for more information visit: ... · – you do not tell your love affairs to your mother, you do not...

12 Dec 2018 1Transition-Waedenswil.ch

For more information visit: https://pads.ccc-ch.ch/public_pad/waedi1212

https://pads.ccc-ch.ch/public_pad/waedi1212


Outline● Facebook, political manipulation● Surveillance, leaks, privacy● Identification mechanisms● Computer security● Privacy countermeasures● Ethical software


2012: laboratory test

● Is it possible to transfer emotional states to others leading people to experience the same emotions without their awareness and without direct human interactions?

● January 2012, 700’000 people● Facebook “News Feed” manipulated to

contain 10% more or less positive expressions

● ...


PNAS June 17, 2014 111 (24) 8788-8790; https://www.pnas.org/content/111/24/8788

https://www.pnas.org/content/111/24/8788


facebook (FB) – key facts

● 2.2 billion monthly-active uses ~30% of the planet

● equity: 74’000 million $. This is 33 $ for each user

● owns Instagram, WhatsApp, Oculus VR


Can FB influence elections?


https://www.republik.ch/2018/05/16/facebook-influenced-elections-in-66-countries


https://www.republik.ch/2018/05/16/facebook-influenced-elections-in-66-countries



<<NEW YORK/SAO PAULO (October 31, 2018).— A new poll commissioned by Avaaz shows the vast reach and impact of fake news in the Brazilian election. The survey, conducted by Ideia Big Data, asked voters if they saw and believed 5 of the most viral fake news stories that flooded social media during the final weeks of the election, [...]

Stunningly, 98.21% of Bolsonaro voters surveyed were exposed to one or more fake news stories, and 89.77% believed they were based on fact. [...]

https://secure.avaaz.org/act/media.php?press_id=918




Reacting to these results, Ricken Patel, Avaaz CEO and founder, said:

"Brazilian democracy is drowning in fake news. These stories were carefully crafted, toxic weapons designed to destroy a politician's electability. And with the help of Facebook and WhatsApp, they were as widely spread and believed as some of the top real news stories of the election.

"How many democracies need to die before Mark Zuckerberg stops this madness on his platforms? […] >>




Right to privacy

● The type of information shared depends from whom to share it with:– You do not tell your love affairs to your mother, you do not

tell your employer your health issues, you do not tell a police officer you drove too fast,...

● “Saying that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about freedom of speech because you have nothing to say.” [E. Snowden]


Source: http://us.macmillan.com/static/holt/greenwald/NoPlaceToHide-Documents-Uncompressed.pdf

http://us.macmillan.com/static/holt/greenwald/NoPlaceToHide-Documents-Uncompressed.pdf


GCHQ to the Five-eyes


Why?


Commerce


Identifying users from their biological/hardware/software

fingerprints


Every computer is unique

● Many hardware components have unique IDs● USB sticks:

● Computers save the ID of the visiting USB drives

● Can be used to identify users


WLAN’s fingerprint: MAC address

wlp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 10.6.48.45 netmask 255.255.240.0 broadcast 10.6.63.255 ether 00:19:d2:d6:29:2f txqueuelen 1000 (Ethernet) RX packets 1212007 bytes 1301758468 (1.2 GiB) RX errors 0 dropped 4 overruns 0 frame 0 TX packets 640489 bytes 108858690 (103.8 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

● Accessible to the operating system

● accessible to everybody on the same network

● is collected (whatsapp, iPhone,..) and stored


Most software is unique● Nearly infinite amount of options an personalization

render individual applications nearly unique

● For a browser: language, time zone, screen size and color depth, system fonts, installed plugins, version, operating system, cookies, time zone,

● Test your browser now: https://panopticlick.eff.org/

https://panopticlick.eff.org/


Keyboard fingerprinting

● Every human is unique in the way he types on the keyboard (timing between keystrokes)

● Several services (e.g. search engines) collect and send timing information to servers (part of autocompletion algorithm). This can be used to identify users.

● Browser add-ons like “Keyboard privacy”:https://paul.reviews/behavioral-profiling-the-password-you-cant-change/[see references herein]

● Mouse: similar problem

https://paul.reviews/behavioral-profiling-the-password-you-cant-change/

https://paul.reviews/behavioral-profiling-the-password-you-cant-change/


Computer security● A secure computer requires

– bug-free non-malicious software● Far away from it● Common Vulnerabilities and Exposures (CVE)

http://cve.mitre.org/

– bug-free non-malicious hardware● Very far away from it● Open-source silicon chips do not exist at all (yet)● Many very serious vulnerabilities known:

– Management Engine (CVE-2017-5689)– Spectre and Meltdown (CVE-2017-5715, CVE-2017-5753, CVE-2017-

5754)– ...

http://cve.mitre.org/


Trojans in hardware


Computer security● In short:

– if your threat-model (journalists, activists) includes powerful players such as governments then do not consider secure any internet-connected device


