people don't understand what they're agreeing to in that situation. In this situation it may be a case that you need an EU-wide law saying, right, this shouldn't be allowed, you're not allowed to do this. People are just not aware of it, actually. How many people read through the terms of service before they sign up?

Yeah, probably not.

Reason why you probably need a law in that to protect the citizens. Insurance...

I haven't ever seen... sorry, I haven't ever seen a law fixing anything yet.

We can't get them to pay their taxes; that might be more complicated. The other question is how many users would go on... would say you have to pay for the search engine,
whatever.

Okay, so good to move on. Last
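The entropy-reduction arithmetic the talk opens with (minus log base two of the probability that a fact holds for a random person, measured against the roughly 33 bits it takes to single out one of 7 billion people), carried through as an added example. This is not code from the talk or its speaker. The fact probabilities in `SAMPLE_FACTS` are constructed for illustration, not measured values, and `combine()` sums bits as if the facts were independent, which is an assumption the code states.

```python
"""Entropy-reduction arithmetic for tracking facts (added example, not from the talk)."""
from __future__ import annotations

import math

WORLD_POPULATION = 7_000_000_000  # the "7 billion people" figure used in the talk


def bits_needed(population: int = WORLD_POPULATION) -> float:
    """Bits needed to give every person a unique identifier: log2(population), ~32.7 for 7e9."""
    return math.log2(population)


def entropy_bits(probability: float) -> float:
    """Bits revealed by one fact: -log2(p), where p is the share of people the fact is true for.

    A fact true of everyone (p = 1) reveals nothing; a birthday (p = 1/365) reveals ~8.5 bits.
    """
    if not 0.0 < probability <= 1.0:
        raise ValueError("probability must be in (0, 1]")
    return -math.log2(probability)


def combine(facts: dict[str, float]) -> float:
    """Total bits learned from several facts, summed as if they were independent.

    Independence is an assumption of this example: birthday and timezone are roughly
    independent, but browser and operating system are not, so real totals come out lower.
    """
    return sum(entropy_bits(p) for p in facts.values())


def anonymity_set(facts: dict[str, float], population: int = WORLD_POPULATION) -> float:
    """Expected number of people still matching every fact: population / 2**bits."""
    return population / 2 ** combine(facts)


def is_unique(facts: dict[str, float], population: int = WORLD_POPULATION) -> bool:
    """True once the facts carry at least as many bits as it takes to name one person."""
    return combine(facts) >= bits_needed(population)


def trace(facts: dict[str, float], population: int = WORLD_POPULATION) -> list[tuple[str, float, float]]:
    """Running tally per fact: (fact, cumulative bits, people still matching)."""
    rows: list[tuple[str, float, float]] = []
    total = 0.0
    for name, p in facts.items():
        total += entropy_bits(p)
        rows.append((name, total, population / 2 ** total))
    return rows


# Constructed sample probabilities for illustration only (not measured values).
SAMPLE_FACTS = {
    "birthday is 29 April": 1 / 365,
    "timezone is UTC+1": 0.15,
    "exact User-Agent string": 1 / 2000,
    "screen is 1366x768": 0.12,
    "installed font list": 1 / 50_000,
    "browser plugin list": 1 / 1000,
}

if __name__ == "__main__":
    print(f"bits needed for {WORLD_POPULATION:,} people: {bits_needed():.2f}")
    for name, bits, left in trace(SAMPLE_FACTS):
        print(f"{name:28s} -> {bits:6.2f} bits, ~{left:,.0f} people still match")
    print("unique:", is_unique(SAMPLE_FACTS))
```

Running it shows the birthday alone leaving about 19 million candidates, and the constructed browser facts pushing the total past the 33-bit mark; the defender's takeaway is that each attribute a page can read (fonts, plugins, User-Agent) is a fraction of a fingerprint, which is why the NoScript-style blocking discussed in the talk matters even when no cookie is set.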