Category: Technology

Public-Private Surveillance Partnership

People often split surveillance into public and private. Public surveillance is perform directly by the State and is headed by agencies such as the National Security Agency (NSA), Federal Bureau of Investigations (FBI), and Central Intelligence Agency (CIA). Private surveillance is performed by corporations such as Harris Corporation, Facebook, and AT&T. Some libertarians and neoconservatives like to express a great deal of concern over the former because it’s being performed by the State but are mostly accepting of the latter because they believe private entities should be free to do as they please. However, the divide between public and private surveillance isn’t so clean cut. Private surveillance can become public surveillance with a simple court order. Even worse though is that private surveillance often voluntarily becomes public surveillance for a price:

Investigators long suspected Charles Merritt in the family’s disappearance, interviewing him days after they went missing. Merritt was McStay’s business partner and the last person known to see him alive. Merritt had also borrowed $30,000 from McStay to cover a gambling debt, a mutual business partner told police. None of it was enough to make an arrest.

Even after the gravesite was discovered and McStay’s DNA was found inside Merritt’s vehicle, police were far from pinning the quadruple homicide on him.

Until they turned to Project Hemisphere.

Hemisphere is a secretive program run by AT&T that searches trillions of call records and analyzes cellular data to determine where a target is located, with whom he speaks, and potentially why.

[…]

n 2013, Hemisphere was revealed by The New York Times and described only within a Powerpoint presentation made by the Drug Enforcement Administration. The Times described it as a “partnership” between AT&T and the U.S. government; the Justice Department said it was an essential, and prudently deployed, counter-narcotics tool.

Before you decide to switch from AT&T to Verizon it’s important to note that every major cellular provider likely has a similar program but they haven’t been caught yet. We know, for example, that Sprint has a web portal to make law enforcement access to customer data quick and easy and Verizon has a dedicated team for providing customer information to law enforcers. Those are likely just the tips of the icebergs though because providing surveillance services to the State is lucrative and most large companies are likely unwilling to leave that kind of money on the table.

At one time I made a distinction between public in private surveillance insofar as to note that private surveillance doesn’t lead to men with guns kicking down my door at oh dark thirty. It was an admittedly naive attitude because it didn’t figure how private surveillance becomes public surveillance into the equation. Now I make no distinction because realistically there isn’t a distinction and other libertarians should stop making the distinction as well (neoconservatives should also stop making the distinction but most of them are beyond my ability to help).

You’re Not the Customer, You’re the Product

There ain’t no such thing as a free lunch (TANSTAAFL). Whenever somebody appears to be giving you something for free it likely means you’re the product, not the customer. Social media is a prime example of this. A lot of people claim that social media sites such as Facebook and Instagram are Central Intelligence Agency (CIA) products meant to surveil the populace. I personally don’t believe any government agency is clever enough to come up with a successful product like Facebook. But I also know they don’t care because they understand that Facebook exists to mine and sell information so they can forego the expenses of starting a service and just buy the data.

Geofeedia was recently caught selling social media data to law enforcement departments. The company managed to get its hands on this data by simply becoming a paying customer for sites such as Facebook and Twitter. Once the company was a paying customer it could grab user data, which is the real product, and package it up to sell to law enforcement departments.

But United States law enforcers aren’t the only buyers of social media data. Government agencies across the blog pay top dollar for surveillance data. The British Transport Police were also buying social media data:

The BTP, meanwhile, has purchased software called RepKnight. According to the company’s website, RepKnight can help identify, investigate or prevent political unrest, criminal activity, and activists. It can also be used to investigate DDoS attacks.

As well as searching Facebook, Reddit, Twitter and other social networks, RepKnight can be used for “sentiment analysis,” which presents users with “an instant summary of the mood across your search results, letting you quickly spot if something’s going wrong,” RepKnight’s site reads. Customers can use the service through a normal web browser, as well as on tablets and mobile phones.

In all, the BTP has spent £41,400 ($50,500) on purchasing the software and annual licenses for its use since July 2014, according to figures published by the Department for Transport.

