Hi everybody. I know it's running off the edge, I apologize. But I think it'll be fine. Thank you for coming to Death of Anonymous Travel. Can everybody hear me okay? Uh-oh. A couple announcements before we start. This presentation is not on the conference CD. If you want a copy of it, we have separate CDs. They're available in the back and I have a few up front here which you can grab afterwards.

So today we're going to talk about how the systems we use for communication and for payment have changed dramatically in the past 10 or 20 years so that we've reached the point where they're constantly generating geolocation information that's very individualized. And third parties are able to collect this information and analyze it, not just to figure out what your history was, what your behaviors have been in the past, but also to predict what your behaviors might be in the future.

Who am I? My name is Sherri Davidoff. I am the co-author of SANS network forensics class which is running this fall in San Diego. I'm also the author of philosecurity.org, an online blog. I've been a security professional for about 10 years now. I started off on MIT's network security team and now I'm an independent consultant. I've done work for the healthcare industry, for law enforcement, for financial industries, manufacturing. I've been around a while.

So as we run through this, some questions to keep in your mind. Who knows that you're here? Who knows you're in Las Vegas? Who knows that you're at this hotel at the Riviera? Who knows that you're attending the DEF CON conference? And who knows that you're in this room watching this presentation right now? The answers to these questions will depend on the methods that you've chosen to use for travel, the methods that you use for payment and for communication. Did you fly here? Did you rent a car? If you rented a car, where did you buy gas? How did you check into your hotel room? Did you use a credit card?
How are you going to pay for it? What have you bought in this hotel? Did you buy a latte? Did you buy a drink at the bar? Have you used an ATM? Have you gambled with your debit card? Perhaps most importantly, are you carrying a cell phone? Those wonderful mobile tracking devices. Do you have a credit card that has an RFID chip embedded in it? Do you have an RFID passport? All these questions impact who knows you're here and what kind of geolocation information has been generated about you personally.

Knowledge is power. The systems that we're going to talk about today include cell phones, credit cards, license plate tracking, RFID tracking, electronic fare systems that can track commuters when you go to work every day, travel or registration databases, things like the no fly list, and surveillance camera networks which are going up in cities all around the world. As we discuss these systems, we're going to talk about a programmer. Think about the error conditions that could happen, how we can detect them, and how we can handle them. Please turn off your cell phones. They're watching you.

This was an article on the front page of the Wall Street Journal about a month ago, and it really caught my attention for a few different reasons. Obviously there's the very graphic image of a poor Iranian woman who was killed during a protest. The headline under the picture reads, Iran's web spying aided by Western technology. Iran has a central telecommunications choke point within their country which they use to monitor all communications that happen, and the article says that they're doing deep packet inspection, so they're monitoring the contents of emails, of IMs, and they're also using this to block certain websites. Iran, by the way, now has more journalists in prison than China.

The second disturbing thing about this article is that it says European gear used in vast effort to monitor communications.
So European countries have been facilitating the repression of free speech and the monitoring of people within Iran. Specifically, the article talks about Nokia Siemens, a European joint venture, and Nokia Siemens has sold Iran a monitoring center. Nokia Siemens put out a press release that says that the equipment that they sold Iran is not capable of deep packet inspection, and it's primarily used for the purposes of lawful intercept of phone voice communications. If you look at the marketing material, you see that it is marketed primarily for those purposes. The yellow box, it can be used in fixed networks, mobile networks, it can also intercept communications on IP networks. I know it's a little bit cut off, but one of the selling points is nationwide monitoring possible. I'd be interested in that.

An interesting add-on to the monitoring center, it's a mobile location tracking component, which says it's an ideal solution to track, record, extrapolate, and anticipate the movements of mobile devices. As we're going to talk about a little more in depth in a bit, your cell phone constantly generates geolocation information about where you are, and that information can be collected en masse, and there are a number of private companies offering software now that can analyze that information.

The third disturbing thing about this article is something that was never said at all. It implies that the countries in which this software is being created are also using it to monitor their citizens' communications. Nokia Siemens has a product called the Intelligence Platform, and the monitoring center is only one component of the Intelligence Platform. A couple years ago, a sales presentation from Siemens was leaked onto the Internet. This is a screenshot of their intelligence desk, which is now just one component of the larger Intelligence Platform.
You can see that geographical view is one component, and it can take a variety of sources of information, including vehicle tracking using toll road systems, so things like E-ZPass, other electronic fare systems, location information of ATM machines, so when you use an ATM, there's geolocation information about that available, and mobile phone tracking, and all of that data can be overlaid on top of each other and correlated to create a pretty detailed picture of your activities.

An important thing to recognize about this software and software like it is that it's not really being marketed to analyze one person's data, but to analyze many millions of people's information and pick needles out of haystacks. Another selling point from the brochure of the Intelligence Platform is the processing of mass data to enable comprehensive investigations.

Here are examples of data sources that government law enforcement intelligence agencies can use to get your geolocation information. The first one is the Siemens Monitoring Center, and as we talked about, that takes in telecommunications information, traffic control points, so hidden traffic cameras, which are going up all over the world, credit card transactions, very important, bank account transactions, car rental databases, and car rental companies have started GPS tracking all of their cars as they drive around, which I think we'll talk about later as well.

So the first primary technology which influences the detail in which we're tracked is cell phones. If you wanted to track a population of people, the first thing you would probably want to do is to try to get them to voluntarily carry around some tracking device all the time. That has happened. Your cell phone is fundamentally functioning as a tracking device right now. Cell phones have been able to provide general location information since they were created.
So you could always find out, based on what cell towers a cell phone was communicating with, approximately where it was. The granularity of information available from cell phones increased dramatically because of FCC regulations in the United States, which required starting in 2005 that carriers be able to trace calls to within 50 to 100 meters. So the initial impetus of this was because when you use your landline in the United States to call emergency responders, they'll get your address and emergency responders will be dispatched to the scene. Obviously, if you're using a cell phone, this is a problem, they might not know exactly where you're located. So the FCC wanted to make it so that emergency responders could find you if you called 911 in the event of an emergency.

So now telecommunications companies, upon request, have to provide latitude and longitude to emergency responders and law enforcement in the event of an emergency. They had their choice of methods that they were going to use to implement this. Some of them chose to upgrade their networks and to add more receivers so that they could better triangulate your signal or figure out based on the time difference of arrival when your signal got to particular cell towers actually very closely to where you were located. Some of them also chose to use GPS in handsets. I was looking for a cell phone in 2005 or 2006 in the United States, and I was unable to find one that didn't have GPS in it. Interestingly, Egypt has banned the sale of iPhones that have GPS capabilities in them for national security reasons. So if you want to buy an iPhone in Egypt, it has to have GPS disabled.

The telecommunications companies are trying to recoup their investments in these location-based enhancements by offering location-based services. So Verizon has a service called Chaperone.
You can see in the screenshot here, parents can use that to track their kids wherever they go, and if their kids go outside particular zones it'll alert them. They also have a service called VZ Navigator which lets you get directions, figure out where you are if you're lost. Telecommunications companies are pretty straightforward about the fact that your wireless device determines its and your physical geographical location, and they also say that software applications, including those by third parties, can get your geolocation information and send it back to the application provider or to other people.

Google is one such third party. They have software called Latitude which enables you to automatically share your location from a phone, and they'll put that up on Google Maps so all of your friends can find you wherever you are. When you sign up for these location-based services you have to really read the fine print, because in a lot of cases you're signing over your rights to privacy with respect to your location.

Employers and schools are getting in on the action. In New Jersey, Montclair State University required mandatory cell phones with GPS software for all students. The vendor that they're using is named Rave Guardian, and the campus police have access to your GPS information so that in the event of an emergency they can find out where you are. It's kind of a pity that this graphic is cut off, but it's from their marketing material and it's a picture of a little student stick figure that says, watch over me. That's of course what college students want.

In New York, a carpenter who worked for the public school system named John Halpin was fired because his employer figured out that he was skipping out on work early.
The way his employer figured this out was because he had given him a cell phone that had GPS software installed on it so they could track him wherever he went, and he protested, saying that he had never been informed that the cell phone had those capabilities, but unfortunately he still lost in court.

There are a number of third-party spyware applications also that people can install on your phone, either legally or illegally. Mobile Spy is one of these pieces of software. It's marketed as being for the Apple iPhone, although it can work on other smartphones, and this is a screenshot of their GPS location capabilities. Anyone who installs this software on your phone can use a web browser and go to their central website and find out the time, the latitude and longitude of the place you were at that time, and then they can pull up a map that has your location so that they can track you.

