
All right. So my name is James and this is Kenny - big data. What people like there are some things that you can use, but you can never truly hide from it. It's always been Hitler they're always going to collect something that, no matter what you try to do, it's not going to get it all. But that being said, to give you a couple outlines of what we're going to talk about: I'm going to go over who's watching, what they're looking for, and some things that you can do about it. So a couple things about me: it's the first talk I've ever given. If you'd like to go on skin it and give me some feedback
that'd be really helpful. I work at the IT company here in Knoxville, and I'm an organizer for DC865 and a co-founder Tencent car. We've got a booth over at ket and we're running the CTF this week, so come check it out. And I'm not here to promote fear. The subject matter is dark; it seems like there's nothing that you can do about it, but I'm not here to promote FUD. It's just not how I roll. I might probably sell you anything. I'm not responsible for any nightmares you had tonight. my own stock around ratso I'm gonna be instead. There are some things that I want to make sure you're aware: companies are stealing your data
and it's, it's a shocker with the things that have been in the news: Facebook, Cambridge Analytica, that they've done, This Is Your Digital Life. All of these things have been in the news for a while and they've really been dominating this purity cycles. But I've got some good news. And what we are going to talk about is targeted marketing. Marketing in itself can be discriminatory, but targeted marketing goes eluding temper. This is actually a screenshot Facebook's Addison, and you can go in and regularly specify what you want to look for. And some of the things that an article published by ProPublica found is that they were making discriminatory ads in the housing market; they could look for rich white people
and that was wrong, and it's still going on. And it's not just a Facebook issue, it's an issue with advertising in general, because if you put people were not trying to use them ethically, they're going to use them for whatever justifies their games. not just go into the first subject is who's watching me. like bat dad, he's my favorite. And you'd be surprised, it's these guys. Has anyone ever seen this before? You've seen it? You can see it? Great. So going over all of these would be pretty apartment instead or a cherry pick some from this just too. So some of the companies that are following everything the view: one of them is called AddThis.
It's been around for a long time. You may have seen the symbol before. I haven't seen it on too many web pages here recently, but it's been around. The premise was pretty simple: if you find an article or if you found a video that you like, you can share it with your friends. What that does is build a profile of your personality, and they can then sell that data. And then you have Moat. Moat is an analytics tool that you can upload your marketing videos to, your commercials, and you can track how they were perceived by the public; you can track how they do. And there's another tool called Maxymiser that works similarly. There's enough
difference in the two of them that they are different please. This one, instead of looking at an overall, it's looking at the specific advertisement itself: where are they zeroing in on it specifically, where in the ad campaign, are they even looking at it with their eyes, and why are they looking at it there. Another one you may come across is BlueKai. BlueKai Dilsey cookies, and if you ever want to see something really creepy, go to bluekai.com/registry. It will pull all the cookies from BlueKai that are saved on your browser and then they tell you what BlueKai thinks about you, what it thinks that you are, your interests, things like that. Sometimes
they're frighteningly close. And then we have Crosswise. Crosswise is one of these really creepy companies where you just imagine Dr. Evil is running it, and we're talking about their billions of dollars. So Crosswise works by mapping multiple devices to a single individual. What that'll do is, if you search for something on one device, it'll then display ads for that product on another device. People are always talking about all of your cell phones listening to you, Facebook tracks everything that you say and gives you advertisements for it. No, that's been disproven several times. But these companies know which devices you have, so if you search for something over here and then you get ads for it over
there, it's like magic, but no. And this is actually from an interview that was given by Crosswise. It says Crosswise collects billions of non-personally identifiable data points, like location being the domains browsers have to use age gender Wi-Fi hotspot' share high speeds of many others. How many of those seem non-identifiable to you? Not many, I know. A lot of them look pretty identifiable. And then you also have Datalogix. Datalogix: anybody here have a membership loyalty card to a grocery store? yeah area. So Datalogix specifies, they really focus in on these membership loyalty groups. They do a lot of other things with something that you really well with referee chance, knowing what
you buy, what price point you buy. So this is actually something that they focus in on. They know ninety-nine percent of all new car sales, they have grocery chains, and they know all of your transactions in that grocery chain. And something that's really creepy is with Datalogix, they have 110 million US households' data. Any guesses as to how many households are in the US? no according to so they're only off by that's pretty carefully. So what do all these have in common, besides being really creepy? Yeah, yeah, Oracle owns a lot of other companies. So here's a list of all the company's data. I don't know if you catch all that, and it's
