Sunday, July 31, 2022

Phone Privacy at DEFCON 30!

So our workshop on smart (I will keep a straight face here, just saying) phone privacy was accepted by the Crypto and Privacy village at DEFCON 30. If you are there, we will be presenting it on Saturday Aug 13th. As it will be only one hour, we strongly recommend that you first follow the instructions in the co-author's GitHub-based wiki; this link is also in the official DEFCON announcement, but it is so important we would rather mention it a few times.

So, what is it all about?

Short version: how to make your smart phone more private and why you should care. I could elaborate on that, but this post is not about the contents of the workshop: go watch it and find out!

Anything useful you want to tell us?

People have told me I have some kind of fixation with bullet points; let's not disappoint them, shall we?

  • No pictures will be taken with my phone; I will be bringing a camera -- ancient but trusty Canon ELF -- to take some pictures of the event. Yes, compared to modern smart phones its resolution is pathetic. But, it has a real zoom, using real lenses, has no understanding of wireless file transfer (great during DEFCON), and does not keep you up at night when the vendor stopped creating patches for it. As this will be a real camera, not a smart phone, they will not be posted in real time.
  • I was comparing our abstract with the other presenters' and realized ours is gigantic by comparison! This is not a size competition, and I realized it may end up being a bit of a turnoff. But, there is some logic behind the madness: we really wanted to make sure people knew what to expect and that they need to prepare for the workshop. Which leads to...
  • The "talk" part of this workshop will be rather short because the main dish is the hands-on part.
  • If you want to get your hands dirty, bring an Android phone. Its two main requirements are
    • A phone you are fine with being bricked. That can happen. And, you can find out if it does brick before attending the event because we put the setup instructions in the wiki.
    • Ideally, you want to have a phone such as Google Pixel (3 and above), OnePlus, or Fairphone. The main reason is that a lot of Android phones have a closed source "blob" of code that is only updated for a brief period of time (a year? A week?), until not long after its replacement hits the shelves. However, we are not saying "for best experience you should have bought the latest $1000 phone" (bonus point if you know where I took that from). We do think everyone should be able to strive for a private focused phone (sounds like a tag line for a product, eh?). In fact, we will have a Pixel 4 to show things, but a Pixel 3 will work just fine and can be found for around $50 if you look hard enough. When I checked this morning, a used Pixel 4 was hovering around $100.
    • FYI, I have issues with the Google Pixel phones, primarily how hard they are to repair.
  • I would love it if we could make the phone fully private from a GDPR (we tend to mention it a lot in this blog?) standpoint, but that won't happen. Compounding that, some countries do not take your efforts to protect your privacy in your phone very kindly.
  • I really would like to thank the Crypto and Privacy village for having us. This may sound like the typical fake message you associate with Facebook and LinkedIn, but for a change it is real. One of the hints is that I am not starting this thread with "I am excited that;" the truth is that we have been working hard and long hours on this and the CPV crowd have put up with all of our stupid questions and rewrites and whatnots. And have not tried to strangle us!

Dude, I have an iPhone! What should I do?

Dude, I have no clue; I do not have an iPhone to research on!

Saturday, July 30, 2022

The private life of a privacy screen

Let's say you have a laptop which you take to libraries, coffee places, and other public locations to get fresh air and inspiration while you write away a new article or piece of code. How do you keep what you are doing to yourself?

You on the corner who said "VPN" (when you think aloud, you do think aloud), you are right. That helps with the network connection. But what about keeping away the prying and curious eyes of other customers of the same establishment you are in? Yes, this time the answer is the privacy screen, which has not only been around for decades but also is the name of this post.

How good is a privacy screen

Some are really useless. I remember when I was in college one that was so bad the person using the computer could barely see what she was doing. It was just a step above bolting a steel plate to the front of the monitor; I guess if you the user cannot see what you are doing, the same happens to the potential attacker, who then has to rely on keylogging and scanning the screen contents using software.

Others work well enough to be useful within some limitations. Case in point is the one I will be test driving today. Its brand is... well, I have no idea. I found it beside the trash can in an office once. It is one of the common polarized ones and had no scratches nor too many fingerprints on its surface. As it was larger than the (old) laptop monitor I wanted to use, I grabbed it. And then cut it to size and secured it using Scotch tape (I am calling the brand out here because that is the roll I have).

It is one of those garden-variety polarized screens, which blocks the light if you move too far from being perpendicular to it. How far must you move from looking straight at it before the privacy part of the privacy screen is "engaged"? It depends on the make. Let's see how it works by simulating the kind of situation that can happen anywhere.

  • Here is a picture of it installed in the test laptop, which is currently set up to replicate that of Mort Villanous, an aspiring supervillain who is in some public library writing his current world domination plot. In fact, this would be the point of view of our evildoer in-the-making. Note the tape on the corners of the privacy screen.

    From his point of view, he can clearly see the screen and, as a result, work on his important and secret document. The eagle-eyed members of the audience may have seen my exclusive and expensive camera cover; I will try to provide a link to it later on. But if you have to ask how much, you can't afford it.

  • Next let's pretend we are Tom Goodfellow, secret agent tasked to observe what villanous things our villanous villain, Villanous, is up to. Wearing his trademark 30 gallon white hat, chaps, and 7 Gold Chains of Virtue, he discreetly approaches Mort from the right. This is what Tom sees.
    From his current point of view, the laptop looks as if it is turned off, as the surrounding background is reflected on its back screen. That won't do.
  • Knowing Mort has not noticed him yet, Tom heroically slides a bit closer to the aspiring villain. This time the privacy screen proves no match to the hero's eyes, as at this angle it exposes a hint of an evil deed in the making, namely a document is open and being worked on: he can see there are words written using different font sizes, but he still can't read them. These clues tell Tom he is dealing with a polarized privacy screen!
  • Emboldened with confidence and knowledge of how this kind of screen works, our hero inches even closer to the villain. And he is rewarded with being able to finally begin to read the contents of the document!
    Unfortunately, the secret agent made the typical hero's mistake. Being a bit myopic, he leaned too much towards the computer. As a result Mort Villanous not only heard the gentle clanking of the secret agent's gold chain as it touched the table, but also felt it crushing his arm. Aware now of the presence of his enemy, Mort immediately closed the laptop, shouted "do you mind?" ignoring proper library etiquette, and walked away.

Moral of the Story

Whether you are plotting to rule the world, or just trying to read email in peace at a public location, getting a privacy screen is not a bad idea. However, test it first to see how large its "non-private" region is so you can plan where you will be sitting and what will be behind you.