This reminds me of the comment from the NSA a while ago in which it said that Snowden's documents have already changed many people's behaviour. I'm on a reliable 4G network in London and (mostly) only go to places I'm familiar with. The result being that location service, WiFi, Bluetooth and NFC are permanently turned off. My girlfriend has had location services turned off since she first got an iPhone 3GS. And she won't let me use my Kinect when she's home.
Justified or not, these things are coming up in conversation at work and with friends a lot lately, which I find encouraging.
When the Snowden documents were released, I got into a heated debate with a friend, who argued that he has nothing to hide.
He said he couldn't believe anyone was naïve enough to think the government wasn't monitoring everything already, and that we elected them, so we should trust them. He said that privacy concerns sound pretty trivial compared to preventing incidents like the Boston Marathon bombings or apprehending the suspects, and that he'll gladly cooperate to help stop the bad guys.
We pretty much ruined lunch for everyone with our arguing, but he has since spent more time looking into the nuances of the topic and has said he has changed his mind. The thought of not being able to trust the government is really depressing to him.
>When the Snowden documents were released, I got into a heated debate with a friend, who argued that he has nothing to hide.
I heard Bruce Schneier being interviewed, and he said that people frequently challenge him by saying they have nothing to hide. His two-second retort, especially on call-in shows, is simple: "What's your salary?"
Yep, but that's only true for some of those things. Others, like salary and photos of your kids, have other reasons for staying hidden (impact on social situations and safety).
Eh, if I didn't think my company would be upset with me telling you what I make, I'd let you know. It's not a big deal to me. You could probably figure it out based on where I live and what I do with my free time anyway.
As for pictures of my kids, I don't have any. But it's a pretty terrible argument because it perpetuates the false idea that you must want to hide something for privacy to be necessary.
I'd bet large sums of money Bruce Schneier has never used this line of defense against the "nothing to hide" argument.
If you work somewhere that's anything like places I've ever worked, then I think knowing your salary might have a bigger impact on some of your colleagues than you might think, eventually causing some blowback to come your way. Just my observation from past experience.
I'd also like to point out that I promised not to give that information away, and regardless of the privacy implications, I can't in good conscience break my own word.
Hiding salary information is usually because it can often create awkward tension in your social groups. Like if your poor friends or family know you make a lot more money than you let show.
I know it's not the only reason for privacy, but it's a common and significant one.
Then tell them: "You're uninteresting then, it's not about you".
And add:
"Interesting people that shake up the status quo and make this world a better place, from Gandhi to MLK, HAVE had lots of stuff to hide from the government".
"Not to mention that in your shallow mind you only imagine an ever benevolent government. Would you have something to hide if Anne Frank's family asked to stay in your apartment?"
Why? The 4G network is tracking you via cell tower triangulation the whole time anyway. Might as well use the phone's WiFi when you can save some bandwidth on the slower cellular network.
Maybe I'm an ass for pointing this out, but it's trilateration, not triangulation. I set out to learn the mathematical concept, and not knowing the right term had me waste an entire evening looking at something more closely related to tessellation than spatial position locating.
You don't sound like an ass at all. Hell, if I had wasted the better part of an evening due to a simple nomenclature mix-up, I'd post it as well when the right concept comes up. It might save others some time.
Funny thing is I'm really familiar with the tech - I did COIN in the bush war in Angola, where we did a lot of triangulation (old school, using an oscilloscope). I've given up trying to explain the difference.
Because GSM, GPS and WiFi combined are, bar GPS, more accurate and pervasive together than any one in isolation. Also because when location services are off, photos don't get tagged with my location coordinates, and apps can't use my location either.
PRISM was "unlikely to happen" too. The ability to conduct surveillance through consumer devices, however, is something that already exists (cell phones [1]). Given that the NSA record private phone conversations en masse, as well as many other types of data, why would you assume it "silly fearmongering" to suggest that they'll continue to develop and improve their system's capabilities?
I'm using your words, it's not a matter of "likeliness", it's simply a thing of which we have zero evidence or indication that it is going to occur.
So yes, I do think it is "silly fearmongering" to suggest that they'll continue to develop and improve their system's capabilities in the specific way you're suggesting.
>I do think it is "silly fearmongering" to suggest that they'll continue to develop and improve their system's capabilities in the specific way you're suggesting.
Why would they not exploit a capability that they have indicated interest in exploiting given that they've already crossed the line into illegally collecting as much private information as they can?
They sold the AT&T-facilitated phone tapping as something they would do selectively, with FISA warrants. It turns out they were conducting mass collection of conversations and conversation-related data without warrants. Why would they show restraint with the ability to listen through consumer devices? Talking about scenarios that are likely to happen isn't "fearmongering"; it's rational vigilance given where we're at.
How is it not technically possible to collect information from consumer devices that are connected to the Internet and where the vendors cooperate to provide backdoors (as they do with cell phones)? As for politically feasible, it isn't politically feasible for them to collect everyone's communication via PRISM, yet they are doing it.
Preventing government abuses means paying attention to not just what they've already proven to have done, but also attempting to discourage them from taking likely next steps.
They reported a CIA official's stated interest in using consumer devices for intelligence gathering. Their analysis of that was to presume it would be abused.
It may not be deep reporting or analysis, but your suggestion that they should be fined would be more in line with how Russia runs things than the media culture of the West.
I'm saying their speculative analysis is approaching (and surpassing) the line between "analysis" and "fabrication", and they should be punished for it.
A natural human response though, so I accept it. That said, my girlfriend finds it creepy that there's a machine under the TV that recognises her, and tracks her movements. I accept that too.
Something we aren't noticing is, if he can build one that small with off the shelf parts, the NSA could and probably does have devices like these as small as quarters or perhaps embedded in dummy iPhone charging cubes.
I would bet the Feds can build out miniature versions for a few hundred bucks a piece. Which in defense dollars means they are disposable.
If I'm not mistaken, a bunch of GET requests against a public API, unfortunately set up to not require authorization credentials and yet still exposing nominally 'private' data.
This is a collection of media buzzwords strung together to create an article; it's about as insightful as claiming that network analysers can spy on network data.
I wonder why he only used one Pi per channel though; I think they have the horsepower to sniff perhaps three.
Since the Pi takes 5V just like any USB device, he could re-use the same power adapter and just get a splitter USB cable; he didn't need a full-blown powered USB with its own power adapter.
Can anyone give a technical account of how this is achieved?
The article makes it sound as though it relies on unsecured WiFi data, but also states that "Even when he didn’t connect to a Wi-Fi network, his sensors could track his location through Wi-Fi “pings.”" It also talks about iMessage, and Dropbox, and other application layer data.
iPhones are very "chatty" when not connected to a WiFi access point. They repeatedly try to find access points they have connected to before - broadcasting both their MAC address and the SSID of prior access points.
Android phones are completely silent even with the WiFi on when not connected to an access point.
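To see what a directed probe request exposes, here is an added example (not part of the thread) that parses 802.11 probe request frames and reports, per source MAC, whether the address has the locally administered bit set (which randomized MAC addresses set) and which SSIDs the device named. The frames are constructed test data with no radiotap header, and the function names are hypothetical; it is meant for checking captures of your own devices.

```python
MGMT_HDR_LEN = 24      # frame control, duration, 3 addresses, sequence control
PROBE_REQ_FC0 = 0x40   # version 0, type 0 (management), subtype 4 (probe request)


def parse_probe_request(frame: bytes):
    """Return (source_mac_bytes, ssid or None); None if not a probe request."""
    if len(frame) < MGMT_HDR_LEN or frame[0] != PROBE_REQ_FC0:
        return None
    src = frame[10:16]                      # addr2 = transmitter address
    pos = MGMT_HDR_LEN
    while pos + 2 <= len(frame):            # walk tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            break                           # truncated element, stop parsing
        if tag == 0:                        # SSID element
            return src, body.decode("utf-8", errors="replace")
        pos += 2 + length
    return src, None


def audit(frames):
    """Map each source MAC to what its probe requests reveal."""
    report = {}
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        src, ssid = parsed
        entry = report.setdefault(src.hex(":"), {
            "randomized": bool(src[0] & 0x02),  # locally administered bit
            "named_ssids": set(),
        })
        if ssid:                            # empty SSID = wildcard probe
            entry["named_ssids"].add(ssid)
    return report


def build_probe(src: str, ssid: str) -> bytes:
    """Construct a sample probe request (test data, not a real capture)."""
    sa = bytes.fromhex(src.replace(":", ""))
    hdr = b"\x40\x00\x00\x00" + b"\xff" * 6 + sa + b"\xff" * 6 + b"\x00\x00"
    name = ssid.encode()
    rates = bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])  # supported-rates element
    return hdr + bytes([0, len(name)]) + name + rates


SAMPLE_FRAMES = [  # constructed: stable MAC naming networks, random MAC wildcard
    build_probe("00:11:22:33:44:55", "HomeNet"),
    build_probe("00:11:22:33:44:55", "CafeGuest"),
    build_probe("da:a1:19:00:00:01", ""),
    b"\x80" + build_probe("00:11:22:33:44:55", "x")[1:],  # beacon, ignored
]
```

A device that shows up with `randomized` false and a non-empty `named_ssids` set is the trackable case this comment describes.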
Yep, this is a good explanation of it. Another thing he mentioned was that even if you have VPN enabled, the first few pings from Dropbox, iMessage, etc. actually aren't getting sent through the VPN.
Presumably, the location tracking is just a variant of the Wi-Fi-based positioning systems commonly used today.
Whereas the system is normally used to provide a device with its location, here it's used to track the device's location. This requires having a network of Wi-Fi access points sharing data.
Having done some hacking with those little TP-Link devices (well, on a TL-MR3020, which is almost identical), I will say that Debian on a Raspberry Pi is much easier to work with than OpenWRT on a TL-.
With the TL- devices, you have very limited writeable storage, and as it's an append-only file system, the only way to reclaim the space is to reflash the system. A Pi, by comparison, feels like a normal computer system.
Twice the price isn't necessarily a bad deal, unless you're working in such volume that development time is an insignificant part of the overall project cost. Given the choice, I'd go for a Raspberry Pi next time.
While I didn't attend this talk, someone mentioned that there was a talk at Defcon where 3G networks were being sniffed.
https://www.defcon.org/html/defcon-21/dc-21-speakers.html
Do-It-Yourself Cellular IDS
"For less than $500, you can build your own cellular intrusion detection system to detect malicious activity through your own local femtocell. Our team will show how we leveraged root access on a femtocell, reverse engineered the activation process, and turned it into a proof-of-concept cellular network intrusion monitoring system.
We leveraged commercial Home Node-Bs ("femtocells") to create a 3G cellular network sniffer without needing to reimplement the UMTS or CDMA2000 protocol stacks. Inside a Faraday cage, we connected smartphones to modified femtocells running Linux distributions and redirected traffic to a Snort instance. Then we captured traffic from infected phones and showed how Snort was able to detect and alert upon malicious traffic. We also wrote our own CDMA protocol dissector in order to better analyze CDMA traffic."
I think the author of this article doesn't really understand the technology behind packet sniffing, open wifi, what packets iPhones are sending, etc.
The article makes it sound like somehow this "device" (really just a computer - a Raspberry Pi) is somehow some special technology that people should watch out for. When I can do all of these things on any laptop on an open network. And in fact, that's going to be less attention grabbing in a cafe than some mysterious black box under a table.
It's a shame that the takeaway message wasn't that any open network is a security risk, not just when someone happens to have one of these "gadgets", but anyone on the network with a laptop can do the same thing.
The point is not "your phone/tablet network traffic can be overheard", the point is "it can be overheard and uniquely identified, therefore anyone putting cheap access points around your area can track which ones you go near, and when".
Don't despair, something great could come out of this article. A representative could read it, freak out and propose a bill that would ban the Raspberry Pi and regulate the hell out of the booming open hardware industry.
He said "public wifi". That gave me a bit of a jolt too at first.
I wonder if there are any known instances of someone monitoring and collecting a high value target's encrypted home WiFi (say a CEO before earnings, or someone at the Department of Labor) with the goal of cracking it.
Yeah, Wireshark can definitely sniff the network, but he was trying to point out that for $57 you can make ten of these and plug them in to empty outlets around the city, hotels, cafes, etc. and they would record data and send it back to a server....
Now imagine the government placed these nodes everywhere... they would basically have a fixed GPS on you.