Peters yeah there's a few, but one that you won't find on that list is a recent acquisition, Dyn DNS. And what's really creepy about all of this is, once Oracle purchases a company, they all go into the same data privacy. Oracle will share information with other Oracle companies; it's right there in their privacy policy. Anything that they gain from one of their corporations, they then transfer that information to another corporation that they can then set. where they after their effort pretty much everything: they want your home address, they want preferences, they want to have demographics about you, they want to know your age, your sex, your race. they don't know anything everything they can get and then turn around and sell
about you. And once they have all of this data, what do they do with it? They put it all into something called Oracle ID Graph. And these slides aren't something that I created; this came out of Oracle presentations, marketing presentations for people that may know, trying to sell this data to other companies. They'll get information about you and they'll link it all together into a single ID, so that they know that you who owned this device, and maybe this device, oh yeah, and your work device, all the linen heater at this location. And these are your, for instance, this is a price point that you're willing to papers. It's discrimination. They know so much about you
themselves don't do this, but they provide the information to companies. so pretty straight. So let me introduce you to a tool called Lightbeam. It's another tool that's been around for a while. Anybody here know Lightbeam? Anyone ever used it? yeah things like if I can get you close. So Lightbeam is a Firefox plug-in, and the way it works is it will search a router for cookies that were left behind from the website. Any visible cookies are indicated by triangles, and websites are indicated by circles, and the connection shows which website did which bit. And as you can see here, DC865 s alone Abasi thermos we don't care, but someone who
does care: CNN. They love them, to put 73 cookies when visit. So how does this work? You go to a website like CNN, and then CNN has BlueKai though enlists the help of Martha Stewart look create cookie for you, and then this cookie will have a unique ID, and any website that also has BlueKai enabled will track you. So if you leave one website, it will track you to the next website, and it'll see what you click on, what your likes and dislikes are, weather. So what does that look like in Lightbeam? So this is my record gives Moga, and it's just a big spiral remember cookies. As you can see, they're not all
of them linked together, but most of them do. They're all communicating with each other, and each of these cookies represent a different. So this is just these three websites. What does this look like whenever you're just browsing normal day-to-day? It's a lot. It's a lot of cookies, and it's not really something that people think about. When you think about people tracking you, you think about social media. Social media, it really doesn't use cookies for the most part, but static web pages, or web pages where they try to sell you something, they use cookies. Something that really caught my attention is that deep in the center, that's dental post; they have more cookies than CNN, and that
same summit. So that's all how they track you with cookies and how they track you on different devices, but they also do something else. It's not just the website as it gets this; they get you with the cell phones. So I'm gonna play a couple of videos for you, and this next one is from a company called and this is their actual. Observation Graph technology is a revolutionary way of understanding the real-world behavior of mobile users. With products powered by Observation Graph, you can deliver intelligent mobile experiences. Observation Graph is built on Factual's proprietary global places data, which includes over 90 million local businesses and points of interest in 50 countries and is integrated into
leading applications such as Apple Maps, Facebook Places and Microsoft Bing. Observation Graph also uses demographic data, event data and other geographic data to fully understand the physical world. All of this data combined the signals from mobile devices enables Factual to catalog real-world user behavior. Each day, Observation Graph generates billions of discrete observations globally. Observation Graph powers products that enable advertisers to create highly accurate mobile audiences by describing specific real-world behaviors, retailers to get incredible insights on their customers, and mobile developers to use real-world circumstance to prompt mobile users with a relevant action. Observation Graph: an unprecedented understanding of real-world user behavior. It's also lulling you into a sense of security when they hold all the
keys. So who uses this, why is it on my phone, and what can I do to get rid of it? It's not actually an app that's on your phone. Instead, companies who use it, like these guys. Why does the Capital One need to know where you're at, what you're doing? That seems really creepy to me. insurance wait uber, but some of these others doesn't really make any sense, and there's some work that all use Factual. Factual doesn't install on your phone. Factual doesn't get data from your service provider, because that would be illegal. Instead, what they do is they sell these companies their API, and whenever they build in their okay, they call these APIs and you give them
permission on your mobile device to track the things that they want to track. Then they'll send it back to Factual. they're good then given the information back to them. So Factual is not the only company, and that's not the only way. I was introduced to a new term that I had never heard before. It was called MLA; it's mobile location awareness. MLA is really creepy. It doesn't use GPS at all, it doesn't need your permission, it doesn't need any accent. Instead, MLA through these companies, and I'm going to pick on Euclid in particular. What Euclid does is, they will reach out and they'll find your MAC address on your wireless device or Bluetooth, and they'll track
