Friday Squid Blogging: Cephalopod Art Conference

There was an interdisciplinary cephalopod art conference earlier this year, in Minneapolis. Videos of the conference are available online.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on November 25, 2011 at 4:27 PM • 22 Comments

Comments

DanielNovember 25, 2011 4:40 PM

Mall tracks shoppers using cell phone signals.

http://money.cnn.com/2011/11/22/technology/...

"The tracking system, called FootPath Technology, works through a series of antennas positioned throughout the shopping center that capture the unique identification number assigned to each phone (similar to a computer's IP address), and tracks its movement throughout the stores."

kashmarekNovember 25, 2011 4:50 PM

re: Mall Tracking

It seems that would be considered wiretapping, to intercept the signals, capture the phone id, and retain that information. In the early days of cell phone usage, that was an alarming situation when it was be done from highway overpasses for the purposes of using that phone information to make free calls. What is different now?

llewellyNovember 25, 2011 5:16 PM

But, never fear, the ID of your phone is EXTRA scram-diddly-scrambled:

"Last year, hackers hit AT&T, exposing the unique ID numbers and e-mail addresses of more than 100,000 iPad 3G owners. To make it harder for hackers to get at this information, Path Intelligence scrambles those numbers twice."

HOORAY FOR INFORMATION THEORY!!

ChrisNovember 25, 2011 7:39 PM

As I recall a phone sends out the equivalent of a MAC in the clear - it's how the system knows where your phone is in order to direct calls to the nearest cells. I don't know if that's enough to work backward to the person's phone number.

martinrNovember 25, 2011 8:45 PM

The ID tracked by FootPath sound like the IMEI of mobile phones
http://en.wikipedia.org/wiki/IMEI

If FootPath has sufficient scanners/antennas to triangulate the positions of the phones and couples it with the data processed in shop's cashiers about payments involving credit/debit or any other membership or affiliation cards, then they could attach persons names to the tracked IMEIs.

Clive RobinsonNovember 26, 2011 9:39 AM

@ Nick P,

I gather "Black Friday" has a different meaning on your side of the puddle than mine.

However how about a "Black Friday" or "Oh Crist" present list for that "Man about his compound",

http://www.theregister.co.uk/2011/11/25/...

One note, the cobolt gun barrel construction method of "rolling around a mandril" is the original way of making rifled gun barrels prior to land cutting tools.

Oh and my old "friends" from times sadly long past Accuracy International make it into the list, and are no doubt on the Xmas wish list of most squads/units at the sharp end this year.

Clive RobinsonNovember 27, 2011 11:14 PM

@ luigi,

The problem revolves around the thorny issue of encryption and key management.

Diaspora are trying to solve a "Chiken and Egg problem" which is how do you provide encrypted communications to users who "walk in off the street" to an Internet Cafe or equivalent where you can either not plug in storage media or do not wish to plug in storage media that contains the "keys to your kingdom". Their solution is to provide a "net within a net" where communication is encrypted BUT you have to connect to the "encrypted net" via a node (gateway) you are registered on and your communications betweeen the machine you are on and the node is in plain text...

So with Diaspora unless you control the node then the node admin can see your plaintext messages. The same is true for the person you are trying to communicate with and the node they are registered on.

Even if you could load encryption code down into the web browser on the machine the user uses you still have the problem of KeyMat (Keying Material, or the file in which you keep the encryption keys be they symetrical or asymetrical).

Even if you could solve the KeyMat issue you still have not solved the "end run" problem, that is the encrypted secure channel ends not at the user but some point before that. Thus if the user is on a machine they don't 100% control it can send from the keyboard and screen drivers the plaintext of to an adversary...

There is a known solution to the end run problem (extend the encrypted channel through the user) but it has it's own problems.

Have a look back through this blog to conversations between Nick P, myself and others with regards "authenticating transactions" not authenticating users.

dilbertNovember 28, 2011 8:46 AM

@llewelly,

They scamble it twice? Cool... so they're using ROT26 instead of plain old ROT13, right? :)

Nick PNovember 29, 2011 9:47 AM

@ Clive Robinson

Nice articles. That people let a non-licensed practitioner shoot their ass full of "cement, mineral oil, and flat tire sealant" tells me we have a bunch of Darwin Awards coming in the future. There have also been multiple Darwin Awards to people getting it on in high or crazy places. I consider the woman in the article a At-Risk Survivor.

Clive RobinsonDecember 4, 2011 3:05 AM

For those interested in the "My Android Mobile's bugged" debate...

The manufacturer of the software CarrierIQ have come out to refute the findings of Trevor Eckhart that they are monitoring all the keypresses and SMS's etc etc,

http://www.theregister.co.uk/2011/12/02/...

The "official story" is CarrierIQ's software is an aid to developers and network engineers to enable them to retrospectively diagnose faults...

The problem is that whilst it might ot might not be true it misses the point. What CarrierIQ has done is put in place software that allows what Trevor Eckhart reported to happen, thus it makes exploiting any phone on which it runs to be more easily exploited.

