Power to the People: Effective Advocacy for Privacy and Security
2:49PM Jul 26, 2020
Welcome back everybody. If you've ever come across a situation where it's difficult for you to explain to your friends or family the importance of locking their computer screen when they are away from the computer, or using two-factor authentication for your logins, then this talk is definitely for you. Our tech community is generally unsuccessful in promoting and creating more awareness regarding privacy and security to ordinary people. Today, we have an on orar, who is a privacy and security advocate and very passionate about creating more awareness in the non-tech community about cyber security. This talk is titled Power to the People: Effective Advocacy for Privacy and Security. So let's welcome him for delivering his talk.
Hi, my name is Aidan proct, welcome to my presentation. Um, I noticed big PowerPoint thing, so I'll keep slides to a minimum; you'll see demos and other things that may make more sense. Over the last five years or so I've been interacting a lot with different people about information security and privacy. I've had many discussions with colleagues and family members and friends, and I give training sessions and presentations and read a lot and heard a lot, but mainly tried to figure out why regular people don't pay more attention to things that my friends in the information technology community sort of still philosophically struggle with. Most people don't fully recognize the scale and depth of the technology that is now really the fabric of modern society. And it's a problem because these people make uninformed decisions that have a deep and long-term impact on all of us, like deciding how our cities will behave, or who can dictate for us how we perceive the world around us and how we interact with it. I've noticed that a lot of people who are not tech savvy have this intuitive understanding that some technological practices are disturbing, but they can't articulate the sort of underlying impact of them, and by extension why our society may want to reject or regulate them. I think if we give people the right knowledge and tools, then we can have a much more informed debate about how we want our society to look now and in the future. One thing that stood out to me was that we, and by we I mean the conscientious information security and privacy minded individuals, we are better at advocating and educating others, we got there in safe places like HOPE today. And when we do try to give people advice, we usually come off very paranoid, or unnecessarily complicating things to the point where the other person is just too confused to follow our steps. So with all that in mind, I joined a few other good people and have set out to create training sessions.
Or just talking points that would convey important messages and teach best practices in an approachable way that makes sense, meaning no PowerPoint slides, no complications are irrelevant and keep it highly interactive and also don't sound paranoid. For this talk today, when I go over the training and exercises and some of the demos we give, I'll be putting on my instructor hat. I appreciate that the majority of the audience on the presentation today already knows and understands these philosophical concepts of privacy and security, and also has a good strategic understanding of them, but I ask you to look at these exercises from the perspective of the layperson who is curious but is exposed to these for the first time. The nice thing about interacting with people who are not tech savvy is that most of them are genuinely curious and have a sincere desire to understand the technology that's driving their lives. One of the common questions I get in the training is, who knows what websites I visit? And to answer that question, I try to first explain to them what a website is, and where and how it is hosted, and secondly, how we interact with this website. What I do is I usually begin with what's a website, and we start with this concept that we take a computer, get rid of the screen and keyboard, flip it to the side, flatten it, change it, make it a little faster. We take a bunch of these computers, stack them on top of one another, place them in a rack. Take these racks, put them in these closets over here, take lots of closets, put them in a room, and this room is called a data center.
And, you know, it's kind of fast forwarding through the process, but the underlying concept that the participants understand is that inside these fancy closets are computers that are very similar to the computers that they have at home. It takes about five minutes, maybe 10 minutes; at the end, they fully understand the process of connecting to a website and downloading information from it. But the participants ask, how does that request arrive from my computer to the server?