The iPhone, as a side note, also uses a third method in order to figure out where you are. There's a system called Skyhook which figures out what wireless access points you're near and what cell towers you're near and figures out your location based on that. I think when they originally started the program they had taxi drivers driving around in order to collect the information and generate a central database. Now they actually have a team of 500 people driving around cities to create that central map. The founders of the company say that it's self-healing, so if your iPhone has an access point that wasn't there before it will automatically update the database, and that's one of the reasons why the system works so well. AOL also uses it so that buddies can find out where they are, where your buddy is, and Eye-Fi memory cards in your digital camera. You may not realize this, but sometimes memory cards and digital cameras figure out what location you're at and will stamp your pictures accordingly.
There was a case a few years ago, in 2006, where the FBI was monitoring an organized crime family, the Genovese family, and rather than installing a separate audio bug in order to listen in on their conversations, they simply installed spyware on their Nextel cell phones. So the most interesting thing about this case to me was that the spyware functioned regardless of whether the cell phone was turned on or off, and the same thing can be done with respect to GPS tracking. Someone can install spyware on your phone and that can send your location back to a third party regardless of whether your cell phone is turned on or off.

So we're generating an enormous amount of geolocation all the time as we're walking around with our cell phones. Every time you make a phone call, of course, that reveals your location information, but also as you walk around your cell phone will periodically communicate with cell towers in order to properly route your calls in the future. So how can this information be leveraged by intelligence agencies, by government or by law enforcement?

This is a screenshot from a demonstration that was done by ThorpeGlen in 2008, and ThorpeGlen is a British Telecommunications spin-off. They make software, they created software, I think this was actually created while they were still part of British Telecommunications, to track people's locations and also do social profiling. In this demonstration they took cell records from 50 million Indonesian users and they crunched that data in order to identify small groups of people who were only calling each other. So they found out that 48 million of these real cell phone users were part of one large call group, and then 2 million of them were actually part of much smaller isolated cells that only called each other. In this part of the demonstration you can see that they take data from multiple cell phones, from your laptop, from your landline, and they can use that to track the location.
They also explicitly point out that they can detect that profile again even if the phone and SIM card are changed. So even if you throw away your cell phone and you get a completely new cell phone, they still know that it's you and they can automatically track you, because they're basing this not just on serial numbers of your phone but also where you're going. You're still going the same places, you're still calling the same people.

This is a screenshot from their geographic profiling example in the demonstration. You can see in the yellow, that's historical information about where this person has gone, and then in the red you can see forced mobile location updates, so they can take information that they're getting in real time and overlay it on top of the historical records. And this is a screenshot from their social profiling page. They can figure out who you have relationships with, what social groups you're going to get out of.

For this presentation, that's not what's most interesting to me. What was most interesting was the title bar. You can see here that there's an IP address, 81.143.55.50. That's a British Telecommunications IP address, and that makes sense because ThorpeGlen is located in the UK in a tech park that's served by British Telecommunications. However, in the title bar we see something else: Telstra BigPond. Telstra BigPond is the Australian ISP, the largest Australian ISP. Why are they in the title bar of a ThorpeGlen presentation? It's possible that this could explain where the 50 million Indonesian users' call records came from, because Telstra BigPond has partners located in Indonesia. In any case, for those of you who are Australian citizens, I would be really interested to know what kind of relationship Telstra BigPond has with ThorpeGlen and what kind of products they're using to analyze your cell information.

Could this happen in the United States? What kind of software are our intelligence agencies and law enforcement agencies using to analyze call
information? Is it possible that they're analyzing this information en masse and not just one person's information? The first question is whether or not they have access to a large number of people's telecommunications information, and I'm not going to touch on the topic of legality here. I know the EFF has some cases about this and the question's up in the air, but there is evidence that at least technically they could have access to mass domestic call information.

Last year, in February of 2008, a Verizon consultant, Mr. Babak Pasdar, said that he was hired by Verizon in order to upgrade their firewall configuration, and while he was on site he was repeatedly told that there was one line of 45 megabit per second, a DS3 digital line, into Verizon which was not supposed to have any access restrictions or any logging whatsoever. He says that the users of this line could have unfettered access to voice, data and even physical location information of people using the Verizon network. This was later reported in Wired Magazine as being part of the FBI's network.

This is a map, also from Wired Magazine, I think it was created by the ACLU, of DCSnet, the system that the FBI uses to conduct instant wiretaps. The FBI has their own separate network which taps into the domestic telecommunication system around the country. It is maintained by Sprint, and the software that they used for the instant wiretaps is maintained by Booz Allen. A couple of the systems that we know about include Red Hook, the DCS-3000 system, which is used for pen trap and trace, and Digital Storm, the DCS-6000 system, which is used to conduct full wiretaps. These systems can also instantly determine the location of anyone making the call.

The ACLU documents also revealed that in 2003 there was an audit of these systems which did not go well. It revealed a number of security management vulnerabilities, including the fact that these Windows systems that DCSnet runs on do not have antivirus software, they have shared accounts so access
systems cannot be traced back to one user, they have inappropriate logging, inappropriate password management, and there's no limit on the number of times that a user can attempt to log in, so it's possible that someone could be trying to brute force these accounts. So we have some concerns about the security of these systems. If you're interested, by the way, in security and lawful intercept systems, you might want to look into the 2004 Greek Olympics case where the Greek lawful intercept was used by hackers and used to tap people's phone calls within Greece.

The NSA. There is substantial evidence that the NSA has access to tens of millions of domestic American cell records, phone call records. This is a map, also by the ACLU, of the places we suspect within the United States that they're tapping into systems. A former AT&T telecommunications employee, Mark Klein, reported that there's a secret room in San Francisco at the Folsom Street quarters where the NSA is sniffing traffic off of AT&T's network, and they're not just sniffing internal traffic, they're also sniffing call information that goes across peering points, so data that's being shared with, that's going across, other providers' networks as well.

So to sort of recap what we know about mobile phone location data: it was initially spurred by emergency regulations, and intelligence agencies around the world, governments, have been using this to analyze communications location information around the world. The telecommunications companies profit off of this. For example, Qwest has testified that the NSA offered them substantial compensation for access to their telecommunications data. Law enforcement conducts wiretaps, and telecommunications companies also profit off of that. The telecommunications companies are offering location based services, and they also make money not just from selling these services directly but from offering various types of access to advertisers. And people who write or use spyware, either legally or illegally, also
benefit from this.

People tracking has been spurred, I think, by two primary technologies. One is the advent of more geolocation information coming from cell phones, and the other are the changes that have happened in payment systems. So once upon a time people used these funny shiny metal things in order to pay for stuff. We call these coins. On the bottom here you can see some of the earliest coins ever created by humanity, in the 6th century BC. These are from Lydia. On the left, this is one of the earliest public transportation tokens used in the United States. You can see one of these at the fare collection table after this talk. It's an 1871 horse cart token from Oakland. And here on the right you see a Fugio cent. This is the first coin ever minted by the United States Continental Congress. It was designed by Benjamin Franklin, and appropriately the motto on it was mind your business. Very different from the payment systems we have today.

Now we have credit and debit cards. One of the differences between cash and credit and debit cards is that when you pay for something in cash there is no need for someone to know your name, who you are. Your credit card itself is not in any way linked to you. When you walk into Best Buy and you buy something with your credit card, your name is encoded on the magnetic stripe of your card, so even if you don't tell them who you are, they swipe that card into their system and your name, along with what you purchased, when you purchased it, automatically goes into their computer database. So it's linked to identification that can be tracked by third parties such as your credit card company or your bank, and it can be controlled by third parties.

I don't know if you guys travel very much. I travel a lot, and it's very annoying because once in a while I'll try to use my credit card and it'll stop, and I'll get a phone call from American Express saying, are you in Wichita? And I'll say, yes, I'm in Wichita. And they'll say, well, you have to let us know before you travel.
It's kind of ridiculous. I feel like they're my nanny. They can also share that information with law enforcement.

So let's review who knows when you buy something. This is a screenshot of a statement from a credit card company, and you can see that when you purchase something, when you stay at a hotel, on the top, or when you go to a restaurant, they know not just how much you purchased, what the restaurant was, where it was, what the restaurant's phone number was, how much you tipped. So if you go to the pharmacy and you buy headache medicine, you know about that, the store clerk knows about that. If you use your credit card to pay with it, then you're recorded in the store's systems with that headache medicine. If you're part of their frequent shopper list, then they can sell that list to advertisers and you could start receiving magazines offering ways to reduce migraines or things like that. Banks, credit card companies also know what you purchased, when you purchased it, and so do intelligence agencies.

