[HN Gopher] Stingrays and Dirtboxes: how cops can secretly track...
___________________________________________________________________
Stingrays and Dirtboxes: how cops can secretly track your phone
Author : uhtred
Score : 213 points
Date : 2020-08-03 14:34 UTC (8 hours ago)
(HTM) web link (theintercept.com)
(TXT) w3m dump (theintercept.com)
| jdefr89 wrote:
| Hey. Someone who briefly worked on the Stingray team here.
|
| I left the company that develops the stingray (who's name is
| mentioned in the article but I shall not say it) because I didn't
| feel comfortable with the ethics of how it could potentially be
| easily abused without legal permission and/or repercussion. I
| fear these technologies will become more commonly used against
| Americans by low level law enforcement without good reason and
| without responsible usage.
| kome wrote:
| Thank you for walking away.
|
| I hope more people will follow your example and question their
| work. Not only at Harris Corporation, but in every part of what
| is called surveillance capitalism.
| jccc wrote:
| Is it enough that a few people like this simply turn their
| backs and walk away to different work? I would think their
| vacancies would be quickly and easily filled.
|
| Is there really a shortage of people willing and able to do
| this kind of work for these companies and government
| agencies? I'm asking because I truly don't know.
|
| And if not, could we think of some other ways people in these
| positions could exert some influence for change, even if it's
| only after they leave those jobs?
| jpollock wrote:
| Yes it has an effect. In a tight labour market, any
| restriction on the number of people who are willing to do
| your work will increase your costs.
|
| Eventually, you might start to ask "why" and change some
| things to bring the costs back in line.
|
| For example, I know lots of people (including me), who
| refused interviews with Uber post harassment revelations.
| jccc wrote:
| I understand that in principle it _could_ have an effect,
| and I understand how.
|
| I'm questioning whether that market for developers really
| is tight enough to matter, whether employers and top
| policy makers would even notice that some number of
| people withhold their skills in protest.
|
| I'm wondering if perhaps there are other more powerful
| ways for these developers to exert their influence,
| whether in these positions or outside of them.
| TeaDrunk wrote:
| I was under the impression that lack of talent does
| matter- if top talent doesn't want to work for you, you
| can't replace top talent with less-top talent and expect
| to maintain your competitive edge. Especially if said top
| talent is now working for a competitor.
| jpollock wrote:
| That would be an interesting research paper, particularly
| if it was able to quantify the effect of various blows to
| a companies reputation.
|
| "The effect of corporate reputation on staffing costs"?
|
| A quick googling implies "yes"?
|
| https://www.igniyte.co.uk/blog/how-a-bad-corporate-
| reputatio....
| mellow2020 wrote:
| You can't change rape by being a good rapist. All that
| serves IMO is to normalize being an accomplice and doing
| evil things with good intentions.
|
| > People have a series of rationalizations. People say for
| example that science and technology have their own logic,
| that they are in fact autonomous. This particular
| rationalization is profoundly false. It is not true that
| science marches on in defiance of human will, independent
| of human will, that just is not the case. But it is
| comfortable, as I said: it leads to the position that "if I
| don't do it, someone else will."
|
| > Of course if one takes that as an ethical principle then
| obviously it can serve as a license to do anything at all.
| "People will be murdered; if I don't do it, someone else
| will." "Women will be raped; if I don't do it, someone else
| will." That is just a license for violence.
|
| - http://tech.mit.edu/V105/N16/weisen.16n.html
| TallGuyShort wrote:
| If a rapist stops being a rapist, does someone
| immediately turn around and pay someone else to become a
| rapist? No? Then the rape analogy isn't a perfect fit.
| The question is still valid, IMO.
| dang wrote:
| Would you please stop posting generic ideological
| comments to HN? It looks like you've been doing it
| repeatedly. It's against the site guidelines because it
| leads to repetitive threads which are tedious at best and
| nasty at worst. This site is supposed to be for curious
| conversation and those things are not compatible.
|
| https://news.ycombinator.com/newsguidelines.html
| mellow2020 wrote:
| > Would you please stop posting generic ideological
| comments to HN?
|
| If you explain to me how the comment I replied to isn't
| just as generic, and what you mean by "ideological" that
| is present in my comment and not in the parent, sure.
|
| You allow a claim, coated in "wondering", an old chestnut
| trotted out time and time again -- and don't the clear
| refuting of it, by one of the greats in the field? There
| are no principles here you are applying fairly, it's
| utterly arbitrary. My point stands. Graying it out just
| adds the data that some people would rather bury and
| smear it, than learn. That's on them.
|
| And no, it doesn't lead to any conversation of any kind,
| because agreement is expressed in upvotes, and I doubt
| anyone can muster a coherent rebuttal. I don't see you
| trying either, you just say what _would_ have happened,
| if you hadn 't made replying impossible. Weizenbaum is
| correct, and apparently, some people cannot let that
| stand.
|
| > It's against the site guidelines because it leads to
| repetitive threads which are tedious at best and nasty at
| worst.
|
| Which part of them?
|
| > This site is supposed to be for curious conversation
| and those things are not compatible.
|
| Saying "it" and "those things" doesn't make up for a
| clear definition of them.
| jccc wrote:
| (For whatever it's worth, I was sincerely wondering
| because I don't know what the actual labor constraints on
| these companies/agencies might be. I suspected they
| aren't enough to make much of a difference when
| developers walk away in protest, and so I asked.)
