Slashdot Mirror
NSA and GCHQ Target "Leaky" Phone Apps To Scoop User Data
schwit1 writes "New leaked NSA documents shed a new light on the agency's assault on the data controls of smartphone apps. Using app data permissions as a jumping off point, the documents show agency staffers building huge quantities of data, including 'intercepting Google Maps queries made on smartphones, and using them to collect large volumes of location information.' One slide lists capabilities for 'hot mic' recording, high precision geotracking, and file retrieval which would reach any content stored locally on the phone, including text messages, emails and calendar entries. As the slide notes in a parenthetical aside, 'if it's on the phone, we can get it.'"
what those birds are so angry about
Why are you listening?
Do you understand me now?
Why are you still listening?
Do you think I have something to hide?
Remember, I'm on your side
So bugger off like a good man
and snoop on the Taleban
I'd rather be riding my '63 Triumph T120.
The NSA has all the actual slides from the internal presentation:
http://www.theguardian.com/wor...
From what I gather, TRACKER SMURF module of the WARRIOR PRIDE rootkit for both IOS and Android sort of grabs pin positions of places you search for in Google Maps as well as where you actually ARE. What's interesting is the seeming fascination with sexual orientation and clubs. I guess if there is dirt to be had on an operative or a politician, it might be if they are secretly a wild and crazy guy, or perhaps visiting a mistress in South America instead of being lost on the Appalachian trail.
I know it's fashionable to be angry and all that, but the more of these slides they release, the more you understand how good these guys are at spycraft. It's a solid rootkit base with modules for various device driver interaction, it's pulling back info to be sorted in databases specifically at dossier building on targets, etc etc. It's a well organized program of information gathering, actually.
People seem to be freaking out that all these capabilities exist when anyone with half a wit or more knew that this was all possible.
The question is regarding the set of controls over how and when this is done.
I mean, by golly, did you know that 5 years ago they could listen in on your phone conversations and even determine where you were located when you were making the phone call?!
Carrying on about these capabilities (as opposed to the way they are used) is going to look as quaint to people in 20 years as the above concern about land-line phone calls looks now.
I always wondered why he did this. To create the GPS industry? I don't think so. Instead I think it was with the full knowledge that in a short time, the NSA could track people using it.
excitingthingstodo.blogspot.com
Hopefully the open source phones catch up, because right now carrying around a general purpose computing device you have no control over thanks to the carriers strikes me as an astoundingly bad idea.
The permissions system in Android is and has been a joke since the beginning. I would never use it as is.
I install F-wall for fine-grained control of network permissions on per-app basis. I don't use any "cloud-based" applications (Google, Facebook, etc). There ARE FOSS alternatives.
* K-9 mail (IMAP mail)
* Calendar Sync Adapter (plugs into Android's calendar and enables sync to a Caldav server. It's early in development but works for me)
* Firefox
We spent 25 years getting rid of Windows and it's ugly .exe-world and now we're quickly replacing it with something even worse. It's deeply tragic from a security point of view.
Don't use their products. The move away from US technology has only just begun.
One article I read phrased this as the NSA spying on Angry Birds use. Come to think of it, it makes sense! You are launching projectiles (birds) at "buildings" (the pigs' structures) to cause casualties (pigs). The black bird's even a bomb that blows himself up. The Angry Birds are terrorists!!!
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
Does this feature have any ability to secure a phone?
I take no small pleasure in doing this to Facebook.
now can we encrypt all traffic by default?
The difference between Windows and android phones is that they must install a backdoor in the android ones.
From the following linked article:
"During a recent interview session I had with Mikko Hypponen, the chief research officer for digital security company F-Secure Corp, he shared that he was friends with the men behind Rovio, the creators behind another massive success story--Angry Birds."
http://www.thestar.com.my/stor...
A couple of years ago I tried, in earnest, to inform Mikko Hypponen of evidence I had acquired (first-hand) that proved that Sony Entertainment was gathering data from computers that had Sony software installed, after being referred to him by Mark Russinovich (of Microsoft/Sysinternals fame). I was stone-walled completely, even after providing crash-dumps that held all the evidence he needed to go public-- now, I know why.
Let's fix it, there are some really great roms out there. Rooting for wireless Tether is VITAL. And another killer app, though it may seem minor it makes a huge difference, is the ability to change tracks in your pocket without looking at the phone at all. Using long press on the volume keys.
Down with surveillance, the NSA has been given broad authority with NOTHING to show for it. Time to lock down everything they don't admit they are spying on... I don't want NSA people to have all the best pick up lines, that'd be evil.
And their manchurian candidate with access to the opponent's copy of Microsoft Office and Powerpoint can't be beat using conventional politics.
The shame of it is, if I felt that the NSA was obeying the law, not watching people but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized, I would favor this capability.
Though let me be clear here; by "probable cause", I mean that a substantial percentage of the people who pass the probable cause bar wind up being found guilty. The notion that anyone crossing the border is subject to search, for example, doesn't pass the test.
Stop-Prism.org: Opt Out of Surveillance
This perpetual slide towards software we have less and less control over is NOT a good thing for us. Everyone buying into it is a chump.