I'm going to show you a little video here from Russell Tice. This is from CounterPoint.

Now a very public whistleblower, thank you again for your time tonight, sir.

Good evening, thank you.

Last night we discussed collection of phone and email data, envelope info like the length of the call, but also the content. But the information they collected on journalists and other people, this was more than just phone and email info.

Well, as far as the information, the wiretap information that made it to NSA, there was also data mining that was involved, and at some point credit card records and financial transactions was married in with that information. So the lucky US citizens, tens of thousands of whom that are now on digital databases at NSA, who have no idea of this, also have that sort of information included on those digital files that have been warehoused.

Throwing that kind of information in there too, your credit card records, where you have spent your money, does that make it clear to you who used
this information, or why it was used, or what the goal was of gaining it? Do you have any better idea of what all this stuff was used for?

Well, the obvious explanation would be that if you did have a potential terrorist, you'd want to know where they're spending money and whether they purchased an airline ticket or something like that, and that sort of thing. But once again, we're talking about tens of thousands of innocent US citizens that have been caught up in this trap that they have no clue. You know, for this thing could sit there for 10 years, and then potentially it marries up with something else, and 10 years from now they get put on a no fly list and they, of course, won't have a clue why.

So this information is being used.

There we go. I'm glad he mentioned the no fly list, because it's important to realize that monitoring of geolocation information is just one step from restricting where you're traveling. And we can see, we'll talk a little bit about TSA later and the management of the no fly list, but credit reports and credit card transactions have been used as at least partially the basis for putting people on the no fly list.

So those of us who care about our privacy, of course, can just use those shiny round metal things and those paper things we call cash, right? Unfortunately, not so much. When I flew to DEF CON last year I flew without a wallet, and after some excitement I actually managed to make it onto the plane, and the stewardess came by and said, headphones, headphones, would you like to buy a headset? It's only a dollar. And I said, yeah, here's a dollar. And she said, oh, we don't take cash, we only take credit card. A lot of places have started only accepting credit cards, including JetBlue, United and American flights. There are a bunch of toll roads in the United States that have stopped accepting cash. Is this legal?
I'm not a lawyer, but what I gather from reading is that the Coinage Act of 1965 requires creditors to accept United States cash as legal tender for debts. However, if you're not servicing a debt, if you're just walking into Best Buy and buying a hard drive or something like that, they are perfectly within their rights to say, sorry, we only accept credit card.

Payment processing companies, credit card companies, have gotten very good at analyzing what you purchase, when you purchase it, for a variety of reasons including advertising or figuring out what kind of risk you are, and they want more information. American Express filed a patent in 2007 called method and system for facilitating a shopping experience. What this means in English is that they're going to put up, or they would like to put up, RFID readers to route stores inside of stores and make it so that somehow consumers are carrying an RFID device on their person, so that when the consumer walks around the store they can track what aisles the consumer's walking through, what products they're looking at, how that impacts what the consumer is buying. And of course that's of interest to the store, that's of interest to people who are marketing their products, and that's of interest to AmEx.

How on earth could we get people to carry around an RFID card wherever they go? AmEx came out with the AmEx Blue card, which has an RFID chip embedded with it, a few years ago. How many people have this card?
I had a bunch of people have this card. The scariest thing about this is that it was being marketed not just for use in shopping centers but also schools, bus stations or other places of public accommodation.

This sort of thing is already happening in the UK. There's a company called Path Intelligence that markets a system called Footpath. Footpath picks up on cell phone signals as you walk around a shopping mall, and they use that to figure out where shoppers are going. They provide that information to the mall so that the mall knows where people are congregating, they know how much to charge in rent for different stores, what locations are more popular than others. Obviously there's some privacy concerns in this. They can tell your location not just when you make a call but also when your cell phone has periodic communications with the cell towers. However, they say that there are no privacy concerns whatsoever because these are not linked to shoppers' names. Of course, someone who independently knows some information about your cell phone, or even stores in the mall that can correlate that information with purchases using, for example, your name on your credit card, could potentially figure out who's who.

So why is this happening? Why are we seeing tracking coming out of purchasing? It seems like this is sort of a self-perpetuating system, where you shop, what you buy, where you walk around in a store is valuable information, and the companies that collect that information can sell it to other people. It can be used for advertising, it can be used for making credit decisions about you, it can also be used by law enforcement, not just to figure out where you've been, that's part of predictive policing strategies, and intelligence agencies can use this for mass analysis. And I want to speculate here, I don't know for sure, but I would be willing to bet, based on what's happening with the telecommunications industry, that when intelligence agencies get this information from credit card companies, the
credit card companies are probably profiting off of it.

The basis for this project actually started in 2006. I was living in Boston at the time. Boston has America's oldest subway system, and it's been in the subway a lot. In 2006 Boston went from the old token system to an entirely electronic fare system, so they have two different ways you can pay for your fare. There's the CharlieCard, which is a thick plastic RFID card which you've probably heard about if you were at DEF CON last year, and there's the CharlieTicket. The CharlieTicket has a mag stripe on it and it's meant to be more or less disposable. You can refill it, but it's not meant to last. Both of these have a unique serial number.

So as a traveler I was concerned that every time I went through a turnstile it would record my location, the date and time of travel, and that that could be stored in a central database where anyone could potentially access it years down the road and track me, where I had been. So in order to figure out whether this was happening, I called up the MBTA and I said, what happens with the information from each of these cards when it's swiped? And the first people I spoke with at the call center said, oh, we don't keep track of that information, don't worry about it, no privacy issues whatsoever. So I didn't believe that, so I kept calling, and after about two weeks I finally reached the guy that maintains the database where all of your location, date and time information is stored.