Privacy countermeasures-from simple to advanced


https://www.woz.ch/system/files/epaper/woz/pdf/woz_digi-ratgeber_okt18.pdf

https://www.woz.ch/system/files/epaper/woz/pdf/woz_digi-ratgeber_okt18.pdf


Browser add-on: uBlock originhttps://en.wikipedia.org/wiki/UBlock_Origin

https://en.wikipedia.org/wiki/UBlock_Origin


Browser add-on: EFF privacy badgerhttps://www.eff.org/privacybadger

https://www.eff.org/privacybadger


Enigmabox● https://enigmabox.net/

● Swiss-made. Creators at ccczh.zh

● Exit nodes in several countries

● 80.- hardware

● 120.-/year abo

https://enigmabox.net/


Offline computer

● Always a good idea● The only method to possibly

have secure data..

..and not even yet:– side-channel attacks, but very

difficult and sophisticated


An effective safety measuree.g. for online activism (Snowden)

● One-use computer– buy a cheap laptop

– open it, and remove the battery

– “castrate” it (remove microphone, speakers, webcam, antennas -anything not strictly necessary)

– There (still) are non password protected WiFi cafes. Turn on the computer only then.

– Type with two fingers. Do not speak. Do not visit websites which may identify you.

– Get the job done, and get rid of the laptop

– … do not trust these instructions


Ethical software


Ethical software - Free software● Free software

– originally defined and promoted by Richard Stallman

– “free as in freedom”, the four freedoms

– copyleft, General Public Licence (GPL)

– google, apple,... do not like it

● open source software– careful: without “free” it is generally meant

“permissive” (permits companies to close it again)

– may allow the creators to sue users for patent infringement

– open source is free software without freedom

– google, apple,... like it

https://www.fsf.org/ https://www.gnu.org/ https://www.eff.org/

https://www.fsf.org/

https://www.gnu.org/

https://www.eff.org/


Free software alternatives

● Major sites advertising alternatives:

● https://switching.social/

● https://framasoft.org/en/

● https://degooglisons-internet.org/en/alternatives/

https://switching.social/

https://framasoft.org/en/

https://degooglisons-internet.org/en/alternatives/

https://degooglisons-internet.org/en/alternatives/


Videoconferencing● Encrypted by default

● can be easily installed and hosted on own server

● Apache license (open source)

● No need to install any client – a browser is sufficient

● Just go on https://meet.jit.si/and start a call

● Try it now: https://meet.jit.si/waedi123

https://meet.jit.si/

https://meet.jit.si/waedi123


Social media

● joinmastodon.org● federated,

decentralized● similar to twitter,

but more text● can (easily) be

self-hosted


owncloud or nextcloud

● Free-software (AGPLv3)● alternative to google

drive/dropobox● private● can be easily installed on a

server


dudle

● a privacy-respecting doodle replacement

● Free-software (Affero GPL, AGPL)

● can be very easily installed on a server

● to try: https://dudle.ccc-mannheim.de

https://dudle.ccc-mannheim.de/

https://dudle.ccc-mannheim.de/


Mediawiki

● Free-software (GPL)● gratis alternative to

Microsoft wikis● great tool to organize

groups and collect knowledge

● very easy to host on own server or own laptop


own email, own domain

● get your own email [email protected]

● ~15.-/year, email account included

● https://gandi.net , or several others

https://gandi.net/


Create your own server

● Renting a Virtual Private Server with 1 fixed IP (v4+v6) address and unmetered bandwidth can be as cheap as 4Eur/month

● https://scaleway.com● Several pre-installed

programs

https://scaleway.com/


Search engines

● https://swisscows.ch -possibly the best available in terms of privacy. Shows interesting results that sometimes other engines do not show. Not quite as powerful as google

● https://startpage.com -basically a clone of google, but no (evident) personal targeting

● https://duckduckgo.com -they say they respect privacy (but are hosted on amazon)

https://swisscows.ch/

https://startpage.com/

https://duckduckgo.com/


Want to pass to linux?

Gentoo

Possibly best entry level for less technical users. Sponsored by Red Hat:

Full of spyware,not fsf.org approved:

The largest software collection in the world. Default at linux distribution at ETH-Zurich

Advanced

High security:

Bests community, best tutorials


Want to pass to linux?● Tutorials and help for

nearly everything can be found online, but the clarity is not always the best

● a good guide accelerates significantly the learning speed

● for example:https://kofler.info/buecher/linux/

https://kofler.info/buecher/linux/

https://kofler.info/buecher/linux/


What to do

● “Lobby” ZHAW to host instances of jitsi, mastodon, etherpad, etc.. under https://jitsi.zhaw.ch , etc..

● Join one of the many gratis services available

● Set up your own server● Spread the voice!

https://jitsi.zhaw.ch/


Literature


Thank you