Are you confused by the FBI vs Apple dispute regarding Syed Farook’s iPhone? I am.
In an excellent article published today, CNET neatly summarized the delicate position in which Apple finds itself, following the issuance of a court order that compels Apple to help authorities unlock the iPhone 5c that was used by Islamic terrorist and mass murderer Syed Farook.
The nugget that surprises me is that the FBI appears to be preparing a brute-force attack on this iPhone’s 256-bit AES encryption. This is a daunting task. To brute-force data encrypted with AES-256, you need to try each of 2^256, or 116,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000, possibilities. That’s more than the number of atoms in the universe.
If Farook chose a strong passphrase, it could require thousands of years for most computers to decrypt his data. It appears that the FBI has serious horsepower to throw at this task.
Within days of its release, concerns have arisen about how Microsoft Windows 10 handles users’ data. The 12,000-word, 45-page Windows 10 EULA (end user license agreement) states that Microsoft may do what it wishes with your data.
If you wish to control your privacy, DON’T choose “Express Install”.
This loss of privacy is one downside to Microsoft’s new SaaS (software as a service) model. Linux on the desktop looks better and better.
This week the New York Post published an excellent article titled Obama has been collecting personal data for a secret race database. Soon after becoming chancellor in 1933, Adolf Hitler initiated a German census, with the assistance of IBM’s German subsidiary. The census used IBM’s Hollerith punch card technology: one card per person. On this card were fields that defined address, race, religion, and ancestors.
This database probably seemed benign in 1933. A few years later, it powered Kristallnacht and, soon after, the entire Holocaust.
After invading Poland, the Nazis immediately began a census. Ditto Holland and France. Again, IBM technology powered these efforts. Tyrannical centralized regimes require detailed demographic data collection and tabulation so that they can select groups and individuals for “special treatment”.
I object to any central government collecting reams of data about its citizens. In particular, I don’t trust this administration. Aside from its dubious motives, it’s proven its inability to safeguard personal data, including fingerprints, of millions of security clearance applicants. It appears that China now has these data.
Obviously, when your phone’s GPS receiver is on, your location within 30 feet or so is usually available.
There’s another way that remotes, your cellular service provider, 9-1-1 call centers [also known as Public Safety Answering Points (PSAPs)], and law enforcement can determine your phone’s location, even when your GPS is off, or even if your plain-Jane flip-phone has no GPS receiver. It’s called Uplink-Time Difference of Arrival (U-TDOA). Here’s a brief simplified video description. Each cell tower has an antenna array with three or four 90- or 120-degree (when viewed from above) antenna sectors. Each tower knows, by comparing your phone’s received signal strength in each sector, which sector your phone is in. By measuring the propagation time for a “ping” to travel from the tower to your phone and back again, it also knows the range to your phone. In a populated area your phone is likely to be talking with more than one tower, so all that’s needed is the bearing and range to your phone relative to two or more towers, and your location can be estimated to within maybe a 100-foot radius. (You will be at the intersection of the two or more arcs.)
Even with only one tower talking to your phone, it knows that you are located somewhere along the 90- or 120-degree arc within the sector with the strongest signal. U-TDOA is used in Enhanced 9-1-1 Phase II systems so that first responders may be dispatched to wherever your cell phone is located when you place a 911 call for emergency assistance.
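The simplified model the post describes (serving-sector bearing plus range from the round-trip “ping”, intersected across two towers) worked through in code. This is an added example, not the post’s own material and not U-TDOA proper, which the post does not detail; the tower positions, sectors and round-trip times are constructed, and free-space propagation at the speed of light is assumed.

```python
import math
C = 299_792_458.0  # speed of light in m/s; radio propagation is taken as free-space

def range_from_rtt(rtt_seconds):
    """Range (m) from a tower's round-trip 'ping': out and back, so one-way distance is c*rtt/2."""
    return C * rtt_seconds / 2.0

def bearing_deg(origin, point):
    """Bearing from origin to point, 0 = +y (north), clockwise, in [0, 360)."""
    dx, dy = point[0] - origin[0], point[1] - origin[1]
    return math.degrees(math.atan2(dx, dy)) % 360.0

def in_sector(bearing, start, width):
    """True if bearing lies within the sector [start, start+width) measured clockwise."""
    return (bearing - start) % 360.0 < width

def circle_intersections(c1, r1, c2, r2):
    """The two points where the range circles around c1 and c2 meet, or [] if they do not."""
    dx, dy = c2[0] - c1[0], c2[1] - c1[1]
    d = math.hypot(dx, dy)
    if d == 0 or d > r1 + r2 or d < abs(r1 - r2):
        return []
    a = (r1 * r1 - r2 * r2 + d * d) / (2 * d)   # distance from c1 to the chord midpoint
    h = math.sqrt(max(r1 * r1 - a * a, 0.0))    # half the chord length
    mx, my = c1[0] + a * dx / d, c1[1] + a * dy / d
    return [(mx + h * dy / d, my - h * dx / d), (mx - h * dy / d, my + h * dx / d)]

def locate(towers):
    """towers: dicts with 'pos' (x, y) in m, 'sector' (start_deg, width_deg) of the
    serving sector, and 'rtt' in seconds. Uses the first two towers and returns the
    range-circle intersection that lies inside both serving sectors, else None."""
    t1, t2 = towers[0], towers[1]
    r1, r2 = range_from_rtt(t1["rtt"]), range_from_rtt(t2["rtt"])
    for p in circle_intersections(t1["pos"], r1, t2["pos"], r2):
        if all(in_sector(bearing_deg(t["pos"], p), *t["sector"]) for t in (t1, t2)):
            return p
    return None

# Constructed scenario (hypothetical towers, not real data): the phone is really at (600, 800) m.
TRUE_POS = (600.0, 800.0)

def rtt_for(tower_pos, phone_pos):
    # Round-trip time a tower would measure for a phone at phone_pos (used only to build the sample).
    return 2.0 * math.hypot(phone_pos[0] - tower_pos[0], phone_pos[1] - tower_pos[1]) / C

SAMPLE_TOWERS = [
    {"pos": (0.0, 0.0),    "sector": (0.0, 120.0),   "rtt": rtt_for((0.0, 0.0), TRUE_POS)},
    {"pos": (2000.0, 0.0), "sector": (240.0, 120.0), "rtt": rtt_for((2000.0, 0.0), TRUE_POS)},
]
```

The two range circles meet at (600, 800) and its mirror image (600, -800); the mirror point is rejected because it falls outside tower A’s serving sector, which is exactly the role the sector bearing plays in the post’s description.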
The only way to stop this is to remove the battery from your phone. (Oops. Sorry, iPhone users.) Switching it off won’t stop the communication. Switching it to Airplane Mode will prolly stop it, but there are no guarantees.
While watching a YouTube video clip about the recovery of a stolen bicycle, I learned about Burner, a smartphone app that allows a smartphone user to temporarily mask his or her phone number with an alias phone number. It’s available for iPhones, but not yet for Android phones. (Originally published on 31 December 2012. 9 July 2014: Burner is now available for Android phones, as well as iOS.)
Theft recovery seems like a perfect use for telephone anonymity. The victim, who’s a Portland, Oregon resident, responded to a Seattle Craigslist for-sale ad for what seemed to be his stolen bike. He used Burner to make his phone calls appear to originate in Seattle.
We’ve asked the companies in our Who Has Your Back Program what they are doing to bolster encryption in light of the NSA’s unlawful surveillance of your communications. As of now, eight companies—Dropbox, Facebook, Google, Microsoft, Sonic.net, SpiderOak, Twitter, and Yahoo—are implementing five out of five of our best practices for encryption.
It’s the Greenpeace / EFF / TAC airship, flying above NSA’s new enormous data center in Utah. They were protesting the NSA’s illegal snooping and seizure of citizens’ electronic personal effects. EFF reported the event on their website:
Greenpeace flew its 135-foot-long thermal airship over the Bluffdale, UT, data center early Friday morning, carrying the message: “NSA Illegal Spying Below” along with a link steering people to a new web site, StandAgainstSpying.org, which the three groups launched with the support of a separate, diverse coalition of over 20 grassroots advocacy groups and Internet companies. The site grades members of Congress on what they have done, or often not done, to rein in the NSA.
The Guardian published a full story on this event.
While the NSA is in the spotlight, when will James Clapper be indicted for lying to Congress about NSA’s capture of domestic telephone records?
Our company recently discovered a cyberattack that comprised [sic] a small number of employee log in credentials, allowing unauthorized access to eBay’s corporate network. As a result, a database containing encrypted passwords and other non-financial data was compromised. There is no evidence of the compromise affecting accounts for Paypal users, and no evidence of any unauthorized access to personal, financial or credit card information, which is stored separately in encrypted formats. The company is asking all eBay users to change their passwords.
The attack resulted in unauthorized access to a database of eBay users that included:
Date of birth
I changed my eBay password today. When I read through my KeePass database.kdb file, I was chagrined to find that I’d used the same password for my accounts on several other sites. I changed them all. You should do the same if you have an eBay account. Here’s why, according to eBay:
I use the same password for multiple accounts. Do I now need to change all of them?
If you used the same password for eBay and any other site, we encourage our customers to change their passwords for those sites too. As a matter of good practice, the same password should never be used across multiple sites or accounts.
22 May update: Glenn Greenwald thinks that Ed Snowden decided to reveal the extent of NSA snooping after watching US Intelligence chief James Clapper lie to Congress. (Clapper claimed that the NSA does not collect communications of ordinary Americans. When will Clapper be charged with perjury and contempt of Congress?)
The program outlined PRISM and AT&T technician Mark Klein’s discovery of a fiber-optic splitter that allowed the NSA to capture all packets that flow on AT&T’s Internet backbone, as well as other attempts by the NSA to read Internet-borne data without court orders. It also explored the loss of privacy to Facebook, Google, DoubleClick, and other commercial enterprises.
On Tuesday night, PBS broadcast a powerful two-hour-long Frontline piece about the NSA’s snooping into citizens’ electronic communications. They subtitled it “How the government came to spy on millions of Americans”. The second part will air next Tuesday. Watch it.
Senator Dianne Feinstein (D-California) is outraged that her Senate Intelligence Committee’s communications have been monitored by the CIA (Feinstein Slams CIA, Accuses Agency of Spying on Staff). One irony is that last year, when Ed Snowden revealed that the NSA routinely violated citizens’ Fourth Amendment rights, Senator Feinstein called for Snowden’s head.
Another irony is that her Senate Intelligence Committee is supposed to oversee the CIA. Her committee has failed to do its job and now she’s outraged at the result of that failure. Curiouser and curiouser.
Edward Snowden spoke on Monday at South By Southwest via live Internet video. Presumably he was in Russia. His true location was obscured by a chain of seven proxies, which caused the audio quality to suffer from multiple echoes. The best audio/video recording that I’ve found is this YouTube video. Mr. Snowden participated in a panel discussion of Internet privacy, security, and infringement of U.S. Constitutional rights.
The panel pointed out that not only is the NSA trampling on our right to freedom from unreasonable search and seizure, but so are commercial entities such as Google and Facebook. Seizing everything from everybody is clearly a violation of the Fourth Amendment.
The panel agreed that end-to-end encryption is the only way to ensure privacy.
When will intelligence chief James Clapper be indicted for lying under oath while testifying to Congress?
If you want to stop warrantless searches of your emails, go to VanishingRights.com to see if your representative is a sponsor — if they’re not, ask them to be, and if they are, thank them! We can win this fight, but only if we show that the public is behind reform. Act now!