A lot of people mistakenly believe their personal information isn’t worth anything. These are the people that usually say “Nobody cares what I do, I’m boring.” or “If they spy on me they’ll be bored.” or something else along those lines. But BTP forked out $50,000 just to surveil the seemingly mundane lives of everyday people. In other words, even the most boring person’s data is valuable.

What’s interesting is RepKnight seems to have some interesting capabilities. Geofeedia seems to be tailored towards surveillance but RepKnight seems to be tailored towards crushing political dissidence by allowing customers to go so far as launch a distributed denial of service (DDoS) attack.

As more of our lives move online the public-private surveillance partnership will continue to grow. Don’t be surprised if you’re pulled over in the near future and the law enforcer drags you out of your vehicle and beats the shit out of you because the surveillance software on his car’s laptop pulled up a negative commend you made about the police (the software, of course, will be loaded to enhance officer safety).

How to Use a IMSI Catcher

International Mobile Subscriber Identity (IMSI) catchers have remained one of the State’s more closely guarded secrets. In order for local law enforcers to gain access to one of the devices the Federal Bureau of Investigations requires them to sign a nondisclosure agreement. The FBI is even willing to drop cases rather than reveal how the surveillance devices work. But as Benjamin Franklin said, “Three may keep a secret, if two of them are dead.” With multiple agencies having access to information about IMSI catchers it was inevitable that information such as the user manuals would leak:

HARRIS CORP.’S STINGRAY surveillance device has been one of the most closely guarded secrets in law enforcement for more than 15 years. The company and its police clients across the United States have fought to keep information about the mobile phone-monitoring boxes from the public against which they are used. The Intercept has obtained several Harris instruction manuals spanning roughly 200 pages and meticulously detailing how to create a cellular surveillance dragnet.

I haven’t read through the manuals yet but the highlights posted by The Intercept shows the software tools provided with the catchers to be robust and so simple even a cop can use them.

One might be compelled to ask why the State is so dead set on keeping this technology secret. Especially when anybody with the money can acquire one through the black market. The answer to that question is that the State is like any other criminal organization in that it tries to keep its operations as secret as possible. Sure, it maintains a public face just as Al Capone maintained soup kitchens. But the nitty gritty stuff is always hidden behind a veil of fancy words like “classified”. This is because the State knows what it’s doing is morally repugnant and wouldn’t be enjoyed by the people who think the State serves them. Fortunately the State’s secrets always leak out eventually.

Technology Empowers Individuals

In all regions of the planet having sex is legal. But in many regions being paid to have sex is illegal. Some of those areas to have a caveat where you can legally be paid for sex but you have to be filmed doing it. Either way, governmental restrictions on sex work have made the trade more dangerous. Many sex workers have been relegated to operating under the authority of abusive pimps. However, technology is changing that:

Soon after Kate ran into trouble at the nightclub—like many other fresh-faced high school girls in Hong Kong today—she discovered online forums to run her own business as a sex worker. On HK Big Man and HK Mensa, where ads are proliferating everyday, so-called “compensated daters” offer their services without the help of a middleman.

Bowie Lam Po-yee, who runs an organization called Teen’s Key that provides outreach for these girls, says that it’s common for one girl to find an ad she likes, and then copy it—with just minor adjustments. Then, girls leave their contact information and negotiate where they’ll meet and how much they’ll charge. It’s easier to evade the cops that way: they’re less likely to be caught for solicitation if they’ve checked a client out to see if he’s legitimate. Police can be obvious as to their identity when it comes to brokering a deal over a chat app.

The job of a pimp has been to market out sex workers and they often use their position abusively. Ubiquitous communication technology allows sex workers to market themselves. Forums, smartphones, and chat applications allow sex workers to cut out the middle man, which allows them to keep all of the profits as well as not be reliant on an abusive individuals.