that MAC address. Once you've hit a retail store that has Euclid, it will log that and it'll keep the information, will then propagate it to the other locations that use their service. They can track what your shopping habits are, they can track inside the store how long you stay at a particular place, and then do some pretty other shady stuff. I've got two videos; they're shorter than Factual. So watch this, pay attention to the key phrases. Local stores are at the heart of every community. Think of the coffee shop where everybody knows your name, or even the stores where you buy your favorite shirts. Without them, life just wouldn't be the same. These days, physical retail faces stiff
competition. Online stores are using the power of data to make shopping more convenient than ever. That's where Euclid comes in. We use today's digital technology to help local stores better serve their customers, just like online stores do. Here's how it works: smartphones are designed to look for nearby Wi-Fi networks. As they do this, they send out bits of non-personal data. Euclid combines this data to map out a store's overall shopping patterns. Stores can then use these anonymous insights to improve the shopping experience and get a competitive edge. Euclid only uses anonymous aggregated information. We never know your identity or collect any personal information. Think of a crowd of shoppers like an ocean of water.
Euclid doesn't focus on individual drops; we focus on the major currents in order to determine the best ways for shoppers and retailers to connect. Customer privacy is key to our business. That's why Euclid only uses anonymous aggregated information. We built Euclid with 100% customer privacy at its core, and that's how we'll build it going forward. To learn more, visit euclidanalytics.com/privacy.
so the first time I actually got to railroad. So everything is anonymous; they take privacy very seriously. Whenever you hear a data breach on media, what's the first thing that they say? "We take privacy very seriously." they have any to make breach in any way. This next one will show you exactly what they collect, and you tell me what they do. With Euclid, you can collect unique first-party data on shopper behavior through your existing store Wi-Fi and leverage it within your CRM or DMP to activate those high-intent profiles across all your marketing and advertising platforms. Euclid allows you to expand your known customer base with in-store acquisition, create more relevant marketing with
behavioral targeting, and measure the store's influence on the buying journey across channels. So they don't collect anything, but what do they do with the information that they collect? do it but they don't have the email, they don't collect the email, but how did they get it? They get it from the stores. They get it from SERN a mess CRM that has all that information about you. the Oracle respondents it's Norma products, so they have all horrible information. With that device identification, they can pull up Crosswise, find your device, link it to your Oracle ID Graph, and then they have everything that they about you at their disposal. So yeah, they may not collect anything personally
identifiable, if you don't consider your MAC address person. Some people may not, if you change it frequently. Speaking of, Apple iOS 8: whenever you're searching for the Wi-Fi, it will periodically change the MAC address of your device virtually until it connects. If it actually connects to something, it will go right into its actual MAC address, and that doesn't change. It's something that I really wish Android would do. So the information that they gather, because they still look rather information about you, isn't linked back to that Oracle database, and it's only about five to ten minutes' worth of data and then it starts already. So it's not as bad, but it's still creepy. what's more constant information, how do they
distribute it out, how do they give. So with the Oracle Data Cloud, we've got all these different vendors that volunteer information. We've got a MetroCard with that, Experian and TransUnion. You notice that Equifax isn't up there; I don't think anyone actually pays for that information. it's so they got Acxiom, which is actually a competitor, and if you go to Acxiom's website and you try to pull up information about yourself, like you can do with BlueKai, they're looking at, "Yeah, yeah, we'll give you all the information we have about you, but you have to send us a five-dollar check. Can't be a money order, can't be a cashier's check, it has to be a personal check." a shade that's
real shape. So some of the other things that they do is they gather and synchronize data: LinkedIn, so they have everything that you do for your job, Twitter and the Instagram cos theta
you have a well emails you shouldn't let you do. So what do you do once you have all of this information, because you're really creeped out now, you're not sleeping, pacing? First thing you do is don't volunteer information for me. But we do it all the time, we really do, especially with the Datalogix programs, the membership loyalty cards. So volunteering can be your mobile apps. You'll have all those mobile apps; they have different APIs in to gather all of your information, like your geolocation. Those permissions can be set in the front itself, so if you must have the device, you must have an app on the device, you can always bill within it,
make it less harmful. Social media quizzes and posts: you don't need to answer 50 questions to find out what Hogwarts house you're in. You're probably Hufflepuff.
