Neuromancer

Essays and rants on libraries, technology, webdev, etc. by Ruth Collings

Code4LibNorth 2014

This are my notes for the conference.

Security and Privacy
Activism, law, practises, & code
Reality - Model - Feelings

There's no such thing as completely secure, it is merely a matter of raising the cost of hacking you to the point where few people will bother.

Being a person

Being as completely secure and private as possible as an individual is a daunting and expensive task even for very technically-minded individuals. See: https://www.bestvpn.com/the-ultimate-privacy-guide/ & http://www.theonion.com/articles/after-checking-your-bank-account-remember-to-log-o,32260/

On a personal level, security is about trade-offs. Being anxious makes you more likely to react to potentially dangerous situations and avoid getting hurt. It also wastes energy by making you react to harmless situations just in case they are dangerous (false positives). What level of (expensive, tiring) paranoia are you willing to maintain in exchange for heightened privacy?

Your level of paranoia is directly related to your feeling of security. The reality of security might be very different. Determining the most appropriate level of paranoia for your environment requires knowledge of the reality of your security and ideas about what other people do. That is the model of security. It's the rational decisions that you make.

Reality

http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/
badBIOS

http://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/all/1

Stuxnet.

http://www.wired.com/2012/05/flame/
www.washingtonpost.com/world/national-security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html

Flame.

http://brucesterling.tumblr.com/post/84306546293/malware-as-a-service

You can totally just buy malware and automated exploit kits online.

https://www.eff.org/deeplinks/2009/09/what-information-personally-identifiable

Gender, zip code, and birth date are enough to identify most people in the USA and has been since at least 1997.

http://qz.com/199209/londons-bike-share-program-unwittingly-revealed-its-cyclists-movements-for-the-world-to-see/

Bike-sharing program in London releases open data on bike use, accidentally makes it very easy to identify individuals, their patterns of travel, and lots of other personal stuff.

http://www.theverge.com/2014/4/14/5613928/fbi-facial-recognition-database-will-contain-52-million-images-by-2015

The FBI has a database of facial images called the "Next Generation Identification" made up of non-criminal photos. That is, 4.3 million people in the USA who may or may not have been arrested for anything are in this database and don't know it. Presumably, other metadata of theirs is in there too.

http://www.wired.com/2014/03/trustwave-target-audit/
http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

You know how last Christmas Target lost a bunch of credit cards? They actually had a security audit performed right before then that said they were fine. That doesn't even mean anything though because there are no laws on how customer data should be handled by retailers or credit-card processing companies, just agreements with credit card companies to cover their asses. Target had breaches in 2005, 2007, and 2011 as well.

http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/
http://www.wired.com/2014/04/hospital-equipment-vulnerable/
http://www.wired.com/2012/01/10000-control-systems-online/
http://www.wired.com/2012/02/home-cameras-exposed/
http://www.wired.com/2014/04/traffic-lights-hacking/

Tons of stuff has computers in it that you don't even think about. Elevators. Electrical substations. Security cameras. Pacemakers. Traffic lights. Guess how much time their developers spend on security?

http://pando.com/2013/10/26/i-challenged-hackers-to-investigate-me-and-what-they-found-out-is-chilling/

All of this is generic wide-focus stuff. If a hacker actually wanted to attack you, personally, you should not have any expectations of privacy. Info that can be found out about you online by an expert includes SIN, maiden name, family names, place and date of birth, chequing and savings account balances, where you live, where you shop, your passwords, your credit card number, etc etc.

http://www.cbc.ca/news/canada/canadians-with-mental-illnesses-denied-u-s-entry-1.1034903?cmp=rss

Think you're safe in Canada? Basically anything the RCMP have on you is available to Americans no question asked. This is also why even having laws that require the storage of personal data on local servers is fairly pointless.

http://news.nationalpost.com/2013/02/21/police-can-look-through-a-password-less-phone-without-a-warrant-says-ontario-court/

If your phone is unlocked, Ontario police don't need a warrent to look through it.

Institutional security

So a patron comes into the library and they sit down at one of our computers and they use Internet Explorer 6 to browse the web. What can we do about this?

