Archive for the ‘Privacy’ Category

VA State Police Paid $585K+ For Cell Site Simulator – Your Price?

Sunday, December 4th, 2016

Virginia State Police releases cellphone surveillance logs: Since May 2015, the VSP have used their DRTbox unit 12 times – 5 of which appeared ineffective, by Curtis Waltman.

From the post:

As part of a nationwide FOIA census for cell site simulator surveillance devices, the Virginia State Police responded with new documents detailing their acquisition and use of the DRT 1183C. Made by Digital Receiver Technology of Maryland, the DRT 1183C is a device that is commonly referred to as a DRTbox. It is very similar to other cell site simulators like the Harris Corporation’s Stingray, except that DRTboxes can also intercept voice communication as well as GPS location and other metadata.

Astonishingly unredacted, these documents detail their 2014 purchase, which upgraded their obsolete DRTbox model to the smaller and more powerful 1183C. This cost the VSP $585,265, and came complete with a whole bunch of accessories, including a Chevrolet Suburban outfitted specifically to run the device.

Two questions:

  1. What features are offered by your home-brew cell site simulator?
  2. Estimated price (parts + labor)?

When law enforcement, judges, legislators, etc., join ordinary citizens in the smartphone goldfish bowl, effective privacy will be a goal of vendors.

Spies in the Skies [Fostered by Obama, Inherited by Trump]

Tuesday, November 29th, 2016

Spies in the Skies by Peter Aldhous and Charles Seife.

Posted in April of 2016, it reads in part:

Each weekday, dozens of U.S. government aircraft take to the skies and slowly circle over American cities. Piloted by agents of the FBI and the Department of Homeland Security (DHS), the planes are fitted with high-resolution video cameras, often working with “augmented reality” software that can superimpose onto the video images everything from street and business names to the owners of individual homes. At least a few planes have carried devices that can track the cell phones of people below. Most of the aircraft are small, flying a mile or so above ground, and many use exhaust mufflers to mute their engines — making them hard to detect by the people they’re spying on.

The government’s airborne surveillance has received little public scrutiny — until now. BuzzFeed News has assembled an unprecedented picture of the operation’s scale and sweep by analyzing aircraft location data collected by the flight-tracking website Flightradar24 from mid-August to the end of December last year, identifying about 200 federal aircraft. Day after day, dozens of these planes circled above cities across the nation.

The FBI and the DHS would not discuss the reasons for individual flights but told BuzzFeed News that their planes are not conducting mass surveillance.

The DHS said that its aircraft were involved with securing the nation’s borders, as well as targeting drug smuggling and human trafficking, and may also be used to support investigations by the FBI and other law enforcement agencies. The FBI said that its planes are only used to target suspects in specific investigations of serious crimes, pointing to a statement issued in June 2015, after reporters and lawmakers started asking questions about FBI surveillance flights.

“It should come as no surprise that the FBI uses planes to follow terrorists, spies, and serious criminals,” said FBI Deputy Director Mark Giuliano, in that statement. “We have an obligation to follow those people who want to hurt our country and its citizens, and we will continue to do so.”

I’m not surprised the FBI follows terrorists, spies, and serious criminals.

What’s problematic is that the FBI follows all of us and then, after the fact, picks out alleged terrorists, spies and serious criminals.

The FBI could just as easily select people on their way to a tryst with a government official’s wife, or to attend an AA meeting, or to attend an unpopular church.

Once collected, the resulting information is subject to any number of uses and abuses.

Aldhous and Seife report the flights drop 70% on the weekend so if you are up to mischief, plan around your weekends.

When writing about the inevitable surveillance excesses under President Trump, give credit to President Obama and his supporters, who built the surveillance state Trump inherited.

Surveillance Self-Defense [Guide to creating “false” persona?]

Tuesday, November 15th, 2016

Surveillance Self-Defense – Tips, Tools and How-Tos for Safer Online Communications

From the webpage:

Modern technology has given those in power new abilities to eavesdrop and collect data on innocent people. Surveillance Self-Defense is EFF’s guide to defending yourself and your friends from surveillance by using secure technology and developing careful practices.

Select an article from our index to learn about a tool or issue, or check out one of our playlists to take a guided tour through a new set of skills.

Definitely a starting point that merits sharing.

One important topic that is missing: How to create a “false” persona?

A “false” persona that cannot be connected back to a user is far more valuable than two-factor authentication, strong passwords, etc.

Pointers to such resources?

Leaking and Whistleblowing in the Trump Era

Monday, November 14th, 2016

In the Trump Era, Leaking and Whistleblowing Are More Urgent, and More Noble, Than Ever by Glenn Greenwald.

From the post:

For the past 15 years, the U.S. Government under both parties has invented whole new methods for hiding what they do behind an increasingly impenetrable wall of secrecy. From radical new legal doctrines designed to shield their behavior from judicial review to prosecuting sources at record rates, more and more government action has been deliberately hidden from the public.

One of the very few remaining avenues for learning what the U.S. Government is doing – beyond the propaganda that they want Americans to ingest and thus deliberately disseminate through media outlets – is leaking and whistleblowing. Among the leading U.S. heroes in the War on Terror have been the men and women inside various agencies of the U.S. Government who discovered serious wrongdoing being carried out in secret, and then risked their own personal welfare to ensure that the public learned of what never should have been hidden from it in the first place.

Many of the important consequential revelations from the last two administrations were possible only because of courageous sources who came forward in this way. It’s how we learned about the abuses of Abu Ghraib, the existence of torture-fueled CIA “black sites,” the Bush warrantless eavesdropping program, the wanton slaughter carried out in Iraq and Afghanistan, the recklessness and deceit at the heart of the U.S. drone program, the NSA’s secret construction of the largest system of suspicionless, mass surveillance ever created, and so many other scandals, frauds, and war crimes that otherwise would have remained hidden. All of that reporting was possible only because people of conscience decided to disregard the U.S. Government’s corrupt decree that this information should remain secret, on the ground that concealing it was designed to protect not national security but rather the reputations and interests of political officials.

For that reason, when the Intercept was created, enabling safe and productive whistleblowing was central to our mission. We hired some of the world’s most skilled technologists, experts in information security and encryption, to provide maximum security for our journalists and our sources. We adopted the most advanced programs for enabling sources to communicate and provide information to us anonymously and without detection, such as Secure Drop. And we made an institutional commitment to expend whatever resources are necessary to defend the right of a free press to report freely without threats of recrimination, and to do everything possible to protect and defend our sources who enable that vital journalism.

Over the past two years, we have published several articles by our security experts on how sources (and others) can communicate and provide information to us in the safest and most secure manner possible, to minimize the chances of being detected. We’ve published interviews with other experts, such as Edward Snowden, on the most powerful tools and methods available for securing one’s online communications. As our technologist Micah Lee explained, no method is perfect, so “caution is still advised to those who want to communicate with us without exposing their real-world identities,” but tools and practices do exist to maximize anonymity, and we are committed to using those and informing the public about how to use them in the safest and most effective manner possible.

Considering the damage done to the Constitution by George W. Bush and Barack Obama, leaking/whistleblowing in the Trump era is not “more urgent, and more noble….”

That is to say leaking/whistleblowing is always urgent and noble.

Think about the examples Greenwald cites. All are from the Bush and Obama administrations with nary a hint of Trump.

Exposing murder, torture, war crimes, lying to allies, Congress and the American public. And that’s just the short list. The margin of this page isn’t large enough to enumerate all the specific crimes committed by both administrations.

By all means, let’s encourage leaking and whistleblowing in the Trump era, but don’t leak timidly.

Government officials, staffers, contractors and their agents (double or otherwise), have freely chosen to participate in activities hidden from the public. Hidden because they are ashamed of what they have done (think CIA torturers) and/or fear just prosecution for their crimes (waging wars of aggression).

Leak boldly, insist on naming all names and all actions being described.

Secrecy hasn’t prevented excesses in secret; perhaps severe and repeated consequences from bold leaks will.

Leak early, often and in full.

PS: We should not rely exclusively on insiders to leak information.

Hackers have an important role to play in creating government transparency, with or without the government’s consent.

Orwell: The surveillance game that puts you in Big Brother’s shoes [Echoes of Ender’s Game?]

Sunday, November 13th, 2016

Orwell: The surveillance game that puts you in Big Brother’s shoes by Claire Reilly.

From the post:

“Big Brother has arrived — and it’s you.”

As CNET’s resident privacy nark, I didn’t need much convincing to play a game all about social engineering and online surveillance.

But when I stepped into my role as a new recruit for the fictional Orwell internet surveillance program, I didn’t expect to find the rush of power so beguiling, or unsettling.

Developed by German outfit Osmotic Studios, Orwell sees you working as a new recruit in a surveillance agency of the same name, following a series of terrorist attacks in Bonton, the fictional capital of The Nation. As an agent, you are responsible for scraping social media feeds, blogs, news sites and the private communications of the Nation’s citizens to find those with connections to the bombings.

You start with your first suspect before working through a web of friends and associates. You’re after data chunks — highlighted pieces of information and text found in news stories, websites and blogs that can be dragged and uploaded into the Orwell system and permanently stored as evidence.

The whole game has a kind of polygon graphic aesthetic, making the news clippings, websites and social media feeds you’re trawling feel close to the real thing. But as with everything in Orwell, it’s viewed through a glass, darkly.

If you are a game player, this sounds wickedly seductive.

If you’re not, what if someone weaponized Orwell so that what appear to be “in the game” hacks are hacks in the “real world?”

A cybersecurity “Ender’s Game” where the identity of targets and consequences of attacks are concealed from hackers?

Are the identity of targets or consequences of attacks your concern? Or is credit for breaching defenses and looting data enough?

Before reaching that level of simulation, imagine changing from the lone/small group hacker model to a more distributed model.

Where anonymous hackers offer specialized skills, data or software in collaboration on proposed hacks.

Ideas on the requirements for such a collaborative system?

Assuming nation states get together on cybersecurity, it could be a mechanism to match or even outperform such efforts.

Another Day, Another Law To Ignore – Burner Drones Anyone?

Thursday, October 27th, 2016

Sweden bans cameras on drones, deeming it illegal surveillance by Lisa Vaas.

From the post:

Sweden last week banned the use of camera drones without a special permit, infuriating hobby flyers and an industry group but likely pleasing privacy campaigners.

Drone pilots will now have to show that there’s a legitimate benefit that outweighs the public’s right to privacy – and there are no exemptions for journalists, nor any guarantee that a license will be granted.

The cost of a license depends on variables such as the takeoff weight of the drone and whether it’s going to be flown further than the pilot can see, and none of the licenses are cheap. Costs range from an annual license fee of €1,200 right up to a maximum hourly fee of €36,000.

UAS Sweden (Unmanned Aerial System – SWEDEN) has objected to the ruling on the potential for loss of jobs.

The interests of the industry will be better met with development and advocacy of burner drones. Similar to a burner cellphone, it isn’t intended for recovery/re-use.

Burner drones are critical to reporting on government attacks like the one imminent on #NoDAPL camps (North Dakota).

Burner drones keep journalists beyond the reach of batons, tear gas and water cannon, all good things.

Just searching quickly, Airblock has the right idea but its capabilities are too limited to make an effective burner drone for journalists.

Something on that order, with a camera, longer range/duration, modular is good, especially if you can add on parts that “bite.”

Privacy advocates miss the fact there is no privacy in the face of modern government surveillance. Banning drones only reduces the ability of people to counter-spy upon their less than truthful governments.

In case you are interested, the administrative court ruling in question:

The organization of camera on a drone but not for the camera in a car

Summary:

The Supreme Administrative Court has in two judgments found that a camera mounted on a drone requires a permit under camera surveillance law while a camera mounted behind the windscreen of a car or on a bicycle handlebar does not need permission.

Please ping me with notices of burner drone projects. Thanks!

Unmasking Tor users with DNS

Thursday, October 6th, 2016

Unmasking Tor users with DNS by Mark Stockley.

From the post:

Researchers at the KTH Royal Institute of Technology, Stockholm, and Princeton University in the USA have unveiled a new way to attack Tor and deanonymise its users.

The attack, dubbed DefecTor by the researchers in their recently published paper The Effect of DNS on Tor’s Anonymity, uses the DNS lookups that accompany our browsing, emailing and chatting to create a new spin on Tor’s most well established weakness; correlation attacks.

If you want the lay-person’s explanation of the DNS issue with Tor, see Mark’s post. If you want the technical details, read The Effect of DNS on Tor’s Anonymity.

The immediate take away for the average user is this:

Donate, volunteer, support the Tor project.

Your privacy or lack thereof is up to you.

Oversight Concedes Too Much

Wednesday, September 28th, 2016

It’s deeply ironic that the Electronic Frontier Foundation writes in: Police Around the Country Regularly Abuse Law Enforcement Databases:


The AP investigation builds off more than a year’s worth of research by EFF into the California Law Enforcement Telecommunications System (CLETS). EFF previously found that the oversight body charged with combatting misuse had been systematically giving law enforcement agencies a pass by either failing to make sure agencies filed required misuse data or to hold hearings to get to the bottom of persistent problems with misuse. As EFF reported, confirmed misuse cases have more than doubled in California between 2010 and 2015.

Contrast that post with:

“NSA’s Failure to Report Shadow Broker Vulnerabilities Underscores Need for Oversight” and “What to Do About Lawless Government Hacking and the Weakening of Digital Security,” both of which are predicated on what? Oversight.

Sorry, it is one of those “facts” everyone talks about in the presidential debates that both the Senate Select Committee on Intelligence and the House Permanent Select Committee on Intelligence have been, are and in all likelihood will be, failures in terms of oversight of intelligence agencies. One particularly forceful summary of those failures can be found in: A Moon Base, Cyborg Army, and Congress’s Failed Oversight of the NSA by Eli Sugarman.

Eli writes:

Does the U.S. government have a moon base? How about a cyborg army? These questions were not posed by Stephen Colbert but rather by Rep. Justin Amash (R-MI) to highlight the futility of Congress’s intelligence oversight efforts. Amash decried how Congress is unable to rein in troubling NSA surveillance programs because it is not adequately informed about them or permitted to share the minimal information it does know. Congress is instead forced to tease out nuggets of information by playing twenty questions with uncooperative intelligence officials in classified briefings.

Oversight? When the overseen decide if, when, where and how much they will disclose to the overseers?

The EFF and others need to stop conceding the legitimacy of government surveillance and abandon their quixotic quest for implementation of a strategy, oversight, which is known to fail.

For anyone pointing at the latest “terrorism” attack in New York City, consider these stats from the Center for Disease Control (CDC, 2013):

Number of deaths for leading causes of death:

  • Heart disease: 614,348
  • Cancer: 591,699
  • Chronic lower respiratory diseases: 147,101
  • Accidents (unintentional injuries): 136,053
  • Stroke (cerebrovascular diseases): 133,103
  • Alzheimer’s disease: 93,541
  • Diabetes: 76,488
  • Influenza and Pneumonia: 55,227
  • Nephritis, nephrotic syndrome and nephrosis: 48,146
  • Intentional self-harm (suicide): 42,773

Do you see terrorism on that list?

Just so you know, toddlers with guns kill more people in the United States than terrorists.

Without terrorism, one of the knee-jerk justifications for government surveillance vanishes.

The EFF should be challenging the factual basis of government justifications for surveillance one by one.

Conceding that any justification for surveillance exists without contesting its factual basis is equivalent to conceding the existence of an unsupervised surveillance state.

Once surveillance is shown to have no factual justification, then the dismantling of the surveillance state can begin.

Tor 0.2.8.8 is released, with important fixes

Friday, September 23rd, 2016

Tor 0.2.8.8 is released, with important fixes

Source available today, packages over the next week.

Privacy is an active, not passive stance.

Steps to take:

  1. Upgrade your Tor software.
  2. Help someone upgrade their Tor software.
  3. Introduce one new person to Tor.

If you take those steps with every upgrade, Tor will spread more quickly.

I have this vision of James Clapper (Director of National Intelligence), waking up in a cold sweat as darkness spreads across a visualization of the Internet in real time.

Just a vision but an entertaining one.

Google Allo – Goodbye!

Thursday, September 22nd, 2016

Google Allo: Don’t use it, says Edward Snowden by Liam Tung.

From the post:

Google’s Allo messaging app and its Assistant bot have finally arrived, but Allo has been slammed for reneging on a promise that it would, by default, make it more difficult to spy on.

Because of the missing privacy feature, NSA-contractor-turned-whistleblower Edward Snowden’s first take of Allo after yesterday’s US launch is that it’s just a honeypot for surveillance.

The main complaints are that security is off by default and that chat logs are stored until deleted by users.

Google made a conscious choice on both of those features.

Now is your opportunity to make a conscious choice about Allo. Goodbye!

Don’t be misled into thinking end-to-end encryption ends the danger from preserving chat logs.

Intelligence agencies have long argued knowing who calls who is more important than the content of phone calls. Same is true for chats.

Google has chosen a side other than consumers; that’s enough to avoid it whenever possible.

Tails [Whatever The Presidential Race Outcome]

Tuesday, September 20th, 2016

Tails – The Amnesic Incognito Live System

From the about page:

Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship almost anywhere you go and on any computer but leaving no trace unless you ask it to explicitly.

Whatever your prediction for the US 2016 presidential election, Hairy Thunderer or Cosmic Muffin, you are going to need Tails.

For free speech and/or privacy in 2017, get Tails.

It really is that simple.

Investigatory Powers Bill As Amended In Committee

Tuesday, September 13th, 2016

For those of you watching the UK’s plunge into darkness, the Investigatory Powers Bill, as amended in committee, has been posted online.

Apologies for the light amount of posting today but a very large data dump was released earlier today that distracted me from posting. 😉

Invite Government Into The Cellphone Fish Bowl

Monday, September 12th, 2016

Long-Secret Stingray Manuals Detail How Police Can Spy On Phones by Sam Biddle.

Sam summarizes the high points from around 200 pages of current but never-before-seen Harris instruction manuals. Good show!

From the post:


Harris declined to comment. In a 2014 letter to the Federal Communications Commission, the company argued that if the owner’s manuals were released under the Freedom of Information Act, this would “harm Harris’s competitive interests” and “criminals and terrorist[s] would have access to information that would allow them to build countermeasures.”

Creating countermeasures?

Better, treat these documents as a basis for reverse-engineering Harris Stingrays into DIY kits.

False promises from known liars on use of “Stingrays” or “IMSI catchers” are not going to combat government abuse of this technology.

Inviting governments to join the general public in the cellphone fish bowl might.

Can you imagine the reaction of your local sheriff, district attorney, judge, etc. when they are being silently tracked?

Not just in their routine duties but to mistresses, drug dens, prostitutes, porn parlors and the like?

We won’t have to wait long for the arrival of verifiable, secure cellphones.

Cop Stuff Catalog (dated, from 2014)

Thursday, September 1st, 2016

Introduction to Cobham Tactical Communications and Surveillance (PDF)

As a world-leader in its field, providing products and integrated surveillance solutions to law enforcement, military, national security and border patrol agencies, Cobham Tactical Communications & Surveillance offers innovative video, audio, tracking, locating, sensor, and covert surveillance solutions for government and civil agencies. (from page 2 of the PDF)

This catalog, described as “confidential” in Leaked Catalogue Reveals a Vast Array of Military Spy Gear Offered to U.S. Police, started circulating on Twitter on 1 September 2016.

The catalog is a hoot to read but if you follow the URL at the bottom of each page, www.cobham.com/tcs, you will be taken to later, public information on the same products.

More recent information I might add, as the catalog does not list the High Bandwidth Mesh – P5 (PDF), which is listed on the website.

I did not see online video concealment suggestions:

[Image: cobham-01-460]

So, perhaps the catalog is more useful than its date might indicate.

I understand the emphasis on U.S. police but this type of equipment is used by governments worldwide.

Countermeasures and/or duplicating these capabilities so the watchers can be watched are always a good idea.

PS: The outdoor trash can looks way too clean to be plausible. Besides, there are ways to create surprises with outdoor trash cans.

“…without prior written permission…” On a Public Website? Calling BS!

Saturday, August 27th, 2016

I mentioned in Your assignment, should you choose to accept it…. that BAE Systems has been selling surveillance technology to the United Arab Emirates, the nice people behind the attempted hack of Ahmed Mansoor, a prominent human rights activist.

Since then, Joseph Cox posted: British Companies Are Selling Advanced Spy Tech to Authoritarian Regimes.

From his post:

Since early 2015, over a dozen UK companies have been granted licenses to export powerful telecommunications interception technology to countries around the world, Motherboard has learned. Many of these exports include IMSI-catchers, devices which can monitor large numbers of mobile phones over broad areas.

Some of the UK companies were given permission to export their products to authoritarian states such as Saudi Arabia, the United Arab Emirates, Turkey, and Egypt; countries with poor human rights records that have been well-documented to abuse surveillance technology.

“At a time when the use of these surveillance tools is still highly controversial in the UK, it is completely unacceptable that companies are allowed to export the same equipment to countries with atrocious human rights records or which lack rule of law altogether. There is absolutely a clear risk that these products can be used for repression and abuses,” Edin Omanovic, research officer at Privacy International, told Motherboard in an email.

Joseph’s report explains the technology and gives examples of some of the sales to the worst offenders. He also includes a link to the dataset of export sales.

Joseph obtained a list of the exporters from the UK Department for International Trade. But that list is included as an image. I created this HTML list from that image:

In an attempt to seem fierce, Cellxion Ltd has this unfriendly greeting at the bottom of their public homepage:

Your IP address, [**.**.**.**], has been recorded and all activity on this system is actively monitored. Under US Federal Law (18 U.S.C. 1030), United Kingdom Law (Computer Misuse Act 1990) and other international law it is a criminal offence to access or attempt to access this computer system without prior written authorisation from cellXion ltd. Any unauthorised attempt to access this system will be reported to the appropriate authorities and prosecuted to the full extent of the law. (emphasis added, I obscured my IP number)

What does Dogbert say? Oh, yeah,

Cellxion, kiss my wager!

As you already know, use TAILS, Tor and VPN as you pursue these leads.

Good hunting!

Germany and France declare War on Encryption to Fight Terrorism

Friday, August 26th, 2016

Germany and France declare War on Encryption to Fight Terrorism by Mohit Kumar.

From the post:

Yet another war on Encryption!

France and Germany are asking the European Union for new laws that would require mobile messaging services to decrypt secure communications on demand and make them available to law enforcement agencies.

French and German interior ministers this week said their governments should be able to access content on encrypted services in order to fight terrorism, the Wall Street Journal reported.
(emphasis in original)

On demand decryption? For what? Rot-13 encryption?

The Franco-German text transmitted to the European Commission.

The proposal wants to extend current practices of Germany and France with regard to ISPs but doesn’t provide any details about those practices.

In case you have influence with the budget process at the EU, consider pointing out there is no, repeat no evidence that any restriction on encryption will result in better police work combating terrorism.

But then, what government has ever pushed for evidence-based policies?

Your assignment, should you choose to accept it….

Friday, August 26th, 2016

You may (may not) remember the TV show, Mission Impossible. It had a cast of regulars who formed a spy team to undertake “impossible” tasks that could not be traced back to the U.S. government.

Stories like: BAE Systems Sells Internet Surveillance Gear to United Arab Emirates make me wish for a non-nationalistic, modern equivalent of the Mission Impossible team.

You may recall the United Arab Emirates (UAE) were behind the attempted hack of Ahmed Mansoor, a prominent human rights activist.

So much for the UAE needing spyware for legitimate purposes.

From the article:


In a written statement, BAE Systems said, “It is against our policy to comment on contracts with specific countries or customers. BAE Systems works for a number of organizations around the world, within the regulatory frameworks of all relevant countries and within our own responsible trading principles.”

The Danish Business Authority told Andersen it found no issue approving the export license to the Ministry of the Interior of the United Arab Emirates after consulting with the Danish Ministry of Foreign Affairs, despite regulations put in place by the European Commission in October 2014 to control exports of spyware and internet surveillance equipment out of concern for human rights. The ministry told Andersen in an email it made a thorough assessment of all relevant concerns and saw no reason to deny the application.

It doesn’t sound like any sovereign government is going to restrain BAE Systems and/or the UAE.

Consequences for their misdeeds will have to come from other quarters.

Like the TV show started every week:

Your assignment, should you choose to accept it….

Secret Cameras Recording Baltimore’s…. [Watching the Watchers?]

Wednesday, August 24th, 2016

Secret Cameras Recording Baltimore’s Every Move From Above by Monte Reel.

Unknown to the citizens of Baltimore, they have been under privately funded, plane-based video surveillance since the beginning of 2016.

The pitch to the city:

“Imagine Google Earth with TiVo capability.”

You need to read Monte’s article in full and there are names you will recognize if you watch PBS:

Last year the public radio program Radiolab featured Persistent Surveillance in a segment about the tricky balance between security and privacy. Shortly after that, McNutt got an e-mail on behalf of Texas-based philanthropists Laura and John Arnold. John is a former Enron trader whose hedge fund, Centaurus Advisors, made billions before he retired in 2012. Since then, the Arnolds have funded a variety of hot-button causes, including advocating for public pension rollbacks and charter schools. The Arnolds told McNutt that if he could find a city that would allow the company to fly for several months, they would donate the money to keep the plane in the air. McNutt had met the lieutenant in charge of Baltimore’s ground-based camera system on the trade-show circuit, and they’d become friendly. “We settled in on Baltimore because it was ready, it was willing, and it was just post-Freddie Gray,” McNutt says. The Arnolds donated the money to the Baltimore Community Foundation, a nonprofit that administers donations to a wide range of local civic causes.

I find the mention of Freddie Gray ironic, considering how truthful and forthcoming the city and its police officers were in that case.

If footage exists for some future Freddie Gray-like case, you can rest assured the relevant camera failed, the daily data output failed, a Rose Mary Woods erasure accident happened, etc.

From Monte’s report, we aren’t at facial recognition, yet, assuming his sources were being truthful. But we all know that’s coming, if not already present.

Many will call for regulation of this latest intrusion into your privacy, but regulation depends upon truthful data upon which to judge compliance. The routine absence of truthful data about police activities, both digital and non-digital, makes regulation difficult to say the least.

In the absence of truthful police data, it is incumbent upon citizens to fill that gap, both for effective regulation of police surveillance and for the regulation of police conduct.

The need for an ad-hoc citizen-based surveillance system is clear.

What isn’t clear is how such a system would evolve.

Perhaps a server that stitches together cellphone video based on GPS coordinates and orientation? From multiple cellphones? Everyone can contribute X seconds of video from any given location?

Would not be seamless but if we all target known police officers and public officials…, who knows how complete a record could be developed?

Crowdsourced-Citizen-Surveillance anyone?

Tor 0.2.8.7 is released, with important fixes

Wednesday, August 24th, 2016

Tor 0.2.8.7 is released, with important fixes

From the post:

Tor 0.2.8.7 fixes an important bug related to the ReachableAddresses option in 0.2.8.6, and replaces a retiring bridge authority. Everyone who sets the ReachableAddresses option, and all bridges, are strongly encouraged to upgrade.

You can download the source from the Tor website. Packages should be available over the next week or so.

For some reason, a link to the Tor website was omitted.

Upgrade and surf somewhat more securely. (Security never being absolute.)

Defame the French Police Today!

Wednesday, August 24th, 2016

Nice Officials Say They’ll Sue Internet Users Who Share Photos Of French Fashion Police Fining Women In Burkinis by Mike Masnick.

From the post:

This seems pretty ridiculous on all sorts of levels, but never think things are so ridiculous that some politicians can’t make them worse. Guillaume Champeau from the excellent French site Numerama alerts me to the news that the deputy mayor of Nice, Christian Estrosi, is threatening to sue those who share these images over social media. Yup, France, a country that claims to pride itself on freedom is not just telling women that they can’t cover themselves up too much on the beach, but that it’s also illegal to report on the police following through on that. Here’s the awkward Google translation of the French report:

Christian Estrosi … has published a press release by the city of Nice, to announce that he would file a complaint against those who would broadcast pictures of municipal police verbalize women guilty of exercising what they believed to be their freedom to dress from head to feet on the beaches.

“Photos showing municipal police of Nice in the exercise of their functions have been circulating this morning on social networks and raise defamation and threats against these agents,” the statement said.

Wait. Showing accurate photos creates defamation against the police? How’s that work? Estrosi apparently says that legal actions have already been filed, though Numerama was unable to confirm any legal actions as yet. The article also notes that despite Estrosi implying otherwise, police do not have any sort of special protections that say they cannot be photographed while in public.

It’s not clear if you have to take the picture or merely share the picture.

Just in case sharing is enough, here is the picture from Mike’s post:

[Image: nice-burkini-01-460]

There are a number of variations on this image. I suppose all of them count as far as “defamation” of the police.

If reposting isn’t sufficient to defame the French police enforcing the burkini ban, please consider this post an active request for images of French police enforcing that ban.

What is a Stingray?

Monday, August 22nd, 2016

Pitched at an adult Sunday School level, which makes this perfect for informing the wider public about government surveillance issues.

Share this video far and wide!

For viewers who want more detail, direct them to: How IMSI Catchers Work by Jason Hernandez.

Every group has a persecution story so tie present day government surveillance to “…what if (historical) X had surveillance…” to drive your point home.

Report of the Bulk Powers Review

Friday, August 19th, 2016

Report of the Bulk Powers Review (PDF) by David Anderson Q.C. Independent Reviewer of Terrorism Legislation. (Web version)

From its webpage:

This report includes the findings of the independent review of the operational case for bulk powers, which will inform scrutiny of the Investigatory Powers Bill.

If you find yourself dissatisfied with the sound bite and excerpt commentaries on this report, you may find the two hundred and three (203) page full version more to your liking. At least in terms of completeness.

I have glanced at the conclusions but will refrain from commenting until reading the report in full. It is possible that Anderson will persuade me to change my initial impressions, although I concede that is highly unlikely.

How To Detect and Find Rogue Cell Towers

Wednesday, August 10th, 2016

How To Detect and Find Rogue Cell Towers by Brian Benchoff

Great promise but less than great delivery. The detection rig is described in general terms, so general that replication would be quite time consuming.

A generally available solution to detect rogue cell towers has yet to appear.

When one does, will this sign be useful?

[Image: No_cellphone.svg-460]

What about custom balloons with that logo?

Think of detection and warning of rogue cell towers as a civic duty.

Telephone Metadata Can Reveal Surprisingly Sensitive Personal Information

Wednesday, August 3rd, 2016

Stanford computer scientists show telephone metadata can reveal surprisingly sensitive personal information by Bjorn Carey.

The intelligence community assertion that telephone metadata only enables “connecting the dots,” has been confirmed to be a lie.

From the post:

Most people might not give telephone metadata – the numbers you dial, the length of your calls – a second thought. Some government officials probably view it as similarly trivial, which is why this information can be obtained without a warrant.

But a new analysis by Stanford computer scientists shows that it is possible to identify a person’s private information – such as health details – from metadata alone. Additionally, following metadata “hops” from one person’s communications can involve thousands of other people.

The researchers set out to fill knowledge gaps within the National Security Agency’s current phone metadata program, which has drawn conflicting assertions about its privacy impacts. The law currently treats call content and metadata separately and makes it easier for government agencies to obtain metadata, in part because it assumes that it shouldn’t be possible to infer specific sensitive details about people based on metadata alone.

The findings, reported today in the Proceedings of the National Academy of Sciences, provide the first empirical data on the privacy properties of telephone metadata. Preliminary versions of the work, previously made available online, have already played a role in federal surveillance policy and have been cited in litigation filings and letters to legislators in both the United States and abroad. The final work could be used to help make more informed policy decisions about government surveillance and consumer data privacy.

The computer scientists built a smartphone application that retrieved the previous call and text message metadata – the numbers, times and lengths of communications – from more than 800 volunteers’ smartphone logs. In total, participants provided records of more than 250,000 calls and 1.2 million texts. The researchers then used a combination of inexpensive automated and manual processes to illustrate both the extent of the reach – how many people would be involved in a scan of a single person – and the level of sensitive information that can be gleaned about each user.

From a small selection of the users, the Stanford researchers were able to infer, for instance, that a person who placed several calls to a cardiologist, a local drugstore and a cardiac arrhythmia monitoring device hotline likely suffers from cardiac arrhythmia. Another study participant likely owns an AR semiautomatic rifle, based on frequent calls to a local firearms dealer that prominently advertises AR semiautomatic rifles and to the customer support hotline of a major firearm manufacturer that produces these rifles.

One of the government’s justifications for allowing law enforcement and national security agencies to access metadata without warrants is the underlying belief that it’s not sensitive information. This work shows that assumption is not true.

See Carey’s post for the layperson’s explanation of the Stanford findings or dive into Evaluating the privacy properties of telephone metadata by Jonathan Mayer, Patrick Mutchler, and John C. Mitchell, for more detailed analysis. (Thankfully open access.)
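An added illustration (not code from the Stanford study or the quoted post) of the two measurements described above: how many numbers a multi-hop scan sweeps in, and what a pattern of called businesses implies about the caller. The call records, the directory and the pattern rule are all constructed for this example.

```python
from collections import Counter, defaultdict, deque

# Constructed sample metadata: (caller, callee, seconds). No call content at all.
CALLS = [
    ("555-0100", "555-0201", 310),  # subject -> cardiology clinic
    ("555-0100", "555-0201", 95),
    ("555-0100", "555-0202", 40),   # subject -> pharmacy
    ("555-0100", "555-0203", 620),  # subject -> device hotline
    ("555-0100", "555-0203", 180),
    ("555-0100", "555-0300", 25),   # subject -> private number
    ("555-0300", "555-0900", 12),   # private number -> widely called hub
    ("555-0301", "555-0900", 15),
    ("555-0302", "555-0900", 9),
    ("555-0303", "555-0900", 30),
    ("555-0304", "555-0302", 200),
]

# Constructed public business directory; private numbers are simply absent.
DIRECTORY = {
    "555-0201": "cardiology clinic",
    "555-0202": "pharmacy",
    "555-0203": "arrhythmia monitor hotline",
    "555-0900": "pizza delivery",
}

# Hypothetical rule: repeated calls to all of these listing types suggest a condition.
SENSITIVE_PATTERNS = {
    "possible cardiac condition": {"cardiology clinic", "arrhythmia monitor hotline"},
}

def build_graph(calls):
    """Undirected contact graph: an edge means the two numbers communicated."""
    graph = defaultdict(set)
    for caller, callee, _seconds in calls:
        graph[caller].add(callee)
        graph[callee].add(caller)
    return graph

def hop_reach(graph, seed, max_hops):
    """Map every number within max_hops of seed to its hop distance (BFS)."""
    distance = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if distance[node] == max_hops:
            continue  # do not expand past the hop limit
        for neighbour in graph[node]:
            if neighbour not in distance:
                distance[neighbour] = distance[node] + 1
                queue.append(neighbour)
    return {n: d for n, d in distance.items() if n != seed}

def infer(calls, subject, directory, patterns, min_calls=2):
    """Return (matched pattern labels, per-category call counts) for subject."""
    counts = Counter(directory[callee] for caller, callee, _s in calls
                     if caller == subject and callee in directory)
    repeated = {category for category, n in counts.items() if n >= min_calls}
    labels = sorted(label for label, needed in patterns.items() if needed <= repeated)
    return labels, counts

if __name__ == "__main__":
    graph = build_graph(CALLS)
    for hops in (1, 2, 3):
        print(hops, "hop(s):", len(hop_reach(graph, "555-0100", hops)), "numbers")
    print(infer(CALLS, "555-0100", DIRECTORY, SENSITIVE_PATTERNS))
```

The jump between two and three hops comes from the single widely called number, which is why hop limits alone do little to bound who is swept into a scan.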

Would law enforcement and national security agencies think telephone metadata is not sensitive if hackers were obtaining it from telecommunication companies and/or from the electromagnetic field where communication signals are found?

If you were interested only in law enforcement, national security agencies and governments, that would be a much smaller set of data for tracking and processing.

Sounds like a business opportunity, depending on what country, their degree of technology, market conditions for pro/anti government data.

U.S. government satellites collect such data but it is shared (or not) for odd and obscure reasons.

I’m thinking more along the lines of commercial transactions between willing sellers and buyers.

Think of it as a Rent-An-NSA type venture. Customers don’t want or need 24×7 rivals for power. Properly organized, they could buy as much or as little intelligence as they need. Exclusive access to some intelligence would be a premium product.

The Right to be Forgotten in the Media: A Data-Driven Study

Wednesday, July 27th, 2016

The Right to be Forgotten in the Media: A Data-Driven Study.

Abstract:

Due to the recent “Right to be Forgotten” (RTBF) ruling, for queries about an individual, Google and other search engines now delist links to web pages that contain “inadequate, irrelevant or no longer relevant, or excessive” information about that individual. In this paper we take a data-driven approach to study the RTBF in the traditional media outlets, its consequences, and its susceptibility to inference attacks. First, we do a content analysis on 283 known delisted UK media pages, using both manual investigation and Latent Dirichlet Allocation (LDA). We find that the strongest topic themes are violent crime, road accidents, drugs, murder, prostitution, financial misconduct, and sexual assault. Informed by this content analysis, we then show how a third party can discover delisted URLs along with the requesters’ names, thereby putting the efficacy of the RTBF for delisted media links in question. As a proof of concept, we perform an experiment that discovers two previously-unknown delisted URLs and their corresponding requesters. We also determine 80 requesters for the 283 known delisted media pages, and examine whether they suffer from the “Streisand effect,” a phenomenon whereby an attempt to hide a piece of information has the unintended consequence of publicizing the information more widely. To measure the presence (or lack of presence) of a Streisand effect, we develop novel metrics and methodology based on Google Trends and Twitter data. Finally, we carry out a demographic analysis of the 80 known requesters. We hope the results and observations in this paper can inform lawmakers as they refine RTBF laws in the future.

Not collecting data prior to laws and policies seems to be a trademark of the legislative process.

Otherwise, the “Right to be Forgotten” (RTBF) nonsense that only impacts searching and then only in particular ways could have been avoided.

The article does helpfully outline how to discover delistings, of which they discovered 283 known delisted links.

Seriously? Considering that Facebook has 1 Billion+ users, much ink and electrons are being spilled over a minimum of 283 delisted links?

It’s time for the EU to stop looking for mites and mole hills to attack.

Especially since they are likely to resort to outright censorship as their next move.

That always ends badly.

Gasp! “The Jihadists’ Digital Toolbox:…”

Tuesday, July 26th, 2016

The Jihadists’ Digital Toolbox: How ISIS Keeps Quiet on the Web by Jett Goldsmith.

From the post:

As the world dives deeper into the digital age, jihadist groups like ISIS and the Taliban have taken increasingly diverse measures to secure their communications and espouse their actions and ideas across the planet.

Propaganda has been a key measure of any jihadist group’s legitimacy since at least 2001, when al-Qaeda operative Adam Yahiye Gadahn established the media house As-Sahab, which was intended to spread the group’s message to a regional audience throughout Pakistan and Afghanistan.

Over the years, jihadist propaganda has taken a broader and more sophisticated tone. Al-Qaeda published the first issue of its digital newsmagazine, Inspire, in June of 2010. Inspire was aimed at an explicitly Western audience, and intended to call to jihad the would-be mujahideen throughout Europe and the United States.

When ISIS first took hold in Iraq and Syria, and formally declared its caliphate in the summer of 2014, the group capitalized on the groundwork laid by its predecessors and established an expansive, highly sophisticated media network to espouse its ideology. The group established local wilayat (provincial) media hubs, and members of its civil service distributed weekly newsletters, pamphlets, and magazines to citizens living under its caliphate. Billboards were posted in major cities under its control, including in Raqqah and Mosul; FM band radio broadcasts across 13 of its provinces were set up to deliver a variety of content, from fatwas and sharia lessons to daily news, poetry, and nasheeds; and Al-Hayat Media Center distributed its digital newsmagazine, Dabiq, in over a dozen languages to followers across the world.

Jett covers:

  • Secure Browsers
  • Proxy Servers and VPNs
  • Propaganda Apps (read cellphone apps)
  • Encrypted Email
  • Mobile Privacy Apps
  • Encrypted Messages

That Jihadists or anyone else are using these tools may be a surprise to some Fortune or Economist readers, but every conscious person associated with IT can probably name one or more instances for each category.

I’m sure some Jihadists drive cars, ride hoverboards, or bicycles, but dramatic recitations on those don’t advance a discussion of Jihadists or their goals.

Privacy software is a fact of life in all walks and levels of a digital environment.

Crying “Look! Over there! Someone might be doing something we don’t like!” isn’t going to lead to any useful answers, to anything. Including Jihadists.

1960’s Flashback: Important Tor Nodes Shutting Down

Tuesday, July 19th, 2016

Swati Khandelwal reports the departure of Lucky Green from the Tor project will result in the loss of several critical Tor nodes and require an update to Tor code. (Core Tor Contributor Leaves Project; Shutting Down Important Tor Nodes)

Here’s the Tonga (Bridge Authority) Permanent Shutdown Notice in full:

Dear friends,

Given recent events, it is no longer appropriate for me to materially contribute to the Tor Project either financially, as I have so generously throughout the years, nor by providing computing resources. This decision does not come lightly; I probably ran one of the first five nodes in the system and my involvement with Tor predates it being called “Tor” by many years.

Nonetheless, I feel that I have no reasonable choice left within the bounds of ethics, but to announce the discontinuation of all Tor-related services hosted on every system under my control.

Most notably, this includes the Tor node “Tonga”, the “Bridge Authority”, which I recognize is rather pivotal to the network.

Tonga will be permanently shut down and all associated cryptographic keys destroyed on 2016-08-31. This should give the Tor developers ample time to stand up a substitute. I will terminate the cron job we set up so many years ago at that time that copies over the descriptors.

In addition to Tonga, I will shut down a number of fast Tor relays, but the directory authorities should detect that shutdown quickly and no separate notice is needed here.

I wish the Tor Project nothing but the best moving forward through those difficult times,

–Lucky

As I mentioned in Going Dark With Whisper? Allies versus Soul-Mates, it is having requirements other than success of a project that is so damaging to such efforts.

I could discover that IS is using the CIA to funnel money from the sales of drugs and conflict diamonds to fund the Tor project and it would not make any difference to me. Even if core members of the Tor project knew that and took steps to conceal it.

Whether intended or not, the only people who will benefit from Lucky’s decision will be opponents of personal privacy and the only losers will be people who need personal privacy.

Congratulations Lucky! You are duplicating a pattern of behavior that destroyed the Black Panthers, the SDS and a host of other groups and movements before and since then.

Let’s hope others don’t imitate Lucky’s “I’ll take my ball and go home” behavior.

Securing A Travel iPhone

Tuesday, July 5th, 2016

Securing A Travel iPhone by Filippo Valsorda.

From the post:

These are dry notes I took in the process of setting up a burner iPhone SE as a secure travel device. They are roughly in setup order.

I believe iOS to be the most secure platform one can use at this time, but there are a lot of switches and knobs. This list optimizes for security versus convenience.

Don’t use anything older than an iPhone 5S, it wouldn’t have the TPM.

Needless to say, use long unique passwords everywhere.

There are more than forty (40) tasks/sub-tasks to securing a travel iPhone so you best start well ahead of time.

No security is perfect but if you follow this guide, you will be more secure than the vast majority of travelers.

Breaking Honeypots For Fun And Profit – Detecting Deception

Monday, July 4th, 2016

by Dean Sysman & Gadi Evron & Itamar Sher

The description:

We will detect, bypass, and abuse honeypot technologies and solutions, turning them against the defender. We will also release a global map of honeypot deployments, honeypot detection vulnerabilities, and supporting code.

The concept of a honeypot is strong, but the way honeypots are implemented is inherently weak, enabling an attacker to easily detect and bypass them, as well as make use of them for his own purposes. Our methods are analyzing the network protocol completeness and operating system software implementation completeness, and vulnerable code.

As a case study, we will concentrate on platforms deployed in real organizational networks, mapping them globally, and demonstrating how it is possible to both bypass and use these honeypots to the attacker’s advantage.

The slides for the presentation.

This presentation addresses the question of detecting (identifying) a deception.

Detection of the following honeypots is discussed:

Artillery: https://github.com/BinaryDefense/artillery (Updated URL)

BearTrap: https://github.com/chrisbdaemon/BearTrap

honeyd: http://www.honeyd.org

Dionaea: http://dionaea.carnivore.it/ (timed out on July 4, 2016)

Glastopf: http://glastopf.org/

Kippo: https://github.com/desaster/kippo

KFSensor: http://www.keyfocus.net/kfsensor/

Nova: https://github.com/DataSoft/Nova

The presenters argued that identification of an attack could result in that attack being prevented in all anti-attack code, whereas identification of an attacker could have consequences for the attack as an operation.

Combining an IP address along with other dimensions of identification, say with a topic map, could prove to be a means of sharpening the consequences for attackers.

Of course, I am assuming that at least within an agency, agents share data/insights towards a common objective. That may not be the case in your agency.

While looking for other resources on honeypots, I did find Collection of Awesome Honeypots, dating from December of 2015.

Thomas Jefferson (Too Early For Tor – TEFT)

Monday, July 4th, 2016

Official Presidential portrait of Thomas Jefferson (by Rembrandt Peale, 1800)

Thomas Jefferson lived centuries before the internet and the rise of Tor but he is easy to see as a Tor user.

He was the author of the Declaration of Independence, which if you read the details, is a highly offensive document:


He has affected to render the Military independent of and superior to the Civil Power.

He has combined with others to subject us to a jurisdiction foreign to our constitution, and unacknowledged by our laws; giving his Assent to their Acts of pretended Legislation:

For quartering large bodies of armed troops among us:

For protecting them, by a mock Trial from punishment for any Murders which they should commit on the Inhabitants of these States:

For cutting off our Trade with all parts of the world:

For imposing Taxes on us without our Consent:

For depriving us in many cases, of the benefit of Trial by Jury:

For transporting us beyond Seas to be tried for pretended offences:

He is at this time transporting large Armies of foreign Mercenaries to compleat the works of death, desolation, and tyranny, already begun with circumstances of Cruelty & Perfidy scarcely paralleled in the most barbarous ages, and totally unworthy the Head of a civilized nation.

Update the language of “For transporting us beyond Seas to be tried for pretended offences” to “Transporting people to Guantanamo Bay prison for unlawful detention” and you have a good example of what the FBI wants discussed in clear text.

Make no mistake, the FBI of today, working for George III, would have arrested Thomas Jefferson if it caught wind of the Declaration of Independence. At that time, Jefferson was not the towering figure of liberty that he is today. Then he was the opponent of a nation-state.

Jefferson was too early for Tor but he is the type of person that Tor protects.

Do you want to be on the side of George III or Jefferson in history?

Support Tor!