NSA and GCHQ Target "Leaky" Phone Apps To Scoop User Data
schwit1 writes "New leaked NSA documents shed a new light on the agency's assault on the data controls of smartphone apps. Using app data permissions as a jumping off point, the documents show agency staffers building huge quantities of data, including 'intercepting Google Maps queries made on smartphones, and using them to collect large volumes of location information.' One slide lists capabilities for 'hot mic' recording, high precision geotracking, and file retrieval which would reach any content stored locally on the phone, including text messages, emails and calendar entries. As the slide notes in a parenthetical aside, 'if it's on the phone, we can get it.'"
what those birds are so angry about
Why are you listening?
Do you understand me now?
Why are you still listening?
Do you think I have something to hide?
Remember, I'm on your side
So bugger off like a good man
and snoop on the Taleban
I'd rather be riding my '63 Triumph T120.
The NSA has all the actual slides from the internal presentation:
http://www.theguardian.com/wor...
From what I gather, TRACKER SMURF module of the WARRIOR PRIDE rootkit for both iOS and Android sort of grabs pin positions of places you search for in Google Maps as well as where you actually ARE. What's interesting is the seeming fascination with sexual orientation and clubs. I guess if there is dirt to be had on an operative or a politician, it might be if they are secretly a wild and crazy guy, or perhaps visiting a mistress in South America instead of being lost on the Appalachian trail.
I know it's fashionable to be angry and all that, but the more of these slides they release, the more you understand how good these guys are at spycraft. It's a solid rootkit base with modules for various device driver interaction, it's pulling back info to be sorted in databases specifically at dossier building on targets, etc etc. It's a well organized program of information gathering, actually.
People seem to be freaking out that all these capabilities exist when anyone with half a wit or more knew that this was all possible.
The question is regarding the set of controls over how and when this is done.
I mean, by golly, did you know that 5 years ago they could listen in on your phone conversations and even determine where you were located when you were making the phone call?!
Carrying on about these capabilities (as opposed to the way they are used) is going to look as quaint to people in 20 years as the above concern about land-line phone calls looks now.
I always wondered why he did this. To create the GPS industry? I don't think so. Instead I think it was with the full knowledge that in a short time, the NSA could track people using it.
excitingthingstodo.blogspot.com
Don't use their products. The move away from US technology has only just begun.
One article I read phrased this as the NSA spying on Angry Birds use. Come to think of it, it makes sense! You are launching projectiles (birds) at "buildings" (the pigs' structures) to cause casualties (pigs). The black bird's even a bomb that blows himself up. The Angry Birds are terrorists!!!
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
Does this feature have any ability to secure a phone?
I take no small pleasure in doing this to Facebook.
now can we encrypt all traffic by default?
Hopefully the open source phones catch up, because right now carrying around a general purpose computing device you have no control over thanks to the carriers strikes me as an astoundingly bad idea.
Having a phone whose OS is either compromised or deliberately acting against you is obviously unhelpful; but unless you control the baseband you are pretty much fucked regardless of the OS. Cell networks are fundamentally pretty hostile in terms of how much control is held by the network or at very low levels in the baseband, rather than where you can actually see it.
From the following linked article:
"During a recent interview session I had with Mikko Hypponen, the chief research officer for digital security company F-Secure Corp, he shared that he was friends with the men behind Rovio, the creators behind another massive success story--Angry Birds."
http://www.thestar.com.my/stor...
A couple of years ago I tried, in earnest, to inform Mikko Hypponen of evidence I had acquired (first-hand) that proved that Sony Entertainment was gathering data from computers that had Sony software installed, after being referred to him by Mark Russinovich (of Microsoft/Sysinternals fame). I was stone-walled completely, even after providing crash-dumps that held all the evidence he needed to go public-- now, I know why.
The shame of it is, if I felt that the NSA was obeying the law, not watching people but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized, I would favor this capability.
Though let me be clear here; by "probable cause", I mean that a substantial percentage of the people who pass the probable cause bar wind up being found guilty. The notion that anyone crossing the border is subject to search, for example, doesn't pass the test.