Based on the Feeling - Model - Reality model we have two vectors of attack. We can't do anything about what somebody feels about something, that's internally generated. We can, however, effect change on their model and their reality.

Reality: Uninstall IE from library computers. Only have the most recent version of IE available. Keep IE, but hide it in the Programs and keep Firefox and Chrome on the desktop with all the appropriate settings and add-ons installed.

Model: Teach patrons in all your "Computers 101" courses not to use late models of IE. Encourage them to use Firefox or Chrome and which add-ons to install. Teach patrons how to avoid picking up malware, recognize unsafe sites, etc.

Hopefully this creates the effect of lowering their sense of security in the library when they're on a computer while simultaneously raising the security in reality so that they become more equal and therefore more accurate.

So in library-language there are two aspects of security: informational literacy and IT. Despite the fact that it is very easy to just list out a ton of ways in which you can improve the digital security of your library, there are a lot of institutional barriers to making changes in library IT just based on bureaucracy.

One of the other barriers to updatingy your IT infrastructure is that it's not about the software, it's about the implementation. I'm going to repeat that again: it's not about the software, it's about the implementation.

Some pieces of security are more plug-and-play than others, and the frankly embarressing levels of security at libraries would benefit from those kinds of software immediately, but once you get past the very beginner level stuff it's more about how you use something than what you use. Back at the very beginning I said there was no absolute security, only security that was too much of a hassle to hack. The corollary to this is that security is a hassle to implement, from all three angles of the model. It's fairly accurate to say that security is not static, it's a constant battle between the defender and the attacker. The defender is also at a permanent disadvantage: you can't just put up a wall and walk away, but the attacker can attack at any time, from any angle.

So considering how much work it is to implement and maintain security, why bother? I've been working from the point of view that libraries are ethically responsible for the safety of people using it's services, but that's really up to you to decide.

One area I haven't talked about so far in modifying reality is the bigger reality: law and politics. In my opinion, libraries should be activists for privacy and get public and noisy about this stuff. The American government has decided it doesn't need anybody's permission to take a good look at their personal life, but somehow RDA is more central to our mission as librarans than patron privacy?

Implementation

One of the thought patterns it's easy to fall into is that either patrons don't have any information that is worth stealing or if they do have really secure stuff they should do it at home on their own tech. This is the opposite of true. People who use libraries as their only sources of internet and computing are likely the most vulnerable to predation. Even if they know it's not safe to bank on public wifi, what choice do they have?

Don't buy software or hardware without figuring out what the vendor's plans are for security and privacy of users. Giving vague hand-wavy promises like "we use the same encryption banks do!" should be taken as the BS it is.

Develop authentication tokens rather than giving vendors access to your patron records or telling patrons to sign up for yet another account on the vendor's site with their barcode.

Use reliable, well-known, and large public vendors. Doing things in-house or contracting out is the WRONG IDEA when it comes to security! Big companies are not immune from failure, but you should only use things that have been tested by lots of other people first.

Do the kind of basic security and privacy stuff you'd do for your own computer on library public-access computers (ad-blocker, .disconnect, private browsing, do-not-track, etc). Do your patrons deserve less privacy than you do?

Lend out computers with Tails as the OS

Beware of "respecting patron's wishes" when it comes to making lazy decisions when it comes to privacy. Just like how some public spaces are scent-free, if someone wants to use the library computers they need to use Firefox.

Takeaway

Librarians should advocate for their patron's privacy whenever possible and hold vendors and yourselves to high standards.

Demonstrations

VuFind security: https://vufind.org/wiki/security
Hashing is off by default!!!!!!!

Access to the main Admin interface is on by default and found open on the internet at [vufindurl.com]/Admin/Home

Positive example: PaperCut

Wireshark

Further Reading

Rebooting Library Privacy in the Age of the Network - David Weinberger

Choose Privacy Week from ALA (this week?)

Just Delete Me is a FAQ for deleting your account on multiple sites

SHODAN is a search engine for open ports on the internet -- mostly stuff that shouldn't be open

Mat Honan's targeted hack

Blogs:

Comment @collingsruth