Presentation Transcript
Could Googling Take Down A President, a Prime Minister, or an Average Citizen?

Greg Conti | United States Military Academy | [email protected]

The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government. 

http://www.whitehouse.gov/omb/budget/fy2005/images/justice-7.jpg

The AOL Dataset Debacle

SIGIR – IR List (August 2006)

Subject: research.aol.com

AOL is embarking on a new direction for its business making its content and products freely available to all consumers. To support those goals, AOL is also embracing the vision of an open research community. To get started, we invite you to visit us at http://research.aol.com, where you will find:

  • 20,000 hand labeled, classified queries
  • 3.5 million web question/answer queries (who, what, where, when, etc.)
  • Query streams for 500,000 users over 3 months (20 million queries)
  • 2 million queries against US Government domains

Also, please feel free to provide feedback on the site, datasets you'd like to see in the future, and any other comments about our vision.

AOL Stalker

AOL Psycho
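The AOL release replaced each user name with a number but kept every query a user made under that one number, which is exactly what let the "AOL Stalker" style sites reassemble people from their streams. The screen below is an added example (not AOL's data or code) of the pre-release check a publisher would want: it reads a log in the same AnonID/Query/QueryTime shape, judges each pseudonym's whole stream rather than single queries, and withholds streams that carry self-identifying tokens. The IDs, queries and the PII patterns are constructed for illustration.

```python
"""Screening a pseudonymised query log before release.

Added example, not AOL's data or code. The log shape mirrors the 2006
release (a numeric AnonID per user, one query per line); the IDs and
queries below are constructed. Swapping a user name for a number leaves
every query by that person linked together, so each pseudonym's whole
stream, not any single query, is what can identify someone.
"""
import re
from collections import defaultdict

# Constructed sample: AnonID \t Query \t QueryTime (IDs and queries invented)
SAMPLE_LOG = """\
AnonID\tQuery\tQueryTime
1001\tlandscapers in springfield il\t2006-03-01 10:12:01
1001\t217 555 0143\t2006-03-01 10:15:40
1001\tdog that digs up the garden\t2006-03-02 08:03:11
1002\tused cars under 5000\t2006-03-03 21:04:55
1002\trecipes for chicken\t2006-03-03 21:07:12
1003\tnumb fingers\t2006-03-04 11:00:00
1003\tjane q public 123 main street\t2006-03-05 12:00:00
"""

# Patterns that make a stream self-identifying (illustrative, not exhaustive)
PII_PATTERNS = {
    "phone": re.compile(r"\b\d{3}[ .-]?\d{3}[ .-]?\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "street_address": re.compile(r"\b\d{1,5} [a-z]+ (street|st|avenue|ave|road|rd)\b"),
    "place_with_state": re.compile(r"\b(in|near) [a-z]+ [a-z]{2}\b"),
}


def parse_log(text):
    """Group queries by pseudonym: {anon_id: [query, ...]}."""
    streams = defaultdict(list)
    for line in text.strip().splitlines()[1:]:  # skip the header row
        anon_id, query, _when = line.split("\t", 2)
        streams[anon_id].append(query.lower())
    return dict(streams)


def screen_streams(streams):
    """Return {anon_id: sorted pattern names} for pseudonyms whose combined
    stream contains identifying tokens. Judged per stream, since the stable
    pseudonym is what links the queries to one person."""
    findings = {}
    for anon_id, queries in streams.items():
        hits = {name for q in queries
                for name, pat in PII_PATTERNS.items() if pat.search(q)}
        if hits:
            findings[anon_id] = sorted(hits)
    return findings


def release_view(streams, findings):
    """Rows safe to release: flagged streams are withheld entirely, because
    redacting only the matching query still leaves the rest of that stream
    attached to the same pseudonym."""
    return [(anon_id, q) for anon_id, qs in streams.items()
            if anon_id not in findings for q in qs]


if __name__ == "__main__":
    streams = parse_log(SAMPLE_LOG)
    flagged = screen_streams(streams)
    for anon_id, reasons in flagged.items():
        print(f"withhold {anon_id}: {', '.join(reasons)}")
    print(f"{len(release_view(streams, flagged))} rows releasable")
```

The design choice worth noting is that `release_view` drops a flagged pseudonym's entire stream rather than the single offending query: once one query in a stream names a town or a phone number, the innocuous queries around it are the ones that finish the profile.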

AOL Demo
  • User #10291
  • User #2708
Knowledge of the AOL Dataspill

Question: Are you familiar with the AOL data disclosure of August 2006?

  • no: 84%
  • vaguely: 7%
  • somewhat: 7%
  • very: 2%

Outline
  • Information Disclosure
    • Computing Platform
    • Network Eavesdropping
    • Destination Websites / ISPs
  • Vectors
  • Cross-site Tracking
    • Advertising and Embedded Content
  • Where we are and where we are going
Definitions

googling: the full spectrum of free online tools and services (such as search, mapping, email, Web-based word processing, calendaring, etc.)

web-based information disclosure: the information we disclose as we surf the web

“Free” web tools and services aren’t free, we pay for them with micropayments of personal information.
“Never talk when you can nod, and never nod when you can wink, and never write an e-mail because it's death. You're giving prosecutors all the evidence we need.” – Eliot Spitzer, two years before his resignation

Eliot Spitzer

Former-Governor of New York

http://abcnews.go.com/Blotter/story?id=4424507&page=1

Maf54 (7:43:27 PM): well dont ruin my mental picture

Xxxxxxxxx (7:43:32 PM): oh lol...sorry

Maf54 (7:43:54 PM): nice

Maf54 (7:43:54 PM): youll be way hot then

Xxxxxxxxx (7:44:01 PM): haha...hopefully

Mark Foley

Former-US Congressman

http://abcnews.go.com/WNT/BrianRoss/Story?id=2509586&page=2

Can anyone help me please! This stalking thing is not funny at all. When I type my name in keyword it gives a list of places that show where I have been on aol on the net. This is nobody's business. I have not done anything wrong at all and I have contacted aol about this matter and they keep saying they will do something about it but never do. -Debbie

How do I get stuff removed from aol stalker? Can anyone tell me? Aol won't respond even though they claim willingness to remove data when requested. Someone, anyone, please help! -Sally

http://blogs.ittoolbox.com/security/investigator/archives/aol-stalker-website-unleashed-11133

In the news…
  • Administration Demands Search Data; Google Says No; AOL, MSN & Yahoo Said Yes
    • http://blog.searchenginewatch.com/blog/060119-060352
  • Hit Pause On The Evil Button: Google Assists In Arrest Of Indian Man
    • http://www.washingtonpost.com/wp-dyn/content/article/2008/05/18/AR2008051800657.html
  • Moroccan Man Jailed For Fake Facebook Profile
    • http://www.techcrunch.com/2008/02/07/moroccan-man-jailed-for-fake-facebook-profile/
  • Group: Yahoo Assisted China With Torture
    • http://origin.foxnews.com/wires/2007Apr19/0,4670,YahooChina,00.html
  • Google ordered to give YouTube user data to Viacom
    • http://afp.google.com/article/ALeqM5hty1hXgakr7zoviTVNKalsStgSOw
Data Collection

[Chart: number of times data is collected on each visitor in a month (average), scale up to 3000; sites shown: Yahoo, MySpace, AOL, Google, Facebook, Microsoft, eBay, Amazon]

http://www.nytimes.com/2008/03/10/technology/10privacy.html?pagewanted=1&_r=1&hp / Comscore

Unique Visitors

[Chart: millions of unique visitors per month, scale up to 180; sites shown: Yahoo, MySpace, AOL, Google, Facebook, Microsoft, eBay, Amazon]

http://www.nytimes.com/2008/03/10/technology/10privacy.html?pagewanted=1&_r=1&hp / Comscore

Global Computing Statistics
  • World Population ~6.6 Billion
  • Cell Phones ~3.3 Billion
  • Personal Computers ~1.2 Billion
  • MP3 Players ~220 Million
  • Digital Cameras ~120 Million
  • Webcams ~100 Million
  • PDAs ~85 Million
  • DVRs ~44 Million
  • Servers ~27 Million

Kevin Kelly, “The Planetary Computer.” Wired, 16.07, July 2008, pp52-55

Data Retention/Anonymization
  • Ask “hours”
  • Google 18 months
  • Microsoft 18 months
  • Yahoo 13 months
  • Other logs…
  • Other companies…
  • The cookie fallacy.
  • ISPs?

http://www.webmonkey.com/blog/Yahoo_Trumps_Google_With_New_Data_Retention_Policy

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9027924&source=rss_news50

Profiling
  • Google hackers
  • Security researchers
  • Political activists
  • Company XXX employee
  • Corporate leaders
  • Law enforcement officer
  • Government official

“Career Watcher”

“Active Gamer”

Tacoda, The Home of Behavioral Targeting, http://www.tacoda.com/

ISPs vs. Large Online Companies

Online Company

  • Sees global traffic from many customers
    • domain specific
  • Advertising and embedded content brings in additional information
  • Limited knowledge of user identity
  • Extensive datamining

ISP

  • Sees all traffic from its set of customers
    • except encrypted traffic
    • traffic analysis
  • Limited to no visibility on non-customers
  • Knows identity and location of accounts
  • Ability to manipulate network flows
    • DNS
    • blocking P2P
Rogers ISP

http://lauren.vortex.com/rogers-google.jpg

Myriad Disclosure Vectors
  • Search
  • Communications
    • Email / IM / SMS…
  • Advertising Networks / Purchasing
  • Other Web 2.0 innovations
    • Web office suites
    • Mashups
    • Location based services
    • Social networking
  • Cloud computing
Map Quest

Mapping sites reveal locations of interest, allowing diverse groups of users to be linked.

Everyscape

http://www.everyscape.com/sanfrancisco-ca.us.aspx

Linked In

Social networking sites know your contacts and your contacts’ contacts. Old friends will find you and let the site know of the relationship.

rot 13

Even the most innocent-looking services should be treated as collecting your data.

Cross-site Tracking
  • Referer values
  • Click-through tracking
  • Cookies
  • Information sharing agreements
  • Advertising networks
  • Web bugs
  • Third-party content and services
    • Videos
    • Affiliate networks
    • Analytics services
Embedded Advertising

Amazon MP3 Clips Widget

A Visit to MSNBC

[Figure: visualization of the hosts contacted during one visit to msnbc.com, IP address axis running from 0.0.0.0 to 255.255.255.255]

Hosts contacted during the MSNBC visit:
  • a365.ms.akamai.net
  • a509.cd.akamai.net
  • ad.3ad.doubleclick.net
  • amch.questionmarket.com
  • c.live.com.nsatc.net
  • c.msn.com.nsatc.net
  • rad.msn.com.nsatc.net
  • context3.kanoodle.com
  • global.msads.net.c.footprint.net
  • hm.sc.msn.com.c.footprint.net
  • msnbcom.112.2o7.net
  • prpx.service.mirror-image.net
  • wrpx.service.mirror-image.net
  • switch.atdmt.com
  • view.atdmt.com
  • www-google-analytics.l.google.com

16 third-party sites, 10 separate companies

http://www.msnbc.msn.com/
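The host list above is the raw material; the defender's question is which of those hosts are third parties, and what each one learns from the request (the Referer, which carries the page being read, and any cookie, which is the stable identifier for cross-site tracking). The script below is an added example, not code from the talk: it takes hostnames from the slide's list, attaches constructed request records (paths, Referer headers, whether a cookie was sent) to them, and classifies each request by registrable domain rather than by whether the hostname looks like the first party. The public-suffix handling is simplified to a few hard-coded two-label suffixes.

```python
"""First-party vs third-party requests in one page load, with Referer and
cookie leakage flagged.

Added example, not from the talk. The hostnames come from the slide's list
for a visit to msnbc.msn.com; the request records (paths, Referer headers,
whether a cookie was sent) are constructed.
"""
from urllib.parse import urlsplit

# A few multi-label public suffixes; a real tool would use the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """eTLD+1 of a hostname (simplified public-suffix handling).
    Note c.msn.com.nsatc.net -> nsatc.net: the 'msn.com' labels in the
    middle of the name are not the party that receives the request."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


PAGE_URL = "http://www.msnbc.msn.com/"

# Constructed request log: (request URL, Referer header or None, cookie sent?)
REQUESTS = [
    ("http://www.msnbc.msn.com/", None, True),
    ("http://a365.ms.akamai.net/msnbc/site.css", PAGE_URL, False),
    ("http://ad.3ad.doubleclick.net/adj/msnbc;sz=728x90", PAGE_URL + "?article=42", True),
    ("http://c.msn.com.nsatc.net/c.gif", PAGE_URL, True),
    ("http://www-google-analytics.l.google.com/__utm.gif", PAGE_URL, False),
    ("http://msnbcom.112.2o7.net/b/ss/msnbcom/1", PAGE_URL, True),
    ("http://view.atdmt.com/MSN/view/1", PAGE_URL, True),
]


def analyse_page_load(page_url, requests):
    """Summarise which third parties a page load talks to and what leaks to them."""
    first_party = registrable_domain(urlsplit(page_url).hostname)
    hosts, domains, referer_leaks, cookie_hosts = set(), set(), [], []
    for url, referer, cookie_sent in requests:
        host = urlsplit(url).hostname
        domain = registrable_domain(host)
        if domain == first_party:
            continue  # first-party request: nothing leaves the site
        hosts.add(host)
        domains.add(domain)
        # A first-party Referer tells the third party which page was read,
        # query string included.
        if referer and registrable_domain(urlsplit(referer).hostname) == first_party:
            referer_leaks.append((host, referer))
        # A cookie on a third-party request is the stable identifier that lets
        # that party recognise the same browser across every site it is embedded in.
        if cookie_sent:
            cookie_hosts.append(host)
    return {
        "first_party": first_party,
        "third_party_hosts": sorted(hosts),
        "third_party_domains": sorted(domains),
        "referer_leaks": referer_leaks,
        "third_party_cookies": cookie_hosts,
    }


if __name__ == "__main__":
    report = analyse_page_load(PAGE_URL, REQUESTS)
    print(f"{len(report['third_party_hosts'])} third-party hosts, "
          f"{len(report['third_party_domains'])} registrable domains")
    for host, ref in report["referer_leaks"]:
        print(f"referer leaked to {host}: {ref}")
```

Grouping by registrable domain is what turns a list of sixteen hostnames into a count of distinct organisations; mapping each domain to a company name (the slide's "10 separate companies") needs an ownership table the script does not carry.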

TrackMeNot and Beyond…
  • http://mrl.nyu.edu/~dhowe/trackmenot/
  • http://mrl.nyu.edu/~dhowe/words.html
  • http://www.schneier.com/blog/archives/2006/08/trackmenot_1.html
Progress
  • Attempts at increasing user awareness
  • Data leak prevention
  • Search query anonymization
  • Malware warnings
User Awareness

http://www.google.com/privacy_ads.html

Challenges
  • Electronic discovery
  • Phoning home
  • Dependency
  • New products and services
  • Corporate consolidation and death
  • Web 2.0 / Interaction tracking
  • Trend away from desktop
  • Multiple privacy policies
Threat Spectrum (arranged on an axis from Less Likely to Likely)
  • ISP manipulation
  • Service eliminated
  • Search result ranking manipulation
  • Cross-site tracking
  • DNS redirection
  • Digital assassination
  • Redirect to malicious sites
  • User profiling
  • Third-party sharing
  • User fingerprinting
  • Government collaboration
  • Targeted advertising
  • Data spills

Acknowledgements

3efd09cddc148ee790d17e35ae323852, Kulsoom Abdullah, Sergey Bratus, Defcon, Georgia Tech, HOPE, Interz0ne, New Security Paradigms Workshop, Anna Shubina, Ed Sobiesk, StankDawg, Symposium on Usable Privacy and Security

More Information...
  • E. Sobiesk and G. Conti; "The Cost of Free Web Tools;" IEEE Security and Privacy, May/June 2007.
  • K. Abdullah, G. Conti and E. Sobiesk; "Self-monitoring of Web-based Information Disclosure;" Workshop on Privacy in the Electronic Society; October 2007.
  • G. Conti and E. Sobiesk; "An Honest Man Has Nothing to Fear: User Perceptions on Web-based Information Disclosure;" Symposium on Usable Privacy and Security (SOUPS); July 2007.
  • G. Conti; "Googling Considered Harmful;" New Security Paradigms Workshop; October 2006.
  • G. Conti; Googling Security. Addison-Wesley. ~October 2008
DAVIX (Jan Monsch and Raffy Marty)

DAVIX Workshop

DEFCON Breakout Room

Sunday 2PM-4PM

http://www.secviz.org/node/89

“Free” web tools and services aren’t free, we pay for them with micropayments of personal information…

But we also pay for them by tolerating evil interfaces.

Survey

Could Googling Take Down A President, a Prime Minister, or an Average Citizen?

Greg Conti | United States Military Academy | [email protected]