Slashdot Mirror
Nobody's Cellphone Is Really That Secure, Bruce Schneier Reminds (theatlantic.com)
Earlier this week, The New York Times reported that the Russians and the Chinese were eavesdropping on President Donald Trump's personal cellphone and using the information gleaned to better influence his behavior. This should surprise no one, writes Bruce Schneier. From a story: Security experts have been talking about the potential security vulnerabilities in Trump's cellphone use since he became president. And President Barack Obama bristled at -- but acquiesced to -- the security rules prohibiting him from using a "regular" cellphone throughout his presidency. Three broader questions obviously emerge from the story. Who else is listening in on Trump's cellphone calls? What about the cellphones of other world leaders and senior government officials? And -- most personal of all -- what about my cellphone calls?
There are two basic places to eavesdrop on pretty much any communications system: at the end points and during transmission. This means that a cellphone attacker can either compromise one of the two phones or eavesdrop on the cellular network. Both approaches have their benefits and drawbacks. The NSA seems to prefer bulk eavesdropping on the planet's major communications links and then picking out individuals of interest. In 2016, WikiLeaks published a series of classified documents listing "target selectors": phone numbers the NSA searches for and records. These included senior government officials of Germany -- among them Chancellor Angela Merkel -- France, Japan, and other countries.
Other countries don't have the same worldwide reach that the NSA has, and must use other methods to intercept cellphone calls. We don't know details of which countries do what, but we know a lot about the vulnerabilities. Insecurities in the phone network itself are so easily exploited that 60 Minutes eavesdropped on a U.S. congressman's phone live on camera in 2016. Back in 2005, unknown attackers targeted the cellphones of many Greek politicians by hacking the country's phone network and turning on an already-installed eavesdropping capability. The NSA even implanted eavesdropping capabilities in networking equipment destined for the Syrian Telephone Company. Alternatively, an attacker could intercept the radio signals between a cellphone and a tower. Encryption ranges from very weak to possibly strong, depending on which flavor the system uses. Don't think the attacker has to put his eavesdropping antenna on the White House lawn; the Russian Embassy is close enough.
There are two basic places to eavesdrop on pretty much any communications system: at the end points and during transmission. This means that a cellphone attacker can either compromise one of the two phones or eavesdrop on the cellular network. Both approaches have their benefits and drawbacks. The NSA seems to prefer bulk eavesdropping on the planet's major communications links and then picking out individuals of interest. In 2016, WikiLeaks published a series of classified documents listing "target selectors": phone numbers the NSA searches for and records. These included senior government officials of Germany -- among them Chancellor Angela Merkel -- France, Japan, and other countries.
Other countries don't have the same worldwide reach that the NSA has, and must use other methods to intercept cellphone calls. We don't know details of which countries do what, but we know a lot about the vulnerabilities. Insecurities in the phone network itself are so easily exploited that 60 Minutes eavesdropped on a U.S. congressman's phone live on camera in 2016. Back in 2005, unknown attackers targeted the cellphones of many Greek politicians by hacking the country's phone network and turning on an already-installed eavesdropping capability. The NSA even implanted eavesdropping capabilities in networking equipment destined for the Syrian Telephone Company. Alternatively, an attacker could intercept the radio signals between a cellphone and a tower. Encryption ranges from very weak to possibly strong, depending on which flavor the system uses. Don't think the attacker has to put his eavesdropping antenna on the White House lawn; the Russian Embassy is close enough.
and you failed miserably. The lesson is never try.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
The New York Times reported that the Russians and the Chinese were eavesdropping on President Donald Trump's personal cellphone and using the information gleaned to better influence his behavior. This should surprise no one, writes Bruce Schneier.
My $0.02 why I am not surprised: -
Our government does routinely spy on friends
Our friends in the Mideast once returned the favor!
I guess we are getting a taste of our own MO.
Remember all the whining and hand wringing over Hillary Clinton using an unsecured email server? Remember how people said she was giving away state secrets and should be in jail?
Funny how those same people are absolutely silent when the con artist gives away national secrets every day over an unsecured phone.
Is to deem your smartphone compromised by default and if you're really concerned about the privacy and security of your communications then you deal with the interested parties vis-a-vis or use off-the-shelf computers with trusted software like e.g. Linux/*BSD and communication software which is known to be secure, like ring.cx, signal or wire. In order to protect yourself from compromised hardware you need to set up an internet router (any Wi-Fi access point which supports *WRT) and make sure that your traffic goes exactly where you intended it to go and not to some third parties.
