-   Tales From the Crypt(o) (
-   -   'All Your Data ❝Я❞ Belong To Us' Thread (

ewmayer 2017-11-22 01:08

o [url=]Google collects Android users’ locations even when location services are disabled[/url] | Quartz
[quote]Many people realize that smartphones track their locations. But what if you actively turn off location services, haven’t used any apps, and haven’t even inserted a carrier SIM card?

Even if you take all of those precautions, phones running Android software gather data about your location and send it back to Google when they’re connected to the internet, a Quartz investigation has revealed.

Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals’ locations and their movements that go far beyond a reasonable consumer expectation of privacy.

Quartz observed the data collection occur and contacted Google, which confirmed the practice.

The cell tower addresses have been included in information sent to the system Google uses to manage push notifications and messages on Android phones for the past 11 months, according to a Google spokesperson. [b]They were never used or stored, the spokesperson said[/b].[/quote]
Re. bolded snip: Right, because the same company that's been blatantly lying about user opt-out of its location services can be trusted regarding their claims about storage an use of such collected data. We pinkie-swear! But hey, this stuff is covered on page 31, subsection V.a{4], paragraph 3 of their privacy policy, so it was made eminently clear, notwithstanding the deliberately misleadingly named "location services" opt-out. But it gets even better - check out Google's lawyerly parsng of its own "we do not use your location data" language:
[quote]While Google says [b]it[/b] doesn’t use the location data it collects using this service, [b]it does allow advertisers to target consumers using location data[/b], an approach that has obvious commercial value. The company can tell using precise location tracking, for example, whether an individual with an Android phone or running Google apps has set foot in a specific store, and use that to target the advertising a user subsequently sees.[/quote]
IOW, "We respect your privacy, even if the legions of advertisers we sell your data to do not."

o []No boundaries: Exfiltration of personal data by session-replay scripts[/url] | Freedom to Tinket
[quote]You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use “session replay” scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.

The stated purpose of this data collection includes gathering insights into how users interact with websites and discovering broken or confusing pages. However the extent of data collected by these services far exceeds user expectations [1]; text typed into forms is collected before the user submits the form, and precise mouse movements are saved, all without any visual indication to the user. This data can’t reasonably be expected to be kept anonymous. In fact, some companies allow publishers to explicitly link recordings to a user’s real identity.[/quote]

ewmayer 2017-11-30 22:09

[]William Binney: the Struggles of 'a Good American'[/url] | Mint Press News
[quote]In other words, if [NSA director] Hayden had listened to Binney and SARC, there would have been no Edward Snowden and 9/11 might not have occurred. But as the film painfully points out, while Binney, Roark and Drake were being prosecuted, Hayden went on to get two major promotions. The first was Deputy Director of National Intelligence and later Director of the CIA. (Hayden remains a respected go-to intelligence expert sought out by the mainstream U.S. media.)
I would be remiss if I did not note that [documentary filmmaker Friedrich] Moser is from Austria and his film was sponsored by the Austrian Film Institute. I doubt that such a film could be made in the United States today. Recently, the mainstream U.S. media has labeled him a “conspiracy theorist” because he has disputed the conventional wisdom that Russia “hacked” Democratic emails to help elect President Trump; Binney’s experiments revealed that the download speed of one of the key hacks was impossible via an Internet hack and instead matched what was possible from a direct download onto a thumb drive, i.e., a leak from an insider.

But that is the fate of people who sacrifice their careers for just causes. They eventually lose their reputations.