So here I'm asking a volunteer to visit her favorite website. We use a whiteboard to trace her internet traffic to the site, beginning with her phone, which is connected to the office router via Wi-Fi. We trace that traffic with the stops it makes on the way, going through the regional Comcast routing center, then a larger national one, and over the underground cables crossing the ocean to Italy, where the website is, hitting a national routing center, going through the same routing chain, eventually getting to that website's computer or server in Florence. And there's a lot of nice aha moments in these training sessions, and understanding the basic flow of internet traffic is definitely one of those aha moments for the participants. So we talk a little bit about how each routing junction on the way needs to know the final destination of that request, that website in Florence, and also the origin of that request, that person's computer in John's office in Philadelphia, so that that routing stop can route the traffic in the correct direction. And we take a closer look at one of the stops, for example, the one here in John's office where the training is taking place. This is actually a DD-WRT device that I have programmed to display a live view of the connections that pass through it on the way to the other nodes in the routing chain. And we do this exercise over here where I ask the participants to go to different websites while they are connected to the DD-WRT device, and they can see, and that's really cool, they can see live what websites they connect to, and also the category of the website. And this kind of demonstrates to them the triviality of flagging anyone who, for example, visits pornographic websites, assuming that you have access to the equipment that the internet traffic passes through. Another question that's frequently asked is, what's the danger in downloading some random stuff off the internet?
To answer this question, we show how we take over a computer after one of the participants, who volunteers for this exercise, opens what looks like a PowerPoint presentation but is actually a malicious script. And this is kind of exciting and scary for them at the same time, because we also give them full visibility and control over the remote access panel that I built for this exercise. So it works just like any other RAT, remote access Trojan: nothing is visible on the victim's screen. This is their MacBook, and here to our left is our command and control center that we created. This is the user looking at the camera on her MacBook, and us as the bad guys seeing whatever the camera is capturing. We've just switched to a view of her MacBook screen. We also demonstrate how we steal documents and photos and turn on the mic and remotely move the mouse and everything else. So this is really the first time that most participants see this thing in action, and it definitely answers the question, what's the danger in downloading random stuff off the internet? We show the participants a typical phishing attempt via email and SMS and how following its link opens a fake login page. Same as in the rest of the training, we present the control panel of the fake website and explain, through a live demonstration, how we capture user credentials if they fall for the phish. We then demo one of the common spyware programs for the phone. And we discuss how accessing someone's phone these days is essentially accessing their lives in a way that is much more surprising than what most people think. So stick with me. This is what we'll cover next, and based on the feedback I've received, it is one of the more eye-opening exercises in the training. To demonstrate what apps can do when given the right permission, I created this iPhone app that I call gametime. It's similar to any other app. However, on this one, users also get access to the back end system that's powering the app.
We will run the app and simultaneously also tail the logs. These are friendly logs that the server, which the app is communicating with, is generating for us. I wasn't able to record both the app and the logs at the same time. So instead, I'll mark the screenshot with the time each event was generated. In the training, the logs are created live.
Right, I'm launching the game, and in a second we'll see the registration screen. We start with this basic user information. Now there's no reason for us to know someone's name if they just want to play a game, but we ask for it anyway so we can later perform some correlations against their identity. To perform this correlation, we'll also need something that uniquely identifies that person; usually first and last name are not enough. Social Security number would be a good candidate, but the data brokerage industry is avoiding it because it's adding a layer of compliance complexity, and mostly because people think twice before providing it. Cell phone number is actually commonly used to associate users across different apps and services and platforms. People usually give it out without any issues. And really, when was the last time that you switched a cell phone number? Next is the camera. We find some justification to access the camera. In this case it's for the user to take the profile picture. And from this point on, we'll take a picture of the user every couple of seconds, 10 seconds or so, without prompting them. And we can use it to enhance our engagement measurement a little better by performing sentiment recognition on the user, especially facial expressions. So using our app. Next we'll upload all the user contacts. And we can use them to enhance a social map for the user and better identify people in the pictures that we'll later get from the user's phone. We'll also add this user's contacts to our global contacts database, which is populating from all the users of our different apps.
And this is where we get access to the user's photos on their iPhone. There's a misconception that after you allow for photo access and select only one photo, the app still depends on your permission to read other photos. And as we see here, not only do we upload all the pictures on the phone to our system immediately after being granted access, what we will do is also run a process that checks every 10 seconds or so for new photos, and we'll upload them as soon as it finds them. And this is all, of course, completely invisible to the user. We are asking for the user location under the guise of connecting them with other players.