Yes, it's true that the cell tower can collect your phone's location even if you have a trustworthy software stack. But that's better than collecting your phone's location AND everything you ever do with your phone's software.
But go ahead people. Keep buying the shiny cages. I mean, it's worked out so well so far.
It seems like time to revisit virtualization within smartphones. Set up a VM with a bogus profile, and use that as a walled sandbox to run any questionable games or apps. If necessary, direct that VM's network traffic through an Internet proxy.
The NSA has 15 such cases that they feel like telling congress about. These are a few of the cases where the target caught on or the employee was otherwise busted. Given Snowden, it's reasonable to think NSA employees can do a lot without being caught.
As a rough guesttimate, maybe 1 / 20 who snoop on the woman they fantasize about get caught. How many of those are reported to Clapper? One in four? How many does Clapper want to tell Congress about? Maybe 1/4 of the ones he knows about?
So as a rough guess, 15 X 20 X 4 X 4 = 2,400 NSA employees have been spying on women they have a crush on.
Indeed, that's the difference. When they had to show up with a warrant for a specific individual and have agents sit and listen, they did that for high value suspects. Now it's all of us, all the time, who are the targets.
> Chinese phones have BigBrother software intended for tracking Chinese citizens. This spyware probably won't work well from US providers.
I suspect the Chinese have noticed that they're shipping millions of phones to their #1 rival, the US.
Notice are set up in English. It's beyond trivial for the Chinese to set export phones to English language and US region backdoor.
So, if I do this as a private individual I get arrested, but the NSA is off the hook?
I have bought an SSH app for my WP8 phone. For all I know I have given keys to my kingdom to the NSA, organized criminals, or both.
You may refuse and dont want a GPS bracelet on your ankle or wrist but that is what you will have. A dog collar for all of your LIFE.
WEARABLES, it's the future... (not your future as you have non in your digital cage) :)
If those Powerpoint slides are legit, then someone inside the NSA is seriously negligent in proper portion marking of classified documents. That's a security violation right there.
Surely the existence of these abilities is a useful power in meaningful intelligence activity, so its revelation does make the NSA less effective in its legitimate work. The whole debate is always sailing close to this line; to me these revelations are over the line, unlike a lot of the earlier ones.
The file "Computer_Forensics_for_Prosecutors_(2013)_Part_1".pdf has this gem in it.
"Users of mobile devices and cloud storage sign off on their rights to data scanning, There is no opt-out option."
This file showed up when a question of True Crypt being back doored came up, as out of the blue it mentions it is; if not set up correctly I would tend to agree.
Page 16 http://www.techarp.com/article...
article lies about Phil ZImermann but the only place I could find the file.
... and it is a felony in the USA.
I often type in and drive to strip clubs and card rooms just to throw the NSA off since those searches are in complete contradiction of my choir boy profile.
Twelve-and-three-quarter inches. Unyielding. This wand belonged to Bellatrix Lestrange.
Basically everyone needs to deal with the risk of multiple entry points into the organisation .... How anyone will deal with the security risk assessment is beyond me.
Just to get a picture of my dong. They could have just asked, I mean, if it was for national security and all that...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Is really fucked up
Do we not have better things to think about?
"If it's on the phone..."
Oh yeah? Not if I don't have a smart phone with data, you can't.
Still not gonna give in.
-
So it slowly come out.
Mr. Obama the "President N Chief."
His demands for minute-by-minute information on all U.S.A. citizens and all Not-U.S.A. citizens is nothing more than to satisfy his pervert fetishes.
Well Mr. Pervert N Chief, I hope your masturbations soothe the "Executive" and are service payable from the U.S.A. Treasury.
Obama goes from 'First Stoner' to 'First Masturbator.'
Ha ha
Sad but true
You are You
anybody with anything to lose would never trust any application to which they didn't have the source code. This targets US civilians, period. If you're filthy rich, you're one of us.
Abandon smart phones, and carry a 'dumb' one, preferably chinese multi-sim. Make sure you change numbers often.
Then change carriers every 2nd month, take on those free trials to switch etc.
Send SMS's like I cant discuss that on the phone - meet me at location woodpecker at 4pm (and remove battery out of phone at 3.45) for 1/2 hour.
Message like 'Import private key on page 452 line 21, ICQ page 210 line 4, action red book, page 9, parra 12.
then 1 month later 'Pick you up at kindergarten at 3pm'. People who KNOW they are under observation change their habbits.
So happy to think a Utah mormon wasted hours investigation 'The reindeers graze lightly on the rooftop'. The 2 hours later southpark S17 episode 1. How dare they wire up Santa! .
aren't fiction after all. ;(
That lady with the dragon tattoo seems like a spy.
I'll keep an eye on her.
"The documents do set out in great detail exactly how much information can be collected from widely popular apps. One document held on GCHQ's internal Wikipedia-style guide for staff details what can be collected from different apps. Though it uses Android apps for most of its examples, it suggests much of the same data could be taken from equivalent apps on iPhone or other platforms.
