Resistance is futile, a Creative Commons Attribution Non-Commercial No-Derivative-Works (2.0) image from myxi photostream

Modern city dwellers are being tracked in hundreds of ways. From cell phone surveillance to DNS tracking.

Eleanor illustrates the vast numbers of records generated by Joe Sixpack as he travels from his home to his desk in the office. You have been awake all of 2 hours and at least 30 government agencies and double that amount of commercial agencies have stored information about you.

There are a few problems around surveillance:

• Secondary uses
• Buying and sharing data
• Sunk cost
• Opportunity leads to abuse
• Equality versus aggregation

A typical telco gets about one location request per 10 subscribers, excluding 911, secret service and law enforcement requests.

Once a city has spent millions on a CCTV system, there is huge pressure on them to make the most use of them they can, just to prove it was a justified expense. Even if the citizens of the city disagree.

Even if information is publicly available, aggregation of information that the subjects of the information had no intention of disclosing is happening all the time.

In summary, surveillance is complicated, but is it good or bad?

Surveillance can be a life saver. Take the example of pace makers that send real-time heart monitoring data, or the fall down detection for solitary industrial workers.

Surveillance for marketing is hard to rate. Mostly this data is used to sell subjects stuff they didn’t want, but it may also lead to them learning of things they will be interested in which they otherwise would have missed.

There is surveillance that guards the privacy of the rich and famous. And there is fraud detection, it is mostly used for good. Unfortunately the data from fraud detection is also sold for marketing purposes.

There is actually surveillance for the common good. Such as water quality monitoring or traffic monitoring for road repairs.

There is surveillance for personal protection, alarm systems, CCTV and on-site guards are all available for a price.

Only a small portion of the surveillance in a city is actually there to stop crime, even if that is the selling goal.

Surveillance can be good and bad. It is a refection of the powers that be.

So how do we fix this?

• Let’s document the problem
• Raise awareness
• Work directly with existing projects
• Subvert the system

Eleanor launched the Deployable Camera Competition: a contest that is aimed at designing a surveillance camera that can be used by civilians to do counter surveillance. The devices have to be released under an open source and open hardware license.

The competition can be found here: http://sldrc.com/projects/deployable

Eleanor’s slides are here: http://sldrc.com/talks/SIGINT10-privacy.pdf

Tor is really a community of developers and volunteers and is still looking for developers and volunteers to enhance themselves.

Top countries in the world in bandwidth:
•    Germany
•    USA
•    Netherlands
•    France
•    Sweden

Anonymity means different things to different people:
•    Private citizens – Privacy
•    Government – Traffic analysis resistance
•    Human rights activists – Reachability
•    Businesses – Network Security

Tor gives three anonymity properties by design, nto by policy:
1)    A local network can learn of influence your destination
2)    No single router can link you to your destination
3)    The destination or somebody watching it cannot learn you location

Tor is constantly being attacked, not by attacking the code, but by:
•    Blocking the directory authorities
•    Blocking relay IP addresses in the directory
•    Filtering based on Tor’s fingerprint
•    By preventing users from finding the tor software

Outers/IPS-es could filter on Tor’s signature in the past, but it now looks like Firefox talking to Apache. When the Tor download website was blocked, the Tor project test up a download tor by email service.

When the Peoples Republic of China turned 60 years, the censorship stepped up in preparation for it. Protecting the torproject.org website with an SSL certificate was good enough in the pas. They also took a snapshot of the network and blocked all its ip addresses for the day of the anniversary. Jacob showed a graph that showed us what suppression looked like.

As a reaction users where able to still get on the Tor network via bridge which you could get via email, or that is kept private.

There is quite a bit of censorship going on in the Western world, this is not something exclusively for evil regimes.

If you want to help the Tor project go to http://torproject.org and download and install the software.

To my surprise the interview turned out a lot better then I remembered it.

Rsnake and Jabra demonstrated client site exploits that will defeat common proxy techniques such as classic HTTP proxies, CGI proxies, SOCKS proxies, and Tor.

The installation of client certificates also exposes users. If you decide to offer you certificate to a site, you basically identify yourself to that site. Client site certificates are good for normal use, but the cert will tell an evil server who we are. Also, certificate can be sniffed from the wire and they will thus also expose an identity.

There is a very well known attack against the Tor network; by setting up an evil Tor node, researches where able to obtain at least 100 embassy usernames and passwords. If you use a proxy you have to decide which proxy to trust.

RSnake demonstrated a new IE attack called smbenum. By using file:// urls from javascript he can enumerate files on the user computer. The attack is still limited, because the browser is only capable of reading certain files. Smbenum learns the computer’s name by using environment variables in the url, which will expand.

Theoretically the smbenum attack can obtain the username, by searching for well known pictures in the user directory (e.g. adobe installs certain pictures in the user directory), but this attack is brute force and incredibly slow. A slower attack called res timing can be used to get more granular details. Find the right directory with smbenum, find the right file with res timing.

Another concern is the safe browsing feature firefox and chrome. This function evaluates the sites you server, this means it does a call home. Rsnake tested and found that his browser did about 30 requests per hour. Since Google users a unique non exipering cookie for each computer all the data on where you have been is in Google’s datacenter. Even if Google’s “do no harm” hold true, there could be a situation where the can be force to give it up. Safe browsing can be turned off about:config

Google’s Chrome is even worse; “Chrome 0wns Us”. Chrome’s automatic updates happen about once every 5hours. Chrome send machineID and UserID in each update request, “this is a real concern”

Jabra finished with a new 0-day java based shell code that cannot be stopped by the browser yet.