It’s Worse Than It Sounds

In Orwell’s 1984, the citizens live with omnipresent telescreens that push propaganda and act as a monitoring camera and microphone. The screens hung on walls; today we carry them in our pockets and pay for the privilege of doing so.

I did a google image search for “retroscope” and look at this beauty!

A friend of mine wrote me about the geofence warrant – a warrant in which law enforcement sends a provider like Google a request for all of the activity from all of the cell phones in a certain area at a certain time. As you can imagine, that would be extremely interesting information for crime investigation, but it also points to a deeper underlying capability: the data must be there in long-term storage, where it can be requested at some future date. This is a query feature for the retro-scope.

There are a lot of problems with having a government agency keeping track of everyone and everything that they do, but this effectively outsources what would be an unconstitutional (maybe) level of tracking to a private entity that does it as part of their business. The tracking information becomes “data at rest” and “business records” that are subject to warranted searches or (presumably) subpoenas. Law enforcement is not intruding into your privacy and violating your 4th amendment rights – they are “politely asking a private company that already violated your privacy a long time ago.”

This is not a new thing. Law enforcement has a variety of methods for compromising citizens’ communications to track them, i.e.: “stingrays.” But why bother deploying a stingray when you can just ask Google and Facebook what the user was doing? There is no need to break the target’s encryption because the request is made against an entity that is inside the target’s encryption envelope. All of those tracking apps? Those.

As usual, with techbro-produced systems, we are currently experiencing a race to the bottom. Google, Facebook, and Apple have a great deal of this information (ditto AT&T, T-Mobile, Verizon, etc) and it is – literally – no skin off their ass to share it with law enforcement when asked. After all, “they have to.” There are companies that are specializing in this kind of thing as part of their business model; the only question is whether they’ll be able to build a precise enough picture that someone will pay for it, or whether it’s better to go to the source.

Read between the lines: [vice]

The bounty hunter sent the number to his own contact, who would track the phone. The contact responded with a screenshot of Google Maps, containing a blue circle indicating the phone’s current location, approximate to a few hundred metres.

Queens, New York. More specifically, the screenshot showed a location in a particular neighborhood – just a couple of blocks from where the target was. The hunter had found the phone (the target gave their consent to Motherboard to be tracked via their T-Mobile phone.)

The bounty hunter did this all without deploying a hacking tool or having any previous knowledge of the phone’s whereabouts. Instead, the tracking tool relies on real-time location data sold to bounty hunters that ultimately originated from the telcos themselves, including T-Mobile, AT&T, and Sprint, a Motherboard investigation has found. These surveillance capabilities are sometimes sold through word-of-mouth networks.

The play is the “Cambridge Analytica Maneuver” – the collector of the data (in that case: Facebook) allows an aggregator to query and retain a copy, which means they can build up a time-based archive of searchable facts. In the example from Vice, it turned out (surprise!) that most of the major telcos sell location data to a large number of aggregators and third parties, which make no guarantees at all what they’ll do with it. Back in the day I used similar aggregators doing computer security investigations – a private individual can’t just call AT&T’s compliance office and ask for a dump of who is connected to the cell tower in a certain area at a certain time, but they can call someone who has access to the commercial service(s) that maintain that data. The phone company can make a Big Sad Face and say “there’s nothing we can do about it” and the FCC, which is supposed to regulate that kind of thing (but doesn’t) can threaten an actual slap on the wrist for this sort of activity. [nyt]

The Federal Communications Commission has approved a proposal to fine T-Mobile, AT&T and two other cellphone carriers more than $200 million for selling customers’ location data to companies that allowed it to be misused by rogue law enforcement officers and others.

Ajit Pai: a small piece of the puzzle

Fining AT&T, T-Mobile, and two other cellphone carriers a whopping $200 million is like fining you or me the total collection of breadcrumbs in one corner of the bottom of our toaster. And, a small corner at that.

The businesses that massage that data into subpoenable marketable chunks are even more than a bit legit. For example, one might offer location-based fraud detection: they learn that Marcus Ranum’s phone tends to be in a certain variety of places and if someone tries to do a purchase using Marcus’ credit card information from what appears to be a smart phone in Romania, it’s probably a good idea to deny the transaction. Legit, right? This is that ‘Big Data” everyone was having a big wank-on about around 2010. Systems like Zumigo (just to name one) can act like an oracle if they allow automated queries:

  • Is that a legitimate transaction from Marcus Ranum?
  • If yes, is that a legitimate transaction from Marcus Ranum in New York State?
  • If no, is that a legitimate transaction from Marcus Ranum in Pennsylvania?
  • If yes is that a legitimate transaction from Marcus Ranum in Pittsburgh, Pennsylvania?
  • If no, is that a legitimate transaction from Marcus Ranum near Clearfield, Pennsylvania?