The GCHQ documents set out examples of what information can be extracted from different ad platforms, using perhaps the most popular mobile phone game of all time, Angry Birds – which has reportedly been downloaded more than 1.7bn times – as a case study.
From some app platforms, relatively limited, but identifying, information such as exact handset model, the unique ID of the handset, software version, and similar details are all that are transmitted.
Other apps choose to transmit much more data, meaning the agency could potentially net far more. One mobile ad platform, Millennial Media, appeared to offer particularly rich information. Millennial Media's website states it has partnered with Rovio on a special edition of Angry Birds; with Farmville maker Zynga; with Call of Duty developer Activision, and many other major franchises."
iOS has disabled this kind of tracking , but it's still in theory possible to use the same kind of tracking you'd get from a user on a laptop or desktop because it's much harder to delete caches and cookies on iOS. BUT... iOS doesn't support flash, which is where the majority of tracking happens. You should be disabling or at least "click to run" flash on desktops for the same reason.
Android is such a mess, that if you bought an Android device (or it was the free throw-away) you've likely already been tracked by the NSA even if you don't live in the US because it only takes one app that sends unencrypted data over the wire to do it. Hence the reference to Google Maps, which is used by default on Android devices.
There's some fantastic irony in that Apple dumping Google Maps in favor of it's own actually made iOS more secure.
Even if you could setup a VM-like environment, you are wasting your time. First, you can't hack the 2nd cpu in the phone, which is the one that does the cell-tower comms, and how the backdoors can be loaded into the phone, and secondly, they don't really need to do the backdoor route because your data traffic is what reveals most of the info they are looking for. The only way to secure a cell phone is to place it in a faraday cage, embedded in concrete, and deep-sixed in the ocean.
You are being MICROattacked, from various angles, in a SOFT manner.
Security theatre. It will help with privacy from the perspective of not giving away lots of info to a particular app maker, but it will do nothing to stop what NSA/GCHQ is doing.
You are being MICROattacked, from various angles, in a SOFT manner.
playing Angry Birds, mayhaps enraging you (?); you have nobody to blame but yourself. Ok, NSA shouldn't be grabbing your www.Rivo.com (Angry Bird)
data, but the truth is they are just double dipping what Rivo.com has already collected. The reason Angry Birds is mentioned is it's ToS. Do yourself a favor and read it, You'll find it at www.rovio.com.
When I say ToS, I mean everything; Privacy Policy, EULA and any other practice of using your private info - to me the phrase "ToS" covers it all.
I read ToS's and if I disagree with them, refuse to use their services (FaceBook.com) or take measures to block parts I'm able to. www.rovio.com was one of the worst ToS, I'd ever read from a company who's sole purpose is pushing Angry Birds and many other popular on-line applications to collect data for various reasons,
One being ADs tailored to you -if you pay for the application or game, it has no effect on the data mined from you, maybe just block an ad or two, others have use
for the data mined and www.rovio.com comes across as the company more than able to supply it to them.
When I first read their ToS, Rivo mentioned they send "some information overseas" that was all that was said, what was sent, by what route and just who was overseas all omitted. Apparently www.rovio.com was using data mining practices only allowed somewhere "overseas".
I've just scaned Rivo's ToS for first time in a year or more, was a chore removing all the blocks. I didn't reread it, just a searched for the word overseas, which was missing; I assume redefining it to allow Overseas to be omitting, Last updated: October 2013
I use www.rovio.com as a poster child of what a bad ToS reads like, Rovio uses the www.nytimes.com's privacy policy :} - to show it's "in fine company, or they aren't the only ones doing it. http://www.rovio.com/en/news/b... bottom of the list. www.rovio.com also taught me of Flurry.com - one thing about www.rovio.com they covered everybody in the chain, very helpful editing one's HOSTS file. Missing of course: "overseas".
After reading Rovio's ToS - to opt out is done by cookies, you can never remove another cookie, it's best to use a HOSTS file - except for www.Flurry.com which is Google's on-line Analytics. To block Flurry.com you must request to opt out (I can't find the address for obvious reasons - Google: flurry.com opt out
You will need a rather hard to find mobile number "Android ID" is required for that https://play.google.com/store/... contrary to a review posted you don't opt out of www.rovio.com this way, use a router firewall, which your most likely using to connect to the Internet with and add www.rovio.com.
Each time you Change Roms, unlock, root, jail break or whatever you call owning your mobile device you will need to opt out from Flurry.com again (your ID will of changed).
It's a lot to type; but if you stayed with it and it help you, worth it.
..is subverted. Face the hard truth.
The 1% need to control the 99% of plebeijans. And a lot of "old fart" IT guys knew this little gem for a long time.
Huawei was not obedient enough to put in backdoors for the Anglos, so NSA blacklisted them in the US. At least, thats my guess.
Putin's secret email address is BigBadBear@googlemail.com. He sends all state and military commands via this email account. NSA only tracks Putin when they fuck 500 million gmail users !
Plus, whenever he makes war, he is planning by using google maps ! Then he and the Russian general staff share their command documentation and plans via Google docs !