Membership loyalty programs is the big one. You're getting a few cents off of your pack of tuna or whatever, but they're getting so much more, so much more. It's the fitness trackers too, like this. This is nothing but a bracelet right now because I lost my charger two days ago and I can't find it, but if it were working it could be tracking. if it's not tracking me and you could track it. So another thing that I found out reading some material: don't be afraid to lie or say no. Michael that yeah there was an article that I have read where someone, to put himself in the right mindset, if people were to go to a
restaurant and they asked him what to put his word I say if you went to Taco Bell I say what made you month remember don't tell them your name. And it's not information that they actually use, but it puts you in that mindset. So try this out, just as an experiment. It's more difficult than you might think. Go to Taco Bell or wherever place your work and ask what your name is: Frank, Sarah. I'll get some eyebrows raised if you're a guy. That's harder than you think. and whatever bears before is when you go to places like a candle or pet shop at PetSmart, where they actually use the information that you give. So if they ask
what your e-mail address is, just I know there are a couple applications out there that can give you information pseudo. Another one is opting out. So all of these different websites here are different ways to opt out, and the way that most of these work are about cooking your browser cookies, and if something happens to that opt-out cookie, your being tracking then you don't. So opt-out may not be the best option, and it's also an honour basis. So you say "don't track me" and they say "okay, sure, send us that personal check." So if you do want to go to opt out route works you want to go over any the tools that I'm
about to mention, I did create a website on our DC865 page called privacy and Yukon domain a Jeff under resources, and it will have all the tools I'm about to talk about and a bunch of different techniques. But all of the things that I want to go over: it has something called Panopticlick. Has anyone ever heard of Panopticlick? like you nice getting better. So Panopticlick, the way it works is you click on the button and it'll tell you how vulnerable your browser is and tell you if you have Do Not Track enabled taken fingerprint a browser. It's a really useful tool, and it makes you really. one of the absolutely aim down best tools
that you can use: anyone use Pi-hole? Yeah, so Pi-hole is an absolute godsend. You don't actually have to use it on Raspberry Pi hardware, but it's cheap and why not. So Pi-hole, if you install it, it will create DNS sinkholes, and they can't track you if they don't even know that you exist, because you never actually went to their website, you never really got cooking. You may have that information on your browser, but it can't reach out, because with Pi-hole you can download lists from GitHub that block all of these advertisers, and then you can also get lists that block all the coin miners, so that your browser isn't beating up CPU cycles because you're
visiting a web page. It is a really useful tool and I can't recommend it, I really can't. So that tool that we used earlier, Lightbeam: this is CNN before Pi-hole, and this is CNN after Pi-hole. I could go back and add these websites, but I mean Jesus Venice as a major reduction; you went from seventy-three to eight. Something else that you can do is, if you're using a Pi-hole at home, you can use something like scribes and effective and create different types of VPN connections, because maybe the Wi-Fi connection that you're at blocks typical VPN connections. let's try that effect will open up multiple ports and different ways and
you can configure it how to write, and then you could connect your mobile device if you wanted to run a weekend. If you don't have time for that, I recommend Nord. Nord is great. They are not the fastest, they're not the cheapest, but they do have really good privacy policies in place. EFF also has Privacy Badger for your browser, so if you use Pi-hole at home, even then also use Privacy Badger on browsers. If you really want to start getting into the tinfoil hat areas, you can use Tor for everything, or you can use disposable VMs, Qubes or Tails. You can even get so deep that you'd actually go in and dox yourself. Michael Bazzell was
one of the people that I was thinking about earlier. just my commands Olaf has a book called Hiding from the Internet, and it's really, really awesome. there's Vincent he talks about, like, you can purchase homes through shell corporations so that information, and you can just really, really get hermit crab on this thing. It really comes down to what you're willing to live with when you have all that information out there. It's up to you to decide what you want to hide and what you're willing to let loose. but the fifth if if you don't care that struggle is taking your information, whatever, at least you know, and most people know. Does
anybody have any questions besides can I have a king
So the question is, do you get any reduction or blocking of websites if you're using these tools? and perhaps you've entered you may, because it works on the browser, but with Pi-hole I don't believe so. It's not so much that it's blocking it; it just says "where is this website? I don't know, I can't find it," because it literally can't find it. You're using it as a DNS server and it just doesn't have that entry. So I really don't think that it would be the same thing, but if you have a lot of entries on there you may see a slight lag in a long time, but it's nothing compared to going to CNN without it.
