[Cryptography] Response to "I don't have anything to hide"

Jason Cooper cryptography at lakedaemon.net
Fri Feb 26 11:53:36 EST 2016


Hi Matthias,

Sorry for the long email.  I usually strive for brevity in responses.
But, ask an open-ended question... :)

On Thu, Feb 25, 2016 at 04:49:24PM -0800, Matthias Wulfeck wrote:
> I figure I would toss this question out and seek advice from the general
> community. How do you respond to "I don't have anything to hide"? How do
> you explain to non-technical (and non-paranoid) friends of what's really at
> stake?

The first thing I do is to try to put myself in their shoes.  *Everyone*
has a threat model.  Based on the statement, it doesn't include USG.
But the same person will get creeped out if someone looks over their
shoulder while they're trolling FB in $coffee_shop.

Privacy is relative and means different things to different people.
Teenagers don't care about USG/FBI/NSA, but they *do* care about
parents/teachers/school admins.

Non-technical folks get physical privacy.  Don't look over my shoulder,
don't ask how much something costs, etc.

And, there are some folks who genuinely don't care.  The open books.
They'll share their password for a piece of candy.  It's not that
they're dumb, they simply trust anyone.  I like to think they are so
fortunate to never have had their trust violated.

If the person is an 'open book', I smile and move on.  No point wasting
energy.

All the others are where I focus my energy.  Once I figure out what
their threat model is, I frame the problem in their terms.  At this
point, it gets very specific, so I'll just give some examples:

Web Browsing
------------

Ask about their favorite website.  Open a normal, non-locked down
browser.  Go to an adult website, or a singles hookup site.  Close the
browser.  Open back up and go to $favorite_site.  Why is there an ad for
Adult Friend Finder? or similar?

Install NoScript.  Reload the page, you may have to allow scripts for
the main page.  Now show the *long* list of advertisers wanting to run
scripts in your browser.  Why are they there?  Did you think 47 people
were here in the room with you while you read that page?  Not just
watching you, but recording it and selling it.

Open other pages to show how the same advertisers are present across the
Internet.

Solution: Ad blocker of choice, lock down browser config.

Login Passwords and Data
------------------------

"If your laptop is stolen, what protects your data on the laptop?"  Ask
them to put a file on their Desktop with a secret in it.  Shut down the
laptop.  Boot from an Ubuntu CD.  Open the internal drive, open the
file, read the secret to them.  Bonus: go into the browser cache and
start pulling browsing history for them.

Solution: TrueCrypt, BitLocker, FileVault, PGP WholeDisk, etc.

The Deletion problem
--------------------

Take a brand new thumbdrive or SD card.  Ask the user to put some photos
on it and eject the drive.  Then, ask them to plug the drive back in and
delete the photos.  Last, ask them to eject the drive and hand it to
you.

Install PhotoRec or similar recovery tool.  Scan the drive.  Show them
the photos.

Stress that this isn't just a problem on thumbdrives, it works on hard
drives, and applies to websites also (different reasons).  If it comes
up, I dig up the FB subpoena posted online which shows all 'deleted
posts' and 'deleted photos'.

Solution: Secure erase tool, free space wipe, and/or whole disk encrypt.
Don't post shit on the net you'll regret.  Period.

WiFi Broadcasts
---------------

Typically, the above scenarios have been performed while the user is on
a wifi network I own.  With their consent, I've been recording since the
beginning with tcpdump on the gateway, or wireshark/kismet/airmon on
wifi.  tcpdump gives better results.  But wireshark/kismet/airmon better
demonstrates that *anybody* near them can do this.

Show the list of the SSIDs their computer is probing for.  Filter for
the list of DNS requests (I add a column to wireshark showing the time
delta between displayed packets, helps show what the user initiated).
Show how that alone reveals a *ton* of info on their browsing habits.

Look for unencrypted traffic (thankfully, there's much less these
days), extract some pictures.  If possible (typically ISP email
servers), show email syncing connections that are in the clear.
Locate email password if possible.  Show advertiser unique identifiers
and other cookie-type data.  Also any location data or personal data you
may come across.

For some balance, show https connections to google and other sites.
That's what everyone is *supposed* to be doing.  iow, wireshark and
kismet aren't the problem, they're simply a tool.  The problem is
failure to encrypt at all times.

Solution: Delete old wifi networks, install HTTPS Everywhere.  Possibly
Tor, depending on the user.  Rename home wifi to something generic.

Summary
-------

The most important thing I tell them is that these tools are just that,
free tools.  *Anybody* can do what I've demonstrated.  Hell, these
aren't even hacking tools.  The only thing preventing random joe from
doing this is knowledge.  Last I checked, attempts to limit knowledge
fail miserably.

I also tell them that technology providers need to do a better job
protecting users.  They'll only do that if a significant portion of
users demand it.  Which users will only do if they understand the
problems.  Hence, the solution is education.

So, I guess the shorter answer is to demo the vulnerabilities with their
own gear.  :-)


Hope this helps,

Jason.
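
Added example, not part of the original email: a toy model of "The Deletion problem" showing why a normal delete leaves photos recoverable and why a free-space wipe closes the gap. ToyDrive, carve_jpegs and the sample "photos" are constructed for illustration; this is not PhotoRec's algorithm or any real filesystem.

```python
# Added illustration: a toy drive model, not a real filesystem or PhotoRec's code.
SOI, EOI = b"\xff\xd8\xff", b"\xff\xd9"  # JPEG start / end markers
class ToyDrive:
    """Flat byte array plus a directory of name -> (offset, length)."""
    def __init__(self, size=4096):
        self.raw, self.directory, self.next_free = bytearray(size), {}, 0

    def write_file(self, name, data):
        off = self.next_free
        self.raw[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self.next_free = off + len(data)

    def delete(self, name):
        # Like an ordinary delete: drop the directory entry, leave the bytes.
        del self.directory[name]

    def wipe_free_space(self):
        # Rebuild the drive keeping only bytes owned by live files.
        clean = bytearray(len(self.raw))
        for off, length in self.directory.values():
            clean[off:off + length] = self.raw[off:off + length]
        self.raw = clean

def carve_jpegs(raw):
    """Return JPEG-looking byte runs found in raw, ignoring the directory."""
    found, pos = [], 0
    while (start := raw.find(SOI, pos)) != -1:
        end = raw.find(EOI, start + len(SOI))
        if end == -1:
            break
        found.append(bytes(raw[start:end + len(EOI)]))
        pos = end + len(EOI)
    return found

def make_photo(tag):
    # Constructed stand-in for a photo: JPEG markers around a labelled payload.
    return SOI + b"\xe0" + tag.encode() * 8 + EOI

def demo():
    drive = ToyDrive()
    for tag in ("beach", "keep", "party"):
        drive.write_file(tag + ".jpg", make_photo(tag))
    drive.delete("beach.jpg")
    drive.delete("party.jpg")
    after_delete = carve_jpegs(drive.raw)   # directory lists only keep.jpg
    drive.wipe_free_space()
    after_wipe = carve_jpegs(drive.raw)
    return sorted(drive.directory), after_delete, after_wipe
```

Calling demo() returns the live directory, what a carver finds after the two deletes, and what it finds after the free-space wipe.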