An “oracle” is a software entity that provides a true/false value to a question. If you have an oracle and are willing to ask enough questions on a directed tree, you can learn anything. It’s not as efficient as asking ‘where is Marcus Ranum’ but that’s just a matter of CPU and query bandwidth. As you can see from my example above, you can home in on a question fairly quickly, as long as you get true yes/no answers.

Ajit Pai, the F.C.C. chairman, said the move demonstrated that the agency was serious about privacy. “We took decisive action to protect American consumers, and we are confident in the balance that we struck,” he said at a news conference on Friday.

That’s Ajit Pai, FCC chairman, not Hasan Minhaj, comedian, who said that. But it was still comedy. Remember this stuff, whenever you hear the FBI start complaining that they need Apple’s help to unlock a phone. I should do a posting about that but you should assume, barring details, that that’s all more comedy. Another topic we won’t get into right now is the massive, unregulated, badly wrong databases of facial recognition data that are trawled through by search engines that are also badly wrong. But, if you have an oracle that will tell you when Marcus Ranum was approximately where, and you have an account on a facial recognition search engine then you need to do two parallel searches against two commercial services. What’s the problem? Law enforcement is not intruding on your privacy, they are buying the data from businesses that legitimately intruded on your privacy – maybe slap them on the wrist with a fine and then send then an open purchase order from the FBI.

This is how effective the system is: it sucks. [verge]

A Florida man who used a fitness app to track his bike rides found himself a suspect in a burglary when police used a geofence warrant to collect data from nearby devices, an NBC News investigation finds. Zachary McCoy had never been in the home where the burglary occurred, but by leaving his location settings on for the RunKeeper app, he unwittingly provided information about his whereabouts to Google, which placed him at the scene of the crime.

Since McCoy had biked past the house where the burglary took place three times on the day of the alleged crime – part of his usual route through the neighborhood – he was deemed a suspect. NBC News says Google’s legal investigations team contacted McCoy in January, notifying him that Gainesville police were demanding information from his Google account.

He was eventually cleared as a suspect, but not before hiring a lawyer to help him figure out exactly what data police were seeking. The geofence warrant – a type of search warrant – required Google to provide data from any devices it recorded near the scene of the burglary, including location. This data is usually drawn from Android location services; collection can be turned off from the “accounts” menu in settings.

Don’t go racing to change your location services. It’s a waste of time. If you use any WiFi, Google et all map the address range to their own geolocation database and cross-check it. There are companies that offer that as a service, don’t’cha know?

Last month, Google announced it was putting new restrictions on which Android apps can track location in the background, with all new Google Play apps that seek background access subject to a review process, beginning in August.

Last month, the barn owner took a look at the door, made sure there was no horse inside, and carefully locked it with a new high security lock.

What’s really going on is: capitalism fucked us all, again. Every app that has a “click wrap” license can include whatever tracking they want and they can call it “usage metrics” or something innocuous and you agreed to use it. That includes Google, itself, which is the granddady of “you agreed to use it” and Facebook, and Twitter, and AT&T, and, and, and…

When I was CSO at Tenable, this was my annual T-shirt design one year. Everyone loved it, especially the NSA guys.

This is just one example of many: it’s a totally legit app that appears to also be recording a bunch more data than it should. Want to be that it’s going into a Big Data Data Lake of Bits somewhere? [forbes]

In February, Google threw 600 apps out of its Play store. Amongst those was an app called Clean Master, a security tool promising antivirus protection and private browsing. It had more than 1 billion installs before it was evicted and, despite Google’s ban, is one of Android’s most downloaded apps ever and is  likely still running on millions of phones.

The company that produces Clean Master says that it’s totally legit that they track all the URLs their users go to; that way they can do reputation-based scoring and identify pop-up scam sites, and malware droppers. But the fact is: in order to do that, they are collecting everything they can. And you wonder where your bandwidth is going.

It isn’t just Clean Master that’s been watching over users’ Web activity, according to Cirlig. Three other Cheetah products – CM Browser, CM Launcher and Security Master – apps with hundreds of millions of downloads have been doing the same, according to Cirlig. He probed the apps last year to discover the behavior before sharing his research with Forbes. He found Cheetah was collecting the information from devices, encrypting the data and sending it to a Web server – ksmobile[.]com. By reverse engineering that encryption process, he was able to determine what data was being harvested from users’ phones.