And here's an example of how the user takes more photos. I just took some random ones over here, and the app almost immediately uploads them to our server.
Alright, I'm going to step away from the app for just a brief moment. I want to explore some other topics which in the training sessions come up at different times and sort of build on top of each other, and we'll return to the app in just a second. If you remember, we've asked the user to give us location services access, so we can find other users around them who also use the app. Obtaining location information allows us to make a lot of meaningful conclusions about the users, which is why I ask the training participants to think about what the places that they frequent reveal about their lives. I sometimes use this map of a city and a person's coordinates to demonstrate. We start with this first location, where the phone stayed from yesterday at seven in the evening until this morning at eight. Every couple of minutes, the app sends us an updated location. Combining these pieces together creates what looks like a commute route between three meaningful places. Our app tells us that one is a residential address, another is a daycare, and the third is an insurance company. After repeating observations, our system concludes that the user lives at this 22 Acacia Avenue address, has a toddler that's registered at the Springfield daycare, and that they work for the Jones insurance company. Because we have access to the user's location information at all times, we also see them attending the gym, going to the theater, grocery shopping, worshiping. And this reveals certain life habits, economic and social status, etc. Combining this individual data with other users' locations, we can now establish social relationships: people who meet at the same places together, living in the same household, working for the same company. Interestingly, we can also flag deviations from the routine, like how one day our user changes their commute to spend a couple of hours at a new destination, which our map tells us is an abortion clinic.
We can also figure out extramarital affairs, fun gatherings of specific groups of people, etc., etc. The New York Times did a good introductory article about the location industry. They contacted some data brokers and purchased a data set of 230 million unique locations that were collected over a couple of days from different people. This animation can be found in that article. It shows the movement of one person through the location data that the Times had purchased.
At this point in the training we check the permissions we granted different apps to access our location. There are not a lot of reasons an app would need to access your location at all times, even when you're not using that app. The cell phone carriers are also in the business of selling location data. And yes, lately we are seeing some attempts to discourage the practice of selling our locations. Law enforcement agencies also use location data pretty extensively. The ACLU has a map showing the status of location data protection by state. Some states allow LEAs to obtain it without a warrant, some have partial protections, some have no protections.
We spoke about user location. Let's talk about photos. If you remember, the app allows the user to change the default background to a picture from their phone, and it requested photo access for this. The app then uploaded all 160-something pictures from the phone, and it kept checking for new ones without explicitly telling the user that it does so. The app would later perform image analysis on these photos to automatically create some conclusions about the user. Before diving into image analysis in the training, we take a step back and ask, what is an image? We bring up something like Microsoft Paint and look at the pixel composition, and how we can kind of program the computer to distinguish shapes based on the color and shading, and also how, fast forward, we are now in a place where we can fully recognize objects and faces and text and have the computer describe the picture for us. I touch on the image analysis that apps perform, and that the principle around it naturally extends to other things like physical security cameras. And I've learned from my interactions that conceptually, most people still view security cameras like those 1980s CCTVs. I tried to express two distinctions. The first is that the old cameras were under your physical control. So they were not connected to a public network, and ultimately the decision to share the tape with footage was up to you, and unauthorized access to your footage was uncommon back then. The second distinction is that the old cameras were dumb mechanical instruments, whereas the new ones that we use today are complex computers that are capable of performing all this image analysis. And that's how, for example, they know to record only when movement is detected. So this perception change is something that I try to communicate because it impacts how we view the functions of security cameras.
It's always funny to me when my neighbors across the street install something like Ring or Nest, and these devices light up every time I leave the house or have guests coming over. I notice it more when I walk across the street and every other house on my block has a Ring camera. Interestingly, most people that I speak to really believe with all their hearts that they are the owners and have full control over the footage, or the statistical conclusions that are made from that footage. By the way, speaking of uninvited cameras, and this is a complete side note, but I attended a workshop once and one of the guys said that as a parent, he asks his kid for permission before taking their picture.