|
| (Also, I think it was clear that I was questioning
| strategy not morality.)
| dang wrote:
| Actually I missed that you were linking to a 1985 article
| by Weizenbaum. I agree, that's more interesting. Had I
| seen that I probably wouldn't have replied to you here.
|
| On the other hand:
|
| (1) "You can't change rape by being a good rapist" is
| just flamebait. Please don't.
|
| (2) Your account has mostly been posting in ideological
| arguments and it all looks pretty generic to me. Please
| don't do that either.
|
| If you want an explanation about why we don't want
| generic discussion on HN, and above all not generic
| ideological discussion, there are plenty at these links:
|
| https://hn.algolia.com/?dateRange=all&page=0&prefix=true&
| que...
|
| https://hn.algolia.com/?dateRange=all&page=0&prefix=true&
| que...
| sargun wrote:
| Just curious, how well were you compensated? Did you work on
| the radio side doing embedded stuff / math, or server software?
| goodluckchuck wrote:
| Any reason to think usage is limited to law enforcement?
| throwaway_drt2 wrote:
| Used to work for makers of the dirtbox. I would hope anyone
| curious about this issue also spends a lot of time digging into
| those devices as well.
| blue52 wrote:
| The majority of us are well aware how these devices create a
| MITM attack against your phone, but is there anything you
| found particularly interesting or egregious that we should
| know about? Especially how LE are using them to abuse every
| group who desperately needs protection from these devices.
| an_opabinia wrote:
| - In your opinion, is there a difference between an innocent
| person being materially and demonstrably harmed ("harmed," i.e.
| tort) by a stingray deployment and an innocent person harmed by
| any other tool misused in this way by the government?
|
| - Do you think there's a better alternative to tort that could
| as clearly limit the tools government uses to fight crime?
|
| - If harmless mass surveillance replaces concretely and plainly
| harmful mass surveillance (e.g. stop and frisk), did we come
| out ahead?
|
| I'm not a blowhard and obviously do not want to live in a
| surveillance state. I'm not even advocating for the status quo.
| It's okay if the answer to these questions are basically, "I
| don't know."
|
| Or go on and argue that stingrays in isolation of a malevolent
| government somehow materially harm people in some concrete way.
| It would be awesome to hear your perspective if that's the
| case.
| [deleted]
| ColanR wrote:
| To whomever flagged the sibling comment by throwaway_drt2: they
| were not being crude, they were referring to the cell site
| simulator called the Dirtbox. [1] Don't be so trigger-happy.
|
| [1] https://en.wikipedia.org/wiki/Dirtbox_%28cell_phone%29
| dang wrote:
| No one flagged that comment. It was affected by a software
| filter. Users vouched for it, which unkilled it.
| ColanR wrote:
| That makes more sense, since a similar comment that replied
| to it was also marked [dead]. Thanks for the clarification.
| dylan604 wrote:
| What kind of NDAs did they force on you? It's one thing to walk
| away silently, but you know they just filled your role with
| someone else with less morals.
|
| The other option is scorched earth similar to the recent news
| articles where there were blog posts publicly shaming the
| company. Wondering what kind of in between options are
| available. Anonymous posts are a start at least to get the
| inquisitive types to look in that direction and/or add some
| weight to previous anonymous posts.
|
| Edit: just read further down the list, and see others have
| essentially asked the same thing
| MacSystem wrote:
| I'm also glad you did that, we need more more people like you.
| room505 wrote:
| Can a Stingray be used to eavesdrop on someone using an app like
| Signal for a voice call or message?
| sandstrom wrote:
| Anyone know of any progress in 6G, that would improve privacy in
| this area? For example randomized (or truly encrypted) IMEI
| numbers?
|
| Also, I found this SIM card which seems to be doing IMEI
| randomization:
|
| https://omertadigital.com/blogs/news/encrypted-sim-cards-wha...
| hosteur wrote:
| There are no incentives to improve end user privacy with those
| who specify telco standards.
| baybal2 wrote:
| > Anyone know of any progress in 6G, that would improve privacy
| in this area?
|
| One of members of numerous 6G working groups is Huawei. If you
| remember, they recently proposed to replace the whole IP
| protocol with one where every packet must be cryptosigned by
| ISP.
|
| This SIM feels like a complete BS. IMSI is managed by the
| phone, not SIM.
| floatingatoll wrote:
| Wi-Fi Calling while in Airplane mode would not be subject to
| Stingray interception, and would protect IMEI data from airborne
| bulk capture.
|
| Authorities can still set up open SSIDs to capture limited
| information about phones, but the "fly an airplane over" capture
| model doesn't work well with Wi-Fi.
| falcolas wrote:
| You may be underestimating people's lack of care about what
| open access point people connect to. The traffic itself may be
| encrypted, but DNS queries, phone hardware addresses, and
| background traffic might not be.
| floatingatoll wrote:
| I'm not trying to offer a comprehensive solution for avoiding
| government monitoring. I'm just offering a solution for
| avoiding cellular Stingrays while retaining cellular service.
|
| For a more comprehensive solution, you would need to _at
| minimum_ not carry any electronic devices (signal detection),
| wear a mask and IR-blocking glasses (face detection), and
| wear shoe inserts (gait detection) -- and even then, they can
| still seize you and overcome those obstacles at will.
| falcolas wrote:
| The context of this article is "Cops tracking your phone",
| of which the parent comment _does not prevent_ in any
| meaningful fashion. The rest of the remedies presented here
| are also mostly unrelated to phone tracking.