So they are keeping track of that information. They are keeping track of the rider histories as they relate to serial numbers, and they have a separate database, the financial database, and every time you fill one of these cards your name and the serial number of the card are also tracked in that. So if you have a CharlieCard, it's possible to obtain a CharlieCard without giving them your name, but if even one time you use a credit or debit card in that, your name can be linked in their systems to that serial number and your entire
travel history can be obtained. As you can see, they are not exactly encouraging the use of cash. How does the MBTA treat that information? I want to go into this in a little bit of depth because there aren't a whole lot of laws that protect your privacy when it comes to commuting, and my hope is that over the next few years we'll start to have better privacy protections. The MBTA says that they have two types of data. They have personally identifiable information, which includes your name, your address, your financial information, your photograph, and they have aggregate information, which includes the travel patterns of your customers. They do not consider the serial number of the card to be personally identifiable information. That's in direct conflict to what Massachusetts law says. Massachusetts law says that any identifying number is PII. How does this relate to what happens with your information? Well, first of all, you cannot get access to your aggregate rider information. If you have a CharlieCard with a serial number on it that you've been carrying around for five years, you can't find out what kind of information they have about your card. They actually say they will not respond to requests for aggregate information. You can, under Massachusetts law, get copies of records relating to your name or other personally identifiable information. So there's nothing to worry about, though the MBTA does share that aggregate information with third parties. So it's possible for them to sell those databases of rider histories linked to serial numbers. It's possible for them to give it to law enforcement, to the Department of Homeland Security for data mining. However, they say, rest assured that aggregate information will not allow anyone to identify you or determine anything personal, except persons may be able to combine that information with other information they independently possess concerning you. So if someone has seen your CharlieCard and has seen the serial number on it, or has seen a
receipt that has the serial number on it, just happens to have the list of aggregate information and knows your behaviors and can identify you in that list, then they could also identify which serial number goes with you and track you. The MBTA says they are not responsible for proper recipients' later use of this information. Who else might know the serial number of your card? Well, employers all over Boston, as part of a corporate pass program, are the ones responsible for assigning serial numbers to end users. So if they had copies of the aggregate information, then they could look up what times you were going to work, what times you were leaving for work. The MBTA makes a big song and dance about the fact that PII, the financial transactions database, your names, stuff like that, are stored in a separate database from the rider histories, and so that should all make us sleep better at night. However, if you know anything about programming your databases, you know that it's really not hard to link information from one database to another, and in fact the MBTA says all the time, as part of combating fraud. Aggregate data, your rider histories, are stored indefinitely. So 20 years down the line, someone could get the past 20 years of your commuting history and analyze that. PII, they say, is only stored for 14 months, but in the fine print it says it's only stored for 14 months in active systems. That information is actually archived for the retention period required by applicable public records laws of the Commonwealth. When I spoke with them on the phone, they were a little wishy-washy and they didn't give me an exact amount of time that that was archived for. My guess is that it's probably indefinitely. So even many years later, your travel histories can be mined. If you're old or if you're disabled, you do not have the right to privacy, apparently. You have to not only give them your PII to obtain benefits, they will also take digital photographs of you and store those
electronically forever in order for you to receive your benefits. So why does this matter? Well, first of all, as we talked about, there's very little legal protection. People have very little control over what happens to our commuting records, and not only do we have very little control, there's nothing that requires that we be notified if someone accesses them or if that data is shared. Intelligence agencies can grab that information to do data mining. Employers could track their employees. Subway officials could track you wherever you go, and anyone that has access to... How well are these systems secured, and how do we know how well their systems are secured? There have been a number of court cases involving data subpoenaed from commuter records, primarily E-ZPass, which we'll get to later. Amtrak. In November of last year... I grew up in New Jersey, and so I used to take Amtrak a lot from Boston to New York or from Boston to New Jersey, and I was really surprised to visit New York City last year and find these signs, which have a scary looking guy who seems to be carrying a weapon, and a dog. It says that they have employed uniformed police officers, okay, mobile security teams, that sounds kind of scary, canine units, and they will conduct random passenger and carry-on baggage screening. So they could force you to open your bag and rifle through it. They'll do identification checks. If you try to travel on Amtrak without an ID, then there's a reasonable chance that they'll ask for your ID, and if you don't show it you could be denied access to the trains, so thrown off the trains. Amtrak and TSA. I thought they were... I kind of didn't take that seriously. I thought they were probably kidding, they wouldn't do that sort of thing, until I saw this picture. On September 23rd of 2008, Amtrak and TSA conducted the largest joint simultaneous northeast rail security operation. They had law enforcement officers from over 100 departments deployed to 150 rail stations during rush hour, and they required
commuters to show their identification, to submit to baggage screening. So commuters were forced to open their bags, and the TSA or Amtrak or police officials would rifle through those bags. TSA, by the way, is responsible not just for airline security but security in all modes of transportation. Security procedures you see at the airport now, they could decide tomorrow to deploy at rail stations, bus stations, highways, even bicycles. They have that capability. After I arrived at Penn Station, I had a couple hours to kill. I was in New York City in order to go to the MTA museum, the transportation museum, which is really interesting. I definitely recommend it for anyone interested in fare collection. I came out onto the street and I saw these cameras, or, I saw these signs which said NYPD security camera in area. I walked around and I saw that there were two or three of these on every block. So I started looking around for the cameras. I saw big cameras, I saw little cameras, I saw private cameras, I saw license plate readers, and finally I saw this. It was a big camera emblazoned with the NYPD logo, keeping tabs on a suspicious pretzel vendor who was obviously selling suspicious pretzels. So again, I had a little time to kill, so I started looking at these cameras a little more closely, and then I went online later and I started doing some more research to figure out what they were. It turns out that these cameras are manufactured by a company called Total Recall. Total Recall, yeah. Total Recall did security, did surveillance for the Republican National Convention, and these appear to be examples of the Crime Eye 505 cameras. They have digital video recorders inside. They work well during the day or at night. They're all networked and they can all be accessed from one central location. The marketing material says that they also each function as a wireless hotspot, and authorized personnel can walk up to the street near them and use a web browser in order to access the video surveillance data stored on them.
So as a privacy geek, we really wanted to know how well these systems were secured, how well the web servers running on them were secured, and there didn't seem to be any public information whatsoever regarding the audits that they obviously must have undergone, how long data was stored, how access was controlled. So to understand a little bit better about why these cameras are here, we have to review three different programs which have been advertised by the city of New York. The first is Securing the Cities program, a federal program. The second is the Lower Manhattan Security Initiative, and the third is Operation Sentinel. So the Securing the Cities program is something that was funded by the DHS under President Bush. The goal is to detect nuclear devices before they reach their targets. So 29 million dollars out of 90 million dollars went to the New York City area for this program, and as part of the implementation the New York City Police formed partnerships with law enforcement within a 50 mile radius. They do routine vehicle scanning and vehicle tracking. They can track license plates from helicopters 2,000 feet up, and they have routine checkpoints and roadblocks on bridges, tunnels, waterways and boats going into and out of the city. The Lower Manhattan Security Initiative is a little bit different. It's a public-private partnership and it's modeled after London's Ring of Steel. The goal is to have 3,000 cameras deployed all over the Lower Manhattan area. 2,000 of these cameras are privately owned. There are also 100 license plate readers, not just stationary readers but also roving scanners. Any time a license plate is scanned by these readers, it's automatically checked against government watch lists, and that information is sent back to central facilities where it's stored for 5 years. Out of the 100 million dollars, approximately, that went to this program, 10 million dollars from the department was from the Department of Homeland Security, 15 million dollars was from the city of
New York, and the rest of it was from private companies and organizations that are concerned about the Lower Manhattan area. The picture you see here is 55 Broadway, on the 28th floor. This is the Lower Manhattan Security Initiative Coordination Center. All the license plate information and video surveillance information generated from this network of surveillance cameras and network of license plate readers goes here, and they also say that they have a secret backup location. I'm guessing it's underground. One of the assistant police chiefs of New York City says that the goal of the program is to require, first of all, that new skyscrapers submit blueprints before they're built for review, and that security is designed into new buildings in the Lower Manhattan area. They would like to make it so that the lights, the air conditioning, the internal surveillance cameras inside office buildings and the access control systems are all controlled centrally from the Lower Manhattan Coordination Center. So what's happening with this information? If you commute into New York, if you drive around Lower Manhattan, if you're one of the people, as I was, that worked in Lower Manhattan, you probably want to know what's happening to your data, how long it's being stored and who's accessing it. Well, first of all, in the New York City Police, probably federal agents who have also helped in funding and setting up this program, and stakeholders. Every private company who's involved in setting this up has a stakeholder representative that has access to the Lower Manhattan Security Initiative Coordination Center. All of your license plate record data, of any car driving around the area, is stored for five years. All of the video is stored for 30 days unless there's some reason to be stored for longer. And most importantly, if someone wants to use all this data that's being collected, if someone wants access to the video surveillance data and they want to use it for some other purpose, if they'd like to use the license
plate records that are being collected over five years for some other purpose, they can do that. All it requires is approval from one or two people. It does not require that that be publicly announced. It does not require any sort of documentation. There doesn't seem to be any requirement for auditing of what happens to that data later on. The information collected on you can also be shared with third parties. Again, it requires approval, but not documentation, not publication. There doesn't seem to be any reason why anyone would even find out that that information was being used by third parties. That brings us to Operation Sentinel. According to Mayor Bloomberg, Operation Sentinel is a combination of the strategies for Securing the Cities and the Lower Manhattan Security Initiative. The goal is to create a surveillance network like London's Ring of Steel pertaining to the entire city, not just Lower Manhattan. So every vehicle going in and out of the city would be photographed, and that includes the driver, along with the timestamp. Your license plate information would be recorded, a radiological signature would be taken, and that would all be sent to the Lower Manhattan coordination center. There are 80 fixed license plate readers and 36 roving readers that drive around the city capturing license plate information. Right now that's being deployed at 7 vehicle crossings, including the Holland and Lincoln tunnels, the George Washington Bridge, and the goal is to eventually send that to all vehicle crossings. So every vehicle going in and out of Manhattan, you would be photographed, you would have your license plate captured and stored, and the radiological signature stored, and that information could be shared with third parties with only approval. It could be used for secondary purposes and you would never know. Bus surveillance. New York City also has bus surveillance, but the leader in this initiative, at least as far as I can tell, is Chicago. Chicago has a partnership with IBM. The goal
is to put cameras on 2100 buses. There are 7 video surveillance cameras on each bus and a digital video recorder on board. Each bus acts as a wireless hotspot, so any supervisory vehicle driving in a 3-4 block radius of the bus can access the video surveillance information. Again, questions of how well are they securing this, how often is it audited, how do you know who's been accessing this information. Chicago and IBM have also partnered on a project called Operation Virtual Shield. This is a project where thousands of video surveillance access points are being deployed around Chicago. I say access points because they're not just video cameras. They're connected in a wireless mesh network, and according to the marketing materials they have analytic software on them so that they can respond to incidents. So if they hear a yell, or if there's a sound of a gunshot or something like that, the cameras can react and zoom in on a particular area and capture more information coming from that source. They also have license plate readers which are similarly networked. It's worth pointing out that this isn't IBM's first rodeo. They worked with China to deploy over 200,000 surveillance cameras in Shenzhen a few years ago. These surveillance cameras were disguised as lamp posts, and the goal in China is to have 2 million cameras all connected to one central network. It's probably safe to say that any contractor such as IBM that's working on projects like this, city-wide surveillance projects, is probably taking the information they learned by setting this up in one country and using it for other countries. So the same types of programs that IBM is deploying in China, they're also deploying here in the United States. Moving on to cars. This is a screenshot from the Siemens intelligence desk that we discussed earlier, and the very first thing that they pointed out was that they could capture information that comes from toll road systems. So once upon a time, this is what toll booths look like. You would drive up