Let's go back to the app and take a look at its dashboard. This dashboard is a collection of conclusions that the system makes about the user after performing some calculations on the data the app uploaded, like location, photos, contacts. In the training we use live information that we extract from a user's phone; for this talk I'm using pre-populated data. For example, after reviewing the different photos that were stored on the phone, our system would conclude that the user is politically liberal and is likely to support Bernie Sanders. To arrive at that conclusion, it reviewed picture content, the location the pictures were taken at, and in some cases the sentiments of the people in the picture. We can see that a few pictures were taken in a specific time and location, correlated with other events and figured out to be a Bernie Sanders rally, with what the image analysis identified as Bernie Sanders signs and the user's face showing excitement or approval. Systems are quite good at doing this computation at large scale, and with enough data, you draw accurate conclusions related to the user's stance on current issues, or figure out the user's health situation, financial status, interests, really anything that you can automatically extract and then package with other people's data and then sell. It's interesting that when you show these to people they're a bit taken aback, so you need to guide them slowly through this. To illustrate the image recognition technology that's powering this whole thing, I ask them to search their own phone photos for objects like cat or house or fish, or to look at any app that translates your facial expressions into some animation.
If you paid attention before, you've probably noticed that the user photos also contain receipts images. Shopping preferences can also reveal a lot about a person. In fact, there's an entire industry dedicated to extracting meaningful information around buying habits. In the training, I spend a bit of time on this, and how correlate consumer behavior based on consistent identifiers, like a club membership or a credit card number. For the participants in the training, this demo and getting this behind the scenes view is a bit of an eye opener, especially when we realize that there's a thriving and highly profitable industry around this, which means that there's an incentive to develop this further, especially considering that this industry is largely unregulated. Throughout the training, we also talk about some of the possible dangers in this great new world that Silicon Valley is building for them. I mean for us. One obvious issue is that all this flow of intimate conclusions about my life can be used against me if it lands in the wrong hands. Another potential danger is when the company that collects my information and makes all these conclusions about myself starts ranking me based on what they deem to be good or bad, and then packages and sells my profile to my landlord, insurance companies, HR departments, dating services, the neighborhood association. And whether this ranking system is implemented in the private sector, or by government, like in China with our national social credit system, in either case, this process enforces conformity to some social norms which I personally had no say in defining. However, the big driver behind this push to collect personal data and analyze it and extract meaningful conclusions about people is actually something else.
We also talk about the dangers in letting something else recommend how we should or shouldn't live our life, and also how did someone position themselves between us and pretty much everything else. So, we discussed how this friendly robot over here needs to get to know me, so to speak, before they are in a position of arranging my life, which is why so much money is being poured into this industry of collecting and analyzing our personal information. In the training I sometimes use an example to illustrate how the friendly robot, who gets paid for its effort, can be effective in convincing us to move in a certain direction. Let's say that we want to increase the rate of adoption for a certain product. This product can be a mayoral candidate, like this one in the picture, but it can also be a toilet paper, a political theory, a new housing development in the suburbs. Doesn't really matter. In the old days, you would send your message across the ether and kind of hope that it would catch on. Your audience understanding was limited, not to mention that you had to adopt a broad persuasion strategy to a largely heterogeneous audience. Now imagine that you know each and every person that you're trying to convince. You know about their ambitions and their likes and dislikes and what their childhood was like, and what triggers them and what appeals to them. You know the social, financial and medical status, you know their circle of friends. You know every intimate detail about their lives. Let's focus on one of our political consumers, let's call him Adam. How do we convince Adam, without being too obvious about it, that our political candidate is the right choice for him? Well, turns out that Adam lives in a neighborhood that our candidate helped in the past. They both have the same. They both have some affinity to Japan, and they also struggle with the same gambling addiction.