| throwaway0a5e wrote:
| Anyone who cared (for either personal or professional reasons)
| has been leaving their phone at home for probably close to a
| decade now.
| rhplus wrote:
| Reports of stingray flight patterns go back to at least 2015:
|
| https://komonews.com/archive/fbi-behind-mysterious-spy-aircr...
|
| https://bgr.com/2015/06/03/fbi-dirtbox-stingray-spy-plane-pr...
| throwaway_drt2 wrote:
| I used to work for DRT, they make the "dirtbox" mentioned in the
| article. I would really encourage journalists to dig more into
| this company and their products.
| WarOnPrivacy wrote:
| > I would really encourage journalists to dig more into this
| company and their products.
|
| I guess journalists' disinterest in invasive surveillance is
| because reporting on it is harder, than reprinting the same 7
| headlines as every other news org.
|
| It's been a bit better since Edward Snowden dragged news orgs
| away from authoritarian-friendly journalism and into the
| surveillance age. However, journalists still seem to do about
| the bare minimum, while their reporting gives LEO/Gov endless
| benefit of the doubt.
| ideals wrote:
| You could contact https://twitter.com/KenKlippenstein via
| Signal with any information you didn't see in the article which
| should be. He seems to be a journalist interested in related
| fields.
|
| No one is going to know unless the people who worked there
| reach out.
| t0mmyb0y wrote:
| Almost no agencies upgraded to 4G, way too expensive, about
| $500k. If on android you can enter a code on device to force ONLY
| 4G to be used by the device.
| BelleOfTheBall wrote:
| I remember this being described in Bruce Schneier's book. When I
| first read it, I was terrified. Now, seeing them in action, I'm
| closer to dejected. Most methods of avoiding them aren't easy or
| practical enough to be used by the layman, hell, most laymen
| don't even know what stingrays are. These are incredibly tough to
| protect against on a mass scale.
| Mirioron wrote:
| What happens when they are used in countries with fewer
| protections to individuals than the US?
| mtgx wrote:
| The bar is already pretty low in the US. The FBI has trained
| cops to hide the use of stingrays from judges, so who really
| knows how many times these were illegally used to incriminate
| someone while telling judges they got anonymous tips or
| whatever.
| xkcd-sucks wrote:
| Slightly off topic: Why don't cell networks get shut down more
| often during large protests etc.?
|
| It seems that police use cell phones for internal communications
| pretty extensively -- Even when there are encrypted radio systems
| or channels.
|
| My guess is that UX of encrypted radio is generally terrible, and
| that it's a nightmare to distribute keys to all multiple agencies
| that might be operating in an area. So departments configure
| encrypted radio for internal use, but when there's large scale
| activity they need to fall back to cellphones for guaranteed un-
| eavesdroppable comms
| Nasrudith wrote:
| Well for one it would be very disruptive and hard to justify.
| It would interfere with 911 and calling family and would scare
| and inconvenience the populace turning them against them and a
| certain safe 'status quo' apathy is what they depend upon.
| Social dynamics aside more people on the streets makes their
| job harder regardless of their demeanor - which they will if
| they need to go in person to check on others.
|
| The disruption to service would also be very expensive to
| businesses which would be encourage flight.
|
| "And we lost this multi-million dollar contract sale because
| the cell service to reach us anywhere went down for three days,
| a worse case for the company than even if rioters burnt down
| the whole office. Why are we located in this shithole again?"
| triceratops wrote:
| > Why don't cell networks get shut down more often during large
| protests etc.?
|
| What problem are you trying to solve, exactly?
| ChuckMcM wrote:
| FWIW you can do much the same thing with your own SDR setup. One
| of the more surprising things for me was that the feature that a
| phone work "internationally" means that a nominally "4G" phones
| will still answer a GSM tower (talking on a GSM frequency) when
| the tower says hello. Some phones will let you turn that off.
|
| But that said, most smartphones will tell you their WiFi MAC
| address if you tell them you are an access point. It is more
| difficult to track a MAC address back to its owner, but it is
| easy to see if it shows up again near you. My Cisco access point
| did a variant on this when MAC address filtering was on, it would
| send you reports of "unknown" MAC addresses which you could log
| and then later associate with people visiting the office.
|
| Bottom line though seems to be to treat protests like DefCon
| events if you don't want to leak PII. Get a burner phone for such
| trips.
| Negitivefrags wrote:
| Random story: I once saw an one of the vans for the local ISP
| driving around wtih a box labeled "Stingray" and got all excited.
|
| Picture here: https://imgur.com/a/P1nPSD2
|
| Turns out that "Stingray" is also the name of a system for air-
| blown optic fiber installation.
|
| Personally I would have avoided the reuse of that particular name
| for anything in telecommunications because it has somewhat dark
| connotations already!
| jeffbee wrote:
| TL;DR it's a radio in your pocket that constantly announces its
| identity. I'm quite interested in the fact that people don't
| realize this. Is it a generational split between people who can
| remember when we did not all have radios in our pockets and those
| who can't, or ??? The fact that an always-on radio you carry
| everywhere can be used to track you seems like the #1 most
| obvious thing about the technology.
| rrose wrote:
| I feel like you're ignoring a key point here, which is that
| these stingray devices can MitM your phone by forcing it to
| send essentially unencrypted messages. That's both more
| technically complicated and more serious than passive tracking.
