[Cryptography] DEA bulk spying, FBI Spy Planes, IMEI Catchers, NIST cryptography standards, and ALPR amendments to HR 2578

John Denker jsd at av8n.com
Thu Jun 4 18:00:41 EDT 2015


This is an important subject.  We need to discuss
this more than we have.  People talk endlessly about
the insecurity of basic internet protocols ... but
the /telephone/ network is in some ways even less 
secure, and in some ways scarier in terms of its 
impact on personal safety and privacy.

On 06/03/2015 03:06 PM, Jah Love wrote:
> There's some amazing stuff going into the US House of
> Representatives' HR2578.

That's nice as far as it goes, but I would not
put all of my eggs in that basket, for multiple
reasons:
 a) The bill might get watered down before passage in
  the House.
 b) It might not get passed at all in the House.
 c) It will certainly face diehard opposition in the
  Senate.  (Without the patriot-act sunset, nothing
  remotely resembling this week's "reforms" would
  have made it through the Senate.)
 d) It would most likely get vetoed.
 e) The NSA, DEA, FBI, etc. have a loooong track 
  record of doing things that are expressly illegal.
  Even if they were legal they would be unconstitutional,
  and even if they were constitutional they would be
  bad policy ... but none of that stops them.
 f) There are lots and lots of phones outside the US,
  where US law does not apply.

I suggest that it is useful, and in keeping with 
the traditions of this list, to look for technical
solutions.
  --> We need legislation also, if only to make sure
   that proper technical solutions aren't outlawed.
   When I argue against one extreme it does NOT mean
   I am in favor of the opposite extreme.  As a good
   rule of thumb, all the extremes are wrong.

As a small step in the technical direction, let me
point out that there exist IMSI-catcher-catchers, e.g.
  https://opensource.srlabs.de/projects/snoopsnitch
and
  https://secupwn.github.io/Android-IMSI-Catcher-Detector/

I don't know much about either of those examples.  Do we
know anybody who has taken a serious look?  In particular,
snoopsnitch has both a front-end client and a back-end 
server.  The client code is open-source, which is nice 
... but I see no way to rule out the possibility that
the server is a wholly-pwned subsidiary of the BND (or 
worse).

The SecUpwN site has a wiki with links to some videos
on the subject:
  https://github.com/SecUpwN/Android-IMSI-Catcher-Detector/wiki
Alas, their code seems to be in a pre-alpha state right 
now.  

Here are some desiderata and topics for further discussion:
 -- IWBNI we had a defensive system that was local and 
  self-contained, not dependent on communication with 
  any back-end server.
 -- OTOH it would be OK to make use of databases.  In
  particular, the latitude and longitude of all legitimate
  FCC-licensed cell towers are well known,
    http://wireless2.fcc.gov/UlsApp/UlsSearch/searchGeographic.jsp
  so anything that pops up and/or moves will stick out like
  a sore thumb.
 -- IWBNI there was an optional, private, and secure 
  way to share statistics with somebody we trust, to get
  an idea of how many stingrays are swimming around in 
  the wild.
 -- IWBNI the detector was well integrated with the rest
  of the phone OS.
 -- In particular, IWBNI there was a mode that allowed for
  /passive/ monitoring, i.e. with the phone's RF Tx section
  shut down.  This would result in the catcher-catcher 
  knowing more than the would-be catcher.
 -- For that matter, IWBNI the underlying firmware had
  some semblance of security.  There are more than a few 
  "alternative" phone firmware packages:
    http://en.wikipedia.org/wiki/List_of_custom_Android_firmwares
 -- Keep in mind that stingrays are nowhere near the only
  threat out there;  SS7 is full of security holes.
    http://events.ccc.de/congress/2014/Fahrplan/system/attachments/2493/original/Mobile_Self_Defense-Karsten_Nohl-31C3-v1.pdf

It seems to me this gives us what we euphemistically call
"an opportunity for improvement".  And (non-euphemistically)
there seems to be a little bit of recent motion in the 
right direction.
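
Added example, not part of the original post or of either project linked in it: a local, self-contained check of the "pops up and/or moves" idea from the desiderata above. It assumes a hypothetical offline table mapping cell identities to licensed positions and a 35 km audibility bound; every identifier and coordinate below is constructed.

```python
import math

# Constructed sample table: (MCC, MNC, LAC, CID) -> licensed (lat, lon).
# Assumption: built offline from a public registry; 001/01 is the test PLMN.
KNOWN_TOWERS = {
    (1, 1, 1201, 5001): (38.8977, -77.0365),
    (1, 1, 1201, 5002): (38.9072, -77.0090),
}
MAX_RANGE_KM = 35.0  # assumed upper bound on how far a phone hears a tower

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def check_observations(observations, towers=KNOWN_TOWERS, max_km=MAX_RANGE_KM):
    """Flag cells that pop up or move; runs locally, no back-end server.

    observations: iterable of (cell_id, phone_position) from passive listening.
    """
    alerts = []
    first_seen = {}  # unlisted cell -> phone position at first sighting
    for cell, pos in observations:
        licensed = towers.get(cell)
        if licensed is not None:
            # Listed identity heard where the licensed site cannot reach.
            if haversine_km(licensed, pos) > max_km:
                alerts.append((cell, "heard too far from licensed site"))
        elif cell not in first_seen:
            first_seen[cell] = pos
            alerts.append((cell, "not in licensed table"))
        elif haversine_km(first_seen[cell], pos) > 2 * max_km:
            # Two sightings of a fixed tower are at most 2*max_km apart.
            alerts.append((cell, "unlisted cell moved"))
    return alerts

# Constructed observations: (cell identity, phone GPS fix).
SAMPLE = [
    ((1, 1, 1201, 5001), (38.9000, -77.0300)),  # listed, nearby
    ((1, 1, 1201, 5002), (39.2904, -76.6122)),  # listed, ~55 km away
    ((1, 1, 1201, 9999), (38.9000, -77.0300)),  # unlisted
    ((1, 1, 1201, 9999), (39.9526, -75.1652)),  # same cell, ~200 km later
]

if __name__ == "__main__":
    for cell, reason in check_observations(SAMPLE):
        print(cell, reason)
```

An alert here is only a reason to look closer: a newly licensed site missing from a stale table would trip the same checks.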