If that doesn’t make your veins run with icewater, maybe you don’t understand the situation. The immutable laws of how cryptography work say it’s a very difficult problem to transmit that kind of data without making it readable by someone who intercepts it. In this case, it sounds like their “encryption” was shit. I’ve looked at apps like this, and malware command/control code, and it’s got the same issue: key management. Most of the time some coder reads Bruce Schneier’s Applied Cryptography in the Cliffs Notes version and obfuscates a secret key in the code, somewhere. Anyone who knows how to drive a debugger can rip the key out of a running instance of the code and then they have access to all the data. NSA specializes in that. I used to know Brian Snow, the commandant of the US Cryptologic Academy – the teaching arm of NSA cryptographers – and he once casually remarked that breaking that kind of stuff is a boring introductory exercise that takes someone skilled less than a couple hours.

You can expect some serious complaining to come from the US side of the globe, though, because Clean Master is Chinese and you know how those people can’t be trusted to collect data. They might build backdoors in, like Cisco, Apple and Microsoft Huawei. And once the data’s collected, it’s forever.

Watching the US veer from insanity to worse, I have pondered often “how would you run a revolution?” Even setting up underground cell structures would be difficult because you’re either constantly tracked or you’re a black hole that can be detected by its absence of signal. Once you had the cells set up, you could use the kind of tricks that Van Riper used in Millennium Challenge 2000 [stderr] – but it’s basically impossible to recruit anyone new without risking gobbling a “barium meal.” The neo-nazi fascists know this, by the way, which is why they mostly promote “lone wolf terrorists” instead of collective action; they know these capabilities exist because a lot of them are cops.

There’s a cyberwar, all right. It’s on us.

------ divider ------

With all this capability, I keep thinking “it ought to be impossible to do crimes.” Except, clearly, it’s not. The trick is to overload the system (an [RCA]) or have a friend be the attorney general. So, why are there still crimes and spies? Apparently, because the cops suck: they have all this data and they can’t seem to use it effectively.


  1. Pierce R. Butler says

    It shouldn’t take very long to link the “exposed to coronavirus” database to a “who’d they share a space with” database – except that’s a public health issue, and therefore probably won’t have much of a $$$ incentive to go with it.

  2. komarov says

    Remember this stuff, whenever you hear the FBI start complaining that they need Apple’s help to unlock a phone. I should do a posting about that but you should assume, barring details, that that’s all more comedy.

    Could it even be a clever devious bit of marketing? We’ll pay you a tidy sum of money – so tidy noone ever finds it* – and every so often, we’ll put on a show together how difficult it is to crack our stuff and how we reluctantly, under great pressure, maybe sort of give in to your demands, threats and general posturing. Or not, as the case may be. All the other times we just don’t talk about, ever.

    And just to make sure it’s worth the effort on your part, please accept these Dapple shares I happen to have in my pocket. Oh, and by the way, we are always looking for board members, chairfolk and other corporate functionaries or appendages who have shown they have Dapple’s best interests at heart. I mention this just in case you happen to find yourself retiring at some point.

    *Or not, just in case someone does notice after all – instead just focus on the other renumeration.

  3. says

    When the two idiots committed the murder in Taiwan two years ago, they were identified quickly by their cell phones and trackable bike rentals. My first thought was, “you idiots were ex-military and didn’t think to use walkie-talkies or buy cheap department store bikes as disposable getaway vehicles?” among other obvious ways to avoid tracking (i.e. staying away from surveillance cameras).

    Last year, I bought a made-in-Taiwan 4G dumb/T9 phone without GPS for the reasons given above (minimal trackable data). I also keep track of where I can use free wifi with a VPN. I don’t expect to need it, but better to have it before it’s needed.

  4. sonofrojblake says

    ” I bought a made-in-Taiwan 4G dumb/T9 phone that I think doesn’t have GPS”

    Fixed it for you.

  5. says

    Whether the phone has or does not have GPS, it can still be geolocated based on the IP egress point. There are large and very valuable databases that map egress points to geo points (Google has one, naturally) by remembering and correlating smart phones that do have GPS and attach to a particular WiFi. So any WiFi that has ever been used by a smartphone is geolocated.

    That’s what I’m talking about: you cannot hide and you cannot run.

  6. neroden says

    Revolution is trivial. All you need is a supermajority of people on your side, and the surveillance crap isn’t worth squat to the tiny minority of people who are still trying to prop up the existing system. When most of the people they’re trying to employ as enforcers don’t support the system, the system falls.

    Legitimacy is everything, and it’s a matter of *public opinion*.

    Remember, the NSA *ticked off Apple and Google* by threatening the security of *business transactions*. Way to lose public opinion.

Leave a Reply