Moser is to be congratulated for making his aptly titled film, which would be enormously informative to about 99 percent of the public. I would recommend it to anyone. You can see it on Amazon for $4, the story of a good American [/quote]

ewmayer 2017-12-20 23:27

o [url=]The Crypto- Keepers: How the politics-by-app hustle conquered all[/url] | Yasha Levine, The Baffler
[quote]For the last three years I had been investigating the grassroots crypto tech accessories at the heart of today’s powerful privacy movement: internet anonymizers, encrypted chat apps, untraceable drop boxes for whistleblowers, and super-secure operating systems that even the NSA supposedly couldn’t crack. These tools were promoted by Pulitzer Prize-winning journalists, hackers, whistleblowers, and the biggest and most credible names in the privacy trade—from Edward Snowden to the Electronic Frontier Foundation and the American Civil Liberties Union. Apps like Tor and Signal promised to protect users from America’s all-seeing surveillance apparatus. And the cryptographers and programmers who built these people’s crypto weapons? Well, many of them claimed to live on the edge: subversive crypto-anarchists fighting The Man, pursued and assailed by shadowy U.S. government forces. Citing harassment, some of them had fled the United States altogether, forced to live in self-imposed exile in Berlin.

At least that’s how they saw themselves. My reporting revealed a different reality. As I found out by digging through financial records and FOIA requests, many of these self-styled online radicals were actually military contractors, drawing salaries with benefits from the very same U.S. national security state they claimed to be fighting. Their spunky crypto-tech also turned out, on closer inspection, to be a jury-rigged and porous Potemkin Village version of secure digital communications. What’s more, the relevant software here was itself financed by the U.S. government: millions of dollars a year flowing to crypto radicals from the Pentagon, the State Department, and organizations spun off from the CIA.

My investigation of this community had brought me a lot of abuse: smears and death threats lobbed by military contractors against me and my colleagues; false slanderous stories planted in the press about me being a sexist bully and a CIA agent paid to undermine trust in encryption. So I learned long ago to approach my sources with skepticism and wariness—especially someone as infamous as [Russian internet mogul-in-exile Pavel] Durov, who had recently gotten into the crypto business with Telegram, which now enjoys the distinction of being ISIS’s favorite chat app.
In America, the initial movement to take the anti-surveillance fight to Silicon Valley fizzled and turned into something else that was at once bizarre and pathetic: privacy activists working with Google and Facebook to fight the NSA with privacy technology. This made precisely as much sense as siding with Blackwater (or Xe or Acadami or whatever the Pentagon contractor calls itself now) against the U.S. Army. Yet this trend of politics-by-app went into overdrive after Donald Trump was elected president. You saw it everywhere: civil libertarians, privacy advocates, and demoralized liberals arose to proclaim that encryption—even the stuff rolled out by Silicon Valley surveillance giants—was the only thing that could protect us from a totalitarian Trump administration.

“Trump Is President. Now Encrypt Your Email,” urged New York magazine’s technology editor Max Read in an opinion piece published in the New York Times in March. “In the weeks after Donald J. Trump won the election, a schism threatened to break my group of friends in two. Not a political argument brought about by the president-elect, or a philosophical fight over the future of the country, but a question of which app we should be using to chat....” Buzzfeed concurred: “Here’s How To Protect Your Privacy In Trump’s America: Easy tips to shield yourself from expanded government surveillance,” wrote the outlet, offering its millennial readers a listicle guide to “going dark” on the net.