If you know you're being spied on (I find it hard to believe that the Times would find out before the U.S. government) wouldn't that just motivate you to feed bad information through those channels? Sure, you could try to block the spying, but that just means that the spy tries something else and you're uncertain as to whether or not they're intercepting your communication again. Also, they're faced with the difficulty of trying to determine if there's another line of communication that they don't have access to where all of the real information is being passed and have to question the value of all of the communications that they do intercept.
This can be extended to any network: they aren't secure. The purpose of a network is to communicate, not hide communications. It sounds strange, but true. You can attempt to add security to it, but the concept of a network means sharing information.
I agree.
The three letter agencies (not counting their other internal and external allies) are watching from the satellites, intercepting at NAP points, and sniffing lots of everything else. It's a big industry with lots of contractors across the planet. They watch each other, looking for new and interesting techniques. They sift and sniff the gargantuan amount of data looking for stuff, and sometimes they're successful, allies or not.
The latest SDRs are full of fun and mirth for those wishing to do trivial decodes and intercepts. The ways around identification are non-trivial, and worse where cameras can correlate physical identification. If you travel, chances are you're seen dozens, even hundreds of times. It's not paranoia, it's a matter of stitching data together to weave correlation.
It keeps them busy, albeit expensively. The rest of us just go to work and wonder what tiny amount of actual national security gets done, given the enormous poundage of data generated each moment. The reason for AI and neural learning isn't really about anything more than sifting and reacting. Lots of dead bodies this past week whose murderers didn't get detected.
---- Teach Peace. It's Cheaper Than War.
Everyone has got to know about this international intelligence sharing agreement Echelon UKUSA/SIGINT that created 5 eyes by now. Surely? It has been in operation since the 1940's. I shouldn't be surprised that not even the article mentions it. It is the governance document for this kind of telecommunications surveillance.
I have a scan of the agreement however I've found it difficult to find the text online. The NSA links to the UK/USA seems to be broken for me. Maybe they're just interested in who is interested. ;). However a bit more digging and I found this article from the guardian that link to UK National Archive copy of the agreement. It was not available online for some time after I got it - so I suggest you grab a copy to get some idea how this agreement works. After all that's one reason it was kept secret for so long.
Essentially agencies can't spy on domestic citizens so they ask a counterpart agency to spy for them. I read somewhere that even back as far as the 90's it was doing signal processing to "gist" (as in get the gist of) about 500,000 phone conversations using data centers the size of football fields and promote them to analysts automatically. They had two nuclear submarines that would be positioned over undersea fibre optic telecommunications nodes so I think you can surmise just how well funded this agreement is if five western nations are involved.
It is like a Berlin wall of surveillance for the western world.
My ism, it's full of beliefs.
I guess nobody cares about the truth anymore. Thanks, Slashdot, for being just another propaganda tool.
Here's what Trump wrote on this Twitter:
"The New York Times has a new Fake Story that now the Russians and Chinese (glad they finally added China) are listening to all of my calls on cellphones. Except that I rarely use a cellphone, & when I do it’s government authorized. I like Hard Lines. Just more made up Fake News!"
Cell phones have been possible to listen in to, even by citizens (with some skills, and expensive equipment) for quite some time now.
The technology is the same that it has been using for the last 10-15 years, the encryption back then was too hard for that time, but today - with insanely strong GPU's and CPU's - heck...even FPGA's with a little specialized design - can crack that stream open like a tunnel wide gate, and there's even open source software so you can experiment with your "own" equipment and algorithms. Figure this - you can purchase a 2$ cellphone module complete with IMEI number, receiver/transceiver, data module, parser, encryption/decryption all-in-one-chips on eBay for the longest time. Did anyone really think these would have such processing capacity in 2018 that it couldn't be hacked today with our insane home computers (insane in comparison to 10+ years ago)?
There was even this instance where there were an old Nokia Telephone (33xx I think, not sure - but it's googleable), that had a bug that enabled you to get into monitoring mode, that phone was sought after for sinister purposes back then - and hard to find, but it was quite true.
What this world is coming to - is for you and me to decide.