Turns out that our candidate will speak at a rally at just the right time and place for Adam to attend, and also a few of Adam's friends are also considering attending. This is where the friendly robot may help, communicating all this information to Adam in the form of search results, articles, news feeds, personal assistant recommendations, schedule arrangements, and really any other way that a friendly robot can think of. As we mentioned, the friendly robot needs to know enough about Adam to be effective in its persuasions. So the friendly robot forcefully inserts itself into areas in Adam's life which Adam did not invite the friendly robot into. A really enlightening example for this is how some companies track people's browsing habits across different websites, which we also examine in the training. In line with not sounding paranoid, one thing I like to do is I have the people who attend the trainings check things for themselves. So we visit different websites like Google Analytics, or Facebook for Business, and a bunch of other ones. We also look at how companies track our activity across the internet using third-party cookies. So we talk cookies a little bit. And then we visit completely random websites, and using uBlock Origin and the built-in browser network monitor interface, the participants see for themselves, live, some of the tracking that is happening in the background. No user training will be complete without a visit to the darker side of the internet. We'll discuss how security sometimes stands in opposition to faster development, and that in many cases, it's the consumers who get the shorter end of the stick when a company is breached. We pay a visit to a few marketplaces where we are offered stolen credit cards and sensitive information about people. This is like a really interesting, eye-opening experience for a lot of the participants.
We also look at some mandatory breach reporting trackers, like this one from the Department of Health and Human Services. The extent and prevalence of the breaches that never make it to the public eye but directly touch user data, in this case protected health care information, it's sort of staggering and also very surprising to some participants in the training. All right. This was a demonstration of some of my efforts to make security and privacy concepts more open and accessible. I'd like to thank you for your time. And as next steps, please feel free to get in touch if you want to share any feedback or collaborate. Thank you.
Audience, if you have any questions, please do send them across in the Matrix Q&A channel.
And one thing before we start answering the Q&A, I just want to give some credit to people who have worked with me on this, Alexis Burnham and David Garcia. Thank you so much; both of them have been a terrific help in this journey.
All right. I have one question to ask you. In your experience in creating awareness, advocating more of privacy and security, for what kind of people is it more challenging to create that awareness? Is it senior citizens, or is it, you know, people who work in the shops, or banks? What are your views, who do you think is more challenging to, you know, make them understand the importance of it?
Well, I think the first thing is to understand why someone would want to attend your training session, and the goal, what is it you're trying to get out of it, and sort of adapt your training accordingly. If I approached the training as sort of one vinita training, and the same training would be presented to everyone, that would be a mistake, and then it will bring up the challenges you're describing. I think the better way to do it would be to think of the audience in advance, adapt the training a little bit, maybe have a pre-session with one or two of them, see what kind of things bother them in the daily life, what they think about, what they don't think about, and sort of take it from there. So that's hopefully the right approach for that, and it will also remedy some of the challenges that you mentioned.
We have one question: please tell us more about jumping out of airplanes.
Yeah, so, um, well, you know, that's a whole different presentation with lots of videos and slides. No, so my description has me as jumping out of networks and other planes or something like that. And those are both practices I like to do. Every once in a while I jump between virtual networks, so the ones that are created by switches and routers, and jump out of physical planes, the ones that fly in the sky in your junk former in our 13,000, it's
Alright, we have another one. Would you summarize any key takeaways from this presentation of yours that we could communicate to our friends and family members?
That's a, I think, I think the, that's a really good question. I think the key point is not so much the message as much as the way we, and by we I mean the conscientious security community or tech community, the way we approach it. It's much more important, in my perspective, that we change our approach to that, as opposed to, you know, come up with like very specific points, which I can give in a second, but I'd like to just discuss my belief about the goals behind this training, which may answer that question. So I really come up with two different goals for this training. The first one would be more of a tactical goal, which this answering the question would be applicable to answer that question. So in this tactical approach, what we try to do is give people immediate and concrete steps to improve their privacy and security, like changing location settings on your phone to only allow access when an app is in use, that was part of the video, or installing a tracking blocker on their internet browser. It's really super simple stuff, things people can do, so quick, relatively simple steps that provide a bang for the buck.