What were these apps? Who made them? Did they really work? That’s where the story got even stranger.
Secrets and Lies
Durov’s involuntary encounters with the FBI drive home one unpleasant fact of life in the big data economy: today’s app-obsessed privacy movement relies almost entirely on crypto tools that were hatched and funded by America’s foreign policy apparatus—a body of agencies and organizations that came out of an old-school Cold War propaganda project run by the CIA.
Eventually, the CIA’s multi-tentacled propaganda operation shed its covert status, and was transformed by Congress into the Broadcasting Board of Governors, a sister federal agency to the State Department. With a nearly billion-dollar budget, today the BBG operates America’s sprawling foreign propaganda nexus. The American public is only dimly aware of the BBG’s existence, but this media empire leaves almost no corner of the world untouched by satellite, television and radio transmissions. And just as was the case nearly seventy years ago under the CIA, the mission of the BBG is to systematically perpetrate the very same thing that America’s esteemed political establishment is currently accusing Russia of doing: sponsoring news—some of it objective, some wildly distorted—as part of a broader campaign to project geopolitical power.
Over the next several years, the BBG, backed by the State Department, expanded the Internet Freedom initiative into a $50 million a year program funding hundreds of projects targeting countries across the world—China, Cuba, Vietnam, and Russia. And here things, yet again, took a turn for the surreal: the Internet Freedom apparatus was designed to project power abroad—yet it also emerged as the primary mover and shaker in America’s domestic privacy movement. It funded activists and privacy researchers, worked with the EFF and ACLU and even companies like Google. Wherever you looked, privacy tools funded by this agency dominated the scene. That included the most ardently promoted privacy products now on offer: Tor, the anonymous internet browsing platform that powers what’s known as the “dark web,” and Signal, the chat app championed by Edward Snowden. Both of them took in millions in government cash to stay afloat.[/quote]

ewmayer 2017-12-20 23:28

[Continued from above post]
From a Whisper to a Scream
When Pavel Durov first had VKontakte taken away from him by the Kremlin and fled Russia, he was hailed in the West as a hero—a modern-day Sakharov who fought for freedom and paid the price with his business. America’s crypto and privacy community embraced him, too. But it did not take long for the relationship to sour—and the chief culprit was Signal, a crypto mobile phone app built by a small opaque company called Open Whisper Systems, aka Quiet Riddle Ventures LLC.

Invented by a self-styled radical cryptographer who goes by the name of Moxie Marlinspike (although his real name may or may not be Matthew Rosenfeld or Mike Benham), Signal was brought to life with funding from the BBG-supported Open Technology Fund (which has pumped in almost $3 million since 2013), and appears to rely on continued government funding for survival. Despite the service’s close ties to an organization spun off from the CIA, the leading lights of America’s privacy and crypto community back the app. “I use Signal every day. #notesforFBI,” Snowden tweeted out to legions of followers who went out and downloaded the app en masse. Marlinspike leveraged Snowden’s praise to the max, featuring the leaker’s endorsement prominently on his company’s website: “Use anything by Open Whisper Systems.”

Largely thanks to Snowden’s endorsement and support, Signal has become the go-to encrypted chat app among American journalists, political organizers, and activists—from anarchists to Marxists to Black Lives Matter. These days, it’s also the secure planning app of first resort for opposition rallies targeting Trump. The app’s even made major inroads into Silicon Valley, with Marlinspike working with management at Facebook and Google to get them to adopt the chat app’s encryption architecture into their mobile chat programs, including WhatsApp. Not surprisingly, Facebook’s adoption of Signal into its WhatsApp program won plaudits from the BBG; managers at the propaganda shop boasted that government-funded privacy tools were now going to be used by a billion people.

Despite Open Whisper’s continued ties to the U.S. government, leading lights of America’s privacy and crypto community have taken to warning off people from using anything else. That includes Telegram, which deploys a custom-built cryptographic technique designed by Pavel Durov’s brother, Nikolai, a mathematician. Even Snowden has taken it upon himself to shoo people away from Telegram, advising political activists, journalists, dissidents, whistleblowers—in short, everyone—to use Signal or even Facebook’s WhatsApp instead. “By default, it is less safe than @WhatsApp, which makes [it] dangerous for non-experts,” he tweeted in response to a question from a Telegram-curious supporter.