| bob1029 wrote:
| I don't think OP is ignoring any points. It is a statement of
| fact that we've been carrying around what ultimately amount
| to high power RFID surveillance devices in our pockets for
| about 20-30 years now (en masse). There are also many on this
| board at this very moment who can remember life before any of
| this technology or concern was a thing.
|
| In 1990, if you walked to the store without telling anyone
| where you were going, you were basically a ghost as far as
| anyone else was concerned. In 2020, even if you leave all of
| your digital electronics at home, you will probably be
| detected by someone else's electronics.
| rrose wrote:
| OP is sort of shrugging off the information in this article
| by saying that it should be common sense that by carrying a
| phone you are trackable. I don't really disagree with that.
| But a major point of the article is that not only are you
| trackable, but you can be actively surveilled or even have
| your text messages spoofed, which is not common knowledge
| and isn't really encapsulated by the "radio in your pocket"
| analogy
| WarOnPrivacy wrote:
| > these stingray devices can MitM your phone by forcing it to
| send essentially unencrypted messages.
|
| Earlier Harris equip did that by forcing 2g mode but 2g is
| being turned off: https://1ot.mobi/resources/blog/a-complete-
| overview-of-2g-3g...
|
| I'm less familiar with the capabilities of current IMEI
| catchers tho.
| op03 wrote:
| Do the math.
|
| The odds of someone targeting you (just for kicks) aren't that
| high.
|
| But don't tell Glenn Greenwald that cause then he has to go
| find something else to scare you with, to capture your
| attention in our current useless "state of fear" preserving
| info tsunami ecosystem.
|
| But anyway lets do the math...
|
| The US has 200 cops per million. Lets say 1% of that million
| are born douchebags and there is another 1% who have turned
| douchebagy for whatever reason.
|
| So you have 200 cops to deal with 20000 bad guys per million.
| So in general they have enough going on keeping them occupied.
|
| Now even if you assume they don't spend any time doing their
| job and all of them spend all their time fixating on you and no
| one else, the chances of them picking on you out of the million
| other options are still pretty low.
|
| What makes it even lower is if you apply the 2% douchebag rule
| to the cops themselves, you get probably 2 bad apples in that
| 200.
|
| But to indulge you lets apply it also to anyone who has access
| to the same privacy violating tech - bank managers, google
| engineers, telco engineers, the military, rich ppl etc. Keep
| adding whatever category you feel like and applying the 2%
| rule. You wont raise the odds too badly.
| vanusa wrote:
| It doesn't have to target _you_ directly in order to have a
| significant negative impact on your life.
| tspike wrote:
| Your comment comes off pretty condescending and dismissive,
| which clouds a valid point. It's not likely you will be
| individually targeted by law enforcement.
|
| The scarier proposition to me is bulk collection and latent
| analysis.
| [deleted]
| jjulius wrote:
| You can't expect end users with little-to-no technical know-how
| to have the same common knowledge that you do.
| TheSpiceIsLife wrote:
| I watched a doco last night where researchers put a sounding
| beacon _inside_ a shark.
|
| Inside it! They said something like "these sharks are used to
| cuts and scrapes and heal quickly."
|
| It's no wonder people don't immediately associate their phone
| with a locating beacon.
| pvaldes wrote:
| Maybe I'm not translating correctly "sounding beacon", but
| I would assume that what you see was just an (I don't know
| the exact term) "electronic tag". This is standard
| procedure in ecology, veterinary and animal husbandry. We
| did it sometimes. Is a rice grain size object, and does not
| left any noticeable scar in fishes.
| TheSpiceIsLife wrote:
| All good, I don't have any issue with attaching or
| implanting tracking devices for research purposes in what
| looks like a wholly harmless way.
|
| From what they were saying, it emitted a ping every ten
| minutes, wasn't entirely clear if it was acoustic or
| radio. Shark didn't seem to mind.
| mixmastamyk wrote:
| Most folks generally understand how radio works.
| jeffbee wrote:
| Well, why not? How can we improve general technological
| literacy? I don't want people to memorize the protocols, but
| I do want them to have the foundation of knowledge that would
| allow them to conclude that if the phone company can connect
| calls to your mobile handset, then they can also figure out
| roughly where it is. I'd also like for people to have the
| basic knowledge required to understand that GPS does not
| track you. It's the other way around. I'd like everyone to
| understand that mass and energy are conserved, the Earth
| orbits the Sun, etc.
| grawprog wrote:
| >would allow them to conclude that if the phone company can
| connect calls to your mobile handset, then they can also
| figure out roughly where it is
|
| To be fair, people have trouble concluding they can be
| tracked or found when they sign in to a service and are
| asked repeatedly if said service can have access to their
| location, then use said service to check in or announce
| their location publicly.
| spanhandler wrote:
| Every professional, expert, specialist, or technician feels
| this way about the stuff they know. "Why don't people know
| [basic thing about their work]? What a bunch of uneducated
| morons." The answer is because if they knew all the basic
| stuff about all those fields to be what those experts judge
| to be informed consumers, and took the time to apply that
| knowledge, they wouldn't have any time left to 1) actually
| buy products and services, or 2) learn what they need to
| know about their own field. Also because being an
| uninformed consumer works out more-or-less OK much of the
| time, largely because regulation prevents the worst sorts
| of abuses.
|
| In the specific case of tracking/spying I'd imagine lots of
| people (not most, but many) _have_ considered the
| possibility, then dismissed it without looking into it any
| further because it seems like something that would
| _obviously already be illegal_ , and assuming things that
| seem like they ought to already be illegal _are_ already
| illegal often gets one to the correct conclusion--just not
| this time. Those sorts probably assume that if a law
| enforcement agency gets a warrant or something _then_ they
| might start tracking locations using cell phones, but not
| that _the cell phone company is already doing that 100% of
| the time to everyone_ , since, again, it _really_ seems
| like something that 'd be illegal. I think a lot of the
| "information economy" falls in this blind spot--that credit
| card companies would be selling your purchase history or
| google/your-ISP would be recording every single website you
| visit _also_ seem, intuitively, like things that 'd be very
| illegal, for example.
| jeffbee wrote:
| I guess we will disagree on what is or should be
| obviously illegal. What your phone does is the functional
| equivalent of you walking down the street shouting your
| phone number. It does not strike me as obviously wrong
| for people to hear it.
| rrose wrote:
| the article also goes into the fact that these stingray
| devices can send text messages from your phone number and
| listen to your phone calls in real time. I dont think
| your analogy really captures that, and it's hard to
| imagine an argument for that being legal (at least
| without a warrant)
| spanhandler wrote:
| I just mean that it's the kind of thing many people who
| have some concept of how cell phones work _might assume_
| is illegal because tracking a bunch of people and storing
| all that info, or broad, non-tightly-targeted-and-
| regulated use of things like stingrays, and the various
| other things service providers and law enforcement do to
| spy on people really do seem pretty similar to stalking
| and warrantless search and various other activities that
| are illegal (so, obviously that would be too, how could
| it not be, one might reason), and so they might be
| surprised that a capability they know or suspect exists
| _in the technology_ is used the way it is and to the
| extent that it is by both private parties and law
| enforcement. Their not thinking about their cell phone as
| a device that spies on them or is otherwise very
| untrustworthy might not be because they don 't know what
| the tech _might do_ but because they 've assumed
| exercising those capabilities would be illegal.
|
| I suppose similar reasoning is how we arrive at our
| judgements on _most_ questions of legality, personally,
| when deciding how to behave and what to worry about
| others doing day-to-day. Like, I definitely can 't show
| you the statute that says driving the wrong way on the
| highway is illegal, rather than just a very bad idea, and
| I'm not sure I've even ever been told _specifically_ that
| that is illegal let alone done the research to makes sure
| it 's illegal--but nonetheless, I'm pretty sure it is.
| So, I would guess some people surprised that their cell
| phones spy on them in certain ways are more surprised
| that they _are_ being used that way and not that they
| _could_ be used that way.
|
| [EDIT] to stretch the analogy further, if I were
| surprised to learn that some delivery company had found a
| way to reduce delivery times by driving the wrong way on
| the highway, the fact that vehicles _are technically
| capable of_ driving the wrong way on the highway wouldn
| 't be the part that I found surprising.
| WarOnPrivacy wrote:
| In a general sense, our problem isn't surveillance but
| disproportional surveillance. It's generally appropriate
| for LEO to have access to the same data that all of us
| do. The problem is when 'privacy' or security laws
| restrict you and I from data but not the people who
| regularly exercise their exclusive powers to ruin lives.
| aylee wrote:
| Abstracting away all of the details underlying the tech is
| a double edged sword. On one side, you get massively higher
| adoption due to a lower barrier to entry. On the other, you
| now have a massive population of folks who don't understand
| the the "fundamentals".
|
| I'm not sure we "need" to improve the general
| understanding. I mean how many ppl know how to change their
| own car tires or oil? If anything you just keep creating
| niches for ppl to make livings in.
| WarOnPrivacy wrote:
| "Why does anyone need to know" is a restrictive premise.
|
| In my experience, what follows it are less rights, less
| ability, greater compliance & increased malleability (eg:
| susceptibility to "election meddling").
| TheAdamAndChe wrote:
| The median IQ is 100, meaning half of all people have IQs
| below 100. Many of them did not grow up in an environment
| that pushes lifelong learning. Lots of people do what
| they've been trained to do and nothing more, which is good!
| Our society needs people like that. But expecting people
| like that to think for themselves is a sure way to become
| needlessly frustrated.
|
| edit: switched average to median.
| steffan wrote:
| The measure that describes what you state would be the
| __median __, which is defined as the point at which there
| are as many values above as below.
|
| Averages will skew with large outliers on either side.
| E.g. if Bezos and I are alone in a room together, the
| average person in that room has $95B dollars. (Granted,
| in an n=2 situation, the median isn't meaningful either)
| TheAdamAndChe wrote:
| You're right, this has been fixed. Thanks!
| inetknght wrote:
| > _How can we improve general technological literacy?_
|
| Fund schools.
|
| Provide mandatory technical and privacy education.
|
| > _I 'd also like for people to have the basic knowledge
| required to_
|
| Fund schools.
| WarOnPrivacy wrote:
| > Fund schools.
|
| Hire tech capable teachers that care. Funding only works
| if it's toward this specific end.
| inetknght wrote:
| > _Hire tech capable teachers that care._
|
| I know teachers who make < $30k/year _and_ have to pay
| out-of-pocket for supplies. Good luck attracting tech
| talent with that salary.
|
| So, again: fund schools.
| WarOnPrivacy wrote:
| You've misrepresented my premise by quoting it without
| the context.
