When the Texas school board found out gravity was a "theory".
It seems to be working for Trump.
If you think something like "cyber forensic tools" isn't a specific line item in the FBI's budget, you're crazy.
Their total budget for 2015 was just over $8.3 billion. I'm sure they could find room under their Cyber, Criminal or Intelligence categories to pull $1.3 million from for a tool to hack the phone in a case like this one.
No, it makes perfect sense. He admits the truth -- they are fucking clueless on the details of the hack. They don't even have enough information to fill out the form to start the disclosure review process.
They paid for either a service or an obfuscated, single-purpose binary. For all Comey knows it was leprechaun magic.
Part of the problem is the bulk of that audience doesn't want real news, they want entertainment. When there was scarcity of outlets, they were mostly controlled by players who did both news and entertainment.
Today, much of what passes for "news" is really entertainment. What people I know pass around as news articles is really some blog repost, of a blog repost, of a (maybe) news article. The blog reposts contain opinionated rants, adding no inherent value other than confirming the already biased opinions of the readers. Frequently the original news article isn't actual "news", but a press release or FUD article that simply quotes a government statistic or celebrity/politician soundbite.
I'd appreciate it if the Slashdot overlords could contribute to the fight by editing submissions so they go to actual original articles and not click-bait blogs. (The ghost of Roland Piquepaille is watching you!)
In other tragic news, Kanye West had been found alive in his apartment.
You're misinterpreting that statute. For a quick example check out the SES pay rates, which go as high as $183k, which is the equivalent of Level II of the Executive Schedule.
https://en.m.wikipedia.org/wiki/Senior_Executive_Service_(United_States)
Finally, take a look at USC 5305, which grants the President, via OPM, the right to set alternative pay schedules based on several factors.
This is used, for example, to pay certain positions at a much higher rate, such as doctors.
The financial services agencies (FDIC, OCC, SEC, CFTC, maybe one or two others) have their own pay schedule that goes higher because they have to try to compete with financial sector salaries.
I've seen FDIC postings advertised with a max salary of $265k. If I'm not mistaken, the FRB goes over $300k for their senior execs.
https://www.law.cornell.edu/uscode/text/5/5303
Senior execs don't get locality adjustments, but us peons do. As high as 30% for people in San Francisco, with New York, DC and Chicago not that far behind.
Citation please. And I ask as a govt employee who has a salary higher than any Congressman other than the Speaker of the House.
They have staff allowances, expense accounts and benefits that aren't available to others, but salary alone...
Top career officials at an agency like FDIC have a max salary of $260k. Congressmen are paid $174k according to Wikipedia.
Not only is that incorrect, in that it quite possibly could be a misdemeanor, it is wholly inconsistent with historical precedent on these types of cases.
http://www.politico.com/story/2016/04/hillary-clinton-prosecution-past-cases-221744
https://www.washingtonpost.com/opinions/five-myths-about-classified-information/2015/09/18/a164c1a4-5d72-11e5-b38e-06883aacba64_story.html
Obama is acknowledging what is common knowledge and the subject of numerous news articles -- the government grossly overclassifies documents and frequently does it with the sole purpose of saving some politician from embarrassment, which has nothing to do with National Security. Overclassification was named as an issue in the 9/11 Report.
The lesson of the Pentagon Papers. https://www.washingtonpost.com/opinions/five-myths-about-classified-information/2015/09/18/a164c1a4-5d72-11e5-b38e-06883aacba64_story.html
NY Times Op-Ed in 2011: http://www.nytimes.com/2011/11/07/opinion/national-security-and-americas-unnecessary-secrets.html
President signs law in 2010 to reduce overclassification: https://www.whitehouse.gov/blog/2010/10/07/president-signs-hr-553-reducing-over-classification-act
It is essentially the same thing. Unless you absolutely trust nothing, this is a possibility. The problem comes because there is a limited amount of trust based on things like other device ownership, location and paired association.
I like the convenience I get from my phone not locking when I'm at home, or when it is paired via Bluetooth to my car radio. I made the conscious choice to weaken the security and not require manual unlocking in those situations.
Because of my home PC being the main control point for everything I have, if that is ever taken over, I'm fairly well screwed. I *could* make it much harder, requiring 2FA (not via phone) for logging in to my home PC and not saving any accounts or passwords, but it is a much bigger pain-in-the-ass than is justified by risk likelihood.
If your main PC that is used to control your Google accounts, including permissions, is under the control of bad actors, you're screwed either way.
They could always just turn off 2FA from the PC.
This paper is akin to bitching that if someone got hold of my phone in my home, where location-based trust is used and keeps the phone unlocked, then the bad actor could install stuff.
Duh!
It is next to impossible to ensure security if the bad guys have control of the actual hardware.
P.S. -- You misunderstood the premise of the person you were replying to. They are saying turn on 2FA for accessing your Google accounts ON THE PC. That way you need control of not only the PC, but the phone as well to essentially get control. Perfect? No. A much bigger hurdle? Yes.
There might be an app for that. They have that lovely big screen instead of the dials. I can see adding something like Torque and maybe a carburetor-simulator app. Add in some sound effects for the old-time gear head to get audio feedback and you might have a seller there.
Really? 100 comments in and not one reference to 1970s sitcom Mork and Mindy?
At least one of the plot lines revolved around Ork being such a cowardly place that they'd hide the entire planet from other aliens.
Looks like someone is turning old sitcoms into grant applications.
I thought maybe this was a way to establish a WPA-secure connection without user input, based off proximity.
No, this is open access authentication based off location. Yawn. Set your AP to "low power" and centralize it in the building, then remove all authentication.
If they had figured out a way to initiate a key exchange based on proximity, then I'd possibly be impressed. Maybe with the password being exchanged with human inaudible sound and triggered by proximity.
Tell that to Tesla Roadster owners, which would be "Version 1" of the car. Expect to be looked down on as a jealous insect not worthy of notice.
Follow that up with the purchasers of the Model S who started $5,000 pre-orders in, what, 2008? Delivery started in 2012.
Lots of Tesla owners to disprove that old adage. They might even whip out the old Aesop fable about the fox and the grapes in return.
Both of them.
According to the IRS historical tax data for 2013, there were 41,520 returns filed in the State of New York with an Adjusted Gross Income greater than $1,000,000.
The total amount of income reported by that group was $161,908,290,000, or a round $162 billion. Taking a quick calculation of 1% of that gives $1.62 billion.
The total State of New York Education Budget for 2013 was $72.3 billion, of which that $1.62 billion is an extra 2.25%. It may not seem like much from a percentage, but the goal isn't to replace existing funding but supplement it to improve services -- and that amount can do some serious good.
http://www.usgovernmentspending.com/year_spending_2013NYbs_17bs2n_20#usgs302
https://www.irs.gov/uac/SOI-Tax-Stats-Historic-Table-2
And no, for anyone in that income bracket this isn't a speed-bump to moving up the ladder. You're already in the nose bleed section and can handle this without losing a step. There is a much greater benefit for those in the bottom 50% getting up a rung than someone of my ilk going from Top 5% to Top 4%.
Why would you think that? The laws of division don't change for different base representations. Division is division no matter how you write the number.
Interesting.
Switching between towers of the same network is called a "soft hand-off", and can be done without dropping a call.
Switching to a tower from a different network is called a "hard hand-off", and usually results in a dropped call. The different networks don't share registration and other vital internal data needed for smooth transfer.
Maybe things have changed recently. I was a field engineer for Alcatel-Lucent several years ago and did cell site upgrades, which is how I know about some of this.
Of course, Europe may operate a bit differently as there are so many overlapping cell networks. In the U.S. there were essentially 2 major GSM networks -- AT&T and T-Mobile -- plus a couple of minors. The other two big guys -- Verizon and Sprint -- were CDMA. Things have changed a bit with LTE, but I have a hard time believing these twats will play nice with each other on call hand-off.
So...all they need to do is get a female sheep to make a declaration and that is law? Is this some form of Parliamentary Procedure I am unfamiliar with? Are you, perchance, from Scotland?
I need to research this more. From my understanding, phones will only connect to a non-home network when the home network is unavailable and not just because the non-home network is stronger.
If this were the case, active connections could be defeated simply by telling your phone to not use roaming.
The IMSI-catchers would still have to be able to claim that they are "official AT&T", for example, in order for your phone to agree to connect. I guess it is possible that all that requires is to name your IMSI-catcher "AT&T", but holy shit would that be stupid on the part of AT&T. Every prankster out there could MITM phone traffic if that were the case!
I need to dig a little more. I think your "encryption not available" is GSM encryption of the call (A5/1) but has nothing to do with validating that the tower really belongs to Velus.
If you're being actively targeted, then you're already getting attention. As IMSI-catchers are frequently used without oversight and warrants, defeating their dragnet usage would force law enforcement to take other avenues. Those avenues most likely would require warrants and oversight. I'm all for that.
As much as I despise the cliche, it applies here to your post. Don't let the perfect be the enemy of the good. In other words, don't refuse partial solutions to problems on the excuse only a 100% solution will do.
IMSI-catchers, like the infamous Harris Stingray, operate in two different modes, passive and active.
In passive mode it just listens to the cellular frequencies and records the IMSI of any device in range. This is similar to WiFi war driving and listening passively for SSIDs. While there are some preventative measures you can take, at some point you just have to broadcast the ID in the clear for things to work. Not a lot can be done to securely protect against this.
However, in active mode the IMSI-catcher spoofs credentials and claims to be a valid cell tower, tricking the cell phone to actually connect to it. This allows everything from text messages, to DTMF tones to the contents of a voice call to be captured.
Here is where there is room for end-user security improvements. One step would be to whitelist the known towers in your area, refusing to let your phone connect to any tower not on your list -- such as claimed NEW towers.
Net stumbler applications like Wigle include lists of cellular networks in their scans and databases. A crowd-sourced or crowd-validated list of known, real towers could serve as an initial load or verification.
The trick is getting your phone to connect only to the whitelisted towers. I believe that function lies in the baseband processor and access to that is normally locked down tight.
This could be a nice addition to something like Silent Circle's Blackphone.
If nothing else, it should be possible to have your phone alert you when it connects to a non-whitelisted cell tower. After all, Android has the ability to display what tower you're connected to. Apps like Network Signal Info Pro certainly give enough details.
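The tower-whitelist idea in the comment above (and the earlier point that a catcher only has to claim to be "official AT&T" to get a phone to talk to it) is easy to sketch in code. The following is an added example, not code from the commenter, Wigle, or any phone app: it assumes a crowd-sourced tower list in a simple CSV layout (a made-up format, not Wigle's real export), an assumed home network identified by MCC/MNC 310-410, and observations of the form an app like the one named above could supply (MCC, MNC, LAC, cell ID, reported cipher, signal strength). The point it demonstrates is that the network name/PLMN alone proves nothing; a cell has to match a known PLMN + LAC + cell ID, and an unknown cell that claims the home network, runs no ciphering, or outshouts every catalogued tower is what an active catcher looks like from the handset.

```python
"""Whitelist check for observed cell towers (constructed example, not from the page)."""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Tuple

CellKey = Tuple[str, str, int, int]  # (MCC, MNC, LAC/TAC, Cell ID)

# Constructed sample of a crowd-sourced tower list. The column layout is an
# assumption for this example, not the real Wigle export format.
KNOWN_TOWERS_CSV = """mcc,mnc,lac,cid,label
310,410,7101,20045,Main St water tower
310,410,7101,20046,Main St water tower
310,410,7102,21310,Highway 9 monopole
310,260,5520,11007,Rooftop downtown
"""

HOME_PLMN = ("310", "410")  # assumed home network (MCC, MNC) for this example


@dataclass(frozen=True)
class Observation:
    """One cell as reported by the baseband / a signal-info app."""
    mcc: str
    mnc: str
    lac: int
    cid: int
    cipher: str      # e.g. "A5/1", "A5/3"; "A5/0" means no ciphering at all
    signal_dbm: int  # received signal strength, higher (less negative) is stronger

    def key(self) -> CellKey:
        return (self.mcc, self.mnc, self.lac, self.cid)


def load_whitelist(csv_text: str) -> Dict[CellKey, str]:
    """Parse the crowd-sourced list into a lookup of full cell identity -> label."""
    towers: Dict[CellKey, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["mcc"], row["mnc"], int(row["lac"]), int(row["cid"]))
        towers[key] = row["label"]
    return towers


def check_cell(obs: Observation, whitelist: Dict[CellKey, str]) -> List[str]:
    """Return alert strings for one observed cell; an empty list means it looks normal."""
    alerts: List[str] = []
    plmn = (obs.mcc, obs.mnc)
    if obs.key() not in whitelist:
        if plmn == HOME_PLMN:
            # Broadcasting the home network's PLMN is trivial; being a tower
            # nobody has ever catalogued at that LAC/CID is the tell.
            alerts.append(f"unknown cell {obs.key()} claiming home network")
        else:
            alerts.append(f"unknown cell {obs.key()} on foreign network {plmn}")
    if obs.cipher == "A5/0":
        # Catchers commonly force the cipher off so they can read the traffic.
        alerts.append("no ciphering (A5/0) on this cell")
    return alerts


def scan(observations: List[Observation],
         whitelist: Dict[CellKey, str]) -> List[Tuple[Observation, List[str]]]:
    """Check every cell in one scan; flag unknown cells that outshout all known ones."""
    known_dbm = [o.signal_dbm for o in observations if o.key() in whitelist]
    strongest_known = max(known_dbm, default=None)
    flagged: List[Tuple[Observation, List[str]]] = []
    for obs in observations:
        alerts = check_cell(obs, whitelist)
        if alerts and strongest_known is not None and obs.signal_dbm > strongest_known:
            # A catcher has to be the strongest "tower" around to win the handset.
            alerts.append("outshouts every whitelisted tower in this scan")
        if alerts:
            flagged.append((obs, alerts))
    return flagged


if __name__ == "__main__":
    wl = load_whitelist(KNOWN_TOWERS_CSV)
    # Constructed scan: one catalogued tower plus a strong, uncatalogued cell
    # that claims the home network and offers no ciphering.
    seen = [
        Observation("310", "410", 7101, 20045, "A5/1", -71),
        Observation("310", "410", 7101, 29999, "A5/0", -48),
    ]
    for obs, reasons in scan(seen, wl):
        print(obs.key(), "->", "; ".join(reasons))
```

The whitelist is keyed on the full identity, so a catcher that copies a real LAC and cell ID would still pass this check; that is why the signal-strength and cipher checks are layered on rather than relied on alone. On a real handset the observation would come from whatever the baseband exposes, which, as the comment notes, is the hard part.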
My question is will they attempt to do something mind-bendingly stupid like enabling a secret master key or key escrow when they re-enable encryption on the device. You know, just so they can cooperate with the FBI and show how they're better than Apple.
Threaded conversations are fun. Since you didn't quote the original, your use of "this" as a pronoun refers to having to figure out how to call up Poseidon and order some calm seas.
Sir, your ideas are intriguing to me and I wish to subscribe to your newsletter. I wonder if we can get a Federal grant for research efforts into replicating Triton's conch horn?