and there would be a basket, and you'd take this round shiny metal thing and you would throw it into the basket, and hopefully a little bar would go up and you would be able to drive through. It was also beautifully simple. Nowadays, all over the United States, actually all over the world, we have cashless toll systems, systems like Fast Lane or E-ZPass, which are connected to the registered vehicle owner's identification. Every time you drive through one of these toll booths it will record not just who you are but how fast you're going, what time you went there. All of this information has been used in hundreds of court cases, and there's also differential pricing, so people have a real financial incentive to move to these systems. Unfortunately, we're paying for that in our privacy. If you care about your privacy, you could still pay in cash, right? Unfortunately not in some places, such as the Bush Turnpike, which at the beginning of July stopped accepting cash entirely. If you're driving along on the highway and you come to a toll booth, or not a toll booth, a toll area on the Bush Turnpike, you have two options. First, you can pay with your Texas TollTag. You can browse the fare collection table afterwards, I have a Texas TollTag if you want to look at it. Or you can pay in ZipCash. ZipCash, unlike what its name implies, is not cash. What it means is that they do optical character recognition of the car's license plate and they will then mail a bill to the registered owner. So if you're a driver and you would like to pay for tolls without the registered vehicle owner having to deal with it, you don't have that option, and unfortunately I think that probably also discourages ride sharing. As an environmentalist, I would really like to encourage people to share cars and not discourage them. That brings us to an important question. When it comes to either violations or tolls, who's liable? Is the driver liable? Is it alright to say that the owner is liable for tolls when it was actually the driver that
incurred them? It really depends on what state you're in. In states like Georgia, Delaware, Washington D.C., New York, North Carolina, the owner is explicitly liable by law for violations. In other states the driver... in states like California, Colorado and Virginia, the driver is explicitly liable for violations. So that sort of sets some precedent for whether or not the owner or the driver could be liable for tolls. There was an interesting case involving the Minnesota Supreme Court. Minneapolis started installing hidden traffic cameras, and the Minnesota Supreme Court struck that down because of a statewide uniformity principle, which says that both drivers and owners should be able to expect the same type of treatment regardless where in the state they're driving. So it's not okay for them to drive through one city and suddenly have a totally different liability than in other cities. So it struck down the hidden traffic camera program because of uniformity and also for a few other reasons. If you're a privacy geek, you probably saw this coming. In April of 2009, New York City deployed E-ZPass transponders on the Brooklyn Bridge and in Lower Manhattan, not for the purposes of tolling but for monitoring traffic, and as part of this it calculates the routes that cars are taking and also their travel times, and it stores that in a central database and then analyzes that, presumably for the purposes of controlling traffic flow. Some people are understandably concerned about privacy, and the powers that be have waved those concerns away, saying that, well, these systems can't read license plates, so don't worry about it. Of course, E-ZPass identifiers can also be linked to an individual. In the UK, they're one step ahead of us in the United States. The UK has a system called automatic number plate recognition. They have over 2,000 cameras deployed already and the system can read up to 50 million plates a day. All that data is stored for 5 years at the National ANPR Data Center. It includes the
location that you were driving, the date and the time, and it's clear from some of the events that have occurred that they're mining this information. There was a couple, a father and daughter couple, they were pulled over not too long ago and arrested because data from the system had captured their license plate driving near a demonstration. So as a result they were pulled over and brought into custody. The UK has also deployed RFID license plates, implemented by a company called ePlate. The RFID plates broadcast information for up to 300 feet, and they've had the system since 2005. I'm sorry, I don't know if we run out of CDs in the back. There are a few up here, and the presentation will also be available on the web afterwards. They've deployed active RFID systems. There's only 15 of them so they're probably already gone. Don't bother getting it up, vultures. So the benefit of RFID systems for tracking license plates is that they can be hidden easier than optical character recognition systems. They don't have to be visible. In Brazil, they've employed government mandated GPS tracking devices on every car. I don't fault them for this. They have a real problem with vehicle theft in Brazil, so that's why they've employed these GPS tracking devices on all cars. One of the most interesting things about these tracking devices is that they do more than tracking. The police can actually shut the vehicle down remotely. So you could be driving along in your car, let's say it's a stolen car you're driving along in, and the police could figure out where you are and shut it down. The same thing is available in the United States. OnStar was installed in GM cars and it tracks not just your GPS location and your speed. The idea behind OnStar, one of the selling points, is that in the event of an emergency, or if you're lost, you can press a button on your car and communicate with people at their central location who can help you figure out where you are or dispatch people if you need
some assistance. In order to do this, they track a lot of information about your car and where you are, how fast you're going, sometimes even things like the fuel intake, the fuel level of your car, when you brake, stuff like that. All this information is stored on their central systems. How well do they control it? There are some privacy exceptions that they're very explicit about. They say that they can disclose your information to protect their rights or property, or the safety of you or others, or to troubleshoot, presumably, really, if they feel like it. All the information from OnStar goes across Verizon's network, so the FBI already has access to it. And there's also something called Stolen Vehicle Slowdown. If OnStar or if law enforcement want to stop your car remotely, they can do that just by sending a signal, and that will stop the fuel intake and your car will stop wherever it is. What could go wrong with this system? Somebody could shut down your car against your will remotely. I don't know how vulnerable it is to hackers. I don't know what kind of security it has. That information isn't really public. But accidents could be caused remotely, and also anyone with access to OnStar's system or the Verizon network could potentially track you wherever you go. Moving on to traffic enforcement systems. Red light cameras have exploded in popularity all around the world. This is a map from a site called dot com of all the red light cameras that are just in the New York area. They have been described by journalists as cash machines for the local government. Their safety is questionable. There are indications that they do reduce the number of people that run red lights. There are also indications that they increase the number of people who slam on the brakes and then get smacked by the car behind them. A Canadian journalist pointed this out and was subsequently stalked by the Canadian police. Red light cameras can also be used for national surveillance. The way most of these systems work is that they
deploy multiple cameras at any particular intersection, so they get multiple shots of the cars. They can see not just your license plate, not just a picture of your car, but also images of the driver. They can have not just digital still photographs but also video surveillance of the car. Redflex and American Traffic Solutions have been actively shopping their systems around, national surveillance networks, to local and federal law enforcement. They also have license plate tracking capabilities. One of the reasons why these systems would be useful for national surveillance capabilities is because they bypass all of the GPS tracking restrictions that have been so legally questionable these days. We've seen a number of cases in the past few years where law enforcement tries to install a GPS tracking device in or on a car, and in some cases the judge rules that's okay, in some cases it's not okay. Whether or not they need a warrant is in question. If you have a dense network of cameras that can read license plates and put that all in a central database all throughout the country, you don't need to use GPS to track a vehicle. You can get that information from the network itself. I'm proud to say, as a Montanan, that Montana outlawed hidden traffic cameras in May. My representative Bill Nooney was the one sponsoring the bill, and our governor signed it into law in May. Jonathan Ham and I had the opportunity to go to the Montana State House in Helena in February, where we expressed our support for this bill. This is a picture of our representative reading my note of support. So if you care about these issues, please do contact your representatives and encourage them to pass laws that properly manage your information, because we can make a difference on these topics. Some concerns about the ways information is being handled. Redflex is going to be... we're going to go into a little detail about a company called Redflex. Redflex, according to them, are the largest manufacturer of hidden traffic cameras in the
United States, and they do more than just install and manage the equipment used for enforcement. They also capture... they also do citation processing. So they have things like your name, your address, your height, your weight, your gender, driver's license number, which in some cases is still your social security number, and they correlate all that to driver videos and images. Most of the companies that we're talking about, we don't have the ability to actually access their systems and evaluate whether or not they're secure. In Redflex's case, when I was doing the research for this presentation, I came across a publicly available site which is used by law enforcement all over the country to evaluate violations, and you could see, just by looking at the source code of the publicly facing page, that it has some serious security problems. The information contained in it, your motor vehicle information, could potentially be mined by anyone, and there's no accountability or public oversight. So we're about to go into detail on these vulnerabilities. The reason I'm disclosing them is because it's important for average citizens to know about this so that we can understand how our data is... important for law enforcement to know about this so that they understand that the systems they're using may not be as reliable as they would like. When I notified the vendor about these vulnerabilities, they responded very promptly and they removed publicly accessible links right away. So Redflex Traffic Systems, they're deployed in over 240 cities in the United States. They are the largest red light and speed enforcement provider in North America, according to their marketing materials. Installed at any intersection that they're monitoring, so they can get digital stills or full video of passing motorists. They have a system on the back end called SmartOps. They use this to process the citations, and we can get a little bit more information by looking at the contracts that local governments have put online, which
describe how the systems are used. Here you can see, this is from the city of Daly City in California, and it says Redflex will place an electronic file containing printed original and nominated citation information on the Redflex FTP site each day for court retrieval. So if you're a security geek, you probably did a little "what?" when you realize that this information was potentially being transmitted unencrypted over the internet. Hopefully they didn't really mean that. It also says in 31 and 32, Redflex shall place offenses in the police authorization queue within six days of the violation. So as soon as a red light or hidden traffic camera sends up an alert, that goes to their SmartOps processing system, they create citations, and then they allow police to access those citations. The local police will review that and will determine whether to approve or reject each of the citations. If they approve it, then Redflex mails out the citations to individuals, and they have access to your name and address and other driver information so they can mail those citations out. The same information that they have, we've already run through this a little bit: first name, middle name, last name, birth date, height, weight, hair color, eye color, gender, address, your license plate number, in some cases that is still people's social security numbers, driver's license state, a description of where you were, the location, what your offense description was, your license plate, and all that is correlated with driver images and video. When I ran this presentation by Jennifer and I found this information right away, which is, where are they getting this information? I had kind of assumed that they were probably getting it from the towns, but I did a little bit of research and I found that that wasn't the case. Companies like Redflex and OnStar and other companies are partners in the International Justice and Public Safety Information Sharing Network. They're partners in the International Justice and
Public Safety Information Sharing Network. So all these companies have, what you can see on the website, securely limited access to motor vehicle registration information necessary for the enforcement of traffic related violations. Well, how well are they securing this information? Presumably they get periodically audited to make sure that they're keeping all this private and that all their systems are up to date, right? Okay. Well, if you Google for Redflex and SmartOps, their back end processing system, the first site that comes up is the Redflex Traffic Systems WebOps site. This is a screenshot of it. You can see there are two links. Violation authorization, presumably that's where police officers will go on and view a list of incidents and figure out which ones they want to approve and which ones they want to reject. The second one is online reports. At the bottom it says, if the flash buttons and logo do not show up above, you may use these links to get to the, capital S, Secure sites, and then there's a link to violation authorization, online reports, and then you can see there's a cute little VeriSign Secure logo, which makes me feel much more confident. Of course, if you actually view the source of that page or click on the links, you'll see that this login page doesn't actually use SSL. It just sends a username and password unencrypted across the internet. The other page, violation authorization, does use SSL. If you right click and view the source of the page, there is an enormous amount of information in there. Let's go through some of it. Here we see, just by the variable names, you can see that they're processing some very sensitive information, and public... the public link to this page is no longer available. Each incident... for each incident, the variables include birth date, hair, eyes, weight, gender, height, driver's license number, in some cases still a social security number, driver's license state, license plate number, jurisdiction, and in the code they also have things like image pass, so
they're correlating this information with images of the car and driver, and presumably in some cases also video, depending on what the camera is capable of. If you go down a little bit further, you'll see some SQL statements which give information about their database. So here the comment is, get contracts that this user has permission for. They create what's going to become a URL, and in that URL is a select statement, a SQL select statement, and then they do an asynchronous request. They get a list of contracts back and a list of variables back, and they store that on the client side, and they use this XML object, these XML objects, as client side permissions. So as a private citizen, I'm getting a little bit worried, because if all this data is stored on the client side then the end user could potentially modify them and bypass any access restrictions. Here we see they're doing client side authorization. This comment is, if the record can be authorized and the user is allowed to, then show the accept-reject stuff. So if the variable police user, for example, is yes, and that's taken from the client side, then you would show the accept-reject buttons. Not that you need the accept-reject buttons, because you can just create the correct URL and make a request that way. You can also see here there are media redacted users. Don't display the active reports links for the media redacted user. That depends on the attribute police user being equal to D. At the bottom we see sURL equals, and then they get an incident list. So that's how they get the list of incidents. They make another asynchronous request. Filtering. As security geeks know, filtering is one of... lack of appropriate filtering is one of the reasons why SQL injection attacks work. So here you can see they're removing invalid characters from the license plate. They're doing this in the client side code, so anyone with access to Paros proxy, or probably who just creates the correct URL, could bypass this filtering and make requests which
include other characters.