|
| Funding incapable teachers can't advance your goal. As
| long as the plan is "Fund schools." and nothing at all
| follows the period "." then students will have properly
| funded incapable teachers.
|
| Source: Father to 5, who've attended 25 years of well
| funded and less funded schools. That's well over 100
| teachers I've met with & learned about. Zero teachers
| understood technology on a level that would enable them
| to teach the nuances of technology safety. Many (if not
| most) would have been handicapped by the
| misunderstandings they held about tech.
| notabee wrote:
| Funding alone won't fix the decades of neglect, social
| norms built around that dysfunction, and the incompetent
| leadership many schools systems suffer with. But it's a
| necessary first step. If you don't fix the other pieces
| though, even higher pay won't keep the people around who
| should be there. I have known some teachers who tried
| their damnedest and were very competent, but burned out
| quickly.
| amanaplanacanal wrote:
| This seems like a common tv and movie plot point though. If
| you don't want to be found you have to destroy or lose your
| phone.
| GaryNumanVevo wrote:
| Pro-tip: If you want fairly good OPSEC when going to a protest,
| get a burner Android phone, put it on airplane mode with WIFI
| only. Then purchase a couple of Comcast / Xfiniti logins off the
| web, and use those to connect to "xfiniti-wifi" hotspots. Most
| cities have them, the speeds are fairly decent too.
|
| We're truly living in the panopticon
| gruez wrote:
| If you have gapps installed (every stock ROM unless you're in
| china), you should probably assume google is tracking your
| location through wifi networks. As such, you should probably
| install lineageos for additional security.
| rootsudo wrote:
| This is more reason then ever to flash a generic android
| image.
|
| Google does track your wifi and have amassed a huuuuuge
| library of SSID name, freq, mac addresses and this is what
| they use alongside IP geo location for google maps and other
| services.
|
| It's good and also bad. And if you restrict these things, you
| "look" like a bot so you have increased friction to accessing
| information!
|
| The looking like a bot, makes sense I get that and ddos
| prevention but it goes in a circle, doesn't it?
|
| iPhone is not the answer either, but an iphone w/ no google
| apps doesn't mean you're free from the ecosystem.
| refurb wrote:
| Maybe I'm being overly paranoid, but if you're arrested, what's
| stopping the cops from matching the phones MAC to public wifi
| connections?
| GaryNumanVevo wrote:
| Realistically nothing, however if they're using a Stingray to
| target large swaths of people, you're more likely to avoid
| getting your phone pinged on WIFI. Not to mention going after
| specific MAC info from Xfinity takes a long time.
| zamadatix wrote:
| Since Android 9 there is an option to use randomized MACs for
| the actual connection (not just probing).
| mixmastamyk wrote:
| Most folks won't be aware of an option unless it is
| default.
| chocolatkey wrote:
| On my Samsung Galaxy S10e (Android 10) it is the default
| zamadatix wrote:
| That's for probing only, randomization on connection is
| accessible via developer options only.
| CharlesW wrote:
| This might be helpful: https://support.apple.com/en-
| us/HT211227
|
| > _To reduce this privacy risk, iOS 14, iPadOS 14, and
| watchOS 7 include a feature that periodically changes the MAC
| address your device uses with each Wi-Fi network. This
| randomized MAC address is your device 's private Wi-Fi
| address for that network--until the next time it joins with a
| different address._
|
| iOS 14 is in beta, but has been pretty solid for me.
| https://beta.apple.com/sp/betaprogram/
| helios_invictus wrote:
| You should not have to be good at opsec or economically
| advantaged to be able to demonstrate.
| sbierwagen wrote:
| Then don't bring a cell phone to a protest?
| dylan604 wrote:
| Then again, what would happen to a protestor that actually
| protested in a non-violent manner? Let's specify in the US
| as I can only guess it would be much more dangerous to
| protest in a country without a protected constitutional
| right to do so. So a US citizen brings their cell phone to
| a protest, non-violently marches with their signs, sings
| some songs, yells some, gets dispersed in a violent manner
| and/or gets arrested. If their cell phone gets pinged in a
| Stingray sweep, what happens? What's the negative
| repercussions?
| ghaff wrote:
| It would certainly seem as if far and away the easiest and
| best opsec is to not have your phone on you or at least not
| turned on. Have people really become so dependent on their
| phones that the thought of being somewhere without one
| doesn't even come up as an option? I'd certainly at least
| turn my phone or a burner phone off before depending on not
| being compromised.
| nick_kline wrote:
| People are pretty dependent on their cell phones. It's
| our maps, ways out of places. You can even do bus tickets
| on them. It's our way to call for help, see if someone is
| okay. So it's weird not to have my phone on me.
| closeparen wrote:
| Are there documented examples of people in the US facing
| repercussions because they were known to have been at a
| protest?
| tedunangst wrote:
| Arrested for "your cell phone said you were at the
| protest" not so much. Arrested for "you were photographed
| throwing a molotov wearing a limited edition etsy shirt
| for which you left a review using the same handle as your
| instagram account" yeah. HN kinda considers that to be
| the same thing though.
| GaryNumanVevo wrote:
| Completely agree, between DHS compiling information on
| journalists and unmarked vans picking up protesters, it's
| like the Arab Spring
| AftHurrahWinch wrote:
| In Portland hundreds of demonstrators used the mesh-networking
| app Bridgefy, and some affinity groups used goTennas which even
| served streaming movies, music, and documentaries that spoke to
| the revolutionary tenor.
