thewayne: (Default)
The Electronic Frontier Foundation has developed an open-source toolkit that, when installed on a very inexpensive portable hot spot, makes the device report whether it sees any cell-site simulators (CSS) in your area.

CSS devices, also known as Stingrays, allow law enforcement to capture all identifying information in an area with great precision. It is blanket surveillance. The problem is that while they may have a warrant to surveil Suspect X, they don't have warrants to surveil and capture information on me, you, and everyone around us. Stingrays capture everyone's location information in their effective operating range and log it. Also, we know very little about how these devices operate: this info is kept under very tight lockdown by the manufacturers and by the law enforcement agencies. There has been very little success in lawsuits filed to pry this information into direct sunlight.

Some CSS units can go beyond locating the suspect's phones and actually intercept communications. Whether they can intercept the comms of everyone they have sucked into connecting to them isn't known.

The concern is whether CSS is being used to surveil protests and religious gatherings, things that are protected by the First Amendment. There is some evidence that points to this, but it is not known how widespread such surveillance may be.

This new toolkit by the EFF is called Rayhunter, i.e. hunting for stingrays. It requires the purchase of an Orbic WiFi hotspot, links in the article to Amazon and eBay show them available for $10-20. The software to turn the Orbic into a Rayhunter is available on the EFF site, but you must be running Linux or Mac OS to install it - no package for Windows at this time. I suppose you could probably run a Linux VM on Windows to install it that way. Once installed and running, in the presence of CSS a red line will appear on the top of the display and the event will be logged, otherwise a green line will show. Connecting to the device's browser will let you review the log file.

The device is not a counter-surveillance tool: it does nothing to interfere with CSS, which would be against many FCC rules and probably against local and Federal law. The EFF believes that the Rayhunter is legal under U.S. law, but if you're not in the USA then you should talk to an attorney in your area to see what kind of risk you might be taking.

Myself, I'd look into rehousing it into something else, like, say, a Gameboy box that also works as a Gameboy, as eventually The Powers That Be will be looking for people carrying this particular model of Orbic devices and plausible deniability might begin running thin. For the paranoids amongst us, perhaps having a tamper switch on the Gameboy that would fry the memory if it's opened incorrectly.

https://www.eff.org/deeplinks/2025/03/meet-rayhunter-new-open-source-tool-eff-detect-cellular-spying
thewayne: (Default)
YES! YES! YES!

My favorite quote from the article was the line that it was "morally corrupt"!!!

Bands include Rage Against The Machine and Boots Riley!

https://www.rollingstone.com/music/music-features/tom-morello-zack-de-la-rocha-facial-recognition-concerts-boycott-1234775909/

https://entertainment.slashdot.org/story/23/07/02/0140223/100-bands-including-ratm-boycott-venues-using-facial-recognition-technology

FYI, Rolling Stone is really pushing for subscribers and has a limit on how many articles that you can view free. To bypass this, open a Private Browser Window and copy/paste the URL into it.
thewayne: (Default)
Very interesting. Facial recognition (FR) has problems; this is well-known. There are also attacks against it. It's been demonstrated that the Dazzle camouflage used on World War I navy ships is effective against it, because the system can't lock on to measure distances between eyes, nose, nostrils, etc. to compute geometry.

This attack is different. They took twenty people and blacklisted all of them in the system so they would all be flagged immediately. Then they used a smartphone app to identify "heatmaps" of their faces, and a makeup artist went to work to make up their faces to shadow their faces naturally, and achieved a 98%+ success rate at spoofing the FR system! And their faces look completely authentic and real, even a bit glamorous.

Article on Vice discussing the attack:
https://www.vice.com/en/article/k78v9m/researchers-defeated-advanced-facial-recognition-tech-using-makeup

thewayne: (Cyranose)
PRISM is/was an NSA intelligence-gathering program. It has been widely speculated that friendly governments spy on other countries so that said country doesn't violate laws about spying on their own people. And this happened in NZ. The activist was from Fiji, and was very active in trying to get democracy for Fiji and get rid of the prime minister. So in sweeps the NSA and PRISM to try and find dirt on him, which they did not find.

First Confirmed Prism Surveillance Target Was Democracy Activist (fortune.com)

Posted by manishs on Monday August 15, 2016 @08:00AM from the truth-is-out-there dept.
A new report by Television New Zealand in collaboration with The Intercept, based on leaks of former U.S. National Security Agency worker Edward Snowden has for the first time named a target of the NSA's controversial Prism program. The target was a middle-aged civil servant and pro-democracy activist named Tony Fullman. Fullman, who is originally from Fiji but has lived in New Zealand for decades, is an advocate for democracy in Fiji and a critic of Fijian prime minister Frank Bainimarama, who took power in a 2006 coup.

From a Fortune report:
According to The Intercept, the NSA in 2012 monitored Fullman's communications through the Prism program and passed on information to the New Zealand intelligence services. Around the same time, the New Zealand authorities raided Fullman's home and revoked his passport. The New Zealand intelligence services were not themselves allowed to spy on Fullman, who was a New Zealand citizen. However, as Snowden has repeatedly described, the agencies of many Anglophone countries spy on each other's behalf, in order to bypass their national legal restrictions. Fullman suggested in the article that people in the group may well have said violent things about Bainimarama, but this was just venting, not a plot. According to the report, they never suspected someone was listening into their communications. The NSA was said to be helping by analyzing Fullman's Facebook and Gmail activities. The 190 pages of intercepted documentation seen by The Intercept apparently didn't reveal evidence of a plot.

https://yro.slashdot.org/story/16/08/15/1341241/first-confirmed-prism-surveillance-target-was-democracy-activist
thewayne: (Cyranose)
It was only his outbound calls and texts; still, the public was able to piece together a remarkably accurate profile of his life. They figured out where his parents live, when he left the country for foreign travel, when the drawbridge went up on his route to work, and when he moved to a new house to be closer to work. They produced heat maps of the area showing the most calls that were quite interesting.

They also made some wildly inaccurate guesses. This was just one half of the data: if they'd had access to more metadata, they would have made a much more exhaustive map. The article links to the original release of data which apparently you can still download and play with.

Australian law allows you to download your metadata from your cell provider.

http://www.abc.net.au/news/2015-08-24/metadata-what-you-found-will-ockenden/6703626


This is security expert Bruce Schneier's take on the data with some good comments from his reading faithful.

https://www.schneier.com/blog/archives/2015/09/what_can_you_le.html
thewayne: (Cyranose)
Stingrays are $100,000 devices that simulate cell phone towers and are used by law enforcement to capture a suspect's cell phone traffic. The problem is, it also captures EVERYONE ELSE'S TRAFFIC. There has been tremendous controversy about 4th Amendment rights because it's such a blanket capture of traffic. Many criminal cases have been dropped because the defense attorneys have pressed for details on the Stingrays and the prosecution abandoned the case under direction of the Federal Department of Justice to not reveal details.

Well, apparently they now have smaller hand-held devices that are 1/20th the price and can filter for just a suspect's traffic. And the 4th Amendment problems remain.

http://www.wired.com/2015/08/security-news-week-police-use-mobile-cell-phone-trackers-avoid-court-orders/
thewayne: (Cyranose)
Every home. Every business. At eye height. "To help solve crime." I can understand that lots of surveillance footage might be of the top of people's heads, but this is ridiculous.

Does anyone know if it's illegal to wear a baseball cap in the UK filled with IR LEDs?

http://news.slashdot.org/story/15/03/09/1910202/scotland-yard-chief-put-cctv-in-every-home-to-help-solve-crimes
thewayne: (Cyranose)
I've written about Stingrays before, they're surveillance devices that force all of the cell phones in an area to connect with them, thus conducting yet another form of mass surveillance. And usually they're deployed without warrants.

Well, now they're in the air. The U.S. Marshals Service has five Cessnas around the country that carry them. They're more powerful and sensitive, which means they're sweeping up a much larger area than a ground-based unit.

WHEEE!

http://www.wired.com/2014/11/feds-motherfng-stingrays-motherfng-planes/
thewayne: (Cyranose)
Very interesting tech. The ability to recover sound by bouncing a laser off of glass has been around for ages; this is different, as it just uses a camera and would therefore be difficult to detect. You find a boundary, for example, between a blue and red object. Blue and red combine to make purple, and by watching how it shifts around purple you can reconstruct information.

It isn't easy. An ideal setup would have a camera that could record 2,000 to 6,000 frames per second (FPS), which is damn fast and requires a LOT of light: as the FPS goes up, so does the amount of light for a proper exposure. The real breakthrough by the researchers was to find a quirk in cell phone cameras, which top out at about 60 FPS but this glitch can be exploited to provide the same information.

The defense? Close the drapes.

Their findings will be presented at the Siggraph conference.

http://newsoffice.mit.edu/2014/algorithm-recovers-speech-from-vibrations-0804
thewayne: (Cyranose)
The concept is that you can algorithmically figure out what the person entered as a passcode with high accuracy for numeric codes and impressive accuracy for alphanumeric passcodes. The question is exactly how much of a threat does this thing represent, since you need a fairly clear view of the device that's being used.

http://www.wired.com/2014/06/google-glass-snoopers-can-steal-your-passcode-with-a-glance/
thewayne: (Cyranose)
The ACLU filed a public records request for all information about using stingray devices from the Sarasota PD and had an appointment to review the documentation, when the US Marshals Service went in and effectively raided the police department, taking all of the documents that the ACLU were going to view.

Something similar happened in Tallahassee after it was revealed that said department had used stingrays 200 times without telling a judge. The stingray manufacturer had made the police department sign non-disclosure agreements and the department thought that precluded telling judges. Interesting how corporations can now dictate law enforcement behavior.

A stingray is a piece of surveillance equipment that mimics a cell tower. It broadcasts a stronger signal than a tower which forces all of the cell phones in the area to link to it. By moving the tower around, you can triangulate and more accurately locate the phone with a specific number than is possible with tower information alone. The kerfuffle revolves around the detective getting a 'trap and trace' warrant which is effectively a phone tap, for deploying this stingray, rather than a probable cause warrant that is normally used with them.

http://www.wired.com/2014/06/feds-seize-stingray-documents/
thewayne: (Cyranose)
Thus spoke General Michael Hayden, former director of the NSA and the CIA. Metadata is information about information, in this case, collecting metadata about phone calls. It knows A called B on a certain date and time and for a certain amount of time. It then can go out 2-3 hops, A<->B is one, B then calls C is 2, C calls D E and F for three. So A never talks to F, but they are indelibly associated, so if one is labeled a terrorist, there's an extremely high chance the other is. But maybe it's just a neighborhood pizza joint that delivers.

And with every drone strike we radicalize more people to become terrorists, and we've given them an exceptionally bright and clear target: the USA. I guess winning hearts and minds is too wussy these days.

http://www.nybooks.com/blogs/nyrblog/2014/may/10/we-kill-people-based-metadata/
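
The hop-chaining described in this post, as an added Python example that is not part of the original post or of any agency's tooling. The call records and the `max_degree` cut-off are constructed for illustration; the sketch shows how one shared number (the pizza joint) pulls unrelated people into A's 3-hop set.

```python
from collections import defaultdict, deque

# Constructed call records (caller, callee). A-B-C-D/E/F is the chain from
# the post; "pizza" is a delivery place that A and six strangers have called.
CALLS = [
    ("A", "B"), ("B", "C"), ("C", "D"), ("C", "E"), ("C", "F"),
    ("A", "pizza"),
    ("P1", "pizza"), ("P2", "pizza"), ("P3", "pizza"),
    ("P4", "pizza"), ("P5", "pizza"), ("P6", "pizza"),
    ("P1", "Q1"),  # a friend of one pizza customer
]


def build_graph(calls):
    """Metadata only says 'these two numbers were in contact': undirected."""
    graph = defaultdict(set)
    for caller, callee in calls:
        graph[caller].add(callee)
        graph[callee].add(caller)
    return graph


def within_hops(graph, seed, max_hops, max_degree=None):
    """Breadth-first search returning {number: hop distance from seed}.

    max_degree is a hypothetical pruning rule: a number with more contacts
    than this is recorded but not expanded, so a busy business does not
    link every one of its customers to the seed.
    """
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if hops[node] == max_hops:
            continue  # hop limit reached, do not follow further
        is_hub = max_degree is not None and len(graph[node]) > max_degree
        if is_hub and node != seed:
            continue  # hub: keep it in the result but stop chaining here
        for peer in graph[node]:
            if peer not in hops:
                hops[peer] = hops[node] + 1
                queue.append(peer)
    return hops


def summarize(hops):
    """Group reached numbers by hop count, seed excluded."""
    by_hop = defaultdict(list)
    for number, distance in hops.items():
        if distance:
            by_hop[distance].append(number)
    return {d: sorted(names) for d, names in sorted(by_hop.items())}


if __name__ == "__main__":
    graph = build_graph(CALLS)
    print("naive 3 hops :", summarize(within_hops(graph, "A", 3)))
    print("hubs pruned  :", summarize(within_hops(graph, "A", 3, max_degree=5)))
```

With the naive rule, thirteen numbers end up associated with A, seven of them only because of the pizza order; with the hub left unexpanded, only the B, C, D, E, F chain and the pizza number itself remain.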
thewayne: (Cyranose)
It was called the Terrorist Surveillance Program, and apparently was superseded by PRISM.

Here's my question. I remember a few years ago a person proposed a program, I believe it was a retired Navy Admiral (are there any other kind? the Navy Admiral bit), and it was called the Total Surveillance Program. Both are TSP. It was rumored after the first TSP (Total, not Terrorist) was shut down that there were efforts to break it in to smaller pieces. I wonder if one of them is the Terrorist TSP in whole or in part.

http://www.npr.org/blogs/thetwo-way/2013/12/21/256101601/new-nsa-documents-make-case-for-keeping-programs-secret
thewayne: (Cyranose)
First, I didn't see it but apparently the weekly CBS news program 60 Minutes did a pure puff piece on the spy agency that held water about as well as my spaghetti strainer. I probably would have been throwing objects at my TV had I seen it.

http://www.wired.com/threatlevel/2013/12/60-minutes/


Meanwhile, a US District Court judge in Washington, DC, said that the NSA bulk collection of telephone metadata is blatantly unconstitutional. His decision seemed to hinge on two points. First, the case law that the government's arguments were predicated upon was from the late '70s, long before cell phones were ubiquitous, and things have changed. In that case, from 1976, a purse-snatcher started calling his victim and harassing her; the police traced the calls without a warrant, and the courts ruled that the thief had no reasonable expectation of privacy and upheld the non-warranted search. Now this judge, 34 years after the SCOTUS upheld that conviction, said that reasoning isn't really sensible any more, especially with the NSA siphoning so much information and retaining it forever.

The ruling included an order for the NSA to cease collecting this info, but he stopped short of ordering it implemented since it's obvious the government will appeal the ruling.

http://www.npr.org/blogs/thetwo-way/2013/12/16/251645205/federal-judge-rules-nsa-bulk-phone-record-collection-unconstitutional

http://www.wired.com/threatlevel/2013/12/bulk-telephone-metada-ruling/
thewayne: (Cyranose)
The Seattle police department has a proven track record of being less than forthcoming when they institute surveillance measures. They installed 30 cameras in the port district for 'security' without owning up to it or saying how they are used. Most recently, they've installed a mesh wireless network downtown. Each box contains four wireless access points, and they talk to each other. And they can track and triangulate a smartphone's WiFi radio.

The city council passed a regulation that all systems capable of surveillance have to have detailed usage plans before the council within 30 days of installation. The report is expected around Thanksgiving, and the new police network, from a vendor known as Aruba, will have been up for nine months at that point.

The whole thing was funded by the Department of Homeland Security and feeds an intelligence fusion center, among other recipients.

http://www.thestranger.com/seattle/you-are-a-rogue-device/Content?oid=18143845

http://mobile.slashdot.org/story/13/11/09/060253/seattle-pd-mum-on-tracking-by-its-new-wi-fi-mesh-network


There's a concept called geofencing. In it, a geographic point is defined, such as 'my parent's house', and under iPhone's iOS 6 and later you could tell it 'remind me to open the vent in the bedroom when I get to my parent's house.' I would imagine that Android phones have similar capability. It'd be cool if you could tell it 'Disable WiFi when I leave home, turn it on when I return.'
thewayne: (Cyranose)
The NSA, PRISM, and trying to keep your information private and secure

This is a whole bunch of links that I've been accumulating that talk about a lot of different facets of what's been going on since Edward Snowden blew the lid off of the PRISM spying and what the NSA and federal government have been doing.

First up, my fav security guy, Bruce Schneier. In this article “How to Remain Secure Against the NSA”, Bruce talks about precautions that you can take to improve your security, while acknowledging that if the NSA et al wants information about you, there's precious little that you can do about it.

https://www.schneier.com/blog/archives/2013/09/how_to_remain_s.html


Here we have a story by a man who was Microsoft's privacy chief from 2002 to 2011 who says he no longer trusts the company since the existence of PRISM was revealed. “In the two years since leaving Microsoft, Bowden has ceased carrying a cell phone and become a staunch open source user, claiming that he no longer trusts a program unless he can see the source.”

There's only one problem with that: 99%+ of people can't read source code or really have the expertise to understand it and to also understand all of the other source code that it ties in to, as you have to evaluate every single part of the system to know whether or not it's secure. So we have to rely on others to tell us that this code is secure. Linux is probably secure, but lots of its code that relates to cryptography and communications is being reevaluated to look for back doors and a lot of the crypto code is being replaced with code that is more public and not backed by NIST.

http://hothardware.com/News/Former-Microsoft-Privacy-Chief-Says-He-No-Longer-Trusts-The-Company/

thewayne: (Cyranose)
Yesterday, a thread appeared on Slashdot saying that a private company's recycle bins, a dozen all over London, were electronically sniffing you as you walked by. If you had a smart phone, it grabbed your WiFi's MAC address and logged your movement relative to the can. The long-term purpose was targeted advertising since it is difficult, if not impossible, to change this number.

In two test runs, four days in May and eight in June, "...over four million events were captured, with over 530,000 unique devices captured. Further testing is taking place at sites including Liverpool Street Station." The 'event' would be four million people walking by one of their bins, the 'unique devices captured' would be the 8% of those people with smart phones in their pocket. The company, Recycle Now, has around a hundred such recycling bins all over London that also incorporate digital ad boards. They were working towards a Minority Report advertising ecosystem.

According to the firm's CEO, "...As long as we don't add a name and home address, it's legal." He also told Wired UK that "We collect anonymised and aggregated MAC data -- we don't track individuals or individual MACs. The ORBs aggregate all footfall around a pod for three minutes and send back one anonymised aggregated report from each site so the idea that we are tracking individuals again is more style than substance," says Memari in an email. "There are applications in the future which Quartz focused on but during the trial period we are only looking at anonymised and aggregated MAC data."

He adds, "as some of the technology we will be testing will be on the boundaries of what is regulated and discussed it is our intention to discuss it publicly and especially collaborate with privacy groups like EFF to make sure we lead the charge on [adding necessary protections] as we are with the implementation of the technology."


http://www.wired.co.uk/news/archive/2013-08/09/recycling-bins-are-watching-you

The company has a web site that allows you to enter the MAC address of your phone to opt-out of the tracking, which I would think the site would just take and aggregate the data for future use since in the initial version the bins aggregate the data before sending it back to the mother server, which means the individual MAC addresses are not there. They might push an ignore list out to the bins, but I doubt that.

Well, the City of London Corporation has told Renew Now to stop running the program.

http://www.techweekeurope.co.uk/news/recycling-bin-firm-denies-tracking-london-phones-with-wi-fi-124461


FYI, a MAC address is a unique identifier built-in to the networking part of your equipment. Your smart phone or tablet has one if it can access the internet, any network card or a computer with a built-in network card has one, which is pretty much all computers made today. So does your DVR, your networked printer, your BluRay player, etc. It's a two-part number consisting of six hexadecimal digits, normally each digit is represented with a colon separator, like this: 01:23:45:67:89:ab. The first three digits identify the manufacturer, the last three are unique to the card. This gives a total number of unique values of 247 x 10 to the 14th. A unique MAC address is essential to network routing, that is, getting the packets that your computer sends to a specific web site returned back to you and not to someone else. In Windows and Mac PCs, you cannot change this number. In Linux machines, even though the number is burned in to a read-only memory chip, it can be changed if you want to tinker at that level. I don't know if you can change it on an Android smart phone, whose operating system is based on Linux.

In this case, Renew Now claimed that they were just gathering the manufacturer code of the MAC address, so it wasn't tracking you, it was tracking who made your smart phone. Marketers like to make assumptions about people based on branding, for example, some web sites look to see if you're accessing them from a Mac, and if so, they charge you a higher price because they know you'll pay more money for some types of computer hardware. It's a very broad brush that they're painting with, and I think it's fallacious when it comes to smart phones. If someone drives a Ferrari, yes, you can assume they're wealthy. Smart phones, not so much. I was making less than $30k annually when my wife bought me my iPhone, that ain't wealthy.


The only way to truly block tracking like this is to either turn off the WiFi on your phone when you're out in public, or turn off your phone altogether. How many people could or would actually do that? It's funny to think about 20 years ago when almost no one owned a cell phone.
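
The difference between logging only the manufacturer prefix and logging whole MAC addresses, as an added Python example that is not part of the original post or of the bin vendor's software. The sightings, bin names and addresses are constructed; the bit test for locally administered (software-set or randomized) addresses follows the IEEE 802 address format.

```python
import re
from collections import Counter, defaultdict

# Constructed sightings: (bin id, minute of observation, MAC seen in a probe).
SIGHTINGS = [
    ("bin-01", 0, "00:11:22:33:44:55"),
    ("bin-01", 1, "00:11:22:aa:bb:cc"),
    ("bin-02", 3, "3c:5a:b4:01:02:03"),
    ("bin-02", 7, "00:11:22:33:44:55"),
    ("bin-03", 9, "da:a1:19:00:00:01"),   # locally administered address
    ("bin-05", 15, "00:11:22:33:44:55"),
]

_OCTET = re.compile(r"[0-9a-f]{2}")


def parse_mac(text):
    """Return the six octets of a colon-separated MAC, or raise ValueError."""
    parts = text.strip().lower().split(":")
    if len(parts) != 6 or not all(_OCTET.fullmatch(p) for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def oui(mac):
    """First three octets: the manufacturer prefix."""
    return ":".join(f"{b:02x}" for b in mac[:3])


def is_locally_administered(mac):
    """Bit 0x02 of the first octet marks an address that was set in
    software rather than assigned by the manufacturer."""
    return bool(mac[0] & 0x02)


def vendor_only_report(sightings):
    """What is left if only the manufacturer prefix is kept per event.
    Locally administered addresses carry no vendor and are skipped."""
    counts = Counter()
    for _bin, _minute, text in sightings:
        mac = parse_mac(text)
        if not is_locally_administered(mac):
            counts[oui(mac)] += 1
    return counts


def device_trails(sightings):
    """What retaining the full MAC makes possible: one ordered list of
    bins per device, i.e. a movement trail."""
    trails = defaultdict(list)
    for bin_id, _minute, text in sorted(sightings, key=lambda s: s[1]):
        parse_mac(text)  # reject malformed input
        trails[text.lower()].append(bin_id)
    return dict(trails)


if __name__ == "__main__":
    print("vendor-only:", dict(vendor_only_report(SIGHTINGS)))
    for mac, bins in device_trails(SIGHTINGS).items():
        print(mac, "->", " > ".join(bins))
```

The vendor-only report cannot tell the two `00:11:22` phones apart, while the full-address log shows one of them passing bin-01, bin-02 and bin-05 in order.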
thewayne: (Cyranose)
A very cogent take from conservatives in another country as to the PRISM et al surveillance state that was slid in to our country with little knowledge of the citizenry.

I especially liked the first comment: "...ONLY credible suspicion should drive surveillance."

http://www.economist.com/news/leaders/21579455-governments-first-job-protect-its-citizens-should-be-based-informed-consent
thewayne: (Cyranose)
Excellent article from the former director of application security at Twitter.

It focuses on several points. First, Federal criminal statute is spread over 27,000 pages. Even the Feds don't know how many laws there are, but it's estimated to be in excess of 10,000. For example, it is illegal to possess a lobster under a certain size. Doesn't matter how you got it, and ignorance of the law is no excuse. It also talks about the sometimes necessity of violating the law to encourage change. In Minnesota, sodomy was illegal until 2001; they recently approved same-sex marriage. If we had 100% effective law enforcement, it would be extremely difficult to get such laws changed because everyone who would benefit from that change would be a branded criminal.

Another: manpower. It used to require law enforcement to commit one or more persons to follow someone. Now we all carry our very own tracking devices, and last year cell carrier Sprint, by itself, responded to 8 million tracking requests from law enforcement. That's pretty much the entire city of New York. It's much easier for law enforcement to relax their standards and be profligate in their information requests since they don't have to invest the manpower resources to follow someone. Myself, I've become tempted to put my phone in to airplane mode just to screw up my tracking data. I have no reason to believe that law enforcement would be interested in me, but I also see no reason to make their jobs easier if they do take an interest. Of course, the question then becomes would me turning off their ability to track me pique their interest in me?

She also mentions license plate scanners. I actually saw those in use in El Paso, 100 miles south of me and a place that we visit every couple of months. If I ever see Phoenix or any of the places that I regularly spend time in getting them, I'm buying one of those LED license plate frames.


I especially like two paragraphs in her conclusion: Some will say that it’s necessary to balance privacy against security, and that it’s important to find the right compromise between the two. Even if you believe that, a good negotiator doesn’t begin a conversation with someone whose position is at the exact opposite extreme by leading with concessions.

And that’s exactly what we’re dealing with. Not a balance of forces which are looking for the perfect compromise between security and privacy, but an enormous steam roller built out of careers and billions in revenue from surveillance contracts and technology. To negotiate with that, we can’t lead with concessions, but rather with all the opposition we can muster.


I was recently discussing this topic with a friend, who is part of the "I have nothing to hide" attitude. He surfs porn on the internet. He's also a teacher. I have no idea what flavors of porn he's interested in, and I'm sure they're perfectly kid-safe. But what would happen to his career if that information were released? It could certainly be a career-ending revelation.

I don't have anything in my computers that I'm particularly ashamed of, including browser history, but I don't want it to become public knowledge. The fact that I have nothing in particular to hide doesn't give law enforcement or anyone else the right to stick their nose in it without probable cause and a search warrant. My laptop is encrypted, so is my desktop and all of my backups, also my iPhone backups which do not back up to the cloud. I will not allow my equipment to be casually examined. I will not go gently in to that good night if they take an interest in me, they're going to have to produce a valid search warrant before I unlock anything.


http://www.wired.com/opinion/2013/06/why-i-have-nothing-to-hide-is-the-wrong-way-to-think-about-surveillance/

Page generated Jul. 5th, 2025 09:01 pm