Resources

How Law Enforcement Gets Around Your Smartphone’s Encryption

Lawmakers and law enforcement agencies around the world, including in the United States, have increasingly called for backdoors in the encryption schemes that protect your data, arguing that national security is at stake. But new research indicates governments already have methods and tools that, for better or worse, let them access locked smartphones thanks to weaknesses in the security schemes of Android and iOS.

Cryptographers at Johns Hopkins University used publicly available documentation from Apple and Google as well as their own analysis to assess the robustness of Android and iOS encryption. They also studied more than a decade’s worth of reports about which of these mobile security features law enforcement and criminals have previously bypassed, or can currently, using special hacking tools…

Once you unlock your device for the first time after a reboot, many encryption keys start being stored in quick-access memory, even while the phone is locked. At this point an attacker could find and exploit certain types of security vulnerabilities in iOS to grab encryption keys that are accessible in memory and decrypt big chunks of data from the phone. Based on available reports about smartphone access tools, like those from the Israeli law enforcement contractor Cellebrite and US-based forensic access firm Grayshift, the researchers concluded that this is how almost all smartphone access tools likely work right now. It’s true that you need a specific type of operating system vulnerability to grab the keys, and both Apple and Google patch as many of those flaws as possible, but if you can find one, the keys are available, too…

Forensic tools exploiting the right vulnerability can grab even more decryption keys, and ultimately access even more data, on an Android phone.
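To make the before-first-unlock/after-first-unlock distinction concrete, here is an added toy model (not code from the Johns Hopkins researchers, Apple, Google, Cellebrite or Grayshift). The two protection-class names follow Apple's documented iOS Data Protection classes; the KDF and the seal/unseal cipher are standard-library stand-ins for the hardware-bound KDF and AES, and the passcode, file names and contents are constructed for the demo. The model keeps class keys in RAM after unlock, evicts only the "Complete" class key on lock, and then asks what an attacker holding a memory-read bug but no passcode can decrypt in each state.

```python
"""Toy model of a phone's data-protection key hierarchy before and after first
unlock (BFU vs AFU). Added illustration only, not vendor or researcher code; the
class names are Apple's, the cipher/KDF are standard-library stand-ins, and every
passcode, file and secret below is constructed for the demo."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Does the class key stay in memory while the phone is locked (AFU)?
PROTECTION_CLASSES = {
    "Complete": False,                             # evicted on lock
    "CompleteUntilFirstUserAuthentication": True,  # kept until reboot
}

def _keystream(key, nonce, length):
    """HMAC-SHA256 counter-mode keystream (toy stand-in for AES-CTR)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag (toy construction)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Inverse of seal(); raises ValueError on a wrong key or a tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def derive_class_key(passcode, device_secret, class_name):
    """Passcode stretched with a per-device secret (stand-in for the hardware-bound KDF)."""
    salt = device_secret + class_name.encode()
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 10_000, 32)

@dataclass
class Device:
    device_secret: bytes = field(default_factory=lambda: os.urandom(32))
    files: dict = field(default_factory=dict)   # name -> (class, wrapped file key, sealed data)
    memory: dict = field(default_factory=dict)  # class keys currently held in RAM

    def store(self, name, class_name, content):
        """Needs the class key in RAM: a fresh per-file key is wrapped under it."""
        file_key = os.urandom(32)
        self.files[name] = (class_name, seal(self.memory[class_name], file_key),
                            seal(file_key, content))

    def reboot(self):            # BFU: RAM is empty, nothing is unwrapped
        self.memory.clear()

    def unlock(self, passcode):  # derive and cache every class key
        for cls in PROTECTION_CLASSES:
            self.memory[cls] = derive_class_key(passcode, self.device_secret, cls)

    def lock(self):              # AFU: evict only the classes that demand it
        for cls, keep in PROTECTION_CLASSES.items():
            if not keep:
                self.memory.pop(cls, None)

def recoverable_from_memory(device):
    """Files an attacker recovers with a kernel memory read but no passcode."""
    dump = dict(device.memory)   # the memory-disclosure bug, modeled as a copy of RAM
    recovered = set()
    for name, (cls, wrapped_key, sealed) in device.files.items():
        if cls in dump:
            try:
                unseal(unseal(dump[cls], wrapped_key), sealed)
                recovered.add(name)
            except ValueError:   # wrong class key (e.g. guessed passcode): nothing leaks
                pass
    return recovered

def simulate():
    """Same phone, same memory-read bug, three device states."""
    phone = Device()
    phone.unlock("1234")         # constructed demo passcode
    phone.store("messages.db", "CompleteUntilFirstUserAuthentication", b"chat history")
    phone.store("health.db", "Complete", b"heart rate log")
    phone.reboot()
    bfu = recoverable_from_memory(phone)
    phone.unlock("1234")
    phone.lock()
    afu = recoverable_from_memory(phone)
    phone.unlock("1234")
    return {"BFU": bfu, "AFU": afu, "unlocked": recoverable_from_memory(phone)}

if __name__ == "__main__":
    for state, names in simulate().items():
        print(f"{state:9s} {sorted(names)}")
```

The takeaway the paragraph describes falls out of `simulate()`: in the BFU state the memory read yields nothing, in the AFU state it yields every file in the class whose key is kept after the first unlock, and only an unlocked phone exposes the "Complete" class. The protective effect therefore depends on which class each app chose for its data, not on whether the screen is locked at seizure time.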

NSO Used Real People’s Location Data To Pitch Its Contact-Tracing Tech

NSO, a private intelligence company best known for developing and selling governments access to its Pegasus spyware, pitched its contact-tracing system earlier this year, dubbed Fleming, aimed at helping governments track the spread of COVID-19. Fleming is designed to allow governments to feed location data from cell phone companies to visualize and track the spread of the virus. NSO gave several news outlets each a demo of Fleming, which NSO says helps governments make public health decisions “without compromising individual privacy.” But in May, a security researcher told TechCrunch that he found an exposed database storing thousands of location data points used by NSO to demonstrate how Fleming works — the same demo seen by reporters weeks earlier. TechCrunch reported the apparent security lapse to NSO, which quickly secured the database, but said that the location data was “not based on real and genuine data.” NSO’s claim that the location data wasn’t real differed from reports in Israeli media, which said NSO had used phone location data obtained from advertising platforms, known as data brokers, to “train” the system. Academic and privacy expert Tehilla Shwartz Altshuler, who was also given a demo of Fleming, said NSO told her that the data was obtained from data brokers, which sell access to vast troves of aggregate location data collected from the apps installed on millions of phones.

NSO is currently embroiled in a lawsuit with Facebook-owned WhatsApp, which last year blamed NSO for exploiting an undisclosed vulnerability in WhatsApp to infect some 1,400 phones with Pegasus, including journalists and human rights defenders. NSO says it should be afforded legal immunity because it acts on behalf of governments.

Dozens of Journalists’ iPhones Hacked With NSO ‘Zero-Click’ Spyware, Says Citizen Lab

For more than a year, London-based reporter Rania Dridi and at least 36 journalists, producers and executives working for the Al Jazeera news agency were targeted with a so-called “zero-click” attack that exploited a now-fixed vulnerability in Apple’s iMessage. The attack invisibly compromised the devices without having to trick the victims into opening a malicious link. Citizen Lab, the internet watchdog at the University of Toronto, was asked to investigate earlier this year after one of the victims, Al Jazeera investigative journalist Tamer Almisshal, suspected that his phone may have been hacked. In a technical report out Sunday and shared with TechCrunch, the researchers say they believe the journalists’ iPhones were infected with the Pegasus spyware, developed by Israel-based NSO Group. The researchers analyzed Almisshal’s iPhone and found that between July and August it had connected to servers known to be used by NSO for delivering the Pegasus spyware. The device revealed a burst of network activity that suggests the spyware may have been delivered silently over iMessage. Logs from the phone show that the spyware was likely able to secretly record the microphone and phone calls, take photos using the phone’s camera, access the victim’s passwords, and track the phone’s location.

Surveillance Compounded: Real-Time Crime Centers in the United States

Over the last two decades, law enforcement agencies across the United States have been obtaining more and more sophisticated surveillance technologies to collect data. Technologies such as networked cameras, automated license plate readers, and gunshot detection are deployed around the clock, as are the tools to process this data, such as predictive policing software and AI-enhanced video analytics. The last five years have seen a distinct trend in which police have begun deploying all of this technology in conjunction with one another. The technologies, working in concert, are being consolidated and fed into physical locations called Real-Time Crime Centers (RTCCs). These high-tech hubs, filled with walls of TV monitors and computer workstations for sworn officers and civilian analysts, not only exploit huge amounts of data, but also are used to justify an increase in surveillance technology through new “data-driven” or “intelligence-led” policing strategies.

As part of the Atlas of Surveillance project, the Electronic Frontier Foundation and students from the Reynolds School of Journalism at the University of Nevada, Reno have identified more than 80 RTCCs across the United States, with heavy concentrations in the South and the Northeast. In this report, we highlight the capabilities and controversies surrounding 7 of these facilities. As this trend expands, it is crucial that the public understands how the technologies are combined to collect data about people as they move through their day-to-day lives.

What Modern Video Surveillance Looks Like

A few years ago, when you saw a security camera, you may have thought that the video feed went to a VCR somewhere in a back office that could only be accessed when a crime occurs. Or maybe you imagined a sleepy guard who only paid half-attention, and only when they discovered a crime in progress. In the age of internet-connectivity, now it’s easy to imagine footage sitting on a server somewhere, with any image inaccessible except to someone willing to fast forward through hundreds of hours of footage.

That may be how it worked in 1990s heist movies, and it may be how a homeowner still sorts through their own home security camera footage. But that’s not how cameras operate in today’s security environment. Instead, advanced algorithms are watching every frame on every camera and documenting every person, animal, vehicle, and backpack as they move through physical space, and thus camera to camera, over an extended period of time.

France Bans Use of Drones To Police Protests In Paris

The Council of State said Paris police prefect Didier Lallement should halt “without delay” drone surveillance of gatherings on public roads. The ruling comes weeks after MPs backed a controversial security bill that includes police use of drones. Its main aim is to regulate how people share film or photos of police.

Privacy rights group La Quadrature du Net (LQDN) has argued that the bill’s main measures violate freedom of expression and that drones equipped with cameras cannot keep the peace but track individuals instead. The Council of State ruled there was “serious doubt over the legality” of drones without a prior text authorizing and setting out their use. LQDN said the only way the government could legalize drone surveillance now was by providing “impossible proof” that it was absolutely necessary to maintain law and order. The decision is the second setback in months for Parisian authorities’ drone plans. In May, the same court ruled that drones could not be used in the capital to track people in breach of France’s strict lockdown rules.

TikTok: Rampant product placement

In the world of TikTok, brands have the opportunity to get products out into the real world – or make stories of them already being out there. The platform turns placement into consumption as consumers participate – or play – with the products. Product placement on the platform could come from just giving products out to creators, or partnering with them, as is done on other platforms. However, it could also come from amplifying organic content or trends that are already happening with a brand’s products … Viewers are the stars. When it comes to distinguishing between viewers and audiences on TikTok, just as with content and ads, the lines are blurred. In fact, many TikTok users are also creators. For these creators, the feed is their stage, and this is where the opportunity for sponsorship and placement lies for brands.

Hundreds Riot, Thousands Protest at iPhone Factory in India

The international news agency AFP reports on “a violent rampage at a Taiwanese-run iPhone factory in southern India” leading to over 100 arrests. About 2,000 workers were involved in the protest, reports The Verge, citing the Indian Express newspaper.

The workers are protesting over allegations of unpaid wages and exploitation, according to AFP. “Local media reported workers saying they had not been paid for up to four months and were being forced to do extra shifts…”
Workers at the Taiwanese-run Wistron Infocomm Manufacturing near Bangalore smashed glass panels with rods and flipped cars on their side… CCTV cameras, fans and lights were torn down, while a car was set on fire, footage shared on social media showed…

A local trade union leader alleged that there was “brutal exploitation” of factory workers in sweatshop conditions at the iPhone manufacturing plant. “The state government has allowed the company to flout the basic rights,” Satyanand, who uses one name, told The Hindu newspaper… Labour unrest is not uncommon in India, with workers paid poorly and given few or no social security benefits.

High-Frequency Traders Push Closer To Light Speed With Cutting-Edge Cables

High-frequency traders are using an experimental type of cable to speed up their systems by billionths of a second, the latest move in a technological arms race to execute stock trades as quickly as possible. From a report:
The cable, called hollow-core fiber, is a next-generation version of the fiber-optic cable used to deliver broadband internet to homes and businesses. Made of glass, such cables carry data encoded as beams of light. But instead of being solid, hollow-core fiber is empty inside, with dozens of parallel, air-filled channels narrower than a human hair. Because light travels nearly 50% faster through air than glass, it takes about one-third less time to send data through hollow-core fiber than through the same length of standard fiber. The difference is often just a minuscule fraction of a second. But in high-frequency trading, that can make the difference between profits and losses. HFT firms use sophisticated algorithms and ultrafast data networks to execute rapid-fire trades in stocks, options and futures. Many are secretive about their trading strategies and technology.

Hollow-core fiber is the latest in a series of advances that fast traders have used to try to outrace their competition. A decade ago, a company called Spread Networks spent about $300 million to lay fiber-optic cable in a straight line from Chicago to New York, so traders could send data back and forth along the route in just 13 milliseconds, or thousandths of a second. Within a few years the link was superseded by microwave networks that reduced transmission times along the route to less than nine milliseconds. HFT firms have also used lasers to zip data between the data centers of the New York Stock Exchange and Nasdaq, and they have embedded their algorithms in superfast computer chips. Now, faced with the limits of physics and technology, traders are left fighting over nanoseconds. “The time increments of these improvements have gotten markedly smaller,” said Michael Persico, chief executive of Anova Financial Networks, a technology provider that runs communications networks used by HFT firms. High-frequency trading is controversial, with critics saying that some ultrafast strategies amount to an invisible tax on investors. Industry representatives say such criticism is unfounded.

Australia Sues Facebook Over Its Use of Onavo To Snoop

Australia’s Competition and Consumer Commission (ACCC) is suing Facebook over its use, in 2016 and 2017, of the Onavo VPN app to spy on users for commercial purposes. From a report:
The ACCC’s case accuses Facebook of false, misleading or deceptive conduct toward thousands of Australian consumers, after it had promoted the Onavo Protect app — saying it would keep users personal activity data private, protected and secret and not use it for any other purpose, when it was being used to gather data to help Facebook’s business. “Through Onavo Protect, Facebook was collecting and using the very detailed and valuable personal activity data of thousands of Australian consumers for its own commercial purposes, which we believe is completely contrary to the promise of protection, secrecy and privacy that was central to Facebook’s promotion of this app,” said ACCC chair Rod Sims in a statement. “Consumers often use VPN services because they care about their online privacy, and that is what this Facebook product claimed to offer. In fact, Onavo Protect channelled significant volumes of their personal activity data straight back to Facebook.”

Facebook Said It’s Developing A Tool To Read Your Brain

Facebook told employees this week that it’s developing a tool to summarize news articles so users won’t have to read them. It also laid out early plans for a neural sensor to detect people’s thoughts and translate them into action. From a report:
[…] He [Facebook Chief Technology Officer Mike Schroepfer] also detailed a neural sensor to read commands from people’s brains. Having acquired neural interface startup CTRL-labs in 2019, Facebook demonstrated its progress in the field with a sensor that takes “neural signals coming from my brain, down my spinal cord along my arm, to my wrist” and allows a user to make a physical action. Schroepfer noted that it could be used for typing, holding a virtual object, or controlling a character in a video game. “We all get the privilege of seeing the future because we are making it,” he said. Still, Facebook’s chief technology officer seemed to anticipate any criticisms of the products — or past failures — by touting safety measures. “We have to build responsibly to earn trust and the right to continue to grow,” he said. “It’s imperative that we get this right so that people around the world get all these amazing technologies … without experiencing the downsides.”

How the Nature Conservancy, the World’s Biggest Environmental Group, Became a Dealer of Meaningless Carbon Offsets

At first glance, big corporations appear to be protecting great swaths of U.S. forests in the fight against climate change. JPMorgan Chase & Co. has paid almost $1 million to preserve forestland in eastern Pennsylvania. Forty miles away, Walt Disney has spent hundreds of thousands to keep the city of Bethlehem, Pa., from aggressively harvesting a forest that surrounds its reservoirs. Across the state line in New York, investment giant BlackRock has paid thousands to the city of Albany to refrain from cutting trees around its reservoirs. JPMorgan, Disney, and BlackRock tout these projects as an important mechanism for slashing their own large carbon footprints.

By funding the preservation of carbon-absorbing forests, the companies say, they’re offsetting the carbon-producing impact of their global operations. But in all of those cases, the land was never threatened; the trees were already part of well-preserved forests. Rather than dramatically change their operations — JPMorgan executives continue to jet around the globe, Disney’s cruise ships still burn oil, and BlackRock’s office buildings gobble up electricity — the corporations are working with the Nature Conservancy, the world’s largest environmental group, to employ far-fetched logic to help absolve them of their climate sins. By taking credit for saving well-protected land, these companies are reducing nowhere near the pollution that they claim. […]

China Turns On Nuclear-Powered ‘Artificial Sun’

China successfully powered up its “artificial sun” nuclear fusion reactor for the first time, state media reported Friday, marking a great advance in the country’s nuclear power research capabilities. Phys.Org reports:
The HL-2M Tokamak reactor is China’s largest and most advanced nuclear fusion experimental research device, and scientists hope that the device can potentially unlock a powerful clean energy source. It uses a powerful magnetic field to fuse hot plasma and can reach temperatures of over 150 million degrees Celsius, according to the People’s Daily — approximately ten times hotter than the core of the sun. Located in southwestern Sichuan province and completed late last year, the reactor is often called an “artificial sun” on account of the enormous heat and power it produces. They plan to use the device in collaboration with scientists working on the International Thermonuclear Experimental Reactor — the world’s largest nuclear fusion research project based in France, which is expected to be completed in 2025.

Australia’s Great Barrier Reef Status Lowered To ‘Critical’ and Deteriorating

The health status of Australia’s Great Barrier Reef has officially declined from “significant concern” to “critical” for the first time, the International Union for Conservation of Nature (IUCN) announced this week. CBS News reports:
It said climate change is now the biggest threat to natural World Heritage sites, including the world’s largest and most spectacular coral reef. According to the new report, one-third of the 252 natural World Heritage sites are now threatened by climate change. Previously, invasive species were listed as the top threat.

The Great Barrier Reef must contend with ocean warming, acidification and extreme weather to stay alive amid record heat waves. It has lost half of its coral to climate change since 1995, with its status now listed as “critical” — the most urgent designated status in the classification system of the UNESCO advisory board. Sites listed as critical are “severely threatened and require urgent, additional and large-scale conservation measures,” the report said. Additionally, the report warns that plans to protect the reef long-term have been slow to implement, failing to stop or reverse the reef’s deterioration.
The report adds that four other Australian world heritage sites have also deteriorated and received lowered statuses — the Blue Mountains, the Gondwana rainforests, the Ningaloo Coast and Shark Bay. “Overall, more sites have deteriorated than improved since 2017,” reports CBS News.

US Air Pollution Monitoring Network Falling Into Disrepair

The U.S. air pollution monitoring network has fallen into disrepair after years of budget cuts and neglect, leaving tens of millions of Americans vulnerable to undetected bad air quality from events like wildfires to industrial pollution, according to a report by the investigative arm of Congress. Reuters:
The conclusions from a 2-1/2-year audit by the U.S. Government Accountability Office (GAO) confirm key findings in a Reuters special report published last week that detailed broad failures in the air-pollution monitoring system, whose data guides U.S. regulatory policy and informs the public about health risks. Federal funding for the air monitoring network, which is overseen by the Environmental Protection Agency (EPA) and operated and maintained by state and local environmental agencies, has declined by about 20% since 2004, after adjusting for inflation, leaving it in poor condition, according to the GAO report viewed by Reuters. The GAO report said some agencies have reported termite damage and leaky roofs at shelters housing sensitive but aging pollution monitoring equipment, and one state agency resorted to shopping on eBay to find used monitor parts because the manufacturer had stopped making them.

China Expanding Weather-Control Program To Make Artificial Rain, Snow

China is massively expanding its weather-control project, and is aiming to be able to cover half the country in artificial rain and snow by 2025, the government said Tuesday. Business Insider reports:
The practice of “cloud seeding” was discovered in the US in 1946 by a chemist working for General Electric. China launched its own similar program in the 1960s. Dozens of other countries — including the US — also have such programs, but Beijing has the world’s largest, employing around 35,000 people, The Guardian reported.

In a statement, China’s State Council said that the country’s cloud seeding project will expand fivefold to cover an area of 2.1 million square miles and be completed by 2025. (China encompasses 3.7 million square miles, meaning the project could cover 56% of the country’s surface area.) The project will be at a “worldwide advanced level” by 2035, the State Council said, and will help alleviate “disasters such as drought and hail” and facilitate emergency responses “to forest or grassland fires.”

US Used Patriot Act To Gather Logs of Website Visitors

The government has interpreted a high-profile provision of the Patriot Act as empowering F.B.I. national security investigators to collect logs showing who has visited particular web pages, documents show. But the government stops short of using that law to collect the keywords people submit to internet search engines because it considers such terms to be content that requires a warrant to gather, according to letters produced by the Office of the Director of National Intelligence. The disclosures come at a time when Congress is struggling with new proposals to limit the law, known as Section 215 of the Patriot Act. The debate ran aground in the spring amid erratic messages from President Trump, but is expected to resume after President-elect Joseph R. Biden Jr. takes the oath of office in January.

In May, 59 senators voted to bar the use of Section 215 to collect internet search terms or web browsing activity, but negotiations broke down in the House. During that period, Senator Ron Wyden, Democrat of Oregon and one of the sponsors of the proposed ban, wrote to the director of national intelligence seeking clarity about any such use. Six months later, the Trump administration finally replied — initially, it turned out, in a misleading way. In a Nov. 6 letter to Mr. Wyden, John Ratcliffe, the intelligence director, wrote that Section 215 was not used to gather internet search terms, and that none of the 61 orders issued last year under that law by the Foreign Intelligence Surveillance Court involved collection of “web browsing” records. Mr. Wyden’s office provided that letter to The New York Times, arguing that it meant Mr. Wyden’s proposal in May — which he sponsored with Senator Steve Daines, Republican of Montana — could be enacted into law without any operational costs.

But The Times pressed Mr. Ratcliffe’s office and the F.B.I. to clarify whether it was defining “web browsing” activity to encompass logging all visitors to a particular website, in addition to a particular person’s browsing among different sites. The next day, the Justice Department sent a clarification to Mr. Ratcliffe’s office, according to a follow-up letter he sent to Mr. Wyden on Nov. 25. In fact, “one of those 61 orders resulted in the production of information that could be characterized as information regarding browsing,” Mr. Ratcliffe wrote in the second letter. Specifically, one order had approved collection of logs revealing which computers “in a specified foreign country” had visited “a single, identified U.S. web page.” Mr. Ratcliffe expressed regret “that this additional information was not included in my earlier letter” to the senator, and suggested his staff might take further “corrective action.” In a statement, Mr. Wyden said the letters raise “all kinds of new questions, including whether, in this particular case, the government has taken steps to avoid collecting Americans’ web browsing information.” “More generally,” Mr. Wyden continued, “the D.N.I. has provided no guarantee that the government wouldn’t use the Patriot Act to intentionally collect Americans’ web browsing information in the future, which is why Congress must pass the warrant requirement that has already received support from a bipartisan majority in the Senate.”

Google Illegally Spied On Workers Before Firing Them, US Labor Board Alleges

Google violated US labor laws by spying on workers who were organizing employee protests, then firing two of them, according to a complaint to be filed by the National Labor Relations Board (NLRB) today. The complaint names two employees, Laurence Berland and Kathryn Spiers, both of whom were fired by the company in late 2019 in connection with employee activism. Berland was organizing against Google’s decision to work with IRI Consultants, a firm widely known for its anti-union efforts, when he was let go for reviewing other employees’ calendars. Now, the NLRB has found Google’s policy against employees looking at certain coworkers’ calendars is unlawful. “Google’s hiring of IRI is an unambiguous declaration that management will no longer tolerate worker organizing,” Berland said in a statement. “Management and their union busting cronies wanted to send that message, and the NLRB is now sending their own message: worker organizing is protected by law.”

Spiers was fired after she created a pop-up for Google employees visiting the IRI Consultants website. “Googlers have the right to participate in protected concerted activities,” the notification read, according to The Guardian. The company said Spiers had violated security policies, a statement that hurt her reputation in the tech community. Now, the NLRB has found the firing was unlawful. “This week the NLRB issued a complaint on my behalf. They found that I was illegally terminated for trying to help my colleagues,” Spiers said. “Colleagues and strangers believe I abused my role because of lies told by Google management while they were retaliating against me. The NLRB can order Google to reinstate me, but it cannot reverse the harm done to my credibility.”

Human ‘Stuff’ Now Outweighs All Life on Earth

It’s not just your storage unit that’s packed to the gills. According to a new study, the mass of all our stuff — buildings, roads, cars, and everything else we manufacture — now exceeds the weight of all living things on the planet. And the amount of new material added every week equals the total weight of Earth’s nearly 8 billion people. “If you weren’t convinced before that humans are dominating the planet, then you should be convinced now,” says Timon McPhearson, an urban ecologist at the New School who was not involved with the research. “This is an eye-catching comparison,” adds Fridolin Krausmann, a social ecologist at the University of Natural Resources and Life Sciences, Vienna, who also was not involved in the work. There are many measures of humanity’s impact on the planet. Fossil fuels have sent greenhouse gases soaring to levels not seen in at least 800,000 years. Agriculture and dwellings have altered 70% of land. And humans have wiped out untold numbers of species in an emerging great extinction. The transformations are so great that researchers have declared we’re living in a new human-dominated age: the Anthropocene.

Report Claims America’s CIA Also Controlled a Second Swiss Encryption Firm

Swiss politicians have voiced outrage and demanded an investigation after revelations that a second Swiss encryption company was allegedly used by the CIA and its German counterpart to spy on governments worldwide. “How can such a thing happen in a country that claims to be neutral like Switzerland?” co-head of Switzerland’s Socialist Party, Cedric Wermuth, asked in an interview with Swiss public broadcaster SRF late Thursday. He called for a parliamentary inquiry after an SRF investigation broadcast on Wednesday found that a second Swiss encryption firm had been part of a spectacular espionage scheme orchestrated by U.S. and German intelligence services.

A first investigation had revealed back in February an elaborate, decades-long set-up, in which the CIA and its German counterpart creamed off the top-secret communications of governments through their hidden control of a Swiss encryption company called Crypto.

SRF’s report this week found that a second but smaller Swiss encryption firm, Omnisec, had been used in the same way.

That company, which was split off from Swiss cryptographic equipment maker Gretag in 1987, sold voice, fax and data encryption equipment to governments around the world until it halted operations two years ago. SRF’s investigative program Rundschau concluded that, like Crypto, Omnisec had sold manipulated equipment to foreign governments and armies. Omnisec meanwhile also sold its faulty OC-500 series devices to several federal agencies in Switzerland, including its own intelligence agencies, as well as to Switzerland’s largest bank, UBS, and other private companies in the country, the SRF investigation showed.

The findings unleashed fresh outrage in Switzerland, which is still reeling from the Crypto revelations.