Yes, despite his manifest personal weirdness rms is completely right about his: you don't control your phone. Google/Apple and any vendor you give access to your mic and camera could be listening in on you at any time it is on. I am not convinced that turning your phone off that's it's necessarily *really* off -- Snowden agrees. There is no physical way to distinguish between the phone being off and malware which emulates the phone being off, or in the case of actors with "national means", hacked firmware; after all the "power" button isn't connected to the actual battery.
I've said for years now phones need at a hardware switch that disconnects their mic and cameras, and in addition to the standard power button a battery disconnect slide switch. If you took those features and added them to an iPhone 6 you could market it as a security phone.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Log in, and let's talk about it.
Who else is listening in on Trump's cellphone calls? What about the cellphones of other world leaders and senior government officials? And -- most personal of all -- what about my cellphone calls?
About the first: one would hope that the americans are listening to Trump's calls. Not just so that they know what every other world power learns from their eavesdropping, but also to gauge how well their own manipulation of his thought processes are proceeding, too.
Regarding the second point, one hopes - expects, even - that other world leaders are more circumspect. Since we don't hear about Xi on weibo or Merkel on twitter, we can assume that they are doing the statesmanlike thing and not blabbing stupidity to the world. They keep their stupidity firmly under wraps.
Finally - about your cellphone? You simply aren't important enough to waste effort on. So long as you don't do anything utterly stupid and reckless - like running your personal banking on your phone - there is no reason anyone else in the entire world would pay you any attention. But you already know that, since few people reply to your messages and nobody picks up when you call them.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
The spies know that you know they are spying and likely feeding them bad info. They probably assign low value to anything heard on a Trump phone call unless they can corroborate it. It's still very useful intel though, because even knowing what they want you to know has value, not to mention all the stuff that is true and more general stuff like the President's mood/state of mind, speech patterns and unfiltered reactions. Well, okay, the latter is usually on Twitter 10 minutes later, but still...
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
He should not use any means of communication for anything which is not secure and encrypted.
https://www.youtube.com/c/BrendaEM
Schneier has never been an expert in security. He is just a popular media journalist who wrote a popularized book on cryptology when said book was disapproved by the rather closed crypto community of the time. I bought his book when it came out. It was the nerd equivalent of buying Salaman Rushidie's book 'The Satanic Verses' when it was almost banned.
Schneier has spent decades muckracking around to become a 'security expert' though he has few academic credentials in cryptology or information security to back him up. He could be fairly be called a crypto/security journalist. The kind of guy qualified to write an article for Wired magazine on crypto. The word gadfly also comes to mind.
If you know you're being spied on (I find it hard to believe that the Times would find out before the U.S. government) wouldn't that just motivate you to feed bad information through those channels?
Indeed, this is the strategy being used by the White House: Owing to Trump's level of sheer incompetence, most everything that comes out of his mouth is bad information.
Yes there is. It's called yanking out the battery, though user replaceable batteries seem to be going the way of disco.
Sounds like an old Yes, Prime Minister dialogue:
Sir Humphrey: With Trident we could obliterate the whole of Eastern Europe.
Jim Hacker: I don't want to obliterate the whole of Eastern Europe.
Sir Humphrey: It's a deterrent.
Jim Hacker: It's a bluff. I probably wouldn't use it.
Sir Humphrey: Yes, but they don't know that you probably wouldn't.
Jim Hacker: They probably do.
Sir Humphrey: Yes, they probably know that you probably wouldn't. But they can't certainly know.
Jim Hacker: They probably certainly know that I probably wouldn't.
Sir Humphrey: Yes, but even though they probably certainly know that you probably wouldn't, they don't certainly know that, although you probably wouldn't, there is no probability that you certainly would.
https://www.youtube.com/watch?...
Of course your phone is insecure....you're running software you don't understand on a device you don't understand, using networks you don't understand. Why anyone would think they could do this "securely" is beyond me.
So sure- some of you install a firewall and anti-virus program and think that that's going to fix all those aforementioned problems. It won't.
The fact is that there's a very, very good chance that your phone is running something you don't want, never asked for, and can't detect let alone control. Half the apps in the Apple store have skanky shit going on inside them, the Android stores (Google Play, etc) aren't much better.
Now we also know that a lot of gadgets come with purpose-made malware in them, including phones, chargers, USB hubs, HDMI adapters, screen-casting gadgets, USB drives, charging cables, video systems, Blu-Ray players, etc etc etc.
Why anyone would think that they have a handle on what their electronics are doing is always amazing to me. You don't know what your gear is doing. You just don't.
