Going Nuclear: Programmatic Protections against Extreme Vetting, Social Pressures, and Coercion

Tuesday, January 16, 2018 - 1:30 pm–2:00 pm

Cara Marie, Offensive Security Lead, Datadog; Andy Grant, Regional Vice President, NCC Group

Abstract: 

It's become more common for individuals to be forced to grant access to their "personal" online accounts/devices. There has been recent media focus on border crossings where individuals are required to temporarily turn over laptops/devices, often being coerced into giving decryption secrets or biometrics. Similar demands are made when individuals are arrested. It's also been reported that some employers request employees' credentials for social media accounts—there has even been consideration of adding similar requirements to the U.S. visa application process.

These are all obvious invasions of privacy with at-best questionable legality, and yet not complying has dire consequences—prolonged detainment, missed work, or barred entry to the country. As these measures are put in place domestically, it's only reasonable to expect similar policies in other nations, particularly those with fewer individual freedoms.

What options are left for an individual? This talk explores three programmatic options to help activists, dissidents, travelers, foreign nationals, and everyday citizens better protect their sensitive data. These proofs of concept (released post-talk) focus on what should be done to implement a "nuclear" option: revoking access to everything—possibly while under threat—wiping data when necessary. These solutions are not intended to be answers to the issues at large, but proofs of concept that we hope will start a greater conversation with regard to acceptable (and legal) privacy investigations.

You can view an animated version of the slides that were used for this presentation here.

Cara Marie, Offensive Security Lead / Datadog

Cara Marie is an Offensive Security Lead at Datadog. Prior to joining Datadog, Cara Marie worked as a security consultant performing penetration tests against a wide variety of products, applications, environments, and infrastructure. Cara has performed security research in the following areas: Linux rootkits, compression bombs, and browser security. She has given talks at Black Hat, InfoSeCon, ZonCon, and ShellCon. Cara has compiled and released a "bomb" arsenal (https://bomb.codes) which aids security researchers and developers performing compression bomb testing.

Andy Grant, Regional Vice President / NCC Group

Andy Grant is a Regional Vice President for NCC Group. While at NCC Group, Andy has worked on a wide variety of projects. He has performed numerous mobile application assessments on Android, iOS and WP7, internal and external network penetration tests, web application security assessments, and widget/third-party platform reviews. Andy has worked with small tech start-ups, small and large software development groups, and large financial institutions. Andy has a BS in Computer Science and an Advanced Computer Security Certificate from Stanford University.


BibTeX
@inproceedings {208123,
author = {Cara Marie and Andy Grant},
title = {Going Nuclear: Programmatic Protections against Extreme Vetting, Social Pressures, and Coercion},
booktitle = {Enigma 2018 (Enigma 2018)},
year = {2018},
address = {Santa Clara, CA},
url = {https://www.usenix.org/node/208124},
publisher = {USENIX Association},
month = jan
}