There are also indications of who their clients are and what the processes are that law enforcement use with respect to license violations. Here it says, for the city of Chicago, apparently one of their clients, "display only license state so that the pre-approving officer and supervisor can enter a license plate in jurisdiction," blah blah blah. But again, if an end user wanted to, they could bypass this restriction. And it also appears that this code depends on setting a variable called schema name to Chicago, in this case CHI. What would happen if you set that to Albany or New York or Atlanta or something else? Could you view lists of incidents from other sites?

All the information that I gathered was simply based on observation. This has not been tested out, but the vendor has been notified of this, and hopefully they will correct the internal problems as quickly as possible. The reason that I wanted to cover this in this presentation is because Redflex is not alone. Redflex is one of many, many government contractors that stores sensitive personal information. Every company that was on that list of partners that we displayed a little while ago has access to the same types of information. These companies are not subject to routine audits. If you look at the contracts that are out there, you can see that their books can be regularly audited, but it says nothing about their IT systems. It says nothing about how well their systems have to be secured, who they can share their information with. A lot of this is because people in local government who are assigning these contracts don't know a whole lot about IT security, and they're not employing IT professionals to look at these systems before they hire the companies. There's a lack of accountability, and we really need to do a better job all over the country in protecting citizens' private data.

Moving on to airlines. I don't know if you guys remember, back in 2002 or 2003 JetBlue was publicly flogged for giving 5 million
passenger records to a government contractor by the name of Torch. What happened was Torch was doing an airline passenger risk assessment. They were working with TSA, and they approached companies, they approached companies like American Airlines and Delta, to get lists of passenger records. American and Delta rejected them, and then TSA wrote a letter on their behalf to JetBlue, and JetBlue provided their contact information with 5 million passenger records, including not only itineraries but your name, your address, your contact information. Torch then purchased a supplemental Acxiom database, which included Social Security numbers, all the different places you've lived, address histories, how far you live from airports, things like that. And they used that to demonstrate that airline passenger and reservation data can be clustered: take information from credit reports, from address histories, and look at passenger itineraries, passenger names, and use that to identify groups of passengers who are part of the mainstream and then groups of passengers who are different.

This is similar but not directly related to the CAPPS II system, which used credit reports in order to determine whether or not you would be on terrorist watch lists or the no-fly list. So I don't know if you can see this graphic very well, but the idea behind it is that a passenger makes a reservation, they pay for the reservation, and then before the passenger ever gets to the airport a background check is conducted on them and on their method of payment. So if you're not part of the mainstream, maybe if you're flying one way, or if you live really far from the airport, or if you've moved around a lot, then you might be flagged, and when you get to the airport they use that information to determine if you're allowed to pass through. So whether or not you're on a watch list doesn't depend on whether you've tried to bring explosives to an airport. It can depend simply on how often you've moved.

Torch has a little description of
their project which I thought was interesting. You can see they made initial overtures to airlines to get the data. They were rejected. They were given assurances that they would have the database being used by the CAPPS II contractors. They did not receive that. They did not receive the JetBlue database. This was a very limited database, because JetBlue only flies to particular locations and they have sort of an unusual segment of the traveling population. They don't have as many business travelers. Torch then purchased the credit database on passenger demographics. They displayed, for example, anomalous demographic information that they had about one passenger. They did not black this information out. This poor person, there are people whose records have been mixed up, their Social Security numbers and address histories have been on the internet for something like 7 years now. But I thought I'd be nice and black this information out. Stuff like a messed-up credit report could potentially get you flagged by their system as anomalous, and these people could have trouble getting through airport security. Here's an example of one of their passenger stability indicators that they figured out: how long you've lived someplace. But you've only lived someplace for a year? That might get you flagged for extra screening or stuff like that.