Just cruising through this digital world at 33 1/3 rpm...
Open hardware is best, of course, but it is sufficient to have a hardware switches that disconnect things.
You could repackage an iPhone 5s in a bulkier case and have a pretty securable phone.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
This seems a little simplistic considering public carriers are businesses out to make a buck and stay in the government's good graces, and methods to breach security can be had easily, if deliciously while adding security pretty much just subtracts from their bottom line.
But what about the phone he was *supposed* to be using? I'd think that the NSA would be able to configure/vet that to be inversely as secure as the public carrier networks aren't.
I still facepalm a bit when I see people whinging about: "Oh noes! Apple/Google might be monitoring your phone calls, location, or whatever. Targeted ads and Siri suggestions are CREEPY!". This, when they're carrying around a cell phone... ANY cell phone... in the first place.
Look... Apple may or may not be spying on you. Tim Cook's fight against the FBI and all his remarks about privacy may or may not be just for show. Google definitely IS spying on you. But it's primarily so they can better target ads to you. And they may or may not be feeding your information to the government. But the phone companies are 100%, without a doubt, confirmed to be spying on you... openly and brazenly... and feeding that information to the government. AT&T, for example, has been conspiring against you with the government for DECADES. The government doesn't even have to "tap" your line anymore. AT&T has built functionality for the NSA and their ilk to spy on you into their PSTN switches ever since they switched from analog to digital. They've built the same functionality into their cellular and data networks as well. They even provide space in their facilities to make playing Big Brother that much easier on the government:
https://en.wikipedia.org/wiki/...
And even before E911 rules, simple cell-tower triangulation could trace your location with startling accuracy. Remember how the first iPhone didn't have GPS? Well, it still had maps and location services. And it would show your position on said map based on signal strengths from the surrounding cell towers. It was startlingly accurate... down to 50 meters or less, I'd estimate. And anything Apple had on you, AT&T had on you as well; not because Apple necessarily shared it, but because of the way cellular networks work in the first place. And AT&T, with ZERO doubt (again... room 641A) was feeding that data to the government.
So, seriously... stop getting your panties all up in a wad over what Apple and Google may have or may do. AT&T's already sold you up the river. And they did so before smartphones were even a thing.
BTW: I pick on AT&T specifically, because they're the one that got caught red-handed. But if you doubt that Verizon and the rest are also conspiring with the NSA/FBI/etc. against you... well... I've got some fine beachfront resort land west of Miami that I think you'd just LOVE. Hit me up, and I'll tell you where to wire the money. Trust me, it'll be a steal!
Imagine all the people...
Here's what Trump wrote on this Twitter: "The New York Times has a new Fake Story that now the Russians and Chinese (glad they finally added China) are listening to all of my calls on cellphones. Except that I rarely use a cellphone, & when I do it’s government authorized. I like Hard Lines. Just more made up Fake News!"
He tweeted from a hard line? Cool tech!!!
Is it? Is it really, though? You sure that was the only power source on there? How much would even a capacitor have to store to be useful to a hostile third party?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Now the Russians and the Chinese get to be as confused as we are about U.S. policy.
If you know you're being spied on (I find it hard to believe that the Times would find out before the U.S. government) wouldn't that just motivate you to feed bad information through those channels?
Indeed, this is the strategy being used by the White House: Owing to Trump's level of sheer incompetence, most everything that comes out of his mouth is bad information.
It doesn’t have to be about government or politics to be useful information. Trump has little interest in those topics, anyway. I wouldn't be surprised if Trump wants to use his own phone because he’s more worried about his own government spying on him, (although I’m sure laziness is a factor). If he’s using that phone to run his always shady business deals, that could be very compromising information.
-- sudon't
Air-ride Equipped
Here's what Trump wrote on this Twitter:
"The New York Times has a new Fake Story that now the Russians and Chinese (glad they finally added China) are listening to all of my calls on cellphones. Except that I rarely use a cellphone, & when I do it’s government authorized. I like Hard Lines. Just more made up Fake News!"
Which he sent from his iPhone. Use TweetDeck. It’ll tell you which phone he’s using.
-- sudon't
Air-ride Equipped
That's application-layer programming. He didn't design any of the algorithms. He makes cookbooks that other people can use.
One would hope that when somebody writes cookbook examples that he doesn't fully understand himself, that they would be peer reviewed.