| sschueller wrote:
| How does bridgefy make money? It's not open source. The
| website leads to a level 3 default page.
|
| How do you know the feds don't own it?
| blue52 wrote:
| During uncertain times like this we need to be asking the
| hard questions. Always use protection like a VPN and
| iptable when connecting to unknown/untrusted networks.
| nick_kline wrote:
| Won't your wifi mac address be a unique identifier? Did google
| start doing wifi mac address randomization?
| samschooler wrote:
| Through the pandemic, Xfinity is offering anyone free guest
| access, so for at least the next few months, you don't need to
| even buy logins.
| https://corporate.comcast.com/press/releases/comcast-extends...
| codemac wrote:
| Note, this only works on the xfinity "public wifi stations"
| rather than the xfinity ssid's from home routers.
|
| If you want to access the home router networks, you still
| need to pay for an account.
| samschooler wrote:
| Yup thanks for the clarification
| omarchowdhury wrote:
| Are these logins legally purchasable or is there some
| black/grey market for them?
| seniorsassycat wrote:
| > stingrays can force phones to downgrade to 2G, a less secure
| protocol, and tell the phone to use either no encryption or use a
| weak encryption that can be cracked.
|
| Can android, iOS, or an open phone os prevent 2g communication?
| sudosysgen wrote:
| On Android, on most phones you can do _#_ #4636# _#_ , then get
| access to the service menu and configure the modem to act how
| you want it to.
| [deleted]
| jdefr89 wrote:
| Hey, I used to briefly work on the device in question. It's
| capabilities go far beyond just downgrading cellular service. I
| obviously can't say much more about it but I am a huge
| proponent of creating strong laws regarding who can use such a
| device and when. Putting such devices in the hands of low level
| law enforcement officers to use against their communities for
| trivial reasons can only turn out poorly.
| boring_twenties wrote:
| On Android, enter \ _#\_ #4636#\ _#\_ in the dialer. Then
| select "LTE only." (This will prevent 3G as well as 2G)
|
| edit: You gotta be kidding me with this formatting. Replace
| backslashes with asterisks.
| function_seven wrote:
| My apologies if this comes out garbled. Trying something...
|
| *#*#4636#*#*
| boring_twenties wrote:
| How?
| edflsafoiewq wrote:
| *=U+2217
| ideals wrote:
| Before I entered a random string into my phone I did a
| quick search which pulls up a bunch of other dialer
| commands for Android. It's pretty interesting
|
| https://android.stackexchange.com/questions/1468/do-you-
| know...
| [deleted]
| godelski wrote:
| That's because it is for MarkDown. So you can do things like
| _this_. But you can do * this * and it is fine. The
| difference is spacing.
| edflsafoiewq wrote:
| In normal Markdown you can escape with \ but it doesn't
| work on HN for some reason.
| xxpor wrote:
| On my phone (Galaxy Note 10), there's a toggle to allow 2G or
| not in the mobile network settings. No debug code needed or
| anything like that.
| WarOnPrivacy wrote:
| >Can android, iOS, or an open phone os prevent 2g
| communication?
|
| Some android installs can turn off 2g here: Settings -> Mobile
| Networks -> Network Mode
|
| However - 2G & 3g networks appear to be going away.
| https://1ot.mobi/resources/blog/a-complete-overview-of-2g-3g...
|
| AT&T killed 2g in 2017 https://www.pcmag.com/news/att-
| kills-2g-cutting-off-original...
|
| T-Mobile is in the process of turning off 2g
| https://www.alarmgrid.com/blog/t-mobile-and-rogers-2g-networ...
| [deleted]
| fulafel wrote:
| They could but they don't, and it's been known all along that
| these downgrade attacks are devastating to security and very
| practical. Complicity?
| shakna wrote:
| It happens within the OS for the baseband processor, not within
| the OS of the actual phone. Unsurprisingly, the details of how
| the baseband processor work are a highly guarded secret, and
| trying to reverse engineer anything around it will end up with
| a heft lawsuit thrown at you.
| jessaustin wrote:
| Presumably the creators of these devices have done at least
| some of that reverse engineering?
| jacquesm wrote:
| > trying to reverse engineer anything around it will end up
| with a heft lawsuit thrown at you.
|
| Is there an example of that? I can't imagine how reverse
| engineering anything would get a hefty lawsuit thrown at you.
| Maybe if you were to publish the results with your name under
| it, but just the act of reverse engineering?
| kawsper wrote:
| These low-level systems can be good attack vectors, on our
| computer systems if you can attack the BIOS (Intel ME or AMD
| PSP) it doesn't matter much what defenses the operating
| system has.
|
| Luckily, most of our computers aren't easily remotely
| connectable, but phone modems are another story.
| pas wrote:
| This is probably something that the baseband radio processor
| decides. Depending on the firmware/software on the chip the
| host OS might be able to instruct it to don't ever downgrade to
| 2G.
| myroon5 wrote:
| It's even possible for phones to be tracked while turned off:
|
| http://www.washingtonpost.com/world/national-security/nsa-gr...
|
| https://slate.com/technology/2013/07/nsa-can-reportedly-trac...
| alain94040 wrote:
| How is this possible?
| ExThermoGuy wrote:
| Your phone is never really off.
| sbierwagen wrote:
| Heads up: your account has been autobanned, maybe because
| you're commenting too many times as a new user, or for some
| other reason.
| x86_64Ubuntu wrote:
| How can you tell?