So, a little history of the no-fly list. The no-fly list was created on September 11th. There was actually a no transport list that the FBI had. By 2006 there were 44,000 people on the no-fly list, and credit reports were one of the factors that were used in assessing risk. Nowadays the terrorist watch list has over a million names, and some of the people who have been obviously mistakenly on things like the no-fly list are children, small kids, and Senator Ted Kennedy. Unfortunately there was a terrorist out there who went by the name Ted Kennedy, so Senator Ted Kennedy got flagged and had trouble flying. Pardon?
Yeah. So this month the Secure Flight system goes into effect, on August 15th. Coming after August 15th, you will be required, when you make a reservation, to provide not just your name as it is listed on your government-issued ID, not that you're required in the United States to have a government-issued ID, but you have to provide your name as it's listed on your government-issued ID, your date of birth, and your gender in order to book travel. That information is shared by the airlines with TSA, and TSA will then use that to determine information about how you're treated and how you board. You can see this is a graphic from TSA. The passenger sends their extra information, including date of birth and gender, to the airlines. The airlines send that to the Secure Flight system. Secure Flight sends boarding pass instructions back, and that impacts how you board. Interesting thing to note here: you can see it says passenger information will be sent securely between the airlines and Secure Flight, and boarding pass instructions will be sent securely back, and your gender makes their reservation and sends all that extra information to the airline, there's no guarantee of any extra security. I think one of the first things we learn as security geeks is that a chain is only as good as its weakest link.

TSA has claimed that Secure Flight is exempt from a number of normal requirements. They are exempt from requirements which relate to your ability to request access to your records and correct the records that they have about you. You don't have that right. They're exempt from the requirement to collect only relevant and necessary information, so they can collect whatever they want. They're exempt from the requirement to maintain all of the records that they use in making a determination about whether you should be searched or detained or allowed to pass through or however they want to treat you, and as a result it makes it very difficult to audit their systems. And they're exempt, not that we're allowed to
audit their systems, they're exempt from the requirement of judicial review. So they've basically thrown checks and balances out the window. And I have to thank the EFF for calling this out publicly. They've really done an enormous amount of work to publicize these exemptions.

Why is all of this happening? Why are people being put on no-fly lists? Why are we being monitored? Why is our data being gathered and mined? One of the words that keeps coming up, especially in TSA literature, is terrorism. We're trying to prevent terrorists. We're trying to prevent terrorist attacks. So given the amount of money and time and effort that's being put into all of this, you would assume that terrorism is a really big problem. So I got some death statistics and terrorism statistics. The year that I could get full statistics for that was the most recent was 2006. You can see that terrorism is the first, actually heart disease is the first cause, the leading cause of death in the United States, but terrorism is actually, neoplasms are the second cause of death in the United States, and it looks like influenza and pneumonia are number 8, suicide is number 11, essential hypertension, and assault. All of these things killed tens and in some cases even hundreds of thousands of United States citizens each year. The number of United States citizens killed worldwide as a result of terrorism in 2006 was 28. So a thousand times more people are killed by suicide than terrorism in the United States, five times as many people are killed by plane crashes, and almost twice as many people are killed by lightning. So what could explain the TSA's priorities? It appears that if the TSA spent more time screening for influenza rather than explosives or mining your credit reports, then fewer people would die.

Just to take a little bit more of a global view on this, I know as a United States citizen I'm kind of United States centric, but even globally the terrorism statistics are surprisingly low. You can see that since the 90s they've
hovered around, actually under, 5,000 people in the entire world whose deaths can be attributed to terrorism. There was a little bump around September 11th, but other than that it's been relatively steady.

FlyClear, your biometric information in order to help you move more quickly through the security line at airports. Private companies are capitalizing on this. So intelligence agencies and places like TSA are able to use terrorism as an excuse to get more information on people, and private companies are benefiting as well. Unfortunately FlyClear, the company behind FlyClear, didn't do so well. They had a system where people's biometric information was collected and that could be used to facilitate airport security, so you could go faster through airport security. FlyClear went out of business, and a lot of people have been wondering what is going to happen to their biometric information, because they don't want it to be shared. One of the questions on FlyClear's FAQ is "Will personally identifiable information be sold?" They don't answer this question directly. All they say is that your biometric information will only be used by another registered traveler program with the TSA. So it implies that the answer is yes. Your biometric information is now an asset of a company that has gone out of business, and it can be sold to other companies. You don't know their privacy policies, you don't know what this information is used for, and unfortunately you don't have any control. You don't have any way to opt out.

Finally, the last section we're going to go through is personal tracking devices. VeriChip was the FDA's first approved implantable identification system. It has a unique 16-digit number, and there's a great blogger, if you look on the presentation I have a full link to his site, he calls it essentially a glorified dog tag, and he was able to sniff the 16-digit code off of his friend's VeriChip and then clone it so that he had one just like it.

Wolves. When wolves attack herds of animals, they
generally start by attacking the very young or the very old, and VeriChip seems to have the same strategy. Under a company called Xmark, they have, they have been marketing the Hugs system. The Hugs system is a system where as soon as a baby is born at a hospital it gets an ankle tag, and then every 10 seconds the ankle tag broadcasts an RFID pulse which is picked up by the Halo supervisory system. Moms can also get Kisses tags, which can tell if the right infant is with the right mother. Staff, they can also get special staff tags, and their marketing material points out that it's really easy for staff to wander around with babies. They say that if a staff picks up a baby, they can walk through a door without having to press any buttons. The door will automatically unlock and let them through. So hopefully staff tags are a little harder to clone than the initial implantable VeriChip product.

RoamAlert is their system for elderly folks. This is being marketed to nursing homes for wander prevention. So as your grandma walks around her nursing home, they can track her centrally. They not only track her, as we talked about, tracking people is really just one step away from restricting where they go. So if grandma walks into a particular area, the doors can automatically lock, the elevator can automatically lock, and all the systems are hidden, so she'll never know that they exist.

There is an enormous potential for travel restriction, for travel restrictions and for purchasing restrictions, especially because these systems that we're talking about aren't just used to track where you go, but when you get on the subway, this is your pass. This is what enables you to get onto the subway. If Iran in another 20 years, let's say, had access to systems like this, to mature technologies, we might never see pictures like this appearing in the newspaper, because dissidents might not be allowed out of their house. If they were allowed out of the house, they might not have any access to public transportation. They
might find, if they try to drive on their highway, that their cars are automatically stopped. They might not be allowed to fly. They might be locked out of their offices or locked out of their office buildings, which could happen if systems like the Lower Manhattan Security Initiative have their way. They could be blocked from making cell phone calls. Probably more likely their cell phone calls will be monitored. And they could find their bank accounts frozen or their credit cards frozen. So there is enormous potential not just for tracking people but for restricting how people can communicate and where we can go.

In any free society people should have certain rights. We have to be able to control the systems that are being used to monitor us. Tracking systems should be well understood and transparent. People and our representatives should have control over what personal information is tracked and shared. If that information is shared with third parties or if it is used for secondary purposes, we should know about it. And finally, in a free society electronic payment and communication systems should be capable of supporting private transactions, so you and I and the millions of other Americans who are not criminals, are not terrorists, have the option of going about our daily business without Big Brother watching us.

This is a picture of the United States seal. Here is the front, which everybody recognizes, and I love the all-seeing eye on the back of it. My name is Sherry Davidoff. I am the author of philosecurity.org and the co-author of SANS Network Forensics, which is being launched in September. And I think we have some extra time, so if people want to have a discussion, I would love to hear your opinion on these systems and how you feel they should be controlled or how you feel we should manage them. Thank you very much.

Hi Sherry. Can we get the mic on? Can we get the mic on? That was a great presentation. I am really more angry than I was when I walked in. So I just wanted to say your
terrorism statistics were off by several orders of magnitude. Specifically, you forgot to include the fact that the United States killed more than half a million Iraqis. And I think the thing that people need to think about here is that what we are doing is creating a worldwide police state. I just went to Shenzhen and I saw these cameras you were talking about. I mean, it's incredible. IBM did the same thing during the Holocaust, exactly the same thing, and we have to stand up to it. So if anyone in this room works at places where you have information like this, you should send it to WikiLeaks and leak this information. The only way we can fight this is if the people that are actually supporting it and paying for it with their tax dollars stands up and says, fuck this, we are not going to take it anymore, we are not going to do that. And you should actively compromise the systems like this that are running. Don't disclose vulnerabilities. Own them and leak that shit. That's the only way we will be able to stop it. That's it.

Thanks, Jake. Along the lines of IBM, there is a great book called IBM and the Holocaust, which talks about IBM's involvement in the Holocaust and points out that every act of extermination was preceded by an act of registration, and we decided who to kill. Yes?