Stop-Prism.org: Opt Out of Surveillance
It seems like time to revisit virtualization within smartphones. Set up a VM with a bogus profile, and use that as a walled sandbox to run any questionable games or apps. If necessary, direct that VM's network traffic through an Internet proxy.
The NSA has 15 such cases that they feel like telling congress about. These are a few of the cases where the target caught on or the employee was otherwise busted. Given Snowden, it's reasonable to think NSA employees can do a lot without being caught.
As a rough guesstimate, maybe 1 / 20 who snoop on the woman they fantasize about get caught. How many of those are reported to Clapper? One in four? How many does Clapper want to tell Congress about? Maybe 1/4 of the ones he knows about?
So as a rough guess, 15 X 20 X 4 X 4 = 2,400 NSA employees have been spying on women they have a crush on.
Indeed, that's the difference. When they had to show up with a warrant for a specific individual and have agents sit and listen, they did that for high value suspects. Now it's all of us, all the time, who are the targets.
> Chinese phones have BigBrother software intended for tracking Chinese citizens. This spyware probably won't work well from US providers.
I suspect the Chinese have noticed that they're shipping millions of phones to their #1 rival, the US.
Notice are set up in English. It's beyond trivial for the Chinese to set export phones to English language and US region backdoor.
If those Powerpoint slides are legit, then someone inside the NSA is seriously negligent in proper portion marking of classified documents. That's a security violation right there.
You may refuse and don't want a GPS bracelet on your ankle or wrist but that is what you will have. A dog collar for all of your LIFE.
WEARABLES, it's the future... (not your future as you have none in your digital cage) :)
Don't want a GPS bracelet tracking your every move?
Don't wear one.
It is optional to wear one ( unless you commit heinous crimes ).
The question becomes, do you *need* to wear one?
Today: not really.
The future: would be a 'nice to have' and cheap as chips. But probably still optional.
Your phone has a GPS too and you can be tracked via cellular triangulation, so if you are worried about tracking, you might as well not have a mobile phone at all.
TLDR: Don't worry, you are allowed to not buy one.
Surely the existence of these abilities is a useful power in meaningful intelligence activity, so its revelation does make the NSA less effective in its legitimate work. The whole debate is always sailing close to this line; to me these revelations are over the line, unlike a lot of the earlier ones.
The file "Computer_Forensics_for_Prosecutors_(2013)_Part_1".pdf has this gem in it.
"Users of mobile devices and cloud storage sign off on their rights to data scanning, There is no opt-out option."
This file showed up when a question of TrueCrypt being backdoored came up, as out of the blue it mentions it is; if not set up correctly I would tend to agree.
Page 16 http://www.techarp.com/article...
article lies about Phil Zimmermann but the only place I could find the file.
I often type in and drive to strip clubs and card rooms just to throw the NSA off since those searches are in complete contradiction of my choir boy profile.
Twelve-and-three-quarter inches. Unyielding. This wand belonged to Bellatrix Lestrange.
Not if the government does it. The government doesn't have to follow the laws it passes for we the peasants.
Just to get a picture of my dong. They could have just asked, I mean, if it was for national security and all that...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
"If it's on the phone..."
Oh yeah? Not if I don't have a smart phone with data, you can't.
Still not gonna give in.
That lady with the dragon tattoo seems like a spy.
I'll keep an eye on her.
Even if you could setup a VM-like environment, you are wasting your time. First, you can't hack the 2nd cpu in the phone, which is the one that does the cell-tower comms, and how the backdoors can be loaded into the phone, and secondly, they don't really need to do the backdoor route because your data traffic is what reveals most of the info they are looking for. The only way to secure a cell phone is to place it in a faraday cage, embedded in concrete, and deep-sixed in the ocean.
You are being MICROattacked, from various angles, in a SOFT manner.
Security theatre. It will help with privacy from the perspective of not giving away lots of info to a particular app maker, but it will do nothing to stop what NSA/GCHQ is doing.
playing Angry Birds, mayhaps enraging you (?); you have nobody to blame but yourself. Ok, NSA shouldn't be grabbing your www.Rivo.com (Angry Bird) data, but the truth is they are just double dipping what Rivo.com has already collected. The reason Angry Birds is mentioned is its ToS. Do yourself a favor and read it. You'll find it at www.rovio.com.
