Brazil, March, 2014 This presentation talks about the various ways that the technology of the Internet does not currently suit our needs for privacy and anonymity, and some ways we can combat these issues. We will discuss everything from the layout of cables and physical infrastructure to the issues with application layer systems. We might also spend some time discussing what legislation and policy measures are necessary as a complement to technical solutions.
Ola Bini
computational metalinguist & paranoia principal
[email protected] https://olabini.se/blog
698E 2885 C1DE 74E3 2CD5 03AD 295C 7469 84AF 7F0C
The Internet Is Broken
Threat models
What's really happening
Why is it important?
Weak points
Internet Exchanges
DNS
HTTPS
Not widely deployed
Users trained to disregard certificate errors
TLS 1.0 deployed, TLS 1.2 not widely supported
Most of the 1.0 ciphers have been broken
CA system is hierarchical (you trust circa 650 certificate authorities)
Including the Chinese government
Known attacks: BEAST, CRIME, BREACH
NSA tactics
Attacking crypto
Compromise standards
Sneak in weaknesses in implementations
Force downgrade to weaker algorithms
Attack crypto directly
Attack weak random number generators
Force providers to give out their keys
Attack the endpoints and bypass completely
Attacking endpoints
Backdoors in software
Hardware implants (a wide variety of them)
Guessing passwords
Attacking nearby routers and using them to listen
Using baseband attacks and backdoors in cell phones
Active attacks
Man-on-the-side attacks
0days, primarily in browsers
Spear phishing
Crypto basics
Algorithms
Keys
Symmetric encryption
Asymmetric encryption
Hashing
Random numbers
Kerckhoffs's principle
How To Fight Back
Principles
FLOSH – Free and Libre Open Software and Hardware
Decentralization
End-to-end encryption
Fighting back as developers
Learn cryptography
Use opt-in share buttons
Learn safe and secure coding practices
Use content security policies
Build decentralized systems
Build free software
Do not use Google-hosted JavaScript etc
Get into open hardware
Fighting back as admins
Deploy only HTTPS
Use HTTP Strict Transport Security (HSTS)
Use Perfect Forward Secrecy
Use Piwik and locally hosted analytics
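The developer and admin slides above ask for content security policies, HTTPS everywhere, HSTS, and no Google-hosted JavaScript, but do not show what a good or bad header looks like. The following Python audit is an added example (not from the talk) that checks a response's Strict-Transport-Security and Content-Security-Policy headers against that advice; the three header sets are constructed samples, and the 180-day minimum max-age is an assumed threshold, not a value from the slides.

```python
import re

# Constructed sample responses for the checks below (not captured from any real site).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": (
        "default-src *; script-src 'self' 'unsafe-inline' https://ajax.googleapis.com"
    ),
}
NO_HEADERS = {}

# Assumed threshold: half a year; HSTS preload guides usually ask for a full year.
MIN_HSTS_AGE = 15552000


def _get(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_hsts(headers):
    """Findings about Strict-Transport-Security; an empty list means it looks sound."""
    findings = []
    value = _get(headers, "Strict-Transport-Security")
    if value is None:
        return ["HSTS missing: browsers will still follow plain-HTTP links to this host"]
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            max_age = int(m.group(1))
    if max_age is None:
        findings.append("HSTS has no max-age: the header is invalid and ignored")
    elif max_age < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age {max_age}s is short (below {MIN_HSTS_AGE}s)")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains: subdomains can still be downgraded")
    return findings


def parse_csp(value):
    """Split a CSP header into {directive: [source tokens]} (tokens lowercased)."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def check_csp(headers):
    """Findings about where scripts may be loaded from, per the CSP header."""
    findings = []
    value = _get(headers, "Content-Security-Policy")
    if value is None:
        return ["CSP missing: injected or third-party scripts are not restricted"]
    policy = parse_csp(value)
    # script-src falls back to default-src when absent, as browsers do.
    script_src = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in script_src:
        findings.append("script-src allows 'unsafe-inline': inline script injection is not blocked")
    if "*" in script_src:
        findings.append("script-src allows any host (*)")
    for src in script_src:
        # Anything that is a URL or a bare host name is a third party serving your scripts.
        if src.startswith("http") or (not src.startswith("'") and "." in src):
            findings.append(f"scripts loaded from third-party host {src}")
    return findings


def audit(headers):
    """All transport and script-source findings for one response's headers."""
    return check_hsts(headers) + check_csp(headers)


if __name__ == "__main__":
    for name, hdrs in [("good", GOOD_HEADERS), ("weak", WEAK_HEADERS), ("none", NO_HEADERS)]:
        print(name, audit(hdrs) or ["no findings"])
```

Feed `audit()` the header dictionary from a real response (for example `dict(requests.get(url).headers)`) to run the same checks against a live site; the third-party host finding is the one that flags Google-hosted JavaScript and similar CDNs.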
Fighting back as individuals
Protest
Inform others
Use Tor
Learn to use encrypted email
Learn to use OTR for chats
Move away from centralized services
Use Jitsi instead of Skype
Learn safe password usage
Use ad-blockers
Use open source
What does the world need?
Decentralized services
An anti-browser revolution
Email/Voice/IM federated all over the world
A privacy haven
Transport and naming security
Free software and hardware
Safe payment processing
Non-biased search engines
An alternative to cell phones
Privacy haven?