This isn’t just true for sex workers. Online communication technology has also made the drug trade safer. Technology often acts as a balance to the State. When the State makes a market more dangerous by declaring it illegal technology helps make it safe again.

You Ought to Trust the Government with the Master Key

The Federal Bureau of Investigations (FBI) director, James Comey, has been waging a war against effective cryptography. Although he can’t beat math he’s hellbent on trying. To that end, he and his ilk have proposed schemes that would allow the government to break consumer cryptography. One of those schemes is call key escrow, which requires anything encrypted by a consumer device be decipherable with a master key held by the government. It’s a terrible scheme because any actor that obtains the government’s master key will also be able to decrypt anything encrypted on a consumer device. The government promises that such a key wouldn’t be compromised but history shows that there are leaks in every organziation:

A FBI electronics technician pleaded guilty on Monday to having illegally acted as an agent of China, admitting that he on several occasions passed sensitive information to a Chinese official.

Kun Shan Chun, also known as Joey Chun, was employed by the Federal Bureau of Investigation since 1997. He pleaded guilty in federal court in Manhattan to one count of having illegally acted as an agent of a foreign government.

Chun, who was arrested in March on a set of charges made public only on Monday, admitted in court that from 2011 to 2016 he acted at the direction of a Chinese official, to whom he passed the sensitive information.

If the FBI can’t even keep moles out of its organization how are we supposed to trust it to guard a master key that would likely be worth billions of dollars? Hell, the government couldn’t even keep information about the most destructive weapons on Earth from leaking to its opponents. Considering its history, especially where stories like this involving government agents being paid informants to other governments, there is no way to reasonably believe that a master key to all consumer encryption wouldn’t get leaked to unauthorized parties.

Americans aren’t Ready for Most Things

One of the worst characteristics of American society, which is probably common in most societies, is the popular attitude of resisting change. Many Americans resist automation because they’re afraid that it will take people’s jobs. Many Americans resist genetically modified crops because they think nature actually gives a shit about them and therefore produces pure, healthy foodstuffs. Many Americans resist wireless communications because their ignorance of how radiation works has convinced them that anything wireless causes cancer.

With such a history of resisting advancement I’m not at all surprised to read that most Americans are resistant to human enhancement:

Around 66 and 63 percent of the respondents even said that they don’t want to go through brain and blood enhancements (respectively) themselves. They were more receptive to the idea of genetically modifying infants, though, with 48 percent saying they’re cool with making sure newly born humans won’t ever be afflicted with cancer and other fatal illnesses. Most participants (73 percent) are also worried about biotech enhancers’ potential to exacerbate inequality. Not to mention, there are those who believe using brain implants and blood transfusions to enhance one’s capabilities isn’t morally acceptable.

The concern about exacerbating inequality really made me guffaw. Few pursuits could reduce inequality as much as biotech. Imagine a world where paralysis could be fixed with a quick spinal implant. Suddenly people who were unable to walk can become more equal with those of us who can. Imagine a world where a brain implant could help people with developmental disabilities function as an average adult. Suddenly people suffering from severe autism can function at the same level as those of us not suffering from their disability. Imagine a world where a brain implant can bypass the effects of epilepsy or narcolepsy. Suddenly people who cannot drive due to seizures or falling asleep uncontrollably can drive.

Human enhancement can do more to create equality amongst people than anything else. Physical and mental disparities can be reduced or even eliminated. Anybody who can’t see that is a fool. Likewise, any moral system that declares self-improvement immoral is absurd in my opinion. Fortunately, the future doesn’t give two shits about opinion polls and the technology will advance one way or another.

All Full-Disk Encryption isn’t Created Equal

For a while I’ve been guarded when recommending Android devices to friends. The only devices I’ve been willing to recommend are those like the Google Nexus line that receive regular security updates in a timely manner. However, after this little fiasco I don’t know if I’m willing to recommend any Android device anymore:

Privacy advocates take note: Android’s full-disk encryption just got dramatically easier to defeat on devices that use chips from semiconductor maker Qualcomm, thanks to new research that reveals several methods to extract crypto keys off of a locked handset. Those methods include publicly available attack code that works against an estimated 37 percent of enterprise users.