When I say ToS, I mean everything; Privacy Policy, EULA and any other practice of using your private info - to me the phrase "ToS" covers it all.
I read ToS's and if I disagree with them, refuse to use their services (FaceBook.com) or take measures to block parts I'm able to. www.rovio.com was one of the worst ToS I'd ever read from a company whose sole purpose is pushing Angry Birds and many other popular on-line applications to collect data for various reasons, one being ADs tailored to you - if you pay for the application or game, it has no effect on the data mined from you, maybe just block an ad or two; others have use for the data mined and www.rovio.com comes across as the company more than able to supply it to them.
When I first read their ToS, Rovio mentioned they send "some information overseas"; that was all that was said, what was sent, by what route and just who was overseas all omitted. Apparently www.rovio.com was using data mining practices only allowed somewhere "overseas".
I've just scanned Rovio's ToS for the first time in a year or more, was a chore removing all the blocks. I didn't reread it, just searched for the word overseas, which was missing; I assume redefining it to allow Overseas to be omitted. Last updated: October 2013
I use www.rovio.com as a poster child of what a bad ToS reads like. Rovio uses the www.nytimes.com's privacy policy :} - to show it's "in fine company", or they aren't the only ones doing it. http://www.rovio.com/en/news/b... bottom of the list. www.rovio.com also taught me of Flurry.com - one thing about www.rovio.com, they covered everybody in the chain, very helpful editing one's HOSTS file. Missing of course: "overseas".
After reading Rovio's ToS - to opt out is done by cookies, you can never remove another cookie, it's best to use a HOSTS file - except for www.Flurry.com which is Google's on-line Analytics. To block Flurry.com you must request to opt out (I can't find the address for obvious reasons - Google: flurry.com opt out).
You will need a rather hard to find mobile number; "Android ID" is required for that https://play.google.com/store/... contrary to a review posted you don't opt out of www.rovio.com this way, use a router firewall, which you're most likely using to connect to the Internet with, and add www.rovio.com.
Each time you Change Roms, unlock, root, jail break or whatever you call owning your mobile device you will need to opt out from Flurry.com again (your ID will have changed).
It's a lot to type; but if you stayed with it and it helped you, worth it.
> Hopefully the open source phones catch up, because right now carrying around a general purpose computing device you have no control over thanks to the carriers strikes me as an astoundingly bad idea.
> Having a phone whose OS is either compromised or deliberately acting against you is obviously unhelpful; but unless you control the baseband you are pretty much fucked regardless of the OS. Cell networks are fundamentally pretty hostile in terms of how much control is held by the network or at very low levels in the baseband, rather than where you can actually see it.
Sometimes you just have to hope for the best.
I like having a smart phone (and Android tablet), I was able to root the tablet before it became illegal. The phone calls out from the tablet (cyanogenmod ROM) that has Droid Firewall and permissions denied; the tablet through a router firewall. So no cell towers (if that helps much).
Hiding from NSA is or was never a goal, but from advertisers, while having everything at my disposal all the time, calendar, games, videos, and mostly the camera. I go to a parts store anymore, hold up my camera and say I need this :}.
While a smart phone isn't necessary for it, it's just nice to be able to call anybody at any time, still remember scouting for phone booths at times with little luck.
Sometimes the best isn't always a goal; two things I still won't do with my cell phone (tablet) are transfer money from an open account (money cards ok) or use them for my Email. Email is more prevention (malware) than eavesdropping. I expect my Email to arrive as text, reading it in HTML being my decision; still using Forté Agent 1.93 just for that reason (Windows).
Trust is also missing from a mobile device in a way that just occurred to me, Cell phone or tablet, I don't have one website I'm able to auto log-on to. Fact, I rarely if ever log onto a web site mobility, ya, the camera I carry it for the camera - changed stroke mid pool (Grin)
if avoiding NSA were my goal, it's been referenced already as the "Eye of Sauron" :}