Defence Against the Digital Dark Arts (Grade One) - LibTech 2014

This presentation introduces you to key online privacy concepts and proposes ways we can act as better stewards of our patrons' privacy, as well as our own.

Eric Stroshane

on 29 April 2014


Transcript of Defence Against the Digital Dark Arts (Grade One) - LibTech 2014

As librarians, we defend patron privacy through policy, action, testimony, legislation, and legal challenges

McCarthyism - http://goo.gl/qpkEED

DECAL/"Library Awareness" - http://goo.gl/7n58nt

CIPA - http://goo.gl/oDLIIR

PATRIOT ACT - http://goo.gl/te9CAJ

SOPA/PIPA - http://goo.gl/d2KCHK

CISPA - http://www.ala.org/advocacy/cispa
Disconnect (or Ghostery)
Adblock Plus
Be sure to check "Allow in Incognito" for these!

Advanced Settings:
Privacy: Content Settings: Block third-party cookies and site data

Extra Credit: Under Settings, Search: Change the search engine used from the omnibox to DuckDuckGo
Essential
from: http://goo.gl/xfrc4E
Security is inseparable from privacy in digital arenas.

Online censorship is inseparable from surveillance.
We bank, shop, donate, research, communicate, and plan travel online.

Our habits, curiosity, conversations, contacts, finances, anatomy, and memories are online.

It doesn't take much to tie those disparate threads together.
Guide to introduced FISA AA and PATRIOT ACT reform legislation: http://goo.gl/PSW4ov

Other legislation in woeful need of reform to protect online privacy and speech:
ECPA - http://goo.gl/wfL5ts
CFAA - https://www.eff.org/issues/cfaa
Executive Order 12333 - http://goo.gl/JKUYZc

Contact elected officials: http://www.usa.gov/Contact/Elected.shtml
House staff directory: http://staffers.sunlightfoundation.com/
Install Zemana AntiLogger Free: http://goo.gl/j3jlnn
Turn on the Guest account in three easy steps:
Open the Start Menu, search for Guest Account, and select "Turn guest account on or off"
Click this:
Click Turn On
Your browser conveys information to every site it touches.
Your browser's fingerprint contains the following:

User Agent (browser, version, OS...)
Plug-ins and extensions
Time zone
Screen size and color depth
System fonts
If cookies are enabled
And more!

Did you click a link to get there? You also passed the URL you came from through an HTTP referer (sic).

Oh, and their web server likely logged your external IP address.
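To make the three leaks above concrete, here is an added example (not from the presentation) that parses a constructed HTTP request of the kind a browser sends after a user clicks a link, lists what the receiving site learns from it (user agent and platform, the full referring URL including its query string, the search terms in the request line, cookie names, and the client IP), and then renders the same request the way a web server's "combined" access log would store it. The host names, cookie values and IP address are made up for the example; the IP is from the 203.0.113.0/24 documentation range.

```python
import re
from datetime import datetime, timezone

# Constructed sample request, as a browser would send it after the user clicked
# a link on a forum page (hypothetical hosts; not taken from any real traffic).
SAMPLE_REQUEST = (
    "GET /catalog/search?q=divorce+lawyer HTTP/1.1\r\n"
    "Host: catalog.example-library.org\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "Referer: https://forum.example.net/thread?topic=custody+dispute\r\n"
    "Cookie: sessionid=7f3a9c; _ga=GA1.2.1234.5678; fbm_123=base_domain=.example.net\r\n"
    "\r\n"
)
SAMPLE_CLIENT_IP = "203.0.113.42"  # documentation range; stands in for the patron's external IP


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, headers dict with lower-case names)."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def what_the_site_learns(raw: str, client_ip: str) -> dict:
    """Return the identifying details a site receives from a single request."""
    method, target, h = parse_request(raw)
    cookies = dict(
        kv.split("=", 1) for kv in h.get("cookie", "").split("; ") if "=" in kv
    )
    ua = h.get("user-agent", "")
    os_match = re.search(r"\(([^)]*)\)", ua)  # the parenthesised platform block of the UA string
    return {
        "client_ip": client_ip,
        "user_agent": ua,
        "platform": os_match.group(1) if os_match else "",
        "languages": h.get("accept-language", ""),
        "referer": h.get("referer", ""),          # full URL, including the previous page's query
        "searched_for": target,                   # the query string is part of the logged request line
        "cookie_names": sorted(cookies),          # third-party cookies ride along on every request
    }


def combined_log_line(raw: str, client_ip: str, status=200, size=5123,
                      when=datetime(2014, 3, 19, 9, 0, tzinfo=timezone.utc)) -> str:
    """Render the request the way a typical web server's 'combined' access log records it."""
    method, target, h = parse_request(raw)
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return (f'{client_ip} - - [{stamp}] "{method} {target} HTTP/1.1" {status} {size} '
            f'"{h.get("referer", "-")}" "{h.get("user-agent", "-")}"')


if __name__ == "__main__":
    for key, value in what_the_site_learns(SAMPLE_REQUEST, SAMPLE_CLIENT_IP).items():
        print(f"{key:13} {value}")
    print(combined_log_line(SAMPLE_REQUEST, SAMPLE_CLIENT_IP))
```

Note that the referer and the search terms end up in the log line verbatim, so a site (or anyone who later obtains its logs) learns both what the patron searched for and which page sent them there, tied to the IP address and user agent of that session.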
The Constitution protects free and anonymous speech, and guards against unreasonable search and seizure

Laws protect library patron privacy in all 50 states, D.C., and Guam (http://goo.gl/sXAeEg)

Libraries have patron confidentiality policies
Read more at: http://goo.gl/JCD4xP
An Interpretation of the Library Bill of Rights:

"Privacy is essential to the exercise of free speech, free thought, and free association. The courts have established a First Amendment right to receive information in a publicly funded library."
Pew Pew Pew
Defence Against the Digital Dark Arts (Grade One)
Privacy and the Library
Code of Ethics of the American Library Association:

"We protect each library user's right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted."
Digital Privacy Matters, Because...
How much does it take to identify one of the 7.13 billion people on Earth? 32.73 bits of information (-log2(1/7130000000)).

Your birthday (day & month) is 8.51 bits.

Work in a library in the U.S.? 14.86 bits.

Reside in Bloomington, MN? 16.34 bits, less the 4.49 bits we already gained by learning you live in the U.S., for a net of 11.85 bits.

Total: 35.22 bits of information.
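The arithmetic above is the standard surprisal formula: a fact that holds for a fraction p of people is worth -log2(p) bits. The added example below (not from the presentation) carries the talk's chain through in code, including the conditioning step that stops the Bloomington fact from being double-counted with the U.S. fact. The world population figure is the talk's; the subgroup sizes (U.S. population, U.S. library workers, Bloomington residents) are rough values assumed here, chosen so the output reproduces the bit counts quoted above.

```python
import math

# Population figure used in the talk (2014). The subgroup sizes below are
# rough figures assumed here, chosen to reproduce the bit counts the talk quotes.
WORLD_POPULATION = 7_130_000_000
US_POPULATION = 317_000_000          # assumed
US_LIBRARY_WORKERS = 240_000         # assumed
BLOOMINGTON_MN_POPULATION = 86_000   # assumed
DAYS_IN_YEAR = 365                   # birthday as day and month, ignoring leap days


def surprisal_bits(probability: float) -> float:
    """Information gained, in bits, when a fact with this prior probability becomes known."""
    return -math.log2(probability)


def bits_to_single_out(population: int) -> float:
    """Bits needed to pick one specific person out of `population` (the talk's 32.73)."""
    return surprisal_bits(1 / population)


def bits_from_membership(subset: int, within: int) -> float:
    """Bits gained from learning someone is one of `subset` people drawn from `within`."""
    return surprisal_bits(subset / within)


def accumulate(facts, target_population=WORLD_POPULATION):
    """
    facts: iterable of (label, subset_size, population_the_subset_is_drawn_from).
    Each fact is scored against the population it is conditioned on, so a fact
    already implied by an earlier one (a city inside a country we have already
    established) adds only its conditional bits instead of being double-counted.
    Returns (total_bits, {label: bits}, enough_to_identify_one_person).
    """
    per_fact = {label: bits_from_membership(subset, within) for label, subset, within in facts}
    total = sum(per_fact.values())
    return total, per_fact, total >= bits_to_single_out(target_population)


# The chain of facts from the talk.
TALK_FACTS = [
    ("birthday (day & month)", 1, DAYS_IN_YEAR),
    ("works in a U.S. library", US_LIBRARY_WORKERS, WORLD_POPULATION),
    # 16.34 bits against the world, less the 4.49 bits the U.S. already gave us:
    # log2(world/city) - log2(world/US) == log2(US/city), so score it against the U.S.
    ("lives in Bloomington, MN (given U.S.)", BLOOMINGTON_MN_POPULATION, US_POPULATION),
]


def naive_double_count() -> float:
    """The same city fact scored against the whole world, as if it were independent (16.34)."""
    return bits_from_membership(BLOOMINGTON_MN_POPULATION, WORLD_POPULATION)


if __name__ == "__main__":
    print(f"bits to single out one person on Earth: {bits_to_single_out(WORLD_POPULATION):.2f}")
    total, per_fact, identified = accumulate(TALK_FACTS)
    for label, bits in per_fact.items():
        print(f"  {bits:6.2f}  {label}")
    print(f"total {total:.2f} bits -> {'enough' if identified else 'not enough'} to identify one person")
```

The conditioning matters in practice: scoring every fact against the whole world overstates what an observer learns, while ignoring correlations between facts (here, that working in a U.S. library already implies living in the U.S.) overstates it further. Three mundane facts still clear the 32.73-bit bar.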
Who Watches You While You're Online?
Your Internet Service Provider (ISP) and Domain Name System server (DNS)

Filtering software

Advertising firms

Services you use (email, search engines, social media, stores, etc.)*

Bad actors*

Your government
Presented by Eric Stroshane, ND State Library,
at the 2014 LibTech Conference in St. Paul, MN, on March 19th.

Deterring Spyware, Keyloggers, and Rogue Software Installation on PACs
Deterring Packet Sniffing, MitM, and Incidental Spying on PACs
Deterring Third Party Tracking on PACs
Homework: Teach These Sound Practices to Your Patrons
Privacy and Mobile Devices I: General
Device Settings:
Turn off Wi-Fi, Bluetooth, and NFC by default; turn on only when needed
Turn off location settings (wireless and GPS) when not in use
Turn off tethering and portable hotspots when not in use
Turn off "Back up my data" (under backup and reset)
If you wish, turn off caller ID
Learn how here: https://securityinabox.org/en/android_basic
Taking Action - II: Organizations
Dive Deep! Further Reading and Resources:
Defence Against the Digital Dark Arts - Grade Two++
Encrypting hard drives
Using OTR for secure messaging
Setting up a secure and encrypted email client with GPG
Setting up a secure and anonymous email account
Creating and using virtual machines
Increasing Concern About Digital Privacy
Privacy and Mobile Devices III: iOS
86% of internet users have taken steps online to remove or mask their digital footprints

55% of internet users have taken steps to avoid observation by specific people, organizations, or the government
from Pew Internet surveys conducted on September 5, 2013: http://goo.gl/k6Grko
and on May 21, 2013, Pew Internet Survey: http://goo.gl/HWaqM5
The Calculus of Privacy
(squishy PII version)
Tracking the
Trackers with Lightbeam
from: https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/
Set the following Privacy settings (under Options):
Tell sites I do not want to be tracked
Accept third-party cookies: Never

Add these Extensions:
Disconnect - https://www.disconnect.me (or Ghostery) - blocks trackers
Adblock Plus (add the EasyPrivacy subscription under Filter Preferences for more protection!)
Set the following Privacy setting under Options:
Always use private browsing mode (removes add-on info. from user agent & keeps sessions private from user to user)

Add this Extension:
HTTPS* Everywhere
Enable SSL Observatory
Edit all browser shortcuts so Incognito mode is used:
Right click the desktop and/or taskbar shortcut
Click Properties
Go to the Shortcut tab
Append -incognito to the end of the text in target (... chrome.exe -incognito)

Add this Extension:
HTTPS Everywhere

Be sure to check "Allow in Incognito"
*HTTPS (Hypertext Transfer Protocol Secure) encrypts the flow of information between you and the site you're visiting, forfending several of the Digital Dark Arts

Visual aid: http://goo.gl/3k8L9R

Test browser SSL: https://howsmyssl.com

Test a site's SSL configuration: https://www.ssllabs.com/ssltest/

Get your site on SSL: https://startssl.com/?app=39
Food for thought: http://goo.gl/bNuRg6
Device Settings (many of these are new in iOS7):
Block Cookies from third parties
Disable Frequent Locations and Clear History
Disable Diagnostics & Usage tracking
Disable Location-Based iAds
Limit Ad Tracking (for app-based ads)
Limit what apps have access to your location or turn off Location Services entirely
Disable Notifications View and Today View's access from your lock screen
Disable the Control Center
Learn how here: http://goo.gl/XuCIcT
Home Computer/Laptop/etc.:
Use the aforementioned browser settings and extensions
Use http://mypermissions.org to easily manage 3rd party permissions on social media accounts
Check privacy settings on all internet-connected software you use
Don't post photos online without wiping Exif data: http://www.easyexifdelete.com/
Be vigilant when installing software - do not install bundled programs, toolbars, extensions, or add-ons
Use TrueCrypt to encrypt personal files and any sensitive material uploaded to cloud storage
If needed, you can do cross-browser cookie clean-up with BleachBit: http://bleachbit.sourceforge.net/
Disable Windows' Internet Connection Test: http://goo.gl/tWFZ8X
Public computer:
Use the On-Screen Keyboard to enter account credentials (if the Start menu is locked, mash the shift key five times, click Go to the Ease of Access Center, then click Cancel, and finally click Start On-Screen Keyboard)
Use a portable browser: http://goo.gl/eObIS7
Use a portable office suite: http://goo.gl/Itc0Oa
Use Tails: https://tails.boum.org/
Public Wi-Fi:
Change your DNS after you connect to avoid traffic monitoring and ad injection
Ideally, use a VPN or Tor: https://www.torproject.org/
In General:
Use two-factor authentication for any accounts you can
Have an email address used solely for password resets for other accounts (don't publicize or correspond with it)
Use a disposable email address for downloads and other ephemeral credential situations to avoid spam and junk newsletters - https://www.guerrillamail.com/
Create and store strong passwords with a password manager like KeePass or Password Safe (don't store passwords in your browser)
Don't click on stupid stuff; don't display graphics in e-mail by default; don't open unsolicited messages or garbage forwards; use a URL expander
Always scrub Exif data before posting images online (Easy Exif Delete is simple and free)
Use unshorten.com to see the true destination of shortened links
Use DuckDuckGo or StartPage for search
Home Computer/Laptop Extra Credit:
Change your DNS to one that doesn't log traffic - find one at: http://www.opennicproject.org/; directions: http://goo.gl/vrxddC
Use Tor intelligently for any matters warranting discretion, such as legal or business communications, activism, journalism, or anything else where privacy is paramount: https://www.torproject.org/
Use a VPN
If you want temporary use of a piece of software (or just want to try it out), install and run it in a sandbox using Sandboxie: http://www.sandboxie.com/
If you're uncertain of a website, visit it from a sandboxed browser (Sandboxie works for this, too)
If you're unsure of the safety of a downloaded document, open it in a sandbox (once again, with Sandboxie)
Cookies - How Do They Work?!
Cookies get sent from sites you visit and are stored in your browser

Some are essential throughout a session on a site (authentication)

You never need to retain cookies

Tracking cookies are used by 3rd parties to compile records of your personal browsing history

Example: Social media companies monitor browsing habits with cookies through like/share/favorite/follow/+1 elements on other sites
The Digital Dark Arts (Grade One)
Spyware & Adware


Packet Sniffing/Capture/Inspection*

Man-in-the-Middle Attacks (MitM)

Tracking Cookies, Beacons, and 3rd Party Elements*

Browser Fingerprinting*
Browser Settings (Chrome & FF guidelines):
Use private/incognito browsing (at minimum regularly erase your browsing data)
Turn off telemetry/usage/crash reporting
Turn on Do Not Track
Turn off autofill
Don't store passwords
Turn off search and URL suggestions
Don't accept third-party cookies
Turn off product announcements
Make DuckDuckGo your default search engine (FF only)
Adblock Plus for Android: https://adblockplus.org/en/android-about
AppOps (allows you to set app permissions; may require CM or other ROM)
DroidWall or NoRoot Firewall
Guardian Project: https://guardianproject.info/
Orbot (Tor for your Android)
Orweb (privacy conscious web browser - use with Orbot)
Ostel (encrypted phone calls)
Image Privacy (Exif* scrubber)
Secure Wipe (prevents recovery of deleted files)
Whispersystems: https://whispersystems.org/
TextSecure (encrypted text messages)
Secure your lock screen

Check App Permissions before installing anything

Check App Settings for installed apps - turn off settings that leak your stuff

Use an anti-theft app, so you can remotely wipe your phone or tablet if you lose it
Privacy and Mobile Devices II: Android
Turn AutoFill off
Turn Private Browsing on
Turn Block Pop-ups on
Turn Fraud Warning on
Turn Ad-Tracking off
Android Browser Settings
Use full device encryption (Android 4.0+ only)

Root and Flash a non-proprietary ROM: http://lifehacker.com/5789397/

Cyanogenmod is a great privacy-conscious ROM: http://goo.gl/rS5Kq3
Android Extra Credit
Android Privacy Apps and Developers
ExifRemover ($0.99 - numerous alternatives exist)
Wickr: encrypted text and image messages and secure file shredding; subscription service (https://www.mywickr.com/en/index.php)
The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License.
iOS Privacy Apps and Developers
iOS Browser Settings
Guides on selecting more private and open technologies:
Online privacy flashcards and training materials: https://tacticaltech.org/flash-training-materials
Taking Action - III: Legislative Guides and Directories
Sweeney, Latanya. Simple Demographics Often Identify People Uniquely. Pittsburgh: Carnegie Mellon University (2000). http://goo.gl/EkmTdl
Digital Privacy Matters, Because...
Identification from Location Data (We're Damnably Habitual)
Digital Privacy in the News
The NSA, FBI, & GCHQ are monitoring and recording everyone's:
Phone call metadata
Skype calls (video and voice)
Text messages
Social media activity
Cellular location data
And more!
60% of teen Facebook users keep their profiles private, and most report high levels of confidence in their ability to manage their settings
Snowden leaks primer: http://goo.gl/6zAv0x
Debunking the "nothing to hide" argument:
Wired: http://goo.gl/YuaUTg
ACLU: http://goo.gl/Jvy1LY
Falkvinge: http://goo.gl/h669Wd
Chronicle of Higher Ed.: http://goo.gl/eIcz26
BoingBoing: http://goo.gl/uvb5TD
The School of Privacy - http://www.school-of-privacy.com/
Doctorow, Cory.
"Censorship is Inseparable from Surveillance," theguardian.com, March 2, 2012. http://goo.gl/hFyg2Y
Homeland. New York: Tor Teen (2013).
Little Brother. New York: Tor Teen (2008).
Pirate Cinema. New York: Tor Teen (2012).
EFF on the NSA: https://www.eff.org/nsa-spying
Communications Security:
Reporters Without Borders: http://surveillance.rsf.org/en/
Ereader privacy chart:
Surveillance Self-Defense:
Censorship circumvention kit: https://www.wefightcensorship.org/online-survival-kithtml.html
from: https://secure.flickr.com/photos/buriednexttoyou/5095255302/
*Exif (Exchangeable image file format) is metadata that’s automatically added to digital photos, including:
focal length
model of camera/phone/device
a unique identifier for that device
date/time the photo was taken
GPS data of the precise location, if available

Potentially reveals: other photos you've taken, your home address, the fact that you’re on vacation, John McAfee's location to Guatemalan authorities, etc.

Keep in mind that those you photograph are entitled to their privacy and may have good reason not to want this data shared (abusive exes, stalkers, etc.)
Bruce Schneier on all things security related (and squid): https://www.schneier.com/
Proprietary software with known backdoors: https://www.gnu.org/philosophy/proprietary-back-doors
*This is what Bruce Schneier calls the "free service in exchange for psychological manipulation" business model.

It is a tradeoff - know what you're giving up and weigh it against what you're getting.

Opt out of information-sharing when you can!
Sunlight on Surveillance: http://privacysos.org/
from Bill Barnes and Gene Ambaum's Unshelved: http://www.unshelved.com/2007-12-31
However, libraries and our legal framework haven't kept pace with the privacy needs of our age.
from: http://www.smbc-comics.com/index.php?db=comics&id=2434
Lightbeam: http://goo.gl/SGVDx3
Mobility Pattern (cell. metadata): Four locations are sufficient to uniquely identify >90% of us.
Extra Credit
Check keyboard ports regularly*
Automate updates: http://goo.gl/rcJ2GN
Install and configure EMET: http://goo.gl/CZt6uY
Use drive-imaging/disk-dump tools
Extra Credit:
Privacy Settings:
Manage search engines: add DuckDuckGo Plus; remove Google, Yahoo, and Bing
browser.display.use_document_fonts value = 0 (removes system fonts from your fingerprint)
Extensions (tricky to configure):
about:config settings:
browser.search.defaultenginename & browser.search.selectedEngine value = DuckDuckGo
network.http.sendRefererHeader value = 1 (0 completely prevents passage of site referrers, but may break some sites)
Explore your browser's fingerprint here: http://noc.to/
Encrypto Patronum
Teaching Kids About Online Privacy: http://goo.gl/HNMLWi
Locking Down iPads and iPhones for kids: http://goo.gl/cioIGh
*Guide to NoScript: http://goo.gl/QW0bL1
Extra Credit:
Use CCleaner to automate temporary file and jumplist cleanup: http://goo.gl/HS7EBs
The Internet is Broken - Act Accordingly: http://goo.gl/URaVO9
Taking Action - I: Push Library Vendors for Better Privacy Protection
Put statements in RFPs requesting that...

Steps are taken to maintain privacy and confidentiality of users' searches and results (e.g.: HTTPS implementation)

Patron account credentials are stored securely (ask for the methodology; here's a primer: http://goo.gl/Z5zOuC)
The Grugq's guide to OPSEC: http://grugq.github.io/blog/categories/opsec/
Tumblr: http://grugq.tumblr.com/
Computerphile video channel: https://www.youtube.com/user/Computerphile
"How the NSA Threatens National Security": http://goo.gl/g9c50O
Source UT Health Center, San Antonio: http://goo.gl/PYXZ9o
A Proud History of Librarian Resistance
"The weakness of mass surveillance is that it can very easily be made much more expensive through changes in technical standards: pervasive, end-to-end encryption can quickly make indiscriminate surveillance impossible on a cost-effective basis. The result is that governments are likely to fall back to traditional, targeted surveillance founded upon an individualized suspicion." ~Edward Snowden

Layers of Privacy Safeguards
A guide to the End User License Agreements of some widely-used services: https://myshadow.org/lost-in-small-print
The // Intercept: https://firstlook.org/theintercept/
Not long after 8:00 that morning...
By the time I took my morning break: