[Cryptography] DEA bulk spying, FBI Spy Planes, IMEI Catchers, NIST cryptography standards, and ALPR amendments to HR 2578
John Denker
jsd at av8n.com
Thu Jun 4 18:00:41 EDT 2015
This is an important subject. We need to discuss
this more than we have. People talk endlessly about
the insecurity of basic internet protocols ... but
the /telephone/ network is in some ways even less
secure, and in some ways scarier in terms of its
impact on personal safety and privacy.
On 06/03/2015 03:06 PM, Jah Love wrote:
> There's some amazing stuff going into the US House of
> Representatives' HR2578.
That's nice as far as it goes, but I would not
put all of my eggs in that basket, for multiple
reasons:
a) The bill might get watered down before passage in
the House.
b) It might not get passed at all in the House.
c) It will certainly face diehard opposition in the
Senate. (Without the patriot-act sunset, nothing
remotely resembling this week's "reforms" would
have made it through the Senate.)
d) It would most likely get vetoed.
e) The NSA, DEA, FBI, etc. have a loooong track
record of doing things that are expressly illegal.
Even if they were legal they would be unconstitutional,
and even if they were constitutional they would be
bad policy ... but none of that stops them.
f) There are lots and lots of phones outside the US,
where US law does not apply.
I suggest that it is useful, and in keeping with
the traditions of this list, to look for technical
solutions.
--> We need legislation also, if only to make sure
that proper technical solutions aren't outlawed.
When I argue against one extreme it does NOT mean
I am in favor of the opposite extreme. As a good
rule of thumb, all the extremes are wrong.
As a small step in the technical direction, let me
point out that there exist IMSI-catcher-catchers, e.g.
https://opensource.srlabs.de/projects/snoopsnitch
and
https://secupwn.github.io/Android-IMSI-Catcher-Detector/
I don't know much about either of those examples. Do we
know anybody who has taken a serious look? In particular,
snoopsnitch has both a front-end client and a back-end
server. The client code is open-source, which is nice
... but I see no way to rule out the possibility that
the server is a wholly-pwned subsidiary of the BND (or
worse).
The SecUpwN site has a wiki with links to some videos
on the subject:
https://github.com/SecUpwN/Android-IMSI-Catcher-Detector/wiki
Alas, their code seems to be in a pre-alpha state right
now.
Here are some desiderata and topics for further discussion:
-- IWBNI we had a defensive system that was local and
self-contained, not dependent on communication with
any back-end server.
-- OTOH it would be OK to make use of databases. In
particular, the latitude and longitude of all legitimate
FCC-licensed cell towers are well known,
http://wireless2.fcc.gov/UlsApp/UlsSearch/searchGeographic.jsp
so anything that pops up and/or moves will stick out like
a sore thumb.
-- IWBNI there was an optional, private, and secure
way to share statistics with somebody we trust, to get
an idea of how many stingrays are swimming around in
the wild.
-- IWBNI the detector was well integrated with the rest
of the phone OS.
-- In particular, IWBNI there was a mode that allowed for
/passive/ monitoring, i.e. with the phone's RF Tx section
shut down. This would result in the catcher-catcher
knowing more than the would-be catcher.
-- For that matter, IWBNI the underlying firmware had
some semblance of security. There are more than a few
"alternative" phone firmware packages:
http://en.wikipedia.org/wiki/List_of_custom_Android_firmwares
-- Keep in mind that stingrays are nowhere near the only
threat out there; SS7 is full of security holes.
http://events.ccc.de/congress/2014/Fahrplan/system/attachments/2493/original/Mobile_Self_Defense-Karsten_Nohl-31C3-v1.pdf
It seems to me this gives us what we euphemistically call
"an opportunity for improvement". And (non-euphemistically)
there seems to be a little bit of recent motion in the
right direction.
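
The database desideratum above (known tower locations, so that anything that pops up or moves stands out), sketched as an added example that is not part of the original post and not code from SnoopSnitch or AIMSICD. It assumes a local list of licensed site coordinates, cell identities reported by the phone together with its own GPS fix, and a 5 km service radius; all sample values are constructed.

```python
import math

# Constructed sample: licensed tower sites (lat, lon), as they might be
# exported once from a public licence database into a local file.
LICENSED_SITES = [(40.7484, -73.9857), (40.7580, -73.9855), (40.7306, -73.9866)]
MAX_RANGE_KM = 5.0  # assumption: largest plausible service radius of one cell


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def review(observations, sites=LICENSED_SITES, max_range_km=MAX_RANGE_KM):
    """Flag cells that pop up away from any licensed site, or that move.

    Each observation is (cell_id, phone_lat, phone_lon): a cell the phone
    heard and the phone's own position at that moment. Everything is
    evaluated locally; no back-end server is consulted.
    """
    first_seen = {}  # cell_id -> phone position when first heard
    flags = []
    for cell_id, lat, lon in observations:
        here = (lat, lon)
        if cell_id not in first_seen:
            first_seen[cell_id] = here
            # "Pops up": heard where no licensed site could be serving.
            if min(haversine_km(here, s) for s in sites) > max_range_km:
                flags.append((cell_id, "no licensed site in range"))
        elif haversine_km(here, first_seen[cell_id]) > 2 * max_range_km:
            # "Moves": one fixed tower cannot cover both positions.
            flags.append((cell_id, "cell appears to have moved"))
    return flags


# Constructed observations (hypothetical cell identities).
SAMPLE = [
    ("310-410-1001", 40.7490, -73.9860),  # next to a licensed site
    ("310-410-1002", 40.7570, -73.9850),  # next to a licensed site
    ("310-410-9999", 41.2000, -73.2000),  # far from every licensed site
    ("310-410-1001", 40.9500, -73.9860),  # same cell, about 22 km north
]

if __name__ == "__main__":
    for cell_id, reason in review(SAMPLE):
        print(cell_id, reason)
```

A flag here is a prompt for a closer look, not proof of a catcher: a licensed temporary cell or a stale site list would trigger the same checks.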