A blog post published Thursday revealed that in stark contrast to the iPhone’s iOS, Qualcomm-powered Android devices store the disk encryption keys in software. That leaves the keys vulnerable to a variety of attacks that can pull a key off a device. From there, the key can be loaded onto a server cluster, field-programmable gate array, or supercomputer that has been optimized for super-fast password cracking.

[…]

Beniamini’s research highlights several other previously overlooked disk-encryption weaknesses in Qualcomm-based Android devices. Since the key resides in software, it likely can be extracted using other vulnerabilities that have yet to be made public. Beyond hacks, Beniamini said the design makes it possible for phone manufacturers to assist law enforcement agencies in unlocking an encrypted device. Since the key is available to TrustZone, the hardware makers can simply create and sign a TrustZone image that extracts what are known as the keymaster keys. Those keys can then be flashed to the target device. (Beniamini’s post originally speculated QualComm also had the ability to create and sign such an image, but the Qualcomm spokeswoman disputed this claim and said only manufacturers have this capability.)

Apple designed its full-disk encryption on iOS very well. Each iOS device has a unique key referred to as the device’s UID that is mixed with whatever password you enter. In order to brute force the encryption key you need both the password and the device’s UID, which is difficult to extract. Qualcomm-based devices rely on a less secure scheme.

But this problem has two parts. The first part is the vulnerability itself. Full-disk encryption isn’t a novel idea. Scheme for properly implementing full-disk encryption have been around for a while now. Qualcomm not following those schemes puts into question the security of any of their devices. Now recommending a device involves both ensuring the handset manufacturers releases updates in a timely manner and isn’t using a Qualcomm chipset. The second part is the usual Android problem of security patch availability being hit or miss:

But researchers from two-factor authentication service Duo Security told Ars that an estimated 37 percent of all the Android phones that use the Duo app remain susceptible to the attack because they have yet to receive the patches. The lack of updates is the result of restrictions imposed by manufacturers or carriers that prevent end users from installing updates released by Google.

Apple was smart when it refused to allow the carriers to be involved in the firmware of iOS devices. Since Apple controls iOS with an iron fist it also prevents hardware manufacturers from interfering with the availability of iOS updates. Google wanted a more open platform, which is commendable. However, Google failed to maintain any real control over Android, which has left uses at the mercy of the handset manufacturers. Google would have been smart to restrict the availability of its proprietary applications to manufacturers who make their handsets to pull Android updates directly from Google.

The Phones Have Ears

the-walls-have-ears

Smartphone are marvelous devices but they also collect a great deal of personal information about us. Data stored locally can be encrypted but data that is uploaded to third party servers is at the mercy of the security practices of the service provider. If your mobile phone, for example, uploads precise location information to Google’s servers then Google has that information and can be compelled to provide it to law enforcers:

So investigators tried a new trick: they called Google. In an affidavit filed on February 8th, nearly a year after the initial robbery, the FBI requested location data pulled from Graham’s Samsung Galaxy G5. Investigators had already gone to Graham’s wireless carrier, AT&T, but Google’s data was more precise, potentially placing Graham inside the bank at the time the robbery was taking place. “Based on my training and experience and in consultation with other agents,” an investigator wrote, “I believe it is likely that Google can provide me with GPS data, cell site information and Wi-fi access points for Graham’s phone.”

That data is collected as the result of a little-known feature in Google Maps that builds a comprehensive history of where a user has been — information that’s proved valuable to police and advertisers alike. A Verge investigation found affidavits from two different cases from the last four months in which police have obtained court orders for Google’s location data. (Both are embedded below.) Additional orders may have been filed under seal or through less transparent channels.