But for an app designed to hide people from the prying eyes of the U.S. government, Signal’s architecture has given some security and crypto experts pause. Its encryption algorithm is supposed to be flawless, but the app’s backend runs as a cloud service on Amazon, which is itself a major CIA contractor. The program also requires that users connect the app to a real mobile phone number and give access to their entire address book—strange behavior for an app that is supposed to hide people’s identities. Signal also depends on Google and Apple to deliver and install the app on people’s phone, and both of those companies are surveillance partners of the NSA. “Google usually has root access to the phone, there’s the issue of integrity. Google is still cooperating with the NSA and other intelligence agencies,” wrote Sander Venema, a developer who trains journalists on security. “I’m pretty sure that Google could serve a specially modified update or version of Signal to specific targets for surveillance, and they would be none the wiser that they installed malware on their phones.” And given Signal’s narrow marketing to political activists and journalists, the app works like a flag: it might encrypt messages, but it also tags users as people with something to hide—a big fat sign that says: “WATCH ME, PLEASE.”

And anyway, Signal or no Signal, if your enemy was the United States government, it didn’t really matter what crypto app you used. A recent dump of CIA hacking-tool documents published by WikiLeaks revealed that the agency’s Mobile Devices Branch has developed all sorts of goodies to grab phone data, even when it’s quarantined by the firewalls of apps like Signal and WhatsApp or even Telegram. “These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide, and Cloackman by hacking the ‘smart’ phones that they run on and collecting audio and message traffic before encryption is applied,” wrote WikiLeaks.
Durov was dumbfounded. As we sat talking, he told me he could not understand how people could trust a supposedly anti-government weapon that was being funded by the very same U.S. government it was supposed to protect its users from.

I told him that I shared his bewilderment. Throughout all my reporting on this set of crypto radicals funded by a CIA spinoff, I asked a simple question that no one could properly answer: If apps like Signal really posed a threat to the NSA’s surveillance power, why would the U.S. government continue to fund them? I couldn’t help but think of how this alignment of government and corporate power would have been received among the tech and media establishment in the United States had something similar taken place in the former Soviet Union: imagine if the KGB funded a special crypto fax line and told Aleksandr Solzhenitsyn and dissident samizdat writers to use it, promising that it was totally shielded from KGB operatives. Then imagine that Solzhenitsyn would not only believe the KGB, but would tell all his dissident buddies to use it: “It’s totally safe.” The KGB’s efforts would be mercilessly ridiculed in the capitalist West, while Solzhenitsyn would be branded a collaborator at worst, or a stooge at best. Ridiculous as this fusion of tech and state interests under the rubric of dissidence is on the face of things, in America this plan can somehow fly.

As I laid out this analogy, Durov nodded in agreement. “I don’t think it’s a coincidence that we both understand how naïve this kind of thinking is, and that we were both born in the Soviet Union.”[/quote]

Nick 2017-12-21 08:45

Apps like Tor ... promised to protect users from America’s all-seeing surveillance apparatus.
It sounds as if the author has not really studied the history of Tor or talked to the people behind it.

ewmayer 2018-01-11 02:02

Article on post-quantum cryptography, aimed at the layperson, but interesting nonetheless:

[]Why Quantum Computers Won’t Break Classical Cryptography[/url] |

ewmayer 2018-01-29 00:08

[url=]Your Faceprint Tomorrow[/url] | Jacob Silverman, [i]The Baffler[/i]

xilman 2018-01-29 07:27

[URL=""]All your bases are belong to U.S.[/URL]

ewmayer 2018-02-18 23:17

[url=]Surveillance Valley[/url] | Yasha Levine, [i]The Baffler[/i]

ewmayer 2018-03-02 07:05

o [url=]The quantum internet has arrived (and it hasn’t)[/url] | Nature

Discussion re. how the various national Intel services will possibly go about weakening, outright banning, or bypassing (e.g. via hardware implants) the promise of quantum comms security is welcome.

o [url=]In-the-wild DDoSes use new way to achieve unthinkable sizes[/url] | Ars Technica: [i]Attackers abuse “memcached” to amplify volumes by an unprecedented factor of 51k.[/i]

Dubslow 2018-03-16 01:19


All times are UTC. The time now is 12:22.

Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2021, Jelsoft Enterprises Ltd.