Presentation by Dominic White at the ITweb security summit 2010. This presentation is about online privacy. The presentation begins with a discussion on behavioral tracking, Ways to prevent tracking such as DNT, TPL,googleSharing and opt out are discussed. The presentation ends with a series of disclussions on evercookie and nevercookie.

1. A Brave New World
The Politics & Technology of Online Privacy

2. /whois singe
• Argumentative Catholic Hacker Geek
• Consultant @ SensePost
• Involved with ZaCon
• Love Building Security, breaking it still fun
• TinFoil is in this Winter
• Blog at http://singe.za.net/
• Tweet as @singe

3. A Brave New World
Source: acceleratingfuture.com

4. Agenda
• Behavioural Tracking Primer
• Politics vs Tech
– NAI Opt-Out
– Do Not Track
– Tracking Prevention Lists
– GoogleSharing
• Next Level
– EverCookie
– Mobile Protections

5. Behavioural Tracking
• Analyse user interactions to build a profile
• Third parties do this across multiple sites
• $21.7 billion industry in US  $42.5 in 2015
(BAI/Kelsey U.S. Local Media Annual Forecast)
– Behavioural only 7% of this by 2014
• Popularised by Google, usurped by Facebook
• The business model for online monetisation
Picture Source: foture.net

6. Problems
• People arrested
• Data driven inferences could be wrong
• Overcriminalisation
• Profiles sold to third-parties
• Employee abuse
• Companies hacked

7. You have little to no control over this
If you don’t care, will you forever?
Does nobody have the right to care?
What about your kids? Activists?

8. Politics & Tech

9. Opt Out
• Advertisers realised they needed to do
something to appease the growing noise
• Network Advertising Initiative’s Opt-Out
• Sets an “Out-Out” cookie for each
participating third party
• You still send data to the third party, just with
one less unique identifier

10. Opt-Out Problems
• Requires third-party cookies to be enabled
• Only covers participating NAI members
• Only un-sets one cookies (others remain)
• The cookie still exists, some still with an UID
• Only prevents targeting ads, data still stored
• Only deals with todays problem
• We only have the people we don’t trust’s
promise

11. Do Not Track
• Consumer, not advertiser driven (Stanford IETF draft)
• Allows you to make a general statement to everyone
• Sends a DNT=1 HTTP header, or sets DNT DOM flag
• Requires receiving server to comply
• A technical signal, not a technical protection
• Backed by legislation
• Currently only implemented by Associated Press
Analytics
• Firefox 4, Internet Explorer 9 & Safari (no Chrome)

12. Legislation
• DNT submitted to FTC
[Industry efforts to address privacy through self-
regulation] “have been too slow, and up to now have
failed to provide adequate and meaningful
protection.”
• SB 761 California “Do Not Track” proposal at
Appropriations Committee
• Do Not Track Act of 2011 introduced on Mon

13. Response
• The trackers got mad:
– “California Senate Bill 761 would create an
unnecessary, unenforceable and unconstitutional
regulatory burden on Internet commerce.”
– “It would stop California’s information economy in its
tracks”
– “The measure would negatively affect consumers who
have come to expect rich content and free services
through the Internet, and would make them more
vulnerable to security threats.”
• Google, Facebook, Yahoo, TimeWarner,
MPAA, NAI & many others

14. Do Not Track Problems
Problems:
• Requires cooperation from trackers
• Not as verifiable as they claim e.g. AP News
• Limited granularity
• DOM implementation could be hacked
Benefits:
• Law is a big, if slow, stick
• Expresses preference to all
• Works with other techniques

15. Tracking Protection Lists
• Microsoft driven (W3C draft)
• Technically a DNT implementation
• Extension of AdBlock Plus approach
• Detailed list of domains, URLs & paths
• Provides blocking & allow statements
• Prevents blocked content from
loading
• Multiple providers of lists
– EasyList, PrivacyChoice, Abine, TRUSTe