So that would be sort of the one goal that I have, the tactical goal. The second one, I would say, is mostly strategical. So as we know, most of the people on the call today are technical. And I think as technical people we default to technical solutions to solve problems. And that's why we come up with solutions that are effective against very specific best practice. So for example, the other day, I read about a tool that makes tiny changes to pictures in order to throw off facial recognition systems, which I think is good, and I'll definitely check out this tool, I think everyone on this call should, but in a year from now, the facial recognition systems will probably catch up, and this tool won't be effective anymore. And this tool, which, by the way, I'm using as an example of a good and effective, but tactical, response, that tool doesn't address the root of the problem in this case, which is not the facial recognition technology that this tool is, you know, sort of trying to fight. It's that we as a society adopt what we consider sometimes maybe invasive technologies that are changing how we govern ourselves, and also how we perceive the world around us. And there's little meaningful public discussion around this, and this is why we need to engage people outside of, you know, sort of our conscientious tech community, and engage them, as I said before, in a way that makes sense, that's approachable. And that leads me to, you know, sort of summarizing the second goal for the training, which is more strategic in nature. I want to get people to understand on a deeper, and probably a more philosophical level, the implications of certain practices that may seem convenient and solve immediate problems, but in the long run are likely to hurt us as a society. It's kind of like, you know, maybe the message I'm trying to convey, and I was thinking about it the other day, is that, you know, smoking a cigarette, if we can make an analogy, smoking cigarettes feels good today, but increases your chances of getting cancer.
And, you know, so building on the analogy, cigarettes are addictive. So, you know, I would say if I introduced any specific message that I want to get out of that is that.
So, hopefully it answers the question. All right.
So I think one of the key takeaways you mentioned is how to make people paranoid, that's good. There's another question: how do we create awareness at an institutional level for educational institutes and kids, because what we are trying to create is, you know, Amanda's with the younger generation who will know more about privacy and security?
So, I don't have the answers to everything. Hopefully, out of the storm one things will come up as a, you know, sort of broader discussion of how we can collaborate together, just as people who care about things, in order to institute changes on a much larger level. But specifically, you know, I read about some good things people are doing. For example, and I mentioned it in the video, I went to a conference and someone said that whenever they take pictures of their kids, they're asking them for permission. And that kind of gives the kids a sense of control over who can or cannot take an image of them and what happens with the image. I think the really important thing is to expose people to the behind the scenes of the technology and the practices. I can't emphasize enough the eye-opening impact of someone seeing the remote control panel of a, you know, remote access Trojan, a RAT, when something is running on their machine. We keep telling people, in this community, we keep telling regular people that they're going to be targeted with targeted ads, they're going to see targeted ads on their computer, they're going to be monitored daily. You know, we have these phrases that we're bringing, but we never show the real impact behind the scenes. So I'm thinking one of the first things that we need to do, speaking specifically about, you know, how do we reach out to the next generation, making sure that they're more aware of that: just show them the behind the scenes when they're playing with the phone, what is happening in the background. You don't see it as a user, so that will definitely be a step in the right direction. As far as the more sort of general strategy of how do we make sure that, you know, we feed this curriculum into schools and kindergartens, that's a separate discussion for another call, another talk.
Alright, enough, thank you so much for spending time with us at HOPE 2020.
And thanks for having me. You know, again, if anyone wants to collaborate, get in touch, has feedback, specific questions, anything at all, I'd love to, you know, sort of communicate, be in touch. So you can reach me in, is that okay fine and sort of put this contact right now. So, two ways, two best ways to contact me, on the last slide in the video. One is on Twitter, where is Biggles. The next one is an email that's a long dots confit pm.me, it's both on the last slide.
All right. Thank you so much. Audience, please stay tuned, we will have our next talk very soon, so until then take care and stay safe. Thank you Ilan again.
Thanks again for having me. Thanks.