
32c3 comments, random ramblings, thoughts, notes, dump part VIII

posted Mar 19, 2016, 6:30 AM by Sami Lehtinen   [ updated Mar 19, 2016, 6:36 AM ]
Online banking and TAN numbers & security. NONCE / OTP codes. Banking transaction MitM weaknesses. I've blogged about this several times. Security measures: anti-debugging, device fingerprinting, string encryption, packing, library and anti-hooking measures. Rootkit detection. High level system programming. Automatic optimizations. Quantum Cryptography. Conspiracy Theories. Quantum Mechanics. Key Distribution. Position-Based Cryptography. Quantum Bit. Polarization of a Photon. Qubit. Rectilinear and Hadamard bases. Measuring Collapses the Quantum State. Wonderland of Quantum Mechanics. Quantum random number generator. Quantum Communication vs Quantum Computation. Efficient Classical Attack or Efficient Quantum Attack against AES, SHA, DiscLogs, Hash-Based Signatures, McEliece, Lattice-based cryptography, Quantum Key Distribution (QKD). Quantum Hacking. Position-Based Cryptography. Position Verification. Distance Bounding. Attacking Game. No-Cloning. EPR Pairs, entangled Qubits. Or "spooky action at a distance" as they say. Quantum Teleportation. No-Go Theorem. Technology and Mass Atrocity Prevention, Automatic Social Network Analysis. The Ultimate Amiga 500 talk... Love. Really great talk about Amiga 500 hardware and design. It was really retro stuff, but that's the time when things were still relatively simple. The architecture of the street level panopticon. Street level surveillance is mass surveillance. Prevent, Expose, Empower. Centrally collecting data from private networked security cameras. Do you want cloud video monitoring in your home? Especially one which stores all video data in the 'official service provider's cloud', where you don't have control over it. Automated mobile fingerprinting programs and biometric retina & iris scans with small devices comparable to current cell phones, all in the name of public safety. Hand telemetry, scar recognition, tattoo recognition, etc. Voice & face recognition. Automated License Plate Readers (ALPR), which also photograph the driver, passengers and the car itself.
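The TAN / OTP codes mentioned above boil down to deriving a short code from a shared secret plus a counter (or timestamp). A minimal sketch of counter-based HOTP (RFC 4226) in Python; note that a plain OTP only authenticates the session, it doesn't bind the code to the transaction content, which is exactly the MitM weakness:

```python
# Minimal HOTP sketch (RFC 4226), the kind of one-time code
# scheme behind banking TAN lists and OTP tokens.
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Derive a one-time code from a shared secret and a counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                  # dynamic truncation (RFC 4226, 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# RFC 4226 test vector: secret "12345678901234567890", counter 0 -> "755224"
print(hotp(b"12345678901234567890", 0))  # 755224
```

Time-based TOTP is the same construction with the counter replaced by floor(unixtime / 30).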
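The rectilinear / Hadamard basis and measurement-collapse notes above are the core of BB84-style quantum key distribution. A purely classical toy simulation of the sifting step (no real qubits, just the rule that measuring in the wrong basis yields a random bit; function name and data are mine):

```python
# Toy BB84 sketch: measuring in the wrong basis collapses the qubit
# to a random bit, so only positions where sender and receiver
# happened to pick the same basis are kept ("sifting").
import random

def bb84_sift(n: int, rng: random.Random):
    sent_bits  = [rng.randint(0, 1) for _ in range(n)]
    sent_basis = [rng.choice("+x") for _ in range(n)]   # rectilinear / Hadamard
    recv_basis = [rng.choice("+x") for _ in range(n)]
    # Same basis -> bit survives intact; wrong basis -> random outcome.
    recv_bits = [b if sb == rb else rng.randint(0, 1)
                 for b, sb, rb in zip(sent_bits, sent_basis, recv_basis)]
    # Bases are compared over a public channel; mismatches are discarded.
    key_a = [b for b, sb, rb in zip(sent_bits, sent_basis, recv_basis) if sb == rb]
    key_b = [b for b, sb, rb in zip(recv_bits, sent_basis, recv_basis) if sb == rb]
    return key_a, key_b

a, b = bb84_sift(32, random.Random(1))
print(a == b)  # True: sifted keys agree when nobody eavesdropped
```

An eavesdropper who measures in transit collapses roughly half the qubits into the wrong basis, which shows up as errors in the sifted key; that, plus no-cloning, is what makes interception detectable.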
Centralized video surveillance intelligence centers. ALPRs are also used to collect information about who goes where and when, where they stay, etc. There are cars equipped with mobile ALPR, so they can easily collect information about who's attending certain events and so on. Many video surveillance companies hand over video data to law enforcement on a voluntary basis. Cell site simulators like StingRay II can be used for extensive surveillance operations based on mobile phones, and also to inject malware into mobile phones. Anti Facial Recognition Makeup. Ha. Dazzle camouflage for your face. WiFi & Bluetooth device address identifier collection (BD_ADDR / Bluetooth MAC Address). Prediction and Control by Jennifer Helsby, Watching Algorithms. Human decision making is slow, biased and not transparent. Algorithmic machine learning, automated tasks, distilling huge volumes of data. Algorithms and machine learning can have serious implications. Collect: financial records, criminal history, driver's license history, driving history, travel history, medical history, purchase history, social media posts and likes, social network analysis and so on. The list goes on. It's also easy to forget that usually these activities are highly interlinked, so even without all the data, you can infer some areas from other data pretty reliably. This can be used to build a citizen score or insurance score, credit score, and so on. Employability score? Hidden imprinting of people. How do we assure privacy, fairness and transparency? Predicting actions from historical data on an individual level. Nothing new; if data is available, it will be analyzed and utilized. Whether it's about health, insurance, crime, jet engine or building maintenance makes basically no difference whatsoever. Of course there's a risk of poor data quality when systems are being trained. Cross-correlation can lead to sensitive data being learned indirectly, even if it isn't actually on the learning task list. False positive flagging issues.
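To see how little machinery the ALPR "who goes where and when" profiling actually needs, here's a toy group-by over made-up plate reads (all plates, times and locations below are hypothetical sample data):

```python
# Sketch of how trivially ALPR reads turn into movement profiles:
# group (plate -> list of (time, location)) and the question
# "who attended this event" becomes a dictionary lookup.
from collections import defaultdict

reads = [  # (plate, timestamp, camera location) - made-up sample data
    ("ABC-123", "2016-03-01T08:02", "Main St"),
    ("ABC-123", "2016-03-01T17:41", "Rally Sq"),
    ("XYZ-789", "2016-03-01T17:45", "Rally Sq"),
]

profiles = defaultdict(list)
for plate, ts, loc in reads:
    profiles[plate].append((ts, loc))

# Who was near the rally?
attendees = sorted({plate for plate, ts, loc in reads if loc == "Rally Sq"})
print(attendees)  # ['ABC-123', 'XYZ-789']
```

The same group-by works unchanged for Bluetooth MAC addresses or cell site simulator logs; only the identifier column differs.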
Of course data can be used for less vague purposes like targeted advertising etc. Who's in control of machine learning systems? Nobody? De-anonymizing 'anonymous' users. The filter bubble, where everything is personalized for everyone, but is that right? What are the downsides? Do you vote for something because algorithms thought it would be the right thing to do and fed you related propaganda or 'selective information'? - Say hi to your new boss: How algorithms might soon control our lives. Theory, Algorithms, Machine Learning, Big Data, Consequences for Machine Learning, Use of Algorithms Today and in the Future. Discriminating against people with machine learning & algorithms. Creating persistent user identities by (accidental) de-anonymization. Strategies for Handling Data Responsibly. Data vs Model. Handling model discrepancy aka epsilon. Systematic errors, signal noise, hidden unknown variables not getting analyzed. Data Volume. Incorporate variables from hidden data into the model, reducing error. Decision Tree Classifier vs Neural Network Classifier. Low risk usage like: personalization of services and recommendation engines. Or individualized ad targeting, customer rating / profiling, consumer demand prediction. There are also medium risk usages like: personalized health, person classification (crime, terrorism, and other 'features'), autonomous cars / planes / machines, automated trading, service requests etc. High risk cases like: military intelligence / intervention, political oppression, critical infrastructure services, life-changing decisions (about health). Examples of data "mishaps". Discriminating against people with algorithms. Humans can be prejudiced, but are algorithms better? Protected attributes like ethnicity, gender, sexual orientation, religion. Replacing a manual hiring process with an automated one? It would save a lot of time screening CVs by hand and probably result in improved candidate choice, basically a decreased error rate. Training a predictor.
Support Vector Machine. Test Sample Data. Manual vs automatic classification. Information leak. Using machine learning to de-anonymize data. Data bucket analysis. Using 75% of data as the training set and 25% of data as the test set. Measure prediction success probability and identify users. All this using very naive and simple approaches, without fine tuning or optimization. Grouping similar users, and so on. Where do you work, whom do you hang out with during free time. The more data we have, the more difficult it is to keep algorithms from directly learning and using object identities instead of attributes. Our data follows us around! It's really hard to create a new identity which wouldn't be linked in some way to the old identity, because you'll most probably have some attributes which still uniquely identify you even under the new ID. Data Scientists / Analysts / Programmers. Train data scientists in the safety and risks of data analysis. Do not blindly trust decisions made by algorithms. Collect and analyze algorithm-based decisions using collaborative approaches. Create better regulations for algorithms and their use. Force companies / organizations to open up black boxes. Overtraining and overfitting let you waste a lot of resources while making the results only non-meaningfully better.
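The 75% / 25% de-anonymization experiment described above can be sketched in a few lines: generate labelled attribute vectors, hold out a quarter, and try to re-identify the user behind each "anonymous" held-out vector with a plain nearest-neighbour match. All data here is synthetic and the L1 distance is my choice, not the talk's; the point is only how naive the approach can be:

```python
# Naive sketch of a 75/25 de-anonymization experiment: "anonymous"
# attribute vectors in the test set are matched back to named users
# in the training set by nearest neighbour - no tuning at all.
import random

def nearest_user(train, vec):
    # train: list of (user, attribute vector); plain L1 distance
    return min(train, key=lambda t: sum(abs(a - b) for a, b in zip(t[1], vec)))[0]

rng = random.Random(0)
# 10 synthetic users, each with a characteristic 4-attribute profile
users = {u: [rng.gauss(u, 0.5) for _ in range(4)] for u in range(10)}
samples = [(u, [v + rng.gauss(0, 0.3) for v in base])
           for u, base in users.items() for _ in range(8)]
rng.shuffle(samples)

split = int(len(samples) * 0.75)            # 75% train / 25% test
train, test = samples[:split], samples[split:]
hits = sum(nearest_user(train, vec) == u for u, vec in test)
print(f"re-identified {hits}/{len(test)} held-out samples")
```

Real experiments would use proper classifiers and real behavioural features; the uncomfortable part is that even this toy version re-identifies users once their attribute profiles are distinctive enough.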

Yeah, this was the last post about 32c3 finally. Phew.