16. TPL Pros/Cons
Problems:
• Blacklist, enumerating badness
• Only blocks third-parties
Enumerating Badness
• Needs legislation
Benefits
• Granular No Idea Very Bad
• Transparent/Verifiable
• Not a signal, an enforcement
• Blocks active content, prevents further leaks

17. GoogleSharing
• Built by the very smart Moxie
Marlinspike
• Active Subversion & Unblockable
• Pools identities, lets you use a
random one
• Proxies requests, over SSL
• No need to trust the proxy
• Tools provided to run your own
• This can be extended

18. Active Subversion
• Why must we accommodate trackers? Take back our
privacy by force if we must
• Muddies trackers data sets
– One user is many users
– Looks like a NAT
– Unblockable, undistinguishable
• Increases cost of tracking
• Keeps you safe
– Network location is kept secret
– No tracking
http://1984.za.net/

19. Next Level

20. Beyond Cookies
• Cookies are only one way to track
• Flash Local Storage Objects have been used
for years, but that’s not all
• Samy Kamkar came up with 13 methods in
total
• Also, a way to use one method to restore the
others
The Evercookie

21. Evercookie
• Normal Cookies • HTML5 Session Storage
• Flash LSO • HTML5 Local Storage
• Silverlight Isolated • HTML5 Global Storage
Storage • HTML5 Database
• WebHistory Storage
• Etags • Internet Explorer
• WebCache userData
• window.name cache • Force cached PNG
http://samy.pl/evercookie/

22. NeverCookie

23. NeverCookie
• Deletes normal/HTML5/Flash/Silverlight
“cookies”
• Can prevent setting of future Flash &
Silverlight objects
– Sets a binary Adobe Preferences Object
– Touches a disabled.dat Silverlight file
• GUI written by Willem @ SensePost
• OSX & Safari only currently, plan to extend

24. NeverCookie

25. Mobile EverCookie
• On Apple iOS, each application is in a sandbox
• Every app allowing “surfing” is vulnerable to
the evercookie
• There could be hundreds of evercookies!
• Built-in settings only clear some of
MobileSafari’s cache

26. ResetSafari
• Jailbreak SBSettings application by Sea Comet
• Based on my code release
• Deletes all Cookies as
NeverCookie but for all apps
• Nevercookie for Mobile
http://modmyi.com/cydia/package.php?id=32881

27. Proxy.Pac
• GoogleSharing
if (shExpMatch(host,"*google.*")) {
return proxy_GoogleSharing; }
• Ad & Tracking Block (simple)
if ( shExpMatch(host,"*googlesyndication.*”)
|| shExpMatch(host,"*googleadservices.*")
|| shExpMatch(host,"*google-analytics.*”)
|| shExpMatch(url,"*facebook.com/plugins/like.php*”)
){
return proxy_BlackHole; }

28. Blackhole Problem
• Blackholes are handled differently
• WebKit fails to DIRECT
• Need a blackhole proxy server
• Implemented a simple Twisted HTTP server
than responds with HTTP 200 OK to
everything
• Thanks Gert @ SensePost

29. Available At
http://1984.za.net/proxy.php
?proxy=<> - sets default proxy
&port=<> - sets default proxy port
&socks – makes it a SOCKS proxy
Don’t trust us

30. Enabling on iPhone
• Wifi network .pac can be configured normally
• 3G doesn’t allow proxy settings via Interface
• /Library/Preferences/SystemConfiguration/prefer
ences.plist
<dict>
<key>HTTPEnable</key>
<integer>0</integer>
<key>HTTPProxyType</key>
<integer>2</integer>
<key>HTTPSEnable</key>
<integer>0</integer>
<key>ProxyAutoConfigEnable</key>
<integer>1</integer>
<key>ProxyAutoConfigURLString</key>
<string>http://1984.za.net/proxy.php</string>
</dict>

31. Summary & Conclusion
• Behavioural Tracking is big business
• We need control of our data
• Opt-out is highly politicised, in-flux & requires
legistlation
• Subversion should be built in the mean-time
• Watch out for what’s coming next (or now)
• These tools are easy to build, get started

32. Thank You
Questions?
sensepost.com/blog
dominic@sensepost.com