| sbierwagen wrote:
| Turn on "showdead" in account settings. This will show
| comments from banned users.
|
| I am only guessing they were autobanned. Comment history
| from the time of the banning doesn't show anything
| particular egregious that would trigger a manual ban.
| notyourday wrote:
| Unless you can physically disconnect the battery, your phone
| may not actually be fully off.
|
| For example, on my Android phone should I drain the battery
| into oblivion ( let the phone die ) and let it sit for about
| a week in that state, takes about 90 seconds to become fully
| functional to the lock screen from the moment it is plugged
| into a charger.
|
| On the other hand if I do hard power off of a phone followed
| by powering it on, it takes ~35-40 seconds for a phone to get
| to the lock screen. Out of curiosity I tested several more
| handsets with similar results. I can only explain that
| difference by phone not being completely powered off when the
| battery is inserted unless it does not have any juice at all.
| hammock wrote:
| It's called warm boot vs. cold boot (or soft boot vs hard
| boot)
| mixmastamyk wrote:
| I had assumed phone hardware generally won't power on until
| the battery has charged to 5% or so, ostensibly to prevent
| power drops. Not sure which idea is more accurate without a
| mobile electronics engineer chiming in.
| extrapickles wrote:
| You can use a non-linear junction detector, and triangulate
| on the signal it forces the target radio to give off. They
| are not very selective, so it's easier to track when there
| are very few radios in the area under illumination.
|
| The easier way is to compromise the phone and have it pretend
| to be off.
| arsome wrote:
| Do they even need to bother with a Stingray, can't they basically
| just pull up whatever provider's law enforcement portal and click
| a few buttons?
| TheSpiceIsLife wrote:
| Yeah, different tool though.
|
| An active mode IMSI capture device (eg, a Stingray) can:
|
| _Extracting stored data such as International Mobile
| Subscriber Identity ( "IMSI") numbers and Electronic Serial
| Number ("ESN")
|
| Writing cellular protocol metadata to internal storage
|
| Forcing an increase in signal transmission power
|
| Forcing an abundance of radio signals to be transmitted
|
| Forcing a downgrade to an older and less secure communications
| protocol if the older protocol is allowed by the target device,
| by making the Stingray pretend to be unable to communicate on
| an up-to-date protocol
|
| Interception of communications data or metadata
|
| Using received signal strength indicators to direction find the
| cellular device[9] Conducting a denial of service attack
|
| Oop, near forgot the reference
| https://en.wikipedia.org/wiki/Technical_and_further_educatio...
|
| Radio jamming for either general denial of service purposes or
| to aid in active mode protocol rollback attacks_
| jacquesm wrote:
| No, usually they need some kind of warrant for that.
| jdefr89 wrote:
| They will need a warrant usually even with stingray. I worked
| at said company on said technologies and left because I was
| comfortable with controls in place that prevent law enforcement
| from abusing it.
| jagged-chisel wrote:
| > I was comfortable
|
| I think perhaps you meant the opposite? You have about 30min
| to edit your comment...
| samtheprogram wrote:
| Not sure why you're getting downvoted, the other words in
| GP's comment, along with his other comment here [1],
| clearly indicate that you're right. Unfortunately it looks
| like 30 minutes have gone by.
|
| 1: https://news.ycombinator.com/item?id=24039707
| jagged-chisel wrote:
| Not to mention the logical discontinuity in "I left
| because I was comfortable" - I'd expect one to stay if
| they were comfortable. I would expect them to leave if
| they were not comfortable. But regardless of my
| expectations, I certainly could have been wrong.
|
| According to several other comments of theirs, discomfort
| drove them out. So I didn't believe I was incorrect. It's
| been awhile since I commented, so I hadn't even noticed
| any downvotes.
| xkcd-sucks wrote:
| Anecdotally from listening to police scanners, whenever there's
| an areawide BOLO notice or anything exciting involving a known
| party, they always say where the last "cellphone ping" was.
| E.g. "Look out for a Black male driving a white Nissan, last
| cell ping was on the north side of Lowell 15 minutes ago." Not
| sure if a warrant is required, but it happens pretty quickly
| blantonl wrote:
| That data is typically from the cell phone network provider
| themselves, not stingray and dirtboxes. It's part of the
| Enhanced 911 system in the United States.
| vanusa wrote:
| So - what countermeasures do people recommend?
|
| Is there anything one can carry around that acts like "phone" but
| is somehow less trackable?
| partdavid wrote:
| Someone else's phone?
| [deleted]
| kmfrk wrote:
| Title is "How Cops Can Secretly Track Your Phone" on my end.
| Assuming that was the original one, some comments here seem to
| suggest they only read the custom title without checking out the
| actual article.
| jancsika wrote:
| Protests should shift to "choose-your-own-adventure" style where
| a blockchain decides which branch to take. Just have a small
| selection of, say, 4 styles to choose from, where the most
| extreme includes potential branches with Ghandi-level long-term
| economic disruption.
|
| That way the stingray offers no advantage over the protesters;
| law enforcement and protesters get the next chapter at exactly
| the same time, and no single protestor or group of protestors may
| be targeted to disrupt the decision-making process.
|
| That pushes law enforcement either back to pre-protest prevention
| measures (which won't work for a spontaneous protest like BLM),
| or to disrupt internet connectivity altogether (which, for the
| Ghandi-level protest has its own economic implications).
___________________________________________________________________
(page generated 2020-08-03 23:00 UTC)