Awesome presentation. I have a question. In doing your research, did you come across or collect any information about what I assume is out there but I haven't seen? You know, these days all of us use several email accounts so that we can kind of divide and categorize other organizations interact with us. I'm wondering if presently or in the future we're all going to get into trying to have sort of multiple identities so that we can have a little bit of control over this too. Obviously when it comes to these sort of human systems for tracking it's much more involved. I'm wondering if you know any more about that.

Well, I think we touched on that a little bit. If you look, you should look up ThorpeGlen's presentation. It's
available on the web, and it talks about how they can track people even if they're using multiple cell phones, even if they're using multiple email or IM identities. There's just a lot of information that can help them merge different identities together, and I think that's one of the selling points that private companies are using to market to intelligence agencies.

One of the things that I saw that I was very interested in is that when you're going to third-party companies, not just looking at ones that, that are getting aggregated information from them alone, we do that at the same time. Like if we pay a traffic ticket online, like specifically if you do traffic school online. I used to work for one of those companies, and the security is so minimal. Like, I, when I was just, when I first started working for them, when I didn't really have any information, they're like, "Please check out what we do." I looked, and the first thing I saw was just incredible amounts of security vulnerabilities. You find the login, which was not secure at the time, it was after I started working for them. You could get access not just to your information but to anyone who had ever been using those sites, to people who had been using it. You could just look up by their email or by their name or by their driver's license and get any information possible about their past inquiries. And that's the thing, is that when you're using any sort of database, you should really be careful as to why you're using it. Like, a lot of people use those for convenience, but really make sure to look at the companies you're submitting your own information to. That's one thing that we can personally control, and people just don't even think about it. They're just like, "Oh, this is easy, click click click, we're done," and nobody takes pause to say, "Hey, is this information going to be secure?" And that company had like the VeriSign and the Cobra logos, I mean, they really did that so people felt secure, but it really just wasn't.

Catch up afterwards. I'm
interested in hearing more about that. Thank you.

Hey Sergei. What's some talk. So supposing that the government actually gets its hands on the healthcare records for whatever reason, say to make sure that physicians are only prescribing the right kinds of medicines at the right kind of price, do you see any obstacles to personal health records being used for profiling within the same systems?

No, I think that's probably already happening. In the United States we have things like, I think, the medical information database. They track all prescriptions that you fill. And now, especially that the FTC has implemented the red flag identification rule that requires you to present ID whenever you go to a hospital or a doctor's office, actually it doesn't require that, but a lot of times it's being implemented, it's harder and harder for people to get anonymous or pseudonymous medical treatment. So I think that's a really great point, and I think it's something we should be very, very concerned about, medical records being married in with all the other information about us. Thank you.

Thank you very much for your presentation. I really enjoyed it. I have a couple things I'd like to raise. First, I'd like to know what your opinion is about, for instance, the Green, have you heard of the Green Dot credit cards they have?

I've heard of that. Can you remind me what that is?

Well, basically the way it's supposed to work, I haven't used one myself, but rather than using your own credit card with, attached to your credit line, you essentially buy this card, so it's like a check card. You put 500 bucks down on this card and then you use it through that. The idea is so that credit card fraud, anything like that, they get that number, it's not linked to your actual credit. I was just wondering if you know any of the privacy issues with that, if it's linked to your name in that way or anything like that.

I have heard about that. When I was trying to research what anonymous credit cards were available, the only one I could find
that was truly anonymous were the Visa Vanilla cards. I think I read a website which said that the Green Dot cards, you were required to link that to your identification in order to activate them. Don't quote me on that, but I do remember reading that. The only card I think that is, you can use truly anonymously are the Visa Vanilla cards, but they only go up to $100. There are things like one-time credit card numbers also that you can use to help prevent fraud, but again those are still linked to your identity.

I noticed a lot of your presentation you mentioned, you know, Chicago and New York. I'm from LA. Do you have any information about the surveillance state in LA and anything like that, or do you know any groups that do anything?

I haven't specifically looked into LA, especially because I'm from the New York, New Jersey area. I do know that many cities in California are using the Redflex traffic systems, so that's something that you might want to look into specifically.

Okay, great. Thank you very much.

Thanks.

So that was a great presentation. I worked for the ACLU of Northern California on very similar topics. Sorry, I worked for the ACLU of Northern California on a really similar topic, and my question for you and everyone else here is, everyone in this room is a DEF CON attendee and is interested in the topic, and it's a great audience. How do we take this to the broader world? How can we use our technical skills, our knowledge that this is a real important issue, and make the public aware, so that we can actually get lawmakers to pay attention, so we can get companies to pay attention, so we can change the system?

That's a really good, pardon? That's a really good point. How can we make a difference? The EFF, I know, has expressed interest in following up on the Redflex traffic system stuff. Probably we just need to get more organized. If you're interested in helping out, if you're interested in volunteering on helping push better legislation or better privacy protections, please email me. My
email address is on the CDs. I also have business cards, and you can find me on the web and drop me a line. Hopefully we can be in touch.

And come find me too.

Thank you for an informative and disturbing presentation. I have what might be a rhetorical question, because I think I know where you stand on this, but given the events, well, given what we know of the events and the activities of our government for the last decade and really for the last 40 years, how much faith do you have that legislation can actually have an impact on the types of privacy problems that you've described?

I think if legislation is enforced it can have an enormous impact. For example, there's a big difference, and I know this isn't legislated, but the payment card industry program has made a difference in the way companies do auditing and in the fact that some companies are required to undergo external audits. Whereas I think if we legislate systems which require that people publicize, which provide proper incentives for companies to secure their systems, then it is possible for us to make a difference. If we make legislation that says this is illegal, then it's probably not going to do a whole lot. As a forensic analyst, someone who's worked on a lot of incident response cases, I can see that a very small percentage of actual data breaches are even detected, because companies don't have incentives to detect them, and those that are detected are not reported, because companies will weigh the potential fines versus the more likely reputational damage that would happen if they were disclosed, and they say this is for us to risk fines if we're caught. So you're right, legislation can sometimes, legislation can make no difference at all. But if it's enforced, if people are really pushing on it, if it makes it so that systems are more visible, that we, if we have a right to transparency and to find out what happens with our information, then it can make a difference. So it gets back to the previous questioner's point about how
we carry this message out. Thank you.

I apologize if you've already answered this question. The entire presentation on the disk?

My presentation is not available on the DEF CON disk, but it is available, the entire presentation is available on the disk that we passed out by the water coolers, and it will be available on the web, on DEF CON, after this presentation, and probably on my website as well. If you need a copy of it and you don't find out, if you don't find it on those sites, then just drop me an email.

Thank you.

A week later it'll be on the DEF CON site.

I just want to share my experiences with anonymous credit cards. I've had the best experience with US Bank. If you walk into a US Bank and ask for a one-time use credit card, they will sell you one without verification of identification for up to $1,000. The fee for this is $3.95, and I'll just give them a fake name. They do ask for a name, but they don't make you verify it. My experience with Riviera was, I use this card number, and then when they, on the card, US Bank, when they ask me for a name, I just made up one, and it ran it and it ran through just fine. So apparently they do not verify the name with the card as long as you have the security code on the back of the card. US Bank's always worked really well for me, but you do have to pay that $4 fee to use it every time.

That's really interesting. Did they require you to show identification at the hotel?

No.

If you can drop me a line after this, I would love to get some more information. Thank you. The question is, where did the $1,000 come from that he put on the card?

If you give him cash, they'll take it for up to $1,000 for the card. It was $1,000, $1,000.95 because of the surcharge.

That's great. Thank you.

I just wanted to make a comment on what's going on in the state of Florida regarding traffic cameras. Basically it's, it's illegal for the state of Florida to issue citations that are violations of Florida statutes on evidence based on traffic cameras. A lot of cities are using the traffic
cameras to enforce city ordinances and local ordinances in order to bypass the state level, and there's legislation in the state of Florida right now to legalize the use of cameras to issue state statute violations. And essentially the legislation is coded to allow computers the discretion of whether or not a law was broken, and once, if that passes in Florida, which it probably will, kind of warms anybody who lives in Florida.

Talk to this guy.

Great presentation. In this day of outsourcing and offshoring, will you be having a study on how much of our private information resides outside the United States?

You mean physically resides outside the United States?

Yes, anything above, where a lot of the laws that we have here may not apply to foreign countries or governments.

That's a great question, and I don't know the answer to that, but I'm curious to know. My guess is that a lot of our information resides outside the United States.

Germany, they had a case where they found out that their health information was in India.

Very interesting.

And available for sale.

I'll have business cards up here. Thank you all for coming.