yep anything else
it was I would stick with EFF if you like another product head, but you mentioned Ghostery. Ghostery is owned by an ad company at one point, so yeah, they were blocking competitors, they were selling that information is appreciated, but they have since been purchased again, I believe by a German company, and as I understand they're not doing that anymore, as I understand.
Yeah. So when it comes to your browser itself, you can go in and make sure that any CD's if you're going to worry about from China, cut those out, and then you can use other later insecurities on top of that by the PI of them, but I don't know of any things specifically from the browser to I can make it that way. yeah I'll make it that way 20 20 minutes. Anything else?
we put that on the website do you ever see that he's our zuriat' I've got in every chemistry review with the Dimity so Zack said that he has an additional media of every source that he would like to put on the website that's perfectly fine and if anybody has any suggestions this is how you can reach me I'd be more than glad to look it over add it to the website I want to make sure that these resources
No yeah yeah if you that might be told at the beginning of the presentation we don't have any cookies and it's not even it's not even like a wordpress site it's just static HTML 5 with PHP so it is that stripped down as it could possibly
DC865 means, your question is, a local DEF CON group. It's Knoxville's DEF CON group. They have them all over major cities, and we meet once a month. We go over presentations, we have CTFs, review projects, and we work with our security groups and community. We actually have a 10 X Type image, so if you're in DC its exponent you go down to the bottom of the media, we have a Slack page, and that Slack isn't just DC865, it's actually 10 SEC, and the best East Tennessee has a bunch of different spirit communities, and instead of each of us having a Slack, it's all in one and then we can have separate channels underneath
that I mean it just makes communication so much easier if we're trying to work as a team and student community with each other and I think that's the goal
Scrubbing data is a completely different talk. I wish that I were reversed enough to answer your question, but really this this previous Michael Bazzell, I can't recommend enough. He's the man. There are other resources out there, but definitely check
I'm sorry, speak up. Okay, so so their fifth day a website she's saying that can scrub the data for you. She'll give me that information, we can check it out, I'll definitely put it on the page. Anything else, guys? Looks like we got some time. I don't he wants to know if there are any MAC address changers that I have, and I don't have any of those. And whenever it comes to the MLA devices, the best case that you could do is turn your Wi-Fi Bluetooth from around the house that battle game, because without those enabled they can't get the MAC address. It's just impossible.
So hiding your MAC address within Linux tools, that's great, and I'm sure there are a lot of solutions out there for it, but I doubt many people are under health Linux. There are other tools that you could use, I'm sure, I'm just not this. Incognito: so incognito mode doesn't necessarily prevent people from tracking you, it just prevents your browser from storing that information. So whether you are worried about people tracking inside your network or whether you're worried about their company's tracking what you browse, it'll still happen, they'll still cookie it, but as soon as you close that session it's gone, so it won't track you outside of that.
So Tor and the CIA uber I yeah, I'm sure the government has many fingers in many pies, but I'm really not sure. You would have to ask, you know. I heard that that's not the case, and the FBI did a raid on a bunch of stuff that wasn't only building inside the Firefox it was fun. Yeah, they do. Yeah, the FBI does run summits it knows, but I'm sure that it's a drop in the bucket as to how many are out there, and really that's just one part of it.
yeah in excess no I got one thing one left give me a good question
So the GDPR, gonna answer the question, how will that change things? I don't think the GDPR will necessarily change how you're being tracked. GDPR, if I'm correct, is just your right to be forgotten, so you would still need to reach out to those companies and have that information is correct. If that answers your question. All right guys, if that's it, we've still got CTF running over at Casey. Come on out. You don't need the VM for most of the flat that's some of the flags; there are five flags that you don't even need a VM for, and last time I checked there was only one flag didn't even big catcher and there are 15. We've
got some hacker boxes to give away and be size glass for anybody. [Applause]