This problem isn’t unique to location data on Android devices. Both Android and iOS have the ability to backup data to “the cloud” (Google and Apple’s servers respectively). While the data is encrypted in transport it is not stored in an encrypted format, at least no an encrypted format that prevents Google or Apple from accessing the data, on the servers. As Apple mentioned in the Farook case, had the Federal Bureau of Investigations (FBI) not fucked up by resetting Farook’s iCloud password, it would have been feasible to get the phone to backup to iCloud and then Apple could have provided the FBI with the backed up data. Since the backed up data contains information such as plain text transcripts of text messages the feature effectively bypasses the security offered by iMessage. Android behaves the same way when it backs up data to Google’s servers. Because of this users should be wary of using online backup solutions if they want to keep their data private.

As smartphones continue to proliferate and law enforcers realize how much data the average smartphone actually contains we’re going to see more instances of warrants being used to collect user information stored on third party servers.

If It Isn’t Broken, Don’t Fix It

When it comes to effective technology the federal government has a dismal record. Recently news organizations have been flipping out over a report that noted that the federal government is still utilizing 8″ floppy disks for its nuclear weapons program:

The U.S. Defense Department is still using — after several decades — 8-inch floppy disks in a computer system that coordinates the operational functions of the nation’s nuclear forces, a jaw-dropping new report reveals.

The Defense Department’s 1970s-era IBM Series/1 Computer and long-outdated floppy disks handle functions related to intercontinental ballistic missiles, nuclear bombers and tanker support aircraft, according to the new Government Accountability Office report.

The department’s outdated “Strategic Automated Command and Control System” is one of the 10 oldest information technology investments or systems detailed in the sobering GAO report, which calls for a number of federal agencies “to address aging legacy systems.”

I’m not sure why that report is “jaw-droping.” There is wisdom in updating systems incrementally as key components become obsolete. There is also wisdom in not fixing something that isn’t broken.

This reminds me of the number of businesses and banks that still rely on software written in COBOL. A lot of people find it odd that these organizations haven’t upgraded their systems to the latest and greatest. But replacing a working system that has been debugged and fine tuned for decades is an expensive prospect. All of the work that was done over those decades is effectively thrown out. Whatever new system is developed to replace the old system will have to go through a painful period of fine tuning and debugging. Considering that and considering the current systems still fulfill their purposes, why would an organization sink a ton of money into replacing them?

The nuclear program strikes me as the same thing. While 8″ floppy disks and IBM Series/1 computers are ancient, they seem to be fulfilling their purpose. More importantly, those systems have gone through decades of fine tuning and debugging, which means they’re probably more reliable than any replacement system would be (and reliability is pretty important when you’re talking about weapons that can wipe out entire cities).

Sometimes old isn’t automatically bad, even when you’re talking about technology.

Fly, You Fools

In addition to creating fake terrorist attacks so it can claim glory by thwarting them, the Federal Bureau of Investigations (FBI) also spends its time chasing brilliant minds out of the country:

FBI agents are currently trying to subpoena one of Tor’s core software developers to testify in a criminal hacking investigation, CNNMoney has learned.

But the developer, who goes by the name Isis Agora Lovecruft, fears that federal agents will coerce her to undermine the Tor system — and expose Tor users around the world to potential spying.

That’s why, when FBI agents approached her and her family over Thanksgiving break last year, she immediately packed her suitcase and left the United States for Germany.

Because of the State’s lust for power, the United Police States of America are becoming more hostile towards individuals knowledgable in cryptography. The FBI went after Apple earlier this year because the company implemented strong cryptography so it’s not too surprising to see that the agency has been harassing a developer who works on an application that utilizes strong cryptography. Fortunately, she was smart enough to flee before the FBI got a hold of her so none of its goons were able to slap her with a secret order or any such nonsense.

What’s especially interesting about Isis’ case is that the FBI wouldn’t tell her or her lawyer the reason it wanted to talk to her. It even went so far as to tell her lawyer that if agents found her on the street they would interrogate her without his presence. That’s some shady shit. Isis apparently wasn’t entirely dense though and decided it was time to go while the going was good. As this country continues to expand its police state don’t be afraid to follow her example.