It's a bit like saying "Funny things are happening in the bank vault that we cann't see when the doors locked, so we will just bash some nice big window sized holes in all the walls and floors etc so we can look in to see"... Thus convieniently ignoring the fact that a safecracker, now does not have to take the time or effort to crack the lock or breach the walls to get in because those nice "vault testers" have made some bl**dy great window sized holes for the safe cracker to just walk through...

The simple fact is "vault tester company policy" has no effect on those wishing to loot the vault, it's the safe guards of the vault door, walls etc that stops the looters, if you put any kind of "mechanism" in place to breach the safe guards then the looters will just use it.

CarrierIQ has provided the "mechanism" and it's VP of marketing, Andrew Coward has
disingenuously/naively said it's "to help developers and networks"... Well are we going to wait for it "to also help looters" which bassed on past experiance we know is going to happen (Think the Greek Olympic's & Vodafone issue) or are we going to rip the mechanisum out to prevent that eventuality?

But that's not the bottom line for most users, CarrierIQ's Coward gave an indication of just what quantity of data is involved and said 200K/Day or more, the bottom line is thus who's paying for this data to be sent, at the end of the day they are, whilst it might not be directtly as part of a paid for data allowance, they certainly are in either reduced bandwidth or network upgrade costs and CPU cycles and battery life, and significantly reduced RAM availability. That is there is no free lunch for CarrierIQ's parasite, they might not pay for the blood they suck, but somebody does and that's "you" the individual customer...

Hopefully the four law suits and a federal investigation will rip the software out of future phones. But in all honesty I don't think they will simply because both the Industry and the various LEO's and other Government agencies have to much interest in gathering such data.

We know this is going on in a more general way but very significant way. There was a conference in London run by City Universities Bureau of Investigative Journalism unit a few days ago and up for discusssion was a whole load of information from Wikileaks. Whilst Julian Asssangea's trite "Well you're all screwed" comment after asking "Who here has an iPhone, who has a BlackBerry, who uses Gmail?" might have woken the audiance up in his usuall confrontational way. His further observation of "the reality is that intelligence operations are selling right now mass surveillance systems for all those products" is nether the less quite true. I know of a couple of organisations within a short drive of where I live who develop such systems, and have mentioned in the past on this blog how the actuall phone standards have the "mechanism" built in (it would appear originaly at the behest of the UK Government).

More thoughtfull and less confrontational comment was made by Steven Murdoch of the Cambridge University Labs Security Group (he posts fairly regularly to the groups blog at lightbluetouchpaper.org ). The register covered the confrance briefly at,

http://www.theregister.co.uk/2011/12/01/...

Also of interest they have an article from the well respected Duncan Campbell about Privacy International's investigation into the commercial but covert market for such phone, satellite, optical fiber and computer surveillance tools,

http://www.theregister.co.uk/2011/12/01/...

Penultimatly, we have recently seen a post about the insecurities of Android and Apple iOS well for those with RIM products here's an "invite too the party" to have a think about,

http://www.theregister.co.uk/2011/12/02/...

Whilst it appears it currently effects only the playbook not the Blackberry smart phones, it shows that even RIM's technology is vulnerable to attack when there is sufficient motivation to do so.

And finaly a link to a post I made a few days ago which contains two other links that might be of interest,

http://www.schneier.com/blog/archives/2011/12/...

Clive RobinsonDecember 4, 2011 3:18 AM

@ Dave,

With regard to GCHQ's recruitment competition, it has developed into a little bit of a farce.

It appears that the "success page" is available via a Google search...

http://www.theregister.co.uk/2011/12/03/...

So atleast somebody is worth interviewing over their lateral thinking ;-)

It kind of reminds me of Bill Gates comment a few years ago about Donald Knuths books in that anybody who had read them should get in contact. What he realy ment was not read but understood (and before anybody asks, no I did not drop him a line, because I'd already met him on a previous occasion).

Clive RobinsonDecember 4, 2011 3:50 AM

Further to the GCHQ snafu, I ran a site search on google and found the required page that then links to this page,

http://www.gchq-careers.co.uk/cyber-jobs/

On which there is an [Apply] button, when I pressed it the browser in my smart phone poped up a warning about an untrusted certificate...

I nearly spilled the mug of tea in my other hand laughing 8)

RobertTDecember 5, 2011 2:52 AM

@Clive R
"Thus convieniently ignoring the fact that a safecracker, now does not have to take the time or effort to crack the lock or breach the walls to get in because those nice "vault testers" have made some bl**dy great window sized holes for the safe cracker to just walk through..."

The smartphone Information security situation today is so bad it's hard not to laugh at it. I've sat in on meetings where otherwise intelligent engineers have proposed adding security bypass (aka hardware backdoors) so that they can properly do a root cause analysis of existing security failures.

The discussion goes something like....But How did that Ram value get changed???....The very concept that other apps would maliciously manipulate, timing, Interrupts and Ram addresses to wander outside their allocated memory space, is